
Firefox AND IE hijacked.

Re: Firefox AND IE hijacked.

Post by km2357 » April 5th, 2010, 1:34 am

I downloaded the file for SP2 as instructed since I have SP3, and dropped it on ComboFix. All that happened was a blue box with a flashing cursor in it, so after 15 minutes I stopped it.

What am I doing wrong???


Have/Did you disable AVG and Zone Alarm before running ComboFix/dragging and dropping the Recovery Console file onto ComboFix? If you haven't, disable those two programs and try again.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Firefox AND IE hijacked.

Post by GrannyGrump » April 5th, 2010, 8:17 am

ComboFix 10-04-03.01 - Lori 04/05/2010 7:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2673 [GMT -4:00]
Running from: c:\documents and settings\Lori\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lori\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-247421605-189612145-2731240965-1001
C:\Thumbs.db
c:\windows\AppPatch\AcAdProc.dll
c:\windows\system32\spool\prtprocs\w32x86\00003ae4.tmp
c:\windows\system32\spool\prtprocs\w32x86\00007775.tmp
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
H:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 02:17 . 2010-04-05 02:17 -------- d-----w- c:\documents and settings\Lori\Application Data\LegacyInteractive
2010-04-04 02:19 . 2010-04-05 01:14 -------- d-----w- C:\Crystal Portal
2010-04-03 01:40 . 2010-04-03 01:40 -------- d-----w- C:\Sysprot
2010-03-31 03:39 . 2010-03-31 03:39 -------- d-----w- c:\documents and settings\Lori\Application Data\HSA
2010-03-31 02:35 . 2010-03-31 02:35 -------- d-----w- c:\documents and settings\Lori\Local Settings\Application Data\Windows Live Writer
2010-03-31 02:35 . 2010-03-31 02:35 -------- d-----w- c:\documents and settings\Lori\Application Data\Windows Live Writer
2010-03-29 11:39 . 2010-03-29 11:39 -------- d-----w- c:\documents and settings\Lori\Application Data\Malwarebytes
2010-03-29 11:39 . 2009-04-06 20:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 11:39 . 2009-04-06 20:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 11:39 . 2010-03-29 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-29 11:37 . 2010-03-29 11:40 -------- d-----w- C:\Malwarebytes.1.32
2010-03-29 04:47 . 2010-03-29 04:48 6509608 ----a-w- C:\RUBotted.exe
2010-03-29 04:45 . 2010-03-29 16:14 -------- d-----w- C:\TMRBLog
2010-03-29 04:45 . 2010-03-29 04:45 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-29 04:45 . 2010-03-29 04:45 -------- d-----w- C:\log
2010-03-29 04:44 . 2010-03-29 04:44 1074232 ----a-w- C:\RootkitBuster_2.80.1077.zip
2010-03-29 04:39 . 2010-03-29 04:39 -------- d-----w- C:\TrendMicro
2010-03-29 04:30 . 2010-03-29 04:30 1840232 ----a-w- C:\HousecallLauncher.exe
2010-03-28 19:21 . 2010-03-28 19:21 -------- d-----w- C:\Firefox3point6
2010-03-28 18:53 . 2010-03-28 18:53 4592 ----a-w- C:\b4-firefox-removal.reg
2010-03-28 15:18 . 2010-03-28 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2010-03-28 14:38 . 2010-03-28 14:41 -------- d-----w- C:\Defrag Registry
2010-03-26 23:27 . 2010-03-26 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Gogii
2010-03-26 14:35 . 2010-03-26 14:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-26 14:34 . 2010-03-26 14:35 -------- d-----w- C:\Firefox 3-6-2(2)
2010-03-24 23:05 . 2010-03-24 23:05 -------- d-----w- c:\documents and settings\Lori\Application Data\Jetdogs Studios
2010-03-24 22:17 . 2010-03-18 17:55 1811456 ----a-w- c:\windows\NetworkCfg.exe
2010-03-24 19:50 . 2010-03-24 19:50 15015 ----a-w- C:\Just_Checking_v3.15_by_FFF.zip
2010-03-24 16:20 . 2010-03-24 22:06 -------- dc----w- c:\documents and settings\All Users\Application Data\{35ACA973-70F0-495F-9092-74A130711865}
2010-03-24 14:12 . 2010-03-24 22:15 -------- d-----w- c:\documents and settings\All Users\Anyplace Control 4
2010-03-24 14:06 . 2010-03-26 18:18 -------- d-----w- C:\Anyplace Control
2010-03-23 23:57 . 2010-03-23 23:57 -------- d-----w- c:\documents and settings\Lori\Application Data\Artifex Mundi
2010-03-22 21:03 . 2010-03-22 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\HiddenSecretsNightmare
2010-03-22 03:48 . 2010-03-22 03:50 -------- d-----w- C:\BadCopy_Pro_v4.10__Jufsoft_Build_1215
2010-03-22 01:23 . 2010-03-22 01:23 2584093 ----a-w- C:\Weather Forecaster.zip
2010-03-21 03:58 . 2010-03-21 14:30 -------- d-----w- C:\Viewsat
2010-03-20 21:27 . 2010-03-20 21:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-20 21:27 . 2010-03-20 21:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-03-20 19:15 . 2010-03-29 19:43 97364760 ----a-w- C:\Ad-AwareInstaller.exe
2010-03-19 13:26 . 2010-03-19 13:26 -------- d-----w- c:\documents and settings\Lori\Application Data\EBookSys
2010-03-18 14:22 . 2010-03-18 14:22 6876688 ----a-w- C:\Thunderbird Setup 2.0.0.24.exe
2010-03-18 13:47 . 2010-03-18 13:47 9009352 ----a-w- C:\Thunderbird Setup 3.0.3.exe
2010-03-17 03:35 . 2010-03-17 03:35 -------- d-----w- c:\documents and settings\Lori\Application Data\AzuazGames
2010-03-16 15:15 . 2010-03-16 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Nevosoft
2010-03-16 04:37 . 2010-03-16 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2010-03-15 21:39 . 2010-03-15 21:39 -------- d-----w- c:\documents and settings\Lori\Application Data\Silverback Productions
2010-03-15 17:19 . 2010-03-15 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Vampireville
2010-03-14 22:48 . 2010-03-14 22:48 -------- d-----w- c:\documents and settings\Lori\Application Data\QB9
2010-03-14 17:37 . 2010-03-14 17:37 -------- d-----w- c:\documents and settings\Lori\Application Data\Frogwares
2010-03-14 15:32 . 2010-03-14 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-14 15:32 . 2010-03-14 15:32 -------- d-----w- c:\program files\NOS
2010-03-14 15:23 . 2008-08-06 20:29 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-14 04:20 . 2010-03-14 04:21 -------- d-----w- c:\documents and settings\Lori\Application Data\DarkParablesBriarRose_BFG
2010-03-14 02:17 . 2010-03-14 02:17 -------- d-----w- c:\documents and settings\Lori\Application Data\DarkParablesRose_BFG_Survey
2010-03-13 16:06 . 2010-03-13 16:06 127 ----a-w- c:\documents and settings\Lori\Local Settings\Application Data\fusioncache.dat
2010-03-13 15:56 . 2010-03-13 15:57 11629915 ----a-w- C:\Shozam_download.exe
2010-03-13 15:22 . 2010-03-13 15:22 -------- d-----w- C:\Applets
2010-03-13 13:38 . 2010-03-28 18:50 -------- d-----w- C:\Firefox 3-6
2010-03-12 22:22 . 2010-04-04 02:21 -------- d-----w- c:\documents and settings\Lori\Application Data\Artogon
2010-03-12 19:14 . 2010-03-12 19:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-11 20:50 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-03-11 20:50 . 2010-02-25 16:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-03-11 20:50 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-11 20:50 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-11 20:50 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-11 20:50 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-11 20:50 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-03-11 20:49 . 2010-03-11 20:50 -------- dc-h--w- c:\windows\ie8
2010-03-11 19:06 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-11 19:05 . 2009-12-08 19:26 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-11 19:05 . 2009-12-08 19:27 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-11 19:05 . 2009-12-08 18:43 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-11 19:05 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-11 16:54 . 2008-04-13 23:00 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-03-11 16:45 . 2008-04-13 23:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-03-11 16:45 . 2008-04-13 23:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-03-11 16:45 . 2008-04-13 23:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-03-11 16:45 . 2008-04-13 23:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-03-11 11:36 . 2010-03-11 11:36 -------- d-----w- c:\windows\Dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 12:02 . 2009-11-29 20:35 12530852 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-04 13:16 . 2010-04-04 13:16 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-04 13:16 . 2010-04-04 13:16 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-02 23:00 . 2010-04-02 23:09 2538496 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-03-29 20:33 . 2010-01-08 17:53 4031608 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-29 11:40 . 2010-03-29 11:40 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-29 04:39 . 2010-03-29 04:39 388096 ----a-r- c:\documents and settings\Lori\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-27 01:50 . 2010-01-16 22:22 -------- d-----w- c:\documents and settings\Lori\Application Data\Meridian93
2010-03-24 22:06 . 2010-01-08 17:38 -------- d-----w- c:\program files\Linksys
2010-03-23 16:13 . 2009-12-20 23:17 -------- d-----w- c:\documents and settings\Lori\Application Data\ERS G-Studio
2010-03-22 17:10 . 2009-08-15 01:12 354384 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-21 13:47 . 2010-01-12 00:12 -------- d-----w- c:\documents and settings\Lori\Application Data\U3
2010-03-20 03:55 . 2010-01-03 20:47 -------- d-----w- c:\documents and settings\Lori\Application Data\Big Fish Games
2010-03-18 14:02 . 2009-11-18 19:26 -------- d-----w- c:\documents and settings\Lori\Application Data\Thunderbird
2010-03-17 02:04 . 2009-11-30 16:01 -------- d-----w- c:\documents and settings\Lori\Application Data\AdobeUM
2010-03-14 14:44 . 2009-12-05 02:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-12 19:14 . 2010-03-12 19:14 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-12 19:14 . 2010-03-12 19:14 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-12 19:14 . 2010-03-12 19:14 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-12 19:14 . 2010-03-12 19:14 161800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrkx86.sys
2010-03-12 19:14 . 2009-11-18 21:38 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 19:14 . 2009-11-18 21:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-12 19:13 . 2009-11-18 21:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 19:13 . 2009-11-18 21:38 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-03-11 21:46 . 2009-11-18 21:44 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-03-11 16:52 . 2008-04-25 21:27 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-25 06:24 . 2008-04-13 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-09 03:50 . 2010-03-11 17:54 2249216 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-02-09 03:50 . 2010-03-11 17:54 2628096 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-02-07 19:34 . 2010-02-07 19:27 -------- d-----w- c:\documents and settings\Lori\Application Data\RobinsonCrusoe
2010-02-07 04:17 . 2010-02-07 04:17 -------- d-----w- c:\documents and settings\Lori\Application Data\TheFixerUpper
2010-02-07 00:47 . 2010-02-04 21:42 -------- d-----w- c:\documents and settings\Lori\Application Data\Gamers Digital
2010-02-07 00:47 . 2010-02-04 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Gamers Digital
2010-02-06 14:12 . 2010-02-06 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SOS
2010-02-06 04:02 . 2010-01-20 04:26 -------- d-----w- c:\documents and settings\Lori\Application Data\PlayFirst
2010-02-06 04:02 . 2010-01-20 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-02-05 20:23 . 2010-02-05 20:22 -------- d-----w- c:\documents and settings\Lori\Application Data\HiT-MM
2010-02-04 21:46 . 2009-11-18 21:44 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-04 15:46 . 2009-11-18 21:45 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-04 15:46 . 2009-11-18 21:44 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-02 19:55 . 2009-11-18 22:40 968184 ----a-w- c:\documents and settings\Lori\Local Settings\Application Data\prvlcl.dat
2010-01-31 02:25 . 2010-01-31 02:25 21504 ----a-w- c:\documents and settings\All Users\Application Data\3rd Eye Solutions\jestertb.dll
2010-01-27 15:48 . 2009-11-18 21:46 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-27 15:48 . 2009-11-18 21:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-27 15:48 . 2009-11-18 21:46 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-27 15:48 . 2009-11-18 21:46 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-27 15:48 . 2009-11-18 21:46 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-27 15:48 . 2009-11-18 21:46 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-27 15:48 . 2009-11-18 21:45 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-27 15:48 . 2009-11-18 21:45 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-27 15:48 . 2009-11-18 21:45 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-27 15:47 . 2009-11-18 21:45 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-27 15:47 . 2009-11-18 21:45 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-27 15:47 . 2009-11-18 21:45 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-27 15:47 . 2009-11-18 21:44 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-27 15:46 . 2009-11-18 21:44 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-27 15:46 . 2009-11-18 21:44 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-14 21:59 . 2010-01-14 21:59 4592 ----a-w- C:\reg-b4-acrobat8.reg
2010-01-08 18:43 . 2010-01-08 18:43 79488 ----a-w- c:\documents and settings\Lori\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-08 17:59 . 2010-01-08 17:59 21135514 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2010_01_08_12_18_10_full.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\zonealarm\zlclient.exe" [2009-02-16 981384]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-12 19:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk
backup=c:\windows\pss\Corel Registration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOY5KNQ8OC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-01-13 03:00 33546240 ----a-w- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 20:50 54576 ----a-w- c:\hp\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-12-12 23:06 642856 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
2002-05-14 21:08 49152 ----a-w- c:\textbridge11\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-05-23 19:06 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\quicktime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-15 01:10 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherPulse]
2009-12-13 20:24 4066816 ----a-w- c:\documents and settings\All Users\Application Data\Weather Pulse 2.2.4.4\weatherpulse.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WS-FTP\\WS_FTP32.EXE"=
"c:\\AVG9\\avgam.exe"=
"c:\\AVG9\\avgdiagex.exe"=
"c:\\AVG9\\avgnsx.exe"=
"c:\\AVG9\\avgupd.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Anyplace Control\\apc_host.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [10/13/2008 3:14 AM 184848]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/18/2009 5:38 PM 52872]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/18/2009 5:46 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/18/2009 5:38 PM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/18/2009 5:38 PM 242696]
R2 APC-Host;APC-Host;c:\anyplace control\apc_host.exe [3/18/2010 2:01 PM 498688]
R2 avg9wd;AVG WatchDog;c:\avg9\avgwdsvc.exe [3/12/2010 3:14 PM 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1181328]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [8/14/2009 11:59 PM 992256]
S0 cerc6;cerc6; [x]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/3/2009 12:16 AM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:46]

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:46]

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:46]

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:46]

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:46]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\micros~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\cmstxy32.default\
FF - prefs.js: browser.search.selectedEngine - AltaVista
FF - prefs.js: browser.startup.homepage - loricase.com
FF - plugin: c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\cmstxy32.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin2.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin3.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin4.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin5.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin6.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
c:\firefox3point6\greprefs\all.js - pref("ui.use_native_colors", true);
c:\firefox3point6\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\firefox3point6\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\firefox3point6\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\firefox3point6\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\firefox3point6\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\firefox3point6\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\firefox3point6\greprefs\all.js - pref("svg.smil.enabled", false);
c:\firefox3point6\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.debug", false);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\firefox3point6\greprefs\all.js - pref("html5.enable", false);
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\firefox3point6\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\firefox3point6\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\firefox3point6\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\firefox3point6\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\firefox3point6\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
txtfile=c:\notebook3\notebook.exe %1
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DAEMON Tools Lite - c:\daemon tools lite\DTLite.exe
AddRemove-Haunted Manor Lord of Mirrors Collectors Edition 1.00 - c:\haunted manor lord of mirrors \Uninstall.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,4b,18,cb,ca,13,a6,4a,80,6d,6a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,4b,18,cb,ca,13,a6,4a,80,6d,6a,\

[HKEY_USERS\S-1-5-21-2316762710-2237065447-2982121470-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EC26E27F-5721-7403-9AE5-5D7F7F04C00C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"haodcafnbnnofdhl"=hex:66,61,62,61,6f,68,6c,64,62,70,63,6e,00,00
"iapkginamnbelbbnff"=hex:6a,61,64,61,65,68,6e,6e,67,70,61,6a,66,6e,69,6e,6f,67,
69,68,00,28
"hajkigemejfjgpaf"=hex:6a,61,64,61,63,68,6b,68,6e,69,61,6b,63,6d,6f,6b,65,69,
69,65,00,fb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(528)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\avg9\avgchsvx.exe
c:\avg9\avgrsx.exe
c:\avg9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\avg9\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-04-05 08:07:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-05 12:07

Pre-Run: 677,265,432,576 bytes free
Post-Run: 678,086,156,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FED2F8BD2DD1500D7C57F0AC93EC7F05


km2357 wrote:
I downloaded the file for SP2 as instructed since I have SP3, and dropped it on ComboFix. All that happened was a blue box with a flashing cursor in it, so after 15 minutes I stopped it.

What am I doing wrong???


Have/Did you disable AVG and Zone Alarm before running ComboFix/dragging and dropping the Recovery Console file onto ComboFix? If you haven't, disable those two programs and try again.
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am

Re: Firefox AND IE hijacked.

Post by km2357 » April 5th, 2010, 4:22 pm

Step # 1: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KILLALL::
    
    File::
    
    c:\windows\Internet Logs\xDB2.tmp
    c:\windows\Internet Logs\xDB1.tmp
    
    DDS::
    
    uStart Page = about:blank
    
    RegNull::
    
    [HKEY_USERS\S-1-5-21-2316762710-2237065447-2982121470-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EC26E27F-5721-7403-9AE5-5D7F7F04C00C}*]



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




    [screenshot: dragging CFScript.txt onto ComboFix.exe]


    Note: This CFScript is for use on GrannyGrump's computer only! Do not use it on your computer.


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
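The step above hands ComboFix a CFScript and asks for the resulting log back, and the helper's next job is to confirm the log shows what the script asked for. The following is an added example (not code from this thread, from MalwareRemoval.com or from ComboFix itself) of how a helper can do that mechanically: it parses the CFScript directives, splits a ComboFix log into its banner-delimited sections, checks every `File::` target against the "Other Deletions" section, and parses the "Files Created" entries into structured records. The CFScript is copied from the post above; the log excerpt is constructed to mirror the line formats of the log posted in reply. The `executables_outside_program_dirs` heuristic (executables dropped in the drive root or directly in `c:\windows`) is this example's own triage rule, not anything ComboFix reports, and a hit only means "ask the poster about it", not "malicious".

```python
import re

# Constructed sample: the CFScript from km2357's post above, directives copied as written.
CFSCRIPT = r"""KILLALL::

File::

c:\windows\Internet Logs\xDB2.tmp
c:\windows\Internet Logs\xDB1.tmp

DDS::

uStart Page = about:blank

RegNull::

[HKEY_USERS\S-1-5-21-2316762710-2237065447-2982121470-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EC26E27F-5721-7403-9AE5-5D7F7F04C00C}*]
"""

# Constructed excerpt modelled on the ComboFix log posted in reply (same line formats).
COMBOFIX_LOG = r"""ComboFix 10-04-03.01 - Lori 04/05/2010 18:03:37.2.2 - x86
Command switches used :: c:\documents and settings\Lori\Desktop\CFScript.txt

FILE ::
"c:\windows\Internet Logs\xDB1.tmp"
"c:\windows\Internet Logs\xDB2.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp
.
((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.
2010-04-03 01:40 . 2010-04-03 01:40 -------- d-----w- C:\Sysprot
2010-03-29 11:39 . 2009-04-06 20:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 04:47 . 2010-03-29 04:48 6509608 ----a-w- C:\RUBotted.exe
2010-03-24 22:17 . 2010-03-18 17:55 1811456 ----a-w- c:\windows\NetworkCfg.exe
.
"""

DIRECTIVE_RE = re.compile(r"^(\w+)::$")                  # File::  RegNull::  KILLALL::
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")           # ((( Other Deletions )))
DASH_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")          # --- Supplementary Scan ---
ECHO_RE = re.compile(r"^([A-Z]+) ::$")                   # FILE ::  (ComboFix echoing the script)
ENTRY_RE = re.compile(                                    # one 'Files Created' line
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size>-+|\d+)\s+(?P<attrs>[-\w]{8})\s+(?P<path>.+)$")


def parse_cfscript(text):
    """Map each directive (File, RegNull, ...) to the non-blank lines that follow it."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Split a ComboFix log into its named sections; '.' and blank spacer lines are dropped."""
    sections, current = {"Header": []}, "Header"
    for line in (l.rstrip() for l in text.splitlines()):
        m = BANNER_RE.match(line) or DASH_RE.match(line) or ECHO_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def check_file_deletions(cfscript_text, log_text):
    """For every File:: target: was it reported under 'Other Deletions'? (case-insensitive paths)"""
    requested = parse_cfscript(cfscript_text).get("File", [])
    deleted = {p.strip('"').lower() for p in parse_combofix_log(log_text).get("Other Deletions", [])}
    return {path: path.lower() in deleted for path in requested}


def parse_files_created(log_text):
    """Parse the 'Files Created from ... to ...' section into dicts (size is None for directories)."""
    entries = []
    for name, lines in parse_combofix_log(log_text).items():
        if name.startswith("Files Created"):
            for m in filter(None, map(ENTRY_RE.match, lines)):
                e = m.groupdict()
                e["is_dir"] = e["attrs"].startswith("d")
                e["size"] = None if e["is_dir"] else int(e["size"])
                entries.append(e)
    return entries


def executables_outside_program_dirs(entries):
    """Assumed triage rule: executables created in the drive root or directly in c:\\windows.
    These are the entries a helper asks the poster about first; a hit is not a verdict."""
    hits = []
    for e in entries:
        if e["is_dir"] or not e["path"].lower().endswith((".exe", ".dll", ".sys", ".scr")):
            continue
        if e["path"].lower().rsplit("\\", 1)[0] in ("c:", "c:\\windows"):
            hits.append(e["path"])
    return hits


if __name__ == "__main__":
    for path, ok in check_file_deletions(CFSCRIPT, COMBOFIX_LOG).items():
        print(("deleted  " if ok else "MISSING  ") + path)
    print("review:", executables_outside_program_dirs(parse_files_created(COMBOFIX_LOG)))
```

Run it as-is and both `xDB*.tmp` targets report as deleted, matching the "Other Deletions" block in the reply below; a `File::` path that never reaches "Other Deletions" shows up as MISSING, which is the cue to ask for another log rather than move on. The section splitter keys on ComboFix's own banners (`(((( ... ))))`, `--- ... ---`, and the `FILE ::` echo), so the same parser can be pointed at the "Reg Loading Points" or "Other Running Processes" sections of a full log.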

Re: Firefox AND IE hijacked.

Post by GrannyGrump » April 5th, 2010, 6:54 pm

ComboFix log:

ComboFix 10-04-03.01 - Lori 04/05/2010 18:03:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2563 [GMT -4:00]
Running from: c:\documents and settings\Lori\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lori\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\Internet Logs\xDB1.tmp"
"c:\windows\Internet Logs\xDB2.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Internet Logs\xDB1.tmp
c:\windows\Internet Logs\xDB2.tmp

.
((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 02:17 . 2010-04-05 02:17 -------- d-----w- c:\documents and settings\Lori\Application Data\LegacyInteractive
2010-04-04 02:19 . 2010-04-05 01:14 -------- d-----w- C:\Crystal Portal
2010-04-03 01:40 . 2010-04-03 01:40 -------- d-----w- C:\Sysprot
2010-03-31 03:39 . 2010-03-31 03:39 -------- d-----w- c:\documents and settings\Lori\Application Data\HSA
2010-03-31 02:35 . 2010-03-31 02:35 -------- d-----w- c:\documents and settings\Lori\Local Settings\Application Data\Windows Live Writer
2010-03-31 02:35 . 2010-03-31 02:35 -------- d-----w- c:\documents and settings\Lori\Application Data\Windows Live Writer
2010-03-29 11:39 . 2010-03-29 11:39 -------- d-----w- c:\documents and settings\Lori\Application Data\Malwarebytes
2010-03-29 11:39 . 2009-04-06 20:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 11:39 . 2009-04-06 20:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 11:39 . 2010-03-29 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-29 11:37 . 2010-03-29 11:40 -------- d-----w- C:\Malwarebytes.1.32
2010-03-29 04:47 . 2010-03-29 04:48 6509608 ----a-w- C:\RUBotted.exe
2010-03-29 04:45 . 2010-03-29 16:14 -------- d-----w- C:\TMRBLog
2010-03-29 04:45 . 2010-03-29 04:45 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-29 04:45 . 2010-03-29 04:45 -------- d-----w- C:\log
2010-03-29 04:44 . 2010-03-29 04:44 1074232 ----a-w- C:\RootkitBuster_2.80.1077.zip
2010-03-29 04:39 . 2010-03-29 04:39 -------- d-----w- C:\TrendMicro
2010-03-29 04:30 . 2010-03-29 04:30 1840232 ----a-w- C:\HousecallLauncher.exe
2010-03-28 19:21 . 2010-03-28 19:21 -------- d-----w- C:\Firefox3point6
2010-03-28 18:53 . 2010-03-28 18:53 4592 ----a-w- C:\b4-firefox-removal.reg
2010-03-28 15:18 . 2010-03-28 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2010-03-28 14:38 . 2010-03-28 14:41 -------- d-----w- C:\Defrag Registry
2010-03-26 23:27 . 2010-03-26 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Gogii
2010-03-26 14:35 . 2010-03-26 14:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-26 14:34 . 2010-03-26 14:35 -------- d-----w- C:\Firefox 3-6-2(2)
2010-03-24 23:05 . 2010-03-24 23:05 -------- d-----w- c:\documents and settings\Lori\Application Data\Jetdogs Studios
2010-03-24 22:17 . 2010-03-18 17:55 1811456 ----a-w- c:\windows\NetworkCfg.exe
2010-03-24 19:50 . 2010-03-24 19:50 15015 ----a-w- C:\Just_Checking_v3.15_by_FFF.zip
2010-03-24 16:20 . 2010-03-24 22:06 -------- dc----w- c:\documents and settings\All Users\Application Data\{35ACA973-70F0-495F-9092-74A130711865}
2010-03-24 14:12 . 2010-03-24 22:15 -------- d-----w- c:\documents and settings\All Users\Anyplace Control 4
2010-03-24 14:06 . 2010-03-26 18:18 -------- d-----w- C:\Anyplace Control
2010-03-23 23:57 . 2010-03-23 23:57 -------- d-----w- c:\documents and settings\Lori\Application Data\Artifex Mundi
2010-03-22 21:03 . 2010-03-22 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\HiddenSecretsNightmare
2010-03-22 03:48 . 2010-03-22 03:50 -------- d-----w- C:\BadCopy_Pro_v4.10__Jufsoft_Build_1215
2010-03-22 01:23 . 2010-03-22 01:23 2584093 ----a-w- C:\Weather Forecaster.zip
2010-03-21 03:58 . 2010-03-21 14:30 -------- d-----w- C:\Viewsat
2010-03-20 21:27 . 2010-03-20 21:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-20 21:27 . 2010-03-20 21:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-03-20 19:15 . 2010-03-29 19:43 97364760 ----a-w- C:\Ad-AwareInstaller.exe
2010-03-19 13:26 . 2010-03-19 13:26 -------- d-----w- c:\documents and settings\Lori\Application Data\EBookSys
2010-03-18 14:22 . 2010-03-18 14:22 6876688 ----a-w- C:\Thunderbird Setup 2.0.0.24.exe
2010-03-18 13:47 . 2010-03-18 13:47 9009352 ----a-w- C:\Thunderbird Setup 3.0.3.exe
2010-03-17 03:35 . 2010-03-17 03:35 -------- d-----w- c:\documents and settings\Lori\Application Data\AzuazGames
2010-03-16 15:15 . 2010-03-16 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Nevosoft
2010-03-16 04:37 . 2010-03-16 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2010-03-15 21:39 . 2010-03-15 21:39 -------- d-----w- c:\documents and settings\Lori\Application Data\Silverback Productions
2010-03-15 17:19 . 2010-03-15 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Vampireville
2010-03-14 22:48 . 2010-03-14 22:48 -------- d-----w- c:\documents and settings\Lori\Application Data\QB9
2010-03-14 17:37 . 2010-03-14 17:37 -------- d-----w- c:\documents and settings\Lori\Application Data\Frogwares
2010-03-14 15:32 . 2010-03-14 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-14 15:32 . 2010-03-14 15:32 -------- d-----w- c:\program files\NOS
2010-03-14 15:23 . 2008-08-06 20:29 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-14 04:20 . 2010-03-14 04:21 -------- d-----w- c:\documents and settings\Lori\Application Data\DarkParablesBriarRose_BFG
2010-03-14 02:17 . 2010-03-14 02:17 -------- d-----w- c:\documents and settings\Lori\Application Data\DarkParablesRose_BFG_Survey
2010-03-13 16:06 . 2010-03-13 16:06 127 ----a-w- c:\documents and settings\Lori\Local Settings\Application Data\fusioncache.dat
2010-03-13 15:56 . 2010-03-13 15:57 11629915 ----a-w- C:\Shozam_download.exe
2010-03-13 15:22 . 2010-03-13 15:22 -------- d-----w- C:\Applets
2010-03-13 13:38 . 2010-03-28 18:50 -------- d-----w- C:\Firefox 3-6
2010-03-12 22:22 . 2010-04-04 02:21 -------- d-----w- c:\documents and settings\Lori\Application Data\Artogon
2010-03-12 19:14 . 2010-03-12 19:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-11 20:50 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-03-11 20:50 . 2010-02-25 16:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-03-11 20:50 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-11 20:50 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-11 20:50 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-11 20:50 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-11 20:50 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-03-11 20:49 . 2010-03-11 20:50 -------- dc-h--w- c:\windows\ie8
2010-03-11 19:06 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-11 19:05 . 2009-12-08 19:26 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-11 19:05 . 2009-12-08 19:27 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-11 19:05 . 2009-12-08 18:43 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-11 19:05 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-11 16:54 . 2008-04-13 23:00 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-03-11 16:45 . 2008-04-13 23:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-03-11 16:45 . 2008-04-13 23:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-03-11 16:45 . 2008-04-13 23:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-03-11 16:45 . 2008-04-13 23:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-03-11 11:36 . 2010-03-11 11:36 -------- d-----w- c:\windows\Dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 12:02 . 2009-11-29 20:35 12530852 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-04 13:16 . 2010-04-04 13:16 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-04 13:16 . 2010-04-04 13:16 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-02 23:00 . 2010-04-02 23:09 2538496 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-03-29 20:33 . 2010-01-08 17:53 4031608 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-29 11:40 . 2010-03-29 11:40 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-29 04:39 . 2010-03-29 04:39 388096 ----a-r- c:\documents and settings\Lori\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-27 01:50 . 2010-01-16 22:22 -------- d-----w- c:\documents and settings\Lori\Application Data\Meridian93
2010-03-24 22:06 . 2010-01-08 17:38 -------- d-----w- c:\program files\Linksys
2010-03-23 16:13 . 2009-12-20 23:17 -------- d-----w- c:\documents and settings\Lori\Application Data\ERS G-Studio
2010-03-22 17:10 . 2009-08-15 01:12 354384 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-21 13:47 . 2010-01-12 00:12 -------- d-----w- c:\documents and settings\Lori\Application Data\U3
2010-03-20 03:55 . 2010-01-03 20:47 -------- d-----w- c:\documents and settings\Lori\Application Data\Big Fish Games
2010-03-18 14:02 . 2009-11-18 19:26 -------- d-----w- c:\documents and settings\Lori\Application Data\Thunderbird
2010-03-17 02:04 . 2009-11-30 16:01 -------- d-----w- c:\documents and settings\Lori\Application Data\AdobeUM
2010-03-14 14:44 . 2009-12-05 02:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-12 19:14 . 2010-03-12 19:14 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-12 19:14 . 2010-03-12 19:14 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-12 19:14 . 2010-03-12 19:14 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-12 19:14 . 2010-03-12 19:14 161800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrkx86.sys
2010-03-12 19:14 . 2009-11-18 21:38 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 19:14 . 2009-11-18 21:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-12 19:13 . 2009-11-18 21:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 19:13 . 2009-11-18 21:38 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-03-11 21:46 . 2009-11-18 21:44 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-03-11 16:52 . 2008-04-25 21:27 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-25 06:24 . 2008-04-13 23:00 916480 ------w- c:\windows\system32\wininet.dll
2010-02-07 19:34 . 2010-02-07 19:27 -------- d-----w- c:\documents and settings\Lori\Application Data\RobinsonCrusoe
2010-02-07 04:17 . 2010-02-07 04:17 -------- d-----w- c:\documents and settings\Lori\Application Data\TheFixerUpper
2010-02-07 00:47 . 2010-02-04 21:42 -------- d-----w- c:\documents and settings\Lori\Application Data\Gamers Digital
2010-02-07 00:47 . 2010-02-04 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Gamers Digital
2010-02-06 14:12 . 2010-02-06 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SOS
2010-02-06 04:02 . 2010-01-20 04:26 -------- d-----w- c:\documents and settings\Lori\Application Data\PlayFirst
2010-02-06 04:02 . 2010-01-20 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-02-05 20:23 . 2010-02-05 20:22 -------- d-----w- c:\documents and settings\Lori\Application Data\HiT-MM
2010-02-04 21:46 . 2009-11-18 21:44 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-04 15:46 . 2009-11-18 21:45 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-04 15:46 . 2009-11-18 21:44 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-02 19:55 . 2009-11-18 22:40 968184 ----a-w- c:\documents and settings\Lori\Local Settings\Application Data\prvlcl.dat
2010-01-31 02:25 . 2010-01-31 02:25 21504 ----a-w- c:\documents and settings\All Users\Application Data\3rd Eye Solutions\jestertb.dll
2010-01-27 15:48 . 2009-11-18 21:46 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-27 15:48 . 2009-11-18 21:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-27 15:48 . 2009-11-18 21:46 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-27 15:48 . 2009-11-18 21:46 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-27 15:48 . 2009-11-18 21:46 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-27 15:48 . 2009-11-18 21:46 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-27 15:48 . 2009-11-18 21:45 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-27 15:48 . 2009-11-18 21:45 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-27 15:48 . 2009-11-18 21:45 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-27 15:47 . 2009-11-18 21:45 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-27 15:47 . 2009-11-18 21:45 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-27 15:47 . 2009-11-18 21:45 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-27 15:47 . 2009-11-18 21:44 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-27 15:46 . 2009-11-18 21:44 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-27 15:46 . 2009-11-18 21:44 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-14 21:59 . 2010-01-14 21:59 4592 ----a-w- C:\reg-b4-acrobat8.reg
2010-01-08 18:43 . 2010-01-08 18:43 79488 ----a-w- c:\documents and settings\Lori\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-08 17:59 . 2010-01-08 17:59 21135514 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2010_01_08_12_18_10_full.dmp.zip
.

((((((((((((((((((((((((((((( SnapShot@2010-04-05_12.02.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-05 22:10 . 2010-04-05 22:10 16384 c:\windows\temp\Perflib_Perfdata_1e4.dat
+ 2009-11-18 17:43 . 2010-04-05 22:03 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-18 17:43 . 2010-04-04 22:51 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-18 17:43 . 2010-04-05 22:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-18 17:43 . 2010-04-04 22:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-05 12:22 . 2010-04-05 22:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\zonealarm\zlclient.exe" [2009-02-16 981384]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-12 19:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk
backup=c:\windows\pss\Corel Registration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2009-01-13 03:00 33546240 ----a-w- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 20:50 54576 ----a-w- c:\hp\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-12-12 23:06 642856 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
2002-05-14 21:08 49152 ----a-w- c:\textbridge11\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-05-23 19:06 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\quicktime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-15 01:10 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherPulse]
2009-12-13 20:24 4066816 ----a-w- c:\documents and settings\All Users\Application Data\Weather Pulse 2.2.4.4\weatherpulse.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WS-FTP\\WS_FTP32.EXE"=
"c:\\AVG9\\avgam.exe"=
"c:\\AVG9\\avgdiagex.exe"=
"c:\\AVG9\\avgnsx.exe"=
"c:\\AVG9\\avgupd.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Anyplace Control\\apc_host.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [10/13/2008 3:14 AM 184848]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/18/2009 5:38 PM 52872]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/18/2009 5:46 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/18/2009 5:38 PM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/18/2009 5:38 PM 242696]
R2 APC-Host;APC-Host;c:\anyplace control\apc_host.exe [3/18/2010 2:01 PM 498688]
R2 avg9wd;AVG WatchDog;c:\avg9\avgwdsvc.exe [3/12/2010 3:14 PM 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1181328]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [8/14/2009 11:59 PM 992256]
S0 cerc6;cerc6; [x]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/3/2009 12:16 AM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:46]

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:46]

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:46]

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:46]

2010-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 21:46]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\micros~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\cmstxy32.default\
FF - prefs.js: browser.search.selectedEngine - AltaVista
FF - prefs.js: browser.startup.homepage - loricase.com
FF - plugin: c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\cmstxy32.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin2.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin3.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin4.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin5.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin6.dll
FF - plugin: c:\quicktime\Plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
c:\firefox3point6\greprefs\all.js - pref("ui.use_native_colors", true);
c:\firefox3point6\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\firefox3point6\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\firefox3point6\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\firefox3point6\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\firefox3point6\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\firefox3point6\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\firefox3point6\greprefs\all.js - pref("svg.smil.enabled", false);
c:\firefox3point6\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.debug", false);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\firefox3point6\greprefs\all.js - pref("html5.enable", false);
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\firefox3point6\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\firefox3point6\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\firefox3point6\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\firefox3point6\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\firefox3point6\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 18:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,4b,18,cb,ca,13,a6,4a,80,6d,6a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,4b,18,cb,ca,13,a6,4a,80,6d,6a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3800)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\avg9\avgchsvx.exe
c:\avg9\avgrsx.exe
c:\avg9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\avg9\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-04-05 18:15:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-05 22:15
ComboFix2.txt 2010-04-05 12:07

Pre-Run: 678,018,686,976 bytes free
Post-Run: 677,985,341,440 bytes free

- - End Of File - - 9D459C7A3BD077DA766648E1117B1EB1



DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Lori at 18:50:02.79 on Mon 04/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2716 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\AVG9\avgchsvx.exe
C:\AVG9\avgrsx.exe
svchost.exe
C:\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Anyplace Control\apc_host.exe
C:\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\AVG9\avgnsx.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\AVG9\avgupd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Lori\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\acrobat 6\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\avg9\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\acrobat 6\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\acrobat 6\acrobat\AcroIEFavClient.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [ZoneAlarm Client] "c:\zonealarm\zlclient.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\micros~1\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Elf%20Bowling%207%2017%20-%20The%20Last%20Insult/Images/stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Elf%20Bowling%207%2017%20-%20The%20Last%20Insult/Images/armhelper.ocx
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lori\applic~1\mozilla\firefox\profiles\cmstxy32.default\
FF - prefs.js: browser.search.selectedEngine - AltaVista
FF - prefs.js: browser.startup.homepage - loricase.com
FF - plugin: c:\documents and settings\lori\application data\mozilla\firefox\profiles\cmstxy32.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
FF - plugin: c:\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\quicktime\plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
c:\firefox3point6\greprefs\all.js - pref("ui.use_native_colors", true);
c:\firefox3point6\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\firefox3point6\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\firefox3point6\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\firefox3point6\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\firefox3point6\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\firefox3point6\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\firefox3point6\greprefs\all.js - pref("svg.smil.enabled", false);
c:\firefox3point6\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.debug", false);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\firefox3point6\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\firefox3point6\greprefs\all.js - pref("html5.enable", false);
c:\firefox3point6\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\firefox3point6\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\firefox3point6\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\firefox3point6\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\firefox3point6\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\firefox3point6\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\firefox3point6\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\firefox3point6\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-10-13 184848]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-11-18 52872]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-18 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-18 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-18 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-18 242696]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-11-19 353672]
R2 APC-Host;APC-Host;c:\anyplace control\apc_host.exe [2010-3-18 498688]
R2 avg9wd;AVG WatchDog;c:\avg9\avgwdsvc.exe [2010-3-12 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-8-14 992256]
S0 cerc6;cerc6; [x]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

============== File Associations ===============

txtfile=c:\notebook3\notebook.exe %1

=============== Created Last 30 ================

2010-04-05 11:52:08 0 d-sha-r- C:\cmdcons
2010-04-05 02:17:59 0 d-----w- c:\docume~1\lori\applic~1\LegacyInteractive
2010-04-05 01:24:13 38336 ----a-w- C:\fran4.jpg
2010-04-05 01:24:00 36777 ----a-w- C:\fran3.jpg
2010-04-05 01:23:04 47725 ----a-w- C:\fran2.jpg
2010-04-05 01:21:57 134102 ----a-w- C:\fran1.jpg
2010-04-04 02:19:45 0 d-----w- C:\Crystal Portal
2010-04-04 00:01:05 28637 ----a-w- C:\max-or-austin.jpg
2010-04-03 19:22:03 77312 ----a-w- c:\windows\MBR.exe
2010-04-03 19:22:02 98816 ----a-w- c:\windows\sed.exe
2010-04-03 19:22:02 261632 ----a-w- c:\windows\PEV.exe
2010-04-03 19:22:02 161792 ----a-w- c:\windows\SWREG.exe
2010-04-03 03:36:52 29420 ----a-w- C:\baby-jap-snail-4-2-10.jpg
2010-04-03 01:40:20 0 d-----w- C:\Sysprot
2010-04-02 13:40:12 299120 ----a-w- C:\isaac-malin-marriage-record.jpg
2010-04-02 13:31:44 1277656 ----a-w- C:\isaac-malin-constable-pa-1710.jpg
2010-04-02 03:10:16 70807 ----a-w- C:\max-yawn-pattison.jpg
2010-04-01 21:38:51 116528 ----a-w- C:\Mollyowlettes-ringtone.mp3
2010-04-01 21:38:41 156652 ----a-w- C:\Molly-ringtone.mp3
2010-04-01 21:38:30 221853 ----a-w- C:\Max-ringtone.mp3
2010-03-31 18:51:45 98752 ----a-w- C:\owlets.jpg
2010-03-31 18:49:05 102899 ----a-w- C:\max-molly.jpg
2010-03-31 03:39:12 0 d-----w- c:\docume~1\lori\applic~1\HSA
2010-03-31 02:35:14 0 d-----w- c:\docume~1\lori\applic~1\Windows Live Writer
2010-03-31 00:06:11 332641 ----a-w- C:\MollyYoga.jpg
2010-03-31 00:05:39 153673 ----a-w- C:\wesley-owlet2.jpg
2010-03-30 14:26:00 32249 ----a-w- C:\eliza-lott-2.jpg
2010-03-30 14:25:51 27883 ----a-w- C:\eliza-lott.jpg
2010-03-30 14:25:41 32180 ----a-w- C:\mary-lott.jpg
2010-03-30 14:25:32 17874 ----a-w- C:\ann-lott.jpg
2010-03-30 14:24:47 27024 ----a-w- C:\martha-lemen-tomlinson.jpg
2010-03-30 14:24:29 31579 ----a-w- C:\mary-lemen.jpg
2010-03-30 14:24:15 32836 ----a-w- C:\gabriel-lemen.jpg
2010-03-30 14:09:17 89211 ----a-w- C:\jeffcrthouse_01.jpg
2010-03-29 21:08:09 91470 ----a-w- C:\food!.jpg
2010-03-29 21:03:32 101516 ----a-w- C:\who's-there.jpg
2010-03-29 16:57:40 103270 ----a-w- C:\molly-and-4.jpg
2010-03-29 16:57:24 96498 ----a-w- C:\molly2.jpg
2010-03-29 16:57:08 95612 ----a-w- C:\molly3.jpg
2010-03-29 16:56:52 95612 ----a-w- C:\Image1.jpg
2010-03-29 11:39:25 0 d-----w- c:\docume~1\lori\applic~1\Malwarebytes
2010-03-29 11:39:24 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 11:39:22 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 11:39:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-29 11:37:52 0 d-----w- C:\Malwarebytes.1.32
2010-03-29 11:30:42 68273 ----a-w- C:\win-net-security-error.jpg
2010-03-29 04:47:55 6509608 ----a-w- C:\RUBotted.exe
2010-03-29 04:45:15 0 d-----w- C:\TMRBLog
2010-03-29 04:45:09 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-29 04:45:09 0 d-----w- C:\log
2010-03-29 04:44:12 1074232 ----a-w- C:\RootkitBuster_2.80.1077.zip
2010-03-29 04:39:15 0 d-----w- C:\TrendMicro
2010-03-29 04:34:13 71963 ----a-w- C:\crack-me-up.gif
2010-03-29 04:30:59 1840232 ----a-w- C:\HousecallLauncher.exe
2010-03-29 03:44:50 66396 ----a-w- C:\4-owlets.jpg
2010-03-28 20:13:22 107015 ----a-w- C:\wesley-owlet.jpg
2010-03-28 19:21:05 0 d-----w- C:\Firefox3point6
2010-03-28 18:53:28 4592 ----a-w- C:\b4-firefox-removal.reg
2010-03-28 16:32:16 108862 ----a-w- C:\AustinM.jpg
2010-03-28 15:18:49 0 d-----w- c:\docume~1\alluse~1\applic~1\AlawarWrapper
2010-03-28 14:38:11 0 d-----w- C:\Defrag Registry
2010-03-28 02:10:30 223891 ----a-w- C:\egg-pip.jpg
2010-03-27 00:53:42 144100482 ----a-w- C:\C.W.Pro.2010.v10.0.5.163.Multilingual.Incl.Keymaker-CORE.rar
2010-03-26 23:27:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Gogii
2010-03-26 18:54:09 56337 ----a-w- C:\kb-acct.jpg
2010-03-26 17:45:06 224706 ----a-w- C:\flat-stanley.jpg
2010-03-26 17:20:54 66672 ----a-w- C:\h-w-secondary-ins.pdf
2010-03-26 17:13:22 15772 ----a-w- C:\cd-2-burn-3-26.roxio
2010-03-26 16:01:48 16384 ----a-w- C:\wayne-invest-payment.xls
2010-03-26 14:35:57 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-26 14:34:12 0 d-----w- C:\Firefox 3-6-2(2)
2010-03-25 13:06:11 153584 ----a-w- C:\max-pattison.jpg
2010-03-25 05:47:53 52432 ----a-w- C:\mcghee.jpg
2010-03-24 23:05:05 0 d-----w- c:\docume~1\lori\applic~1\Jetdogs Studios
2010-03-24 22:17:37 1811456 ----a-w- c:\windows\NetworkCfg.exe
2010-03-24 19:50:40 15015 ----a-w- C:\Just_Checking_v3.15_by_FFF.zip
2010-03-24 16:20:08 0 dc----w- c:\docume~1\alluse~1\applic~1\{35ACA973-70F0-495F-9092-74A130711865}
2010-03-24 14:17:41 44736 ----a-w- C:\anyplace-control-info.jpg
2010-03-24 14:12:43 0 d-----w- c:\documents and settings\all users\Anyplace Control 4
2010-03-24 14:06:39 0 d-----w- C:\Anyplace Control
2010-03-23 23:57:37 0 d-----w- c:\docume~1\lori\applic~1\Artifex Mundi
2010-03-23 16:09:59 295616 ----a-w- C:\Molly-FamilyMonday.jpg
2010-03-23 00:43:06 9855 ----a-w- C:\giant-caterpiller.jpg
2010-03-22 21:03:50 0 d-----w- c:\docume~1\alluse~1\applic~1\HiddenSecretsNightmare
2010-03-22 03:48:27 0 d-----w- C:\BadCopy_Pro_v4.10__Jufsoft_Build_1215
2010-03-22 01:23:00 2584093 ----a-w- C:\Weather Forecaster.zip
2010-03-21 15:24:49 23906 ----a-w- C:\frogsmiley.gif
2010-03-21 03:58:12 0 d-----w- C:\Viewsat
2010-03-20 19:15:55 97364760 ----a-w- C:\Ad-AwareInstaller.exe
2010-03-19 22:15:18 1916670 ----a-w- C:\brains.gif
2010-03-19 13:26:35 0 d-----w- c:\docume~1\lori\applic~1\EBookSys
2010-03-19 01:19:23 66710 ----a-w- C:\spring-is-coming.gif
2010-03-18 14:22:09 6876688 ----a-w- C:\Thunderbird Setup 2.0.0.24.exe
2010-03-18 13:47:13 9009352 ----a-w- C:\Thunderbird Setup 3.0.3.exe
2010-03-18 02:08:46 12764 ----a-w- C:\check-your-eggs.jpg
2010-03-17 03:35:31 0 d-----w- c:\docume~1\lori\applic~1\AzuazGames
2010-03-17 03:10:05 1960 ----a-w- C:\wells-fargo-refinance-fax-3-10.wpd
2010-03-16 15:15:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Nevosoft
2010-03-16 04:37:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Big Fish Games
2010-03-15 21:39:12 0 d-----w- c:\docume~1\lori\applic~1\Silverback Productions
2010-03-15 17:19:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Vampireville
2010-03-14 22:48:00 0 d-----w- c:\docume~1\lori\applic~1\QB9
2010-03-14 19:31:53 38904 ----a-w- C:\winver.jpg
2010-03-14 17:37:13 0 d-----w- c:\docume~1\lori\applic~1\Frogwares
2010-03-14 15:23:43 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-14 04:20:20 0 d-----w- c:\docume~1\lori\applic~1\DarkParablesBriarRose_BFG
2010-03-14 02:17:51 0 d-----w- c:\docume~1\lori\applic~1\DarkParablesRose_BFG_Survey
2010-03-13 15:56:34 11629915 ----a-w- C:\Shozam_download.exe
2010-03-13 15:22:59 0 d-----w- C:\Applets
2010-03-13 13:38:22 0 d-----w- C:\Firefox 3-6
2010-03-13 13:37:37 194086 ----a-w- C:\trojan.jpg
2010-03-12 22:22:03 0 d-----w- c:\docume~1\lori\applic~1\Artogon
2010-03-12 19:14:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-11 20:50:49 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-03-11 20:50:33 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-11 20:50:33 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-11 20:50:33 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-11 20:50:33 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-03-11 20:50:33 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-11 20:50:33 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-03-11 20:49:38 0 dc-h--w- c:\windows\ie8
2010-03-11 19:06:27 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-03-11 19:05:27 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-11 19:05:26 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-11 19:05:26 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-11 19:05:13 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-11 16:56:04 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-03-11 16:56:00 156672 -c--a-w- c:\windows\system32\dllcache\winzm.ime
2010-03-11 16:54:56 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-03-11 16:53:09 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-03-11 16:53:04 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-03-11 16:53:04 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-03-11 16:53:04 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-03-11 16:53:04 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-03-11 16:53:04 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-03-11 11:36:50 0 d-----w- c:\windows\Dell
2010-03-11 11:36:49 2145386496 ----a-w- c:\windows\MEMORY.DMP

==================== Find3M ====================

2010-03-12 19:14:08 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 19:13:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 19:13:45 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-03-11 16:52:12 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-01-27 15:48:41 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-14 21:59:51 4592 ----a-w- C:\reg-b4-acrobat8.reg

============= FINISH: 18:50:17.06 ===============
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am
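Added example (not code from DDS or from anyone in this thread): a small Python triage script for two sections of a DDS log like the one above, SERVICES / DRIVERS and Created Last 30. It pulls out service and driver entries that DDS could not match to a file on disk (an empty image path, or a marker in the trailing brackets instead of a date and size, as with cerc6 and vsmon above) and lists executables created under c:\windows in the last 30 days. The sample log text is constructed in the posted log's layout, and the function names and ServiceEntry/CreatedEntry fields are this example's own.

```python
"""Triage helpers for two DDS log sections: SERVICES / DRIVERS and Created Last 30.

Added example for this thread; not code from DDS or from the forum. SAMPLE_DDS is
constructed to mirror the layout of the posted log, and all names here are this
example's own.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the DDS layout (a handful of lines modelled on the posted log).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-10-13 184848]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-11-19 353672]
R2 APC-Host;APC-Host;c:\anyplace control\apc_host.exe [2010-3-18 498688]
S0 cerc6;cerc6; [x]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

============== File Associations ===============

txtfile=c:\notebook3\notebook.exe %1

=============== Created Last 30 ================

2010-04-05 11:52:08 0 d-sha-r- C:\cmdcons
2010-04-03 19:22:03 77312 ----a-w- c:\windows\MBR.exe
2010-03-29 11:39:24 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 22:17:37 1811456 ----a-w- c:\windows\NetworkCfg.exe
2010-03-14 15:23:43 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-11 16:53:04 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+\s*$")           # ===== Title =====
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
FILE_INFO_RE = re.compile(r"^\d{4}-\d{1,2}-\d{1,2} \d+$")  # "[date size]" trailer
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$")
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


@dataclass
class ServiceEntry:
    state: str      # R or S prefix, exactly as DDS prints it
    start: int      # start-type digit, exactly as DDS prints it
    name: str
    display: str
    image: str      # empty when DDS printed no image path
    trailer: str    # text inside the trailing [...]: "date size" or a marker such as x / ?

    def has_file_info(self) -> bool:
        """True when DDS recorded a date and size, i.e. it located the file."""
        return FILE_INFO_RE.match(self.trailer) is not None


@dataclass
class CreatedEntry:
    timestamp: str
    size: int
    attrs: str      # eight attribute flags; a leading d marks a directory
    path: str

    @property
    def is_directory(self) -> bool:
        return self.attrs.startswith("d")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the ===== Title ===== header above them."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_services(lines: List[str]) -> List[ServiceEntry]:
    entries = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, image, trailer = m.groups()
            entries.append(ServiceEntry(state, int(start), name, display, image, trailer))
    return entries


def services_without_file_info(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries with no image path, or a marker instead of a date and size: a registered
    service or driver with no file behind it is either an uninstall leftover or
    something the log reader should look at more closely."""
    return [e for e in entries if not e.image or not e.has_file_info()]


def parse_created(lines: List[str]) -> List[CreatedEntry]:
    entries = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            entries.append(CreatedEntry(ts, int(size), attrs, path))
    return entries


def recent_executables_in_windows_dir(entries: List[CreatedEntry],
                                      windows_dir: str = "c:\\windows\\") -> List[str]:
    """Executable code created under the Windows directory: a review list, not a verdict."""
    hits = []
    for e in entries:
        if e.is_directory:
            continue
        ext = os.path.splitext(e.path)[1].lower()
        if ext in EXECUTABLE_EXTS and e.path.lower().startswith(windows_dir):
            hits.append(e.path)
    return hits


if __name__ == "__main__":
    sections = split_sections(SAMPLE_DDS)
    for e in services_without_file_info(parse_services(sections["SERVICES / DRIVERS"])):
        print(f"no file info: {e.state}{e.start} {e.name} [{e.trailer}]")
    for path in recent_executables_in_windows_dir(parse_created(sections["Created Last 30"])):
        print(f"new executable: {path}")
```

The executable list is only a starting point for whoever reads the log. Run over the posted log it would also list the helper files ComboFix itself drops into c:\windows (MBR.exe, sed.exe, PEV.exe, SWREG.exe, all created at 2010-04-03 19:22), so the interpretation stays with the person doing the triage.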

Re: Firefox AND IE hijacked.

Unread postby km2357 » April 5th, 2010, 7:48 pm

Registry Cleaners + "Tweak" Tools

Re. Registry Defragmentation

I don't personally recommend the use of ANY Registry Cleaners or "Tweak" Tools

They are marketed as ways to make your machine run faster and more efficiently ...... Some will actually achieve this .... IF you know how to use them correctly.
Removing "Orphaned/Old/Obsolete" registry entries is fine ..... as long as they actually are "Orphaned/Old/Obsolete", it won't speed up your machine though
Stopping services and setting policies can speed up your machine ..... as long as you stop and set the right ones, and even then it's debatable if you will notice the improvement.

Remove the wrong registry entry, or stop the wrong service, and not only can you slow your machine .... you could kill it !

To use a Registry Cleaner or "Tweak" tool to its full advantage, you really need to know what it is they are doing and what else the changes may affect.
In short, if you know how to use them safely ----- you don't actually need them.

discussion on regcleaners >> http://forums.whatthetech.com/Regcleaner_t42862.html
And for more good information see what Miekiemoes has to say >> http://miekiemoes.blogspot.com/2008/02/ ... ng_13.html


Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u19.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:
      Java(TM) 6 Update 3
      Java(TM) 6 Update 13


  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.



Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


Post the MalwareBytes' Log in your next post/reply.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 5th, 2010, 9:22 pm

Registry Defragmentation removed.

Java removed and newest version installed.

MalWareBytes log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/5/2010 9:20:28 PM
mbam-log-2010-04-05 (21-20-28).txt

Scan type: Quick scan
Objects scanned: 110494
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\LREC75DND7 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\E8WECRKKMV (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



km2357 wrote:Registry Cleaners + "Tweak" Tools

Re. Registry Defragmentation

I don't personally recommend the use of ANY Registry Cleaners or "Tweak" Tools

They are marketed as ways to make your machine run faster and more efficiently ...... Some will actually achieve this .... IF you know how to use them correctly.
Removing "Orphaned/Old/Obsolete" registry entries is fine ..... as long as they actually are "Orphaned/Old/Obsolete", it won't speed up your machine though
Stopping services and setting policies can speed up your machine ..... as long as you stop and set the right ones, and even then it's debatable if you will notice the improvement.

Remove the wrong registry entry, or stop the wrong service, and not only can you slow your machine .... you could kill it !

To use a Registry Cleaner or "Tweak" tool to its full advantage, you really need to know what it is they are doing and what else the changes may affect.
In short, if you know how to use them safely ----- you don't actually need them.

discussion on regcleaners >> http://forums.whatthetech.com/Regcleaner_t42862.html
And for more good information see what Miekiemoes has to say >> http://miekiemoes.blogspot.com/2008/02/ ... ng_13.html


Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u19.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:
      Java(TM) 6 Update 3
      Java(TM) 6 Update 13


  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.



Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


Post the MalwareBytes' Log in your next post/reply.
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am
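Added example (not code from Malwarebytes or from anyone in this thread): a Python parser for the Malwarebytes' Anti-Malware 1.x text log, of the kind posted above. It reads the per-section counts, collects each detected item with its threat name and recorded action, lists the items still marked "No action taken" (the state the log above was posted in, before the two registry keys were removed) and checks that the declared counts agree with the items actually listed. The sample log is constructed in the same layout, with one made-up file path under C:\EXAMPLE; the function and field names are this example's own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and report what still needs doing.

Added example for this thread, not code from Malwarebytes or from the forum. The
sample log is constructed in the layout of the posted logs; all names are this
example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: same layout as the posted logs, with one item already handled,
# two left as "No action taken", and a made-up file path under C:\EXAMPLE.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Scan type: Quick scan
Objects scanned: 110494

Memory Processes Infected: 0
Registry Keys Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\LREC75DND7 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\E8WECRKKMV (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\EXAMPLE\constructed-sample.exe (Trojan.FakeAlert) -> No action taken.
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")     # "Registry Keys Infected: 2"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Registry Keys Infected:"
ITEM_RE = re.compile(r"^(.+) \(([^()]+)\) -> (.+?)\.?$")     # "<object> (<threat>) -> <action>."


@dataclass
class Detection:
    section: str   # log section the item was listed under
    obj: str       # registry key, file, folder, process or module
    threat: str    # detection name in parentheses
    action: str    # text after "->", trailing period removed


@dataclass
class MbamReport:
    counts: Dict[str, int] = field(default_factory=dict)
    items: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """Walk the log once: summary counts first, then the per-section item lists."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            report.counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section is not None:   # "(No malicious items detected)" never matches ITEM_RE
            report.items.append(Detection(section, m.group(1), m.group(2), m.group(3)))
    return report


def items_needing_action(report: MbamReport) -> List[Detection]:
    """Detections the user only viewed; nothing has been removed for these yet."""
    return [d for d in report.items if d.action.lower() == "no action taken"]


def count_mismatches(report: MbamReport) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from the number of items listed,
    as (declared, listed); a truncated paste shows up here."""
    listed: Dict[str, int] = {}
    for d in report.items:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {sec: (n, listed.get(sec, 0))
            for sec, n in report.counts.items() if n != listed.get(sec, 0)}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_MBAM_LOG)
    for d in items_needing_action(rep):
        print(f"still present: {d.obj} ({d.threat})")
    for sec, (declared, listed) in count_mismatches(rep).items():
        print(f"count mismatch in {sec}: declared {declared}, listed {listed}")
```

A helper reading a pasted log wants exactly these two checks: whether every detection has actually been actioned, and whether the paste is complete. A non-empty result from `count_mismatches` usually means lines were lost in copying rather than anything about the machine.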

Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 6th, 2010, 9:08 am

I deleted the 2 infected files and here is the final MalWare log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/6/2010 9:07:25 AM
mbam-log-2010-04-06 (09-07-25).txt

Scan type: Quick scan
Objects scanned: 110494
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\LREC75DND7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\E8WECRKKMV (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
GrannyGrump
Regular Member
 
Posts: 19
Joined: March 29th, 2010, 12:11 am

Re: Firefox AND IE hijacked.

Unread postby km2357 » April 6th, 2010, 2:38 pm

Your version of Adobe Acrobat Reader is out of date. Open up Adobe Reader, then click Help then click Check for Updates. Once Adobe Reader is done checking for updates, have it download and install the update for Adobe Acrobat Reader 9.3.1


Step # 1: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. How is your computer doing, any problems?
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 7th, 2010, 6:23 pm

km2357 wrote:Your version of Adobe Acrobat Reader is out of date. Open up Adobe Reader, then click Help then click Check for Updates. Once Adobe Reader is done checking for updates, have it download and install the update for Adobe Acrobat Reader 9.3.1


Step # 1: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. How is your computer doing, any problems?


I don't use Acrobat Reader, but when I went to the site to update my reader, the version available is 9.3, which is what I already have.


1. Kaspersky Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, April 7, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, April 06, 2010 08:52:57
Records in database: 3914280
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 242587
Threats found: 7
Infected objects found: 8
Suspicious objects found: 14
Scan duration: 03:50:56


File name / Threat / Threats count
C:\Documents and Settings\Lori\Application Data\Sun\Java\Deployment\cache\6.0\42\484f342a-5777c108 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\Lori\Application Data\Thunderbird\Profiles\4cf4jz9f.default\Mail\Local Folders\Inbox Infected: Trojan-Downloader.HTML.Agent.bp 1
C:\Documents and Settings\Lori\Application Data\Thunderbird\Profiles\4cf4jz9f.default\Mail\mail.bigoaks.org\Auctions - Stores Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\Lori\Application Data\Thunderbird\Profiles\4cf4jz9f.default\Mail\mail.bigoaks.org\Inbox Infected: Trojan-Downloader.HTML.Agent.bp 1
C:\Documents and Settings\Lori\Application Data\Thunderbird\Profiles\4cf4jz9f.default\Mail\mail.bigoaks.org\Misc Infected: not-a-virus:PSWTool.Win32.AdvancedPR.af 1
C:\Documents and Settings\Lori\Application Data\Thunderbird\Profiles\4cf4jz9f.default\Mail\mail.loricase-4.com\BOCS.sbd\Auctions - Stores Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\Lori\Application Data\Thunderbird\Profiles\4cf4jz9f.default\Mail\mail.loricase-4.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 7
C:\Documents and Settings\Lori\Application Data\Thunderbird\Profiles\4cf4jz9f.default\Mail\mail.loricase-4.com\Misc Infected: not-a-virus:PSWTool.Win32.AdvancedPR.af 1
C:\Documents and Settings\Lori\Application Data\Thunderbird\Profiles\4cf4jz9f.default\Mail\mail.loricase-4.com\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00003ae4.tmp.vir Infected: Packed.Win32.Krap.aq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00007775.tmp.vir Suspicious: Packed.Win32.Morphine.a 1

Selected area has been scanned.

Critical Area scan showed everything was good, all zeros.


2. Computer is doing fine...the first things you had me do corrected the problem with the browsers :)
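The scan report above lists hits in three very different places, and km2357's follow-up treats them differently: the Qoobox entries are ComboFix's own quarantine, the Java entry is a cached applet, and the Thunderbird entries are phishing messages sitting inside mbox mail folders. The following Python script is an added example, not code from the thread or from Kaspersky, that parses report lines in this format and buckets each hit by its container so the right cleanup step is obvious. The report text in it is constructed: the user name, profile name and mail server are placeholders, and the last line uses the benign EICAR test file instead of a real malware name.

```python
"""Triage a Kaspersky Online Scanner 7.0 'scan report' by where each hit lives."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in the scanner's report format (user name, profile id
# and mail server are placeholders; the last line is the benign EICAR test
# file so that a 'live' hit can be shown without naming real malware).
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\42\484f342a-5777c108 Infected: Trojan-Downloader.Java.Agent.al 1
C:\Documents and Settings\User\Application Data\Thunderbird\Profiles\abcd1234.default\Mail\Local Folders\Inbox Infected: Trojan-Downloader.HTML.Agent.bp 1
C:\Documents and Settings\User\Application Data\Thunderbird\Profiles\abcd1234.default\Mail\mail.example.org\Auctions - Stores Suspicious: Trojan-Spy.HTML.Fraud.gen 7
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\00003ae4.tmp.vir Infected: Packed.Win32.Krap.aq 1
C:\Temp\eicar.com Infected: EICAR-Test-File 1

Selected area has been scanned.
"""

# One finding line: <path> <Infected|Suspicious>: <threat name> <count>
# The path may contain spaces, so it is matched non-greedily up to the verdict.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


class Finding(NamedTuple):
    path: str
    verdict: str
    threat: str
    count: int


def parse_report(text: str) -> List[Finding]:
    """Return every finding line in the report; header and footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return findings


def classify(path: str) -> str:
    """Bucket a hit by its container, which decides the cleanup action."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"   # ComboFix quarantine; removed by ComboFix /Uninstall
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"    # cleared from the Java Control Panel
    if "\\thunderbird\\profiles\\" in p and "\\mail\\" in p:
        return "mail_store"    # mbox file: delete the messages, then compact the folder
    return "live_file"         # anything else is still on disk and needs real attention


def triage_report(text: str) -> Dict[str, List[Finding]]:
    """Group all findings by bucket name."""
    buckets: Dict[str, List[Finding]] = defaultdict(list)
    for f in parse_report(text):
        buckets[classify(f.path)].append(f)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, hits in triage_report(SAMPLE_REPORT).items():
        total = sum(h.count for h in hits)
        print(f"{bucket}: {len(hits)} object(s), {total} detection(s)")
        for h in hits:
            print(f"  {h.verdict:10} {h.threat:40} {h.path}")
```

Run it as-is to see the buckets for the sample, or pass a saved report's text to triage_report. One caveat for the mail-store bucket: each Thunderbird folder is a single mbox file, so a message deleted from the Inbox is only marked deleted until the folder is compacted (File > Compact Folders); until then a rescan can still flag the same file.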

Re: Firefox AND IE hijacked.

Unread postby km2357 » April 8th, 2010, 12:42 am

Good to hear that the computer is running fine. :)

Kaspersky found some files in the Qoobox folder which is where ComboFix keeps its quarantined files. I'll show you how to remove those and ComboFix in an upcoming post.

I'd like for you to open Thunderbird and delete any e-mails in the Inbox that you no longer need. Also, delete all the e-mails in the Junk/Spam/Bulk/Trash folder.


Step # 1 Clear Java's Cache

Click Start > Control Panel

  • Double-click the Java icon in the control panel. (coffeecup icon)
  • Click Settings under Temporary Internet Files.

    -The Temporary Files Settings dialog box appears.
  • Click Delete Files.

    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
  • Delete Files
  • View Applications
  • View Applets

Click OK on Delete Temporary Files window.

-Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on Temporary Files Settings window.
Close the Java Control Panel

You can view those instructions along with graphics here

Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 8th, 2010, 9:38 am

Emails deleted or relocated to various folders.

Java Cache cleared.

Re: Firefox AND IE hijacked.

Unread postby km2357 » April 8th, 2010, 2:29 pm

If there are no more problems, then you are good to go. :)

You can reenable AVG and ZoneAlarm

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
SysProt.zip
SysProt.exe
The SysProt Log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  5. When all these settings have been made, click on the OK button.
  6. If it asks you if you want to save the settings, press the Yes button.
  7. Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked, please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of Windows has a hosts file. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button on the task bar at the bottom of your screen
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then doubleclick it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click OK.
  • Use an alternative instant messenger program. Trillian and Miranda IM are malware-free instant messenger programs which allow you to connect to multiple IM services in one program (AOL, Yahoo, ICQ, IRC, MSN).
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
    Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miek ... ntion.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
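The hosts-file advice in the post above cuts both ways: the same file that can block ad and malware domains is also a favourite hijack point, because an entry that maps a vendor's update site to an attacker-chosen address silently redirects it. The script below is an added example, not code from the post or from MVPS, that parses a hosts file and separates blocklist entries (targets of 0.0.0.0, 127.0.0.1 or ::1) from redirections to any other address. The sample file is constructed: its redirect target 192.0.2.10 is documentation address space and the host names are placeholders standing in for the vendor and update domains a hijacker typically redirects.

```python
"""Audit a Windows hosts file: count blocklist entries and flag name-to-address
mappings that point anywhere other than a local address."""
import ipaddress
import os
from typing import Dict, List, NamedTuple

# Constructed sample: the default localhost line, two MVPS-style block
# entries, and two entries of the kind a hijacker plants (target 192.0.2.10
# is RFC 5737 documentation space; the names are placeholders).
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example.net          # blocklist entry
0.0.0.0  tracker.example.org
192.0.2.10  update.example.com    # hijack: a real site sent to another host
192.0.2.10  av-vendor.example.net
"""

# Targets that make an entry a block rather than a redirect.
LOCAL_TARGETS = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


class HostsEntry(NamedTuple):
    address: str
    names: tuple
    line_no: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return one entry per valid mapping line; comments and malformed lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing and whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # not an address; the resolver ignores such lines too
        entries.append(HostsEntry(parts[0], tuple(parts[1:]), n))
    return entries


def audit_hosts(text: str) -> Dict[str, List[HostsEntry]]:
    """Split entries into blocklist lines and redirections to a non-local address."""
    report: Dict[str, List[HostsEntry]] = {"block_entries": [], "redirects": []}
    for e in parse_hosts(text):
        if ipaddress.ip_address(e.address) in LOCAL_TARGETS:
            # the stock localhost line is neither a block nor a redirect
            names = [h for h in e.names if h.lower() not in LOCALHOST_NAMES]
            if names:
                report["block_entries"].append(e)
        else:
            report["redirects"].append(e)
    return report


if __name__ == "__main__":
    # Default Windows location (assumed); falls back to the sample elsewhere.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    result = audit_hosts(text)
    print(f"{len(result['block_entries'])} blocklist entries")
    for e in result["redirects"]:
        print(f"line {e.line_no}: {' '.join(e.names)} -> {e.address}  (review this)")
```

On a real machine the script reads %SystemRoot%\System32\drivers\etc\hosts (the default location, assumed here). An entry in the redirects bucket is not automatically bad, since an intranet host name mapped to an internal address is legitimate, but each one deserves a look, and anything that sends a security vendor's or Windows Update's name elsewhere is a hijack. The DNS Client service tweak in the post is a separate matter: that service caches the whole hosts file, which is what makes a very large blocklist slow, and stopping it changes nothing about which entries are in the file.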

Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 8th, 2010, 8:54 pm

km2357 wrote:If there are no more problems, then you are good to go. :)

I am answering inside your text, in purple, because this post is long and I want to make sure you see everything I am answering or any questions I might ask....I hope this way doesn't offend you.


You can reenable AVG and ZoneAlarm

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
SysProt.zip
SysProt.exe
The SysProt Log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.

Will do!



Please take the time to read my All Clean Post.

I assume a search for that thread will locate this?


Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.

There are infected restore points on my external hard drive...is it possible to do this also with that drive?


Make your Internet Explorer more secure This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  5. When all these settings have been made, click on the OK button.
  6. If it asks you if you want to save the settings, press the Yes button.
  7. Next press the Apply button and then the OK to exit the Internet Properties page.

I only use IE for one site...should I still do all the above for IE?


Set correct settings for files that should be hidden in Windows XP

May I ask why these need to be hidden? Hiding files doesn't prevent nasties from infecting the files does it? Not being a smart A-- here, just curious...I know a lot of people could potentially screw up their computers by having the 'hidden' files visible.

  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked, please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  • Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

    I use AVG and updates are done daily.

  • Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    Updates are done automatically on my system...should I still go to the site and check for new updates?

  • Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware

    Is this something I really need to do since I don't use IE?

  • Use the hosts file: Every version of Windows has a hosts file. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button on the task bar at the bottom of your screen
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then doubleclick it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click OK.
  • Use an alternative instant messenger program. Trillian and Miranda IM are malware-free instant messenger programs which allow you to connect to multiple IM services in one program (AOL, Yahoo, ICQ, IRC, MSN).

    Thanks, but I don't do the IM scene, so don't think this is something I need at this point in time. I will keep this info for future reference should I give in and start using IM :)

  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet

    I will.

  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
    Opera.
    If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.

    My Firefox checks and tells me when there is a new update.

  • Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

    I usually do all program updates...but some of the newer versions I hate, so end up going back to an older one. Guess I need to grit my teeth and use the new versions.....

  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

I will read this site too.


Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miek ... ntion.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.

Please answer my question about the external hard drive before we close this thread?

I never could see anywhere to choose drives when I ran all these programs as you said what and when to do them.

Thank you so much for being so patient and also very good at instructing me on this clean-up operation!!


Re: Firefox AND IE hijacked.

Unread postby GrannyGrump » April 8th, 2010, 9:13 pm

km2357 wrote:
You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
SysProt.zip
SysProt.exe
The SysProt Log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK


What about the file to install the windows recovery console and ATF Cleaner program?

ComboFix is not listed in my Control Panel - Add/Remove ....so do I simply delete that file from my desktop?

And also, you said you would tell me how to delete the quarantined files in qoobox ?

Re: Firefox AND IE hijacked.

Unread postby km2357 » April 9th, 2010, 12:44 am

I am answering inside your text, in purple, because this post is long and I want to make sure you
see everything I am answering or any questions I might ask....I hope this way doesn't offend you.


It's no problem. :)


I assume a search for that thread will locate this?


I'm confused. Do you mean a search of this thread will locate my "All-Clean" Post? My All-Clean speech is everything starting with Please follow these simple steps in order to keep your computer clean and secure: to Please reply one last time so that I know you have read my post and this thread can be closed. in my previous post.


There are infected restore points on my external hard drive...is it possible to do this also with that drive?


You should be able to clean out the infected System Restore points on your external hard drive. Plug in your external Hard Drive and do the removing bad System Restore points and setting a new one process and instead of selecting the C: Drive, make sure the Drive letter of your external Hard Drive is selected.


I only use IE for one site...should I still do all the above for IE?


Yes, you want IE (even though you only use it for one site) to be protected as much as possible.

May I ask why these need to be hidden? Hiding files doesn't prevent nasties from infecting the files does it? Not being a smart A-- here, just curious...I know a lot of people could potentially screw up their computers by having the 'hidden' files visible.


Hiding files doesn't prevent malware from infecting them. Hiding files is so that computer users don't delete or mess with any important system files. A precaution, that's all. :)

Is this something I really need to do since I don't use IE?


I would still download and install SpywareBlaster on your computer. It will help protect both IE and Firefox from malicious ActiveX and block bad websites from loading on your browser.

Updates are done automatically on my system...should I still go to the site and check for new updates?


I would still check Windows Update from time to time to make sure you always have the latest updates for your computer.

What about the file to install the windows recovery console and ATF Cleaner program?


You can go ahead and delete the Recovery Console setup file and I would keep ATF Cleaner on your computer. You can use it every 2 weeks or so to help keep your computer tidy and clean the junk off of it.

ComboFix is not listed in my Control Panel - Add/Remove ....so do I simply delete that file from my desktop?


Did you do the following yet?:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Doing that will uninstall ComboFix and delete ComboFix.exe off of your computer.

And also, you said you would tell me how to delete the quarantined files in qoobox ?


When you uninstall/remove ComboFix, that also removes the qoobox folder from your computer.