Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijacked browser.


Re: Hijacked browser.

Unread postby FatBoy » March 10th, 2009, 6:27 pm

ComboFix 09-03-10.01 - Milan 2009-03-10 18:13:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2948 [GMT -4:00]
Running from: c:\documents and settings\Milan\Desktop\Combo-Fix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: CA Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\quadraserv.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxtxinardd.dll
c:\windows\system32\tmp.reg
c:\windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_QUADRASERV.SYS
-------\Legacy_QUADRASERV.SYS
-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.

2009-03-08 16:30 . 2009-03-08 17:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 16:30 . 2009-03-08 16:30 <DIR> d-------- c:\documents and settings\Milan\Application Data\Malwarebytes
2009-03-08 16:30 . 2009-03-08 16:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-03-08 16:30 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 16:30 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 01:13 . 2009-03-08 01:13 <DIR> d-------- c:\program files\Trend Micro
2009-03-07 00:30 . 2009-03-08 00:13 <DIR> d-------- C:\spywarebegone
2009-03-07 00:30 . 2009-03-07 00:29 737,280 --a------ c:\windows\iun6002.exe
2009-03-07 00:30 . 2009-03-07 00:30 170 --a------ c:\windows\spywarebegone-fullversion-installed.html
2009-02-25 23:55 . 2009-02-25 23:55 <DIR> d-------- c:\windows\Cache
2009-02-25 23:55 . 2009-02-25 23:55 <DIR> d-------- c:\program files\Coupons
2009-02-25 23:55 . 2009-02-25 23:55 202,072 -ra------ c:\windows\system32\cpnprt2.cid
2009-02-20 14:30 . 2009-02-20 14:30 <DIR> d-------- c:\documents and settings\Milan\Application Data\HP
2009-02-20 14:28 . 2009-02-20 14:28 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\HPSSUPPLY
2009-02-20 14:27 . 2009-03-08 17:14 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\HP
2009-02-20 14:26 . 2009-02-20 14:26 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-02-20 14:25 . 2009-02-20 14:25 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Hewlett-Packard
2009-02-20 14:25 . 2007-10-25 11:38 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2009-02-20 14:25 . 2007-10-25 11:38 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2009-02-20 14:24 . 2007-10-25 11:38 675,840 -ra------ c:\windows\system32\hpowiax4.dll
2009-02-20 14:24 . 2007-10-25 11:38 569,344 -ra------ c:\windows\system32\hpotscl4.dll
2009-02-20 14:24 . 2007-10-25 11:38 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2009-02-20 14:24 . 2007-10-25 11:38 309,760 -ra------ c:\windows\system32\difxapi.dll
2009-02-20 14:24 . 2007-10-25 11:38 294,912 -ra------ c:\windows\system32\hpovst11.dll
2009-02-20 14:24 . 2007-10-25 11:35 258,048 -ra------ c:\windows\system32\hpzids01.dll
2009-02-20 14:24 . 2007-10-29 18:14 117,760 --a------ c:\windows\system32\hpzll4xl.dll
2009-02-20 14:24 . 2007-10-25 11:38 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
2009-02-20 14:22 . 2009-02-20 14:22 <DIR> d-------- c:\windows\zhenghe2
2009-02-20 14:22 . 2009-03-09 16:40 <DIR> d-------- c:\program files\HP
2009-02-20 14:20 . 2009-02-20 14:10 144,011 --------- c:\windows\hpwins16.dat.temp
2009-02-20 14:20 . 2007-10-24 23:00 1,162 --------- c:\windows\hpwmdl16.dat.temp
2009-02-20 14:10 . 2009-02-20 14:10 <DIR> d-------- C:\a95b406f714086ff71e7
2009-02-19 18:51 . 2009-02-19 18:51 25 --a------ c:\windows\cdplayer.ini
2009-02-19 08:26 . 2009-02-19 08:26 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-19 08:26 . 2009-02-19 08:26 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-18 18:56 . 2009-02-18 18:57 <DIR> d-------- c:\documents and settings\Milan\Application Data\Roxio
2009-02-18 17:36 . 2009-02-18 17:37 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-02-18 16:03 . 2009-02-18 16:03 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\InstallShield
2009-02-18 16:02 . 2009-02-18 16:02 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Sonic
2009-02-18 16:00 . 2006-07-21 12:21 99,176 --a------ c:\windows\system32\drivers\DRVMCDB.SYS
2009-02-18 16:00 . 2006-08-18 14:17 92,920 --a------ c:\windows\DLA.EXE
2009-02-18 16:00 . 2006-08-18 14:17 56,056 --a------ c:\windows\system32\DLAAPI_W.DLL
2009-02-18 16:00 . 2006-08-11 12:05 51,768 --a------ c:\windows\system32\drivers\DRVNDDM.SYS
2009-02-18 16:00 . 2006-08-11 11:35 28,184 --a------ c:\windows\system32\drivers\DLARTL_M.SYS
2009-02-18 16:00 . 2006-08-11 11:35 12,920 --a------ c:\windows\system32\drivers\DLACDBHM.SYS
2009-02-18 16:00 . 2009-02-18 16:07 166 --a------ c:\windows\wininit.ini
2009-02-18 11:56 . 2009-02-18 11:56 400,569,600 --a------ c:\windows\system32\xa3963906.exe
2009-02-18 11:56 . 2009-02-18 11:56 400,569,600 --a------ c:\windows\system32\xa3932828.exe
2009-02-18 11:43 . 2009-02-18 11:43 400,569,600 --a------ c:\windows\system32\xa3198234.exe
2009-02-18 11:43 . 2009-02-18 11:43 400,569,600 --a------ c:\windows\system32\xa3165953.exe
2009-02-18 11:32 . 2009-02-18 13:28 <DIR> d-------- c:\program files\Nero 9
2009-02-18 11:28 . 2009-02-18 11:28 400,569,600 --a------ c:\windows\system32\xa2257796.exe
2009-02-18 11:27 . 2009-02-18 11:28 400,569,600 --a------ c:\windows\system32\xa2222406.exe
2009-02-17 23:34 . 2009-02-17 23:34 400,569,600 --a------ c:\windows\system32\xa844265.exe
2009-02-17 23:34 . 2009-02-17 23:34 400,569,600 --a------ c:\windows\system32\xa805437.exe
2009-02-17 23:25 . 2009-02-17 23:25 400,569,600 --a------ c:\windows\system32\xa287484.exe
2009-02-17 23:24 . 2009-02-17 23:25 400,569,600 --a------ c:\windows\system32\xa247468.exe
2009-02-17 23:10 . 2009-02-17 23:10 400,569,600 --a------ c:\windows\system32\xa56818296.exe
2009-02-17 23:08 . 2009-02-17 23:10 400,569,600 --a------ c:\windows\system32\xa56668609.exe
2009-02-13 22:01 . 2009-02-13 22:01 376 --a------ c:\windows\ODBC.INI
2009-02-13 20:03 . 2009-02-13 20:03 344,064 --a------ C:\dfggdft.exe
2009-02-13 00:12 . 2009-02-13 00:12 400,569,600 --a------ c:\windows\system32\xa103680593.exe
2009-02-13 00:11 . 2009-02-13 00:12 400,569,600 --a------ c:\windows\system32\xa103643125.exe
2009-02-12 21:51 . 2009-02-12 21:54 <DIR> d-------- c:\documents and settings\Milan\Application Data\vlc
2009-02-12 21:48 . 2009-02-12 21:48 <DIR> d-------- c:\program files\VideoLAN
2009-02-12 21:10 . 2009-02-12 21:10 400,569,600 --a------ c:\windows\system32\xa92755890.exe
2009-02-12 21:09 . 2009-02-12 21:10 400,569,600 --a------ c:\windows\system32\xa92717984.exe
2009-02-11 22:57 . 2009-02-11 22:57 400,569,600 --a------ c:\windows\system32\xa12831265.exe
2009-02-11 22:57 . 2009-02-11 22:57 400,569,600 --a------ c:\windows\system32\xa12810187.exe
2009-02-11 22:41 . 2009-02-11 22:41 400,569,600 --a------ c:\windows\system32\xa11863468.exe
2009-02-11 22:40 . 2009-02-11 22:40 400,569,600 --a------ c:\windows\system32\xa11773843.exe
2009-02-11 22:39 . 2009-02-11 22:41 400,569,600 --a------ c:\windows\system32\xa11694703.exe
2009-02-11 22:37 . 2009-02-11 22:40 400,569,600 --a------ c:\windows\system32\xa11598328.exe
2009-02-11 22:37 . 2009-02-11 22:37 400,569,600 --a------ c:\windows\system32\xa11581765.exe
2009-02-11 22:37 . 2009-02-11 22:36 400,569,600 --a------ c:\windows\system32\xa11573828.exe
2009-02-11 22:36 . 2009-02-11 22:37 400,569,600 --a------ c:\windows\system32\xa11542468.exe
2009-02-11 22:36 . 2009-02-11 22:36 400,569,600 --a------ c:\windows\system32\xa11541687.exe
2009-02-11 22:03 . 2009-02-11 22:03 400,569,600 --a------ c:\windows\system32\xa9587968.exe
2009-02-11 22:03 . 2009-02-11 22:03 400,569,600 --a------ c:\windows\system32\xa9577062.exe
2009-02-11 21:49 . 2009-02-11 21:49 400,569,600 --a------ c:\windows\system32\xa8752765.exe
2009-02-11 21:49 . 2009-02-11 21:49 400,569,600 --a------ c:\windows\system32\xa8728687.exe
2009-02-11 21:48 . 2009-02-11 21:48 400,569,600 --a------ c:\windows\system32\xa8674671.exe
2009-02-11 21:48 . 2009-02-11 21:48 400,569,600 --a------ c:\windows\system32\xa8662000.exe
2009-02-11 21:15 . 2009-02-11 21:15 400,569,600 --a------ c:\windows\system32\xa6674828.exe
2009-02-11 21:15 . 2009-02-11 21:15 400,569,600 --a------ c:\windows\system32\xa6661171.exe
2009-02-11 18:53 . 2009-02-16 23:12 <DIR> d-------- c:\documents and settings\Milan\Application Data\Tunebite
2009-02-11 17:39 . 2009-02-11 17:39 <DIR> d-------- c:\program files\PixiePack Codec Pack
2009-02-11 17:37 . 2009-02-11 17:37 <DIR> d-------- c:\program files\RapidSolution
2009-02-11 17:37 . 2009-02-11 19:31 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\RapidSolution
2009-02-11 16:59 . 2009-02-11 17:02 <DIR> d-------- c:\documents and settings\Milan\Application Data\Media Player Classic
2009-02-11 16:50 . 2009-02-11 16:50 <DIR> d-------- C:\AgoodOutput
2009-02-11 16:48 . 2009-02-11 17:15 <DIR> d-------- c:\program files\Agood All to AVI MPEG WMV MOV DVD Converter Free
2009-02-11 16:48 . 2009-02-11 16:48 34 --ah----- c:\windows\system32\Converter_sysquict.dat
2009-02-10 17:59 . 2009-02-10 17:59 <DIR> d-------- c:\documents and settings\Milan\Application Data\NeroDigital(TM)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 22:19 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k7
2009-03-10 22:19 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k6
2009-03-10 22:19 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k5
2009-03-10 22:19 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k4
2009-03-10 22:19 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k3
2009-03-10 22:19 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k2
2009-03-10 22:19 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k1
2009-03-10 22:19 104,980 ----a-w c:\windows\system32\drivers\kmxcfg.u2k0
2009-03-10 12:35 --------- d-----w c:\documents and settings\Milan\Application Data\CallingID
2009-03-06 01:04 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-19 12:26 --------- d-----w c:\program files\Java
2009-02-18 21:36 --------- d-----w c:\program files\NOS
2009-02-18 20:02 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-02-18 20:01 --------- d-----w c:\program files\Common Files\SureThing Shared
2009-02-18 16:04 241,665 ---ha-w c:\windows\Cursors\NOGOOD.exe
2009-02-17 02:54 --------- d-----w c:\program files\DVD Shrink
2009-02-15 00:28 --------- d-----w c:\program files\uTorrent
2009-02-14 04:58 --------- d-----w c:\documents and settings\Milan\Application Data\uTorrent
2009-02-12 03:07 --------- d-----w c:\program files\Nero
2009-02-09 17:56 --------- d-----w c:\documents and settings\Milan\Application Data\GlarySoft
2009-02-09 17:53 --------- d-----w c:\program files\Glary Utilities
2009-02-09 17:12 --------- d-----w c:\documents and settings\Milan\Application Data\Uniblue
2009-02-09 02:09 --------- d-----w c:\documents and settings\Milan\Application Data\Nero
2009-02-09 00:57 --------- d-----w c:\program files\Common Files\Nero
2009-02-09 00:52 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-09 00:36 --------- d-----w c:\program files\Windows Sidebar
2009-02-09 00:29 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Nero
2009-02-09 00:26 --------- d-----w c:\documents and settings\Milan\Application Data\Winamp
2009-02-09 00:19 --------- d-----w c:\program files\Common Files\Adobe
2009-02-09 00:11 --------- d-----w c:\program files\Winamp
2009-02-08 23:18 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\DVD Shrink
2009-02-08 22:51 --------- d-----w c:\program files\Common Files\AVSMedia
2009-02-08 22:49 --------- d-----w c:\documents and settings\Milan\Application Data\AVS4YOU
2009-02-08 22:48 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AVS4YOU
2009-02-08 03:49 --------- d-----w c:\documents and settings\Milan\Application Data\CyberLink
2009-02-08 03:44 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\CyberLink
2009-02-08 03:08 --------- d-----w c:\program files\MSI
2009-02-08 03:07 --------- d-----w c:\documents and settings\Milan\Application Data\InterTrust
2009-02-08 02:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 02:53 --------- d-----w c:\program files\CyberLink
2009-02-08 02:50 --------- d-----w c:\program files\Lexmark X5100 Series
2009-02-08 02:48 --------- d-----w c:\program files\ABBYY FineReader 5.0 Sprint
2009-02-08 02:47 --------- d-----w c:\program files\FaxTools
2009-02-08 02:47 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2009-02-08 01:56 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\WinZip
2009-02-08 00:59 --------- d-----w c:\program files\LIVEUPDATE
2009-02-08 00:54 --------- d-----w c:\program files\AMT
2009-02-07 22:34 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-02-07 22:02 315,392 ----a-w c:\windows\HideWin.exe
2009-02-07 22:02 --------- d-----w c:\program files\Realtek
2009-02-07 21:44 880,560 ----a-w c:\windows\system32\drivers\vetefile.sys
2009-02-07 21:44 108,368 ----a-w c:\windows\system32\drivers\veteboot.sys
2009-02-07 21:44 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\CA
2009-02-07 21:42 --------- d-----w c:\program files\Common Files\Scanner
2009-02-07 21:38 --------- d-----w c:\documents and settings\Milan\Application Data\GetRightToGo
2009-02-07 21:22 --------- d-----w c:\program files\Intel
2009-02-07 21:07 --------- d-----w c:\program files\Dell
2009-02-07 18:43 --------- d-----w c:\program files\Google
2009-02-07 06:30 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\GetRightToGo
2009-02-07 06:02 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\AVGTOOLBAR
2009-02-07 03:27 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\uTorrent
2009-02-07 02:46 23,040 ----a-w C:\xxweksc.exe
2009-02-07 02:46 22,016 ----a-w C:\wskrote.exe
2009-02-07 02:46 22,016 ----a-w C:\jwfmld.exe
2009-02-06 01:25 --------- d-----w c:\program files\AOL Toolbar
2009-02-04 05:20 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\mIRC
2009-02-04 04:48 --------- d-----w c:\program files\mIRC
2009-02-04 04:33 --------- d-----w c:\program files\Common Files\xing shared
2009-02-04 04:33 --------- d-----w c:\program files\Common Files\Real
2009-02-04 00:33 --------- d-----w c:\program files\Microsoft.NET
2009-01-26 02:40 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\NCH Software
2009-01-25 06:38 --------- d-----w c:\program files\Video Convert Master
2009-01-25 03:38 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\Apple Computer
2009-01-17 03:30 --------- d-----w c:\program files\DivX
2009-01-12 05:16 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-19 03:48 86,016 ----a-w c:\documents and settings\Milan Knezevic\Application Data\ezpinst.exe
2008-12-19 03:48 47,360 ----a-w c:\documents and settings\Milan Knezevic\Application Data\pcouffin.sys
2008-10-26 00:13 36,296 ----a-w c:\documents and settings\Milan Knezevic\Application Data\GDIPFONTCACHEV1.DAT
2008-07-19 17:56 61,224 ----a-w c:\documents and settings\Milan Knezevic\GoToAssistDownloadHelper.exe
2008-03-27 23:57 578 ----a-w c:\documents and settings\Milan Knezevic\Application Data\wklnhst.dat
2004-08-04 10:00 360,448 --sh--r c:\windows\system32\iafhch.exe
2004-08-04 10:00 360,448 --sh--r c:\windows\system32\judwpo.exe
2004-08-04 10:00 360,448 --sh--r c:\windows\system32\wzjixo.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Spyware Begone"="c:\spywarebegone\SpywareBeGone.exe" [2008-08-05 1236992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-02-07 181488]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-08-30 234736]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2009-02-07 14088]
"cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-28 771312]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-28 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-28 259312]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 225280]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 c:\windows\RTHDCPL.exe]
"NVCLOCK"="nvclock.dll" [2002-05-14 c:\windows\system32\nvclock.dll]
"nwiz"="nwiz.exe" [2008-05-03 c:\windows\system32\nwiz.exe]

c:\documents and settings\Milan Knezevic\Start Menu\Programs\Startup\
AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2008-06-24 41824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-06-23 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 15:30 79368 c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
--a------ 2003-03-04 08:49 86100 c:\program files\Lexmark X5100 Series\lxbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"LexBceS"=2 (0x2)
"stllssvr"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-03-19 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-03-21 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-03-21 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-03-19 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-06-04 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-03-21 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-24 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-05-30 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2009-02-07 185584]
R3 VGAUTI;VGAUTI;c:\windows\system32\drivers\vgauti.sys [2009-02-07 37684]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-18 33752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\CAAntiSpywareScan_Daily as Milan at 4 42 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2008-08-27 19:44]

2009-03-10 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-07-18 12:08]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: microsoft.com\download
Trusted Zone: optimum.net\www
Trusted Zone: safer-networking.org\www
Trusted Zone: stopzilla.com\www
FF - ProfilePath - c:\documents and settings\Milan\Application Data\Mozilla\Firefox\Profiles\txtd7tsx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.optimum.net/optonline
FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\Firefox\components\CallingIDLinkAdvisorGecko.dll
FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\Firefox\components\CIDDomFx3.dll
FF - plugin: c:\documents and settings\Milan\Application Data\Mozilla\Firefox\Profiles\txtd7tsx.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 18:21:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\windows\system32\rundll32.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
.
**************************************************************************
.
Completion time: 2009-03-10 18:24:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-10 22:24:39

Pre-Run: 104,618,283,008 bytes free
Post-Run: 104,583,753,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

341 --- E O F --- 2009-02-26 08:00:32
FatBoy
Regular Member
 
Posts: 26
Joined: March 8th, 2009, 3:20 am

Re: Hijacked browser.

Unread postby FatBoy » March 10th, 2009, 6:28 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:28:09, on 3/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\spywarebegone\SpywareBeGone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 7085 bytes
FatBoy
Regular Member
 
Posts: 26
Joined: March 8th, 2009, 3:20 am

Re: Hijacked browser.

Unread postby dan12 » March 10th, 2009, 6:58 pm

Ok, we got there in the end. :) Your logs will take me a little time to check over; you should start to get some improvement soon.
dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked browser.

Unread postby dan12 » March 11th, 2009, 6:30 pm

I have not forgotten you, so don't worry; I just had a lot of catch-up work to do.
Hope to be with you soon. :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked browser.

Unread postby FatBoy » March 11th, 2009, 6:34 pm

No problem,
take your time.
I have had this problem for some time now, so a few extra days won't hurt lol.
Once more, thank you very much for your work.
FatBoy
Regular Member
 
Posts: 26
Joined: March 8th, 2009, 3:20 am

Re: Hijacked browser.

Unread postby dan12 » March 11th, 2009, 7:04 pm

Submit a File For Analysis
We need to have the files below scanned by uploading them to Jotti.

Please visit Jotti.
Copy/paste the following file path into the window:
c:\windows\system32\xa3963906.exe

Click Submit/Send File.
Please post back to let me know the results.

Please do the same for the following files:
c:\windows\Cursors\NOGOOD.exe
c:\windows\HideWin.exe


If Jotti is too busy, please try Virustotal.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\iun6002.exe
C:\xxweksc.exe
C:\wskrote.exe
C:\jwfmld.exe
c:\windows\system32\iafhch.exe
c:\windows\system32\judwpo.exe
c:\windows\system32\wzjixo.exe
Folder::
c:\documents and settings\Milan Knezevic\Application Data\uTorrent
c:\program files\uTorrent
c:\documents and settings\Milan\Application Data\uTorrent
DirLook::
C:\a95b406f714086ff71e7
c:\windows\zhenghe2

Save this as "CFScript.txt", with Type: All Files (*.*), in the same location as ComboFix.exe.


Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Post:
combofix report
Jotti's report
HJT log
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked browser.

Unread postby FatBoy » March 11th, 2009, 9:18 pm

This is the scan for c:\windows\Cursors\NOGOOD.exe

Scan taken on 12 Mar 2009 01:08:41 (GMT)
A-Squared Found Trojan.Generic!IK
AntiVir Found HEUR/Malware
ArcaVir Found nothing
Avast Found Win32:Rootkit-gen
AVG Antivirus Found nothing
BitDefender Found Trojan.Generic.1543366
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found Trojan.Generic
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Backdoor.VBbot.1 (paranoid heuristics) (probable variant)
FatBoy
Regular Member
 
Posts: 26
Joined: March 8th, 2009, 3:20 am

Re: Hijacked browser.

Unread postby FatBoy » March 11th, 2009, 9:24 pm

Scan result for C:\windows\hidewin.exe


Scan taken on 12 Mar 2009 01:18:56 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
FatBoy
Regular Member
 
Posts: 26
Joined: March 8th, 2009, 3:20 am

Re: Hijacked browser.

Unread postby FatBoy » March 12th, 2009, 12:08 am

ComboFix 09-03-10.01 - Milan 2009-03-11 23:14:22.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2862 [GMT -4:00]
Running from: c:\documents and settings\Milan\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Milan\Desktop\cfscript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Updated)
FW: CA Personal Firewall *enabled*
* Created a new restore point

FILE ::
C:\jwfmld.exe
c:\windows\iun6002.exe
c:\windows\system32\iafhch.exe
c:\windows\system32\judwpo.exe
c:\windows\system32\wzjixo.exe
C:\wskrote.exe
C:\xxweksc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Milan Knezevic\Application Data\uTorrent
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\17.Kids.and.Counting.S01E03.WS.DSR.XviD-OMiCRON.torrent
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\Australia 2008 DVDSCR XviD-KingBen.torrent
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\dht.dat
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\Nero-Ultra Editon 9.2.6.0.torrent
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\Nero 9 - Keymaker.torrent
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\Nero 9.0.9.4c Ultra.Edition + Serial's;.torrent
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\resume.dat
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\rss.dat
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\settings.dat
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\Seven Pounds[2008]DvDrip-aXXo.torrent
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\The.Curious.Case.of.Benjamin.Button.DVDSCR.XviD-DEViSE.torrent
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\utorrent-help.zip
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\utorrent.chm
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\Valkyrie[2008]DvDRip.Eng.torrent
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\WinZip PRO v12 + Serials REZMAN1984.7z.torrent
c:\documents and settings\Milan Knezevic\Application Data\uTorrent\Zack and Miri Make a Porno (2008) [djfred].torrent
c:\documents and settings\Milan\Application Data\uTorrent
c:\documents and settings\Milan\Application Data\uTorrent\Australia 2008 DVDSCR XviD.wmv.torrent
c:\documents and settings\Milan\Application Data\uTorrent\dht.dat
c:\documents and settings\Milan\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Milan\Application Data\uTorrent\DRM Removal - drmdbg and drmcreep.zip.torrent
c:\documents and settings\Milan\Application Data\uTorrent\DVD Identifier 5.2.0.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Friday the 13th.[2009] . DvDrip.XviD - aXXo.torrent
c:\documents and settings\Milan\Application Data\uTorrent\He's Just Not That Into You [2009] English.DvDRip.XviD-PLUTO.torrent
c:\documents and settings\Milan\Application Data\uTorrent\His.Name.Was.Jason.30.Years.of.Friday.the.13th.2009.DVDRip[desifilmz.com].torrent
c:\documents and settings\Milan\Application Data\uTorrent\Inkheart [2009] DvDrip -aXXo.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Nero 9 keygen.zip.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Nero 9 Lite Version + Activation Serials.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Nero 9.0 Full Program.rar.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Nero Burning Rom 9.2.6.0.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Nero.9.2.6.0_Ultra Edition Powerful Multimedia Suite 2009.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Push Sci-Fi MPEG-4 DVDRip.torrent
c:\documents and settings\Milan\Application Data\uTorrent\resume.dat
c:\documents and settings\Milan\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Milan\Application Data\uTorrent\rss.dat
c:\documents and settings\Milan\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Milan\Application Data\uTorrent\settings.dat
c:\documents and settings\Milan\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Milan\Application Data\uTorrent\The Uninvited (2009) English DvDScr.XviD - LUSO.torrent
c:\documents and settings\Milan\Application Data\uTorrent\The Uninvited.DVDSCR.XviD-ORC.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Ticker.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Tunebite CONVERTER Platinum.v5.0.335.30(NEW-with serial key).torrent
c:\documents and settings\Milan\Application Data\uTorrent\Twilight [2008][Dvdrip Release]-Xvid.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Twilight[2008].[DVDrip].[Eng].torrent
c:\documents and settings\Milan\Application Data\uTorrent\UNDERWORLD 3 THE RISE OF THE LYCANS (2009) REAL PROPER DVDSCR.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Underworld.Rise.Of.The.Lycans.TS.XViD-PreVail.torrent
c:\documents and settings\Milan\Application Data\uTorrent\Valkyrie [2009 DiVX].torrent
c:\documents and settings\Milan\Application Data\uTorrent\Valkyrie(2008)DvDrip(Eng).torrent
c:\documents and settings\Milan\Application Data\uTorrent\Valkyrie[2008]DvDrip.Super.Quality.torrent
C:\jwfmld.exe
c:\program files\uTorrent
c:\program files\uTorrent\14458-utorrent.cfac.dmp
c:\windows\iun6002.exe
c:\windows\system32\iafhch.exe
c:\windows\system32\judwpo.exe
c:\windows\system32\wzjixo.exe
C:\wskrote.exe
C:\xxweksc.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-11 23:07 . 2009-03-11 23:07 <DIR> d-------- C:\spoolerlogs
2009-03-11 22:07 . 2009-03-11 22:07 <DIR> d-------- C:\Lxkx5150
2009-03-11 20:02 . 2009-03-11 20:02 <DIR> d-------- C:\cd072c42f5992ac4dc40d4bc9df3
2009-03-11 15:00 . 2009-03-11 15:00 <DIR> d-------- C:\08d837178a2be32ae0
2009-03-11 08:54 . 2009-03-11 08:54 <DIR> d-------- C:\51f76d167a5b6bdd244a
2009-03-11 03:00 . 2004-08-04 06:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-08 16:30 . 2009-03-08 17:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 16:30 . 2009-03-08 16:30 <DIR> d-------- c:\documents and settings\Milan\Application Data\Malwarebytes
2009-03-08 16:30 . 2009-03-08 16:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-03-08 16:30 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-08 16:30 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 01:13 . 2009-03-08 01:13 <DIR> d-------- c:\program files\Trend Micro
2009-03-07 00:30 . 2009-03-08 00:13 <DIR> d-------- C:\spywarebegone
2009-03-07 00:30 . 2009-03-07 00:30 170 --a------ c:\windows\spywarebegone-fullversion-installed.html
2009-02-25 23:55 . 2009-02-25 23:55 <DIR> d-------- c:\windows\Cache
2009-02-25 23:55 . 2009-02-25 23:55 <DIR> d-------- c:\program files\Coupons
2009-02-25 23:55 . 2009-02-25 23:55 202,072 -ra------ c:\windows\system32\cpnprt2.cid
2009-02-20 14:30 . 2009-02-20 14:30 <DIR> d-------- c:\documents and settings\Milan\Application Data\HP
2009-02-20 14:27 . 2009-03-11 20:25 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\HP
2009-02-20 14:26 . 2009-02-20 14:26 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-02-20 14:25 . 2009-02-20 14:25 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Hewlett-Packard
2009-02-20 14:25 . 2007-10-25 11:38 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2009-02-20 14:25 . 2007-10-25 11:38 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2009-02-20 14:24 . 2007-10-25 11:38 675,840 -ra------ c:\windows\system32\hpowiax4.dll
2009-02-20 14:24 . 2007-10-25 11:38 569,344 -ra------ c:\windows\system32\hpotscl4.dll
2009-02-20 14:24 . 2007-10-25 11:38 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2009-02-20 14:24 . 2007-10-25 11:38 309,760 -ra------ c:\windows\system32\difxapi.dll
2009-02-20 14:24 . 2007-10-25 11:38 294,912 -ra------ c:\windows\system32\hpovst11.dll
2009-02-20 14:24 . 2007-10-25 11:35 258,048 -ra------ c:\windows\system32\hpzids01.dll
2009-02-20 14:24 . 2007-10-29 18:14 117,760 --a------ c:\windows\system32\hpzll4xl.dll
2009-02-20 14:24 . 2007-10-25 11:38 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
2009-02-20 14:22 . 2009-02-20 14:22 <DIR> d-------- c:\windows\zhenghe2
2009-02-20 14:22 . 2009-03-11 20:40 <DIR> d-------- c:\program files\HP
2009-02-20 14:20 . 2009-03-11 15:27 144,581 --------- c:\windows\hpwins16.dat.temp
2009-02-20 14:20 . 2007-10-24 23:00 1,162 --------- c:\windows\hpwmdl16.dat.temp
2009-02-20 14:10 . 2009-02-20 14:10 <DIR> d-------- C:\a95b406f714086ff71e7
2009-02-19 18:51 . 2009-02-19 18:51 25 --a------ c:\windows\cdplayer.ini
2009-02-19 08:26 . 2009-02-19 08:26 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-19 08:26 . 2009-02-19 08:26 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-18 18:56 . 2009-02-18 18:57 <DIR> d-------- c:\documents and settings\Milan\Application Data\Roxio
2009-02-18 17:36 . 2009-02-18 17:37 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-02-18 16:03 . 2009-02-18 16:03 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\InstallShield
2009-02-18 16:02 . 2009-02-18 16:02 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Sonic
2009-02-18 16:00 . 2006-07-21 12:21 99,176 --a------ c:\windows\system32\drivers\DRVMCDB.SYS
2009-02-18 16:00 . 2006-08-18 14:17 92,920 --a------ c:\windows\DLA.EXE
2009-02-18 16:00 . 2006-08-18 14:17 56,056 --a------ c:\windows\system32\DLAAPI_W.DLL
2009-02-18 16:00 . 2006-08-11 12:05 51,768 --a------ c:\windows\system32\drivers\DRVNDDM.SYS
2009-02-18 16:00 . 2006-08-11 11:35 28,184 --a------ c:\windows\system32\drivers\DLARTL_M.SYS
2009-02-18 16:00 . 2006-08-11 11:35 12,920 --a------ c:\windows\system32\drivers\DLACDBHM.SYS
2009-02-18 16:00 . 2009-03-11 09:15 164 --a------ c:\windows\wininit.ini
2009-02-18 11:56 . 2009-02-18 11:56 400,569,600 --a------ c:\windows\system32\xa3963906.exe
2009-02-18 11:56 . 2009-02-18 11:56 400,569,600 --a------ c:\windows\system32\xa3932828.exe
2009-02-18 11:43 . 2009-02-18 11:43 400,569,600 --a------ c:\windows\system32\xa3198234.exe
2009-02-18 11:43 . 2009-02-18 11:43 400,569,600 --a------ c:\windows\system32\xa3165953.exe
2009-02-18 11:32 . 2009-02-18 13:28 <DIR> d-------- c:\program files\Nero 9
2009-02-18 11:28 . 2009-02-18 11:28 400,569,600 --a------ c:\windows\system32\xa2257796.exe
2009-02-18 11:27 . 2009-02-18 11:28 400,569,600 --a------ c:\windows\system32\xa2222406.exe
2009-02-17 23:34 . 2009-02-17 23:34 400,569,600 --a------ c:\windows\system32\xa844265.exe
2009-02-17 23:34 . 2009-02-17 23:34 400,569,600 --a------ c:\windows\system32\xa805437.exe
2009-02-17 23:25 . 2009-02-17 23:25 400,569,600 --a------ c:\windows\system32\xa287484.exe
2009-02-17 23:24 . 2009-02-17 23:25 400,569,600 --a------ c:\windows\system32\xa247468.exe
2009-02-17 23:10 . 2009-02-17 23:10 400,569,600 --a------ c:\windows\system32\xa56818296.exe
2009-02-17 23:08 . 2009-02-17 23:10 400,569,600 --a------ c:\windows\system32\xa56668609.exe
2009-02-13 22:01 . 2009-02-13 22:01 376 --a------ c:\windows\ODBC.INI
2009-02-13 20:03 . 2009-02-13 20:03 344,064 --a------ C:\dfggdft.exe
2009-02-13 00:12 . 2009-02-13 00:12 400,569,600 --a------ c:\windows\system32\xa103680593.exe
2009-02-13 00:11 . 2009-02-13 00:12 400,569,600 --a------ c:\windows\system32\xa103643125.exe
2009-02-12 21:51 . 2009-02-12 21:54 <DIR> d-------- c:\documents and settings\Milan\Application Data\vlc
2009-02-12 21:48 . 2009-02-12 21:48 <DIR> d-------- c:\program files\VideoLAN
2009-02-12 21:10 . 2009-02-12 21:10 400,569,600 --a------ c:\windows\system32\xa92755890.exe
2009-02-12 21:09 . 2009-02-12 21:10 400,569,600 --a------ c:\windows\system32\xa92717984.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 03:05 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k7
2009-03-12 03:05 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k6
2009-03-12 03:05 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k5
2009-03-12 03:05 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k4
2009-03-12 03:05 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k3
2009-03-12 03:05 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k2
2009-03-12 03:05 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k1
2009-03-12 03:05 104,980 ----a-w c:\windows\system32\drivers\kmxcfg.u2k0
2009-03-12 03:04 --------- d-----w c:\documents and settings\Milan\Application Data\CallingID
2009-03-12 02:15 --------- d-----w c:\program files\Lexmark X5100 Series
2009-03-06 01:04 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-19 12:26 --------- d-----w c:\program files\Java
2009-02-18 21:36 --------- d-----w c:\program files\NOS
2009-02-18 20:02 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-02-18 20:01 --------- d-----w c:\program files\Common Files\SureThing Shared
2009-02-18 16:04 241,665 ---ha-w c:\windows\Cursors\NOGOOD.exe
2009-02-17 03:12 --------- d-----w c:\documents and settings\Milan\Application Data\Tunebite
2009-02-17 02:54 --------- d-----w c:\program files\DVD Shrink
2009-02-12 03:07 --------- d-----w c:\program files\Nero
2009-02-12 02:57 400,569,600 ----a-w c:\windows\system32\xa12831265.exe
2009-02-12 02:57 400,569,600 ----a-w c:\windows\system32\xa12810187.exe
2009-02-12 02:41 400,569,600 ----a-w c:\windows\system32\xa11863468.exe
2009-02-12 02:41 400,569,600 ----a-w c:\windows\system32\xa11694703.exe
2009-02-12 02:40 400,569,600 ----a-w c:\windows\system32\xa11773843.exe
2009-02-12 02:40 400,569,600 ----a-w c:\windows\system32\xa11598328.exe
2009-02-12 02:37 400,569,600 ----a-w c:\windows\system32\xa11581765.exe
2009-02-12 02:37 400,569,600 ----a-w c:\windows\system32\xa11542468.exe
2009-02-12 02:36 400,569,600 ----a-w c:\windows\system32\xa11573828.exe
2009-02-12 02:36 400,569,600 ----a-w c:\windows\system32\xa11541687.exe
2009-02-12 02:03 400,569,600 ----a-w c:\windows\system32\xa9587968.exe
2009-02-12 02:03 400,569,600 ----a-w c:\windows\system32\xa9577062.exe
2009-02-12 01:49 400,569,600 ----a-w c:\windows\system32\xa8752765.exe
2009-02-12 01:49 400,569,600 ----a-w c:\windows\system32\xa8728687.exe
2009-02-12 01:48 400,569,600 ----a-w c:\windows\system32\xa8674671.exe
2009-02-12 01:48 400,569,600 ----a-w c:\windows\system32\xa8662000.exe
2009-02-12 01:15 400,569,600 ----a-w c:\windows\system32\xa6674828.exe
2009-02-12 01:15 400,569,600 ----a-w c:\windows\system32\xa6661171.exe
2009-02-11 23:31 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\RapidSolution
2009-02-11 21:39 --------- d-----w c:\program files\PixiePack Codec Pack
2009-02-11 21:37 --------- d-----w c:\program files\RapidSolution
2009-02-11 21:15 --------- d-----w c:\program files\Agood All to AVI MPEG WMV MOV DVD Converter Free
2009-02-11 21:02 --------- d-----w c:\documents and settings\Milan\Application Data\Media Player Classic
2009-02-10 21:59 --------- d-----w c:\documents and settings\Milan\Application Data\NeroDigital(TM)
2009-02-09 17:56 --------- d-----w c:\documents and settings\Milan\Application Data\GlarySoft
2009-02-09 17:53 --------- d-----w c:\program files\Glary Utilities
2009-02-09 17:12 --------- d-----w c:\documents and settings\Milan\Application Data\Uniblue
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 02:09 --------- d-----w c:\documents and settings\Milan\Application Data\Nero
2009-02-09 00:57 --------- d-----w c:\program files\Common Files\Nero
2009-02-09 00:52 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-09 00:36 --------- d-----w c:\program files\Windows Sidebar
2009-02-09 00:29 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Nero
2009-02-09 00:26 --------- d-----w c:\documents and settings\Milan\Application Data\Winamp
2009-02-09 00:19 --------- d-----w c:\program files\Common Files\Adobe
2009-02-09 00:11 --------- d-----w c:\program files\Winamp
2009-02-08 23:18 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\DVD Shrink
2009-02-08 22:51 --------- d-----w c:\program files\Common Files\AVSMedia
2009-02-08 22:49 --------- d-----w c:\documents and settings\Milan\Application Data\AVS4YOU
2009-02-08 22:48 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AVS4YOU
2009-02-08 03:49 --------- d-----w c:\documents and settings\Milan\Application Data\CyberLink
2009-02-08 03:44 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\CyberLink
2009-02-08 03:08 --------- d-----w c:\program files\MSI
2009-02-08 03:07 --------- d-----w c:\documents and settings\Milan\Application Data\InterTrust
2009-02-08 02:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 02:53 --------- d-----w c:\program files\CyberLink
2009-02-08 02:48 --------- d-----w c:\program files\ABBYY FineReader 5.0 Sprint
2009-02-08 02:47 --------- d-----w c:\program files\FaxTools
2009-02-08 02:47 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2009-02-08 01:56 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\WinZip
2009-02-08 00:59 --------- d-----w c:\program files\LIVEUPDATE
2009-02-08 00:54 --------- d-----w c:\program files\AMT
2009-02-07 22:34 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-02-07 22:02 315,392 ----a-w c:\windows\HideWin.exe
2009-02-07 22:02 --------- d-----w c:\program files\Realtek
2009-02-07 21:55 499,712 ----a-w c:\windows\system32\msvcp71.dll
2009-02-07 21:55 348,160 ----a-w c:\windows\system32\msvcr71.dll
2009-02-07 21:44 880,560 ----a-w c:\windows\system32\drivers\vetefile.sys
2009-02-07 21:44 108,368 ----a-w c:\windows\system32\drivers\veteboot.sys
2009-02-07 21:44 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\CA
2009-02-07 21:42 --------- d-----w c:\program files\Common Files\Scanner
2009-02-07 21:38 --------- d-----w c:\documents and settings\Milan\Application Data\GetRightToGo
2009-02-07 21:22 --------- d-----w c:\program files\Intel
2009-02-07 21:07 --------- d-----w c:\program files\Dell
2009-02-07 18:43 --------- d-----w c:\program files\Google
2009-02-07 06:30 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\GetRightToGo
2009-02-07 06:02 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\AVGTOOLBAR
2009-02-06 01:25 --------- d-----w c:\program files\AOL Toolbar
2009-02-04 05:20 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\mIRC
2009-02-04 04:48 --------- d-----w c:\program files\mIRC
2009-02-04 04:33 --------- d-----w c:\program files\Common Files\xing shared
2009-02-04 04:33 --------- d-----w c:\program files\Common Files\Real
2009-02-04 00:33 --------- d-----w c:\program files\Microsoft.NET
2009-01-26 02:40 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\NCH Software
2009-01-25 06:38 --------- d-----w c:\program files\Video Convert Master
2009-01-25 03:38 --------- d-----w c:\documents and settings\Milan Knezevic\Application Data\Apple Computer
2009-01-17 03:30 --------- d-----w c:\program files\DivX
2009-01-12 05:16 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-19 03:48 86,016 ----a-w c:\documents and settings\Milan Knezevic\Application Data\ezpinst.exe
2008-12-19 03:48 47,360 ----a-w c:\documents and settings\Milan Knezevic\Application Data\pcouffin.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\a95b406f714086ff71e7 ----

2004-10-26 19:41 365 --a------ c:\a95b406f714086ff71e7\update\update.ver
2004-10-26 19:39 27021 --a------ c:\a95b406f714086ff71e7\update\update_win2k.inf
2004-10-26 19:39 27020 --a------ c:\a95b406f714086ff71e7\update\update_w2k3.inf
2004-10-26 19:39 27015 --a------ c:\a95b406f714086ff71e7\update\update_wxp.inf
2004-10-26 19:27 29459 --a------ c:\a95b406f714086ff71e7\update\msi30_net.cat
2004-10-26 19:26 29459 --a------ c:\a95b406f714086ff71e7\update\msi30_wxp.cat
2004-10-26 19:26 29459 --a------ c:\a95b406f714086ff71e7\update\msi30_w2k.cat
2004-10-26 10:25 77312 --a------ c:\a95b406f714086ff71e7\msiexec.exe
2004-10-26 10:25 44032 --a------ c:\a95b406f714086ff71e7\msisip.dll
2004-10-26 10:24 331264 --a------ c:\a95b406f714086ff71e7\msihnd.dll
2004-10-26 10:24 2797056 --a------ c:\a95b406f714086ff71e7\msi.dll
2004-10-26 10:16 884736 --a------ c:\a95b406f714086ff71e7\msimsg.dll
2004-06-24 18:15 654336 --a------ c:\a95b406f714086ff71e7\update\update.exe
2004-06-24 18:13 21504 --a------ c:\a95b406f714086ff71e7\update\spcustom.dll
2004-06-24 18:13 169984 --a------ c:\a95b406f714086ff71e7\spuninst.exe
2004-06-24 18:08 6656 --a------ c:\a95b406f714086ff71e7\spmsg.dll
2004-06-22 14:55 4092 --a------ c:\a95b406f714086ff71e7\update\eula.txt
2003-08-29 21:08 6566 --a------ c:\a95b406f714086ff71e7\empty.cat
2003-08-27 17:30 287 --a------ c:\a95b406f714086ff71e7\update\updatebr.inf

---- Directory of c:\windows\zhenghe2 ----

2007-05-16 11:14 340 --a------ c:\windows\zhenghe2\scrub2k.ini
2007-02-05 14:01 65536 --a------ c:\windows\zhenghe2\scrub2k.exe


((((((((((((((((((((((((((((( SnapShot_2009-03-11_23.01.44.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-12 03:06:53 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Spyware Begone"="c:\spywarebegone\SpywareBeGone.exe" [2008-08-05 1236992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-02-07 181488]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-08-30 234736]
"cafw"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-28 771312]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-28 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-28 259312]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 225280]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 c:\windows\RTHDCPL.exe]
"NVCLOCK"="nvclock.dll" [2002-05-14 c:\windows\system32\nvclock.dll]
"nwiz"="nwiz.exe" [2008-05-03 c:\windows\system32\nwiz.exe]

c:\documents and settings\Milan Knezevic\Start Menu\Programs\Startup\
AOL Desktop.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2008-06-24 41824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= "c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\CIDLinkAdvisor.dll" [2008-06-23 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 15:30 79368 c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
--------- 2003-03-04 08:49 86100 c:\program files\Lexmark X5100 Series\lxbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"LexBceS"=2 (0x2)
"stllssvr"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-03-19 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-03-21 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-03-21 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-03-19 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-06-04 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-03-21 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-24 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-05-30 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2009-02-07 185584]
R3 VGAUTI;VGAUTI;c:\windows\system32\drivers\vgauti.sys [2009-02-07 37684]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2009-02-07 26488]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-18 33752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\CAAntiSpywareScan_Daily as Milan at 4 42 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2008-08-27 19:44]

2009-03-12 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-07-18 12:08]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: microsoft.com\download
Trusted Zone: optimum.net\www
Trusted Zone: safer-networking.org\www
Trusted Zone: stopzilla.com\www
FF - ProfilePath - c:\documents and settings\Milan\Application Data\Mozilla\Firefox\Profiles\txtd7tsx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.optimum.net/optonline
FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\LinkAdvisor\Firefox\components\CallingIDLinkAdvisorGecko.dll
FF - component: c:\program files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\Firefox\components\CIDDomFx3.dll
FF - plugin: c:\documents and settings\Milan\Application Data\Mozilla\Firefox\Profiles\txtd7tsx.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 23:17:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
Completion time: 2009-03-11 23:18:48
ComboFix-quarantined-files.txt 2009-03-12 03:18:46
ComboFix2.txt 2009-03-10 22:24:44

Pre-Run: 105,049,526,272 bytes free
Post-Run: 105,034,088,448 bytes free

406 --- E O F --- 2009-03-11 07:00:43
FatBoy
Regular Member
 
Posts: 26
Joined: March 8th, 2009, 3:20 am

Re: Hijacked browser.

Unread postby FatBoy » March 12th, 2009, 12:10 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:09:34, on 3/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\spywarebegone\SpywareBeGone.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CAGlobal.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 8021 bytes
FatBoy
Regular Member
 
Posts: 26
Joined: March 8th, 2009, 3:20 am

Re: Hijacked browser.

Unread postby dan12 » March 12th, 2009, 3:45 pm

Let's try that online scan now.


Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Post report
dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hijacked browser.

Unread postby FatBoy » March 12th, 2009, 10:25 pm

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, March 12, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 13, 2009 00:29:54
Records in database: 1892891
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 73223
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:51:02


File name / Threat name / Threats count
C:\dfggdft.exe Infected: Backdoor.Win32.SdBot.kkz 1
C:\Documents and Settings\Milan\My Documents\Downloads\Nero 9 Lite Version + Activation Serials\Nero 9 Lite Setup.exe Infected: Trojan.Win32.Chifrax.a 1
C:\drivers\audio\R158510\RtlUpd64.exe Infected: Virus.Win32.Virut.ce 1
C:\Qoobox\Quarantine\C\xxweksc.exe.vir Infected: Virus.Win32.Virut.ce 1

The selected area was scanned.
FatBoy
Regular Member
 
Posts: 26
Joined: March 8th, 2009, 3:20 am

Re: Hijacked browser.

Unread postby dan12 » March 13th, 2009, 5:56 am

Even though we have come this far with the cleanup process with the problems we had, from what I've seen from the ComboFix logs and now confirmed by Kaspersky, you also have a Virut infection.
I'm afraid it's practically impossible to recover from a Virut infection. This thing tries to infect all executable files on your system. Unfortunately, it does it somewhat 'badly' - and actually corrupts the files. If you try and remove the infected part of these files, you are left with a little corrupted shell of what was once a legitimate program. As soon as this infection hits your system files, problems start. Your best option is a reformat, not the news you wanted, I'm sorry to say. Don't back up your files either, because when you back up exe files, they are also infected. You can, however, back up pictures and documents.

dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
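The advice above (back up pictures and documents, never executables, because a file infector like Virut has touched the PE files) can be turned into a backup triage step. The following is an added example and is not code from the thread or from any of the tools it mentions. It walks a folder, keeps only files on a data-type allowlist, and excludes anything that is executable either by extension or by content: it reads the first two bytes and rejects any file that starts with the DOS/PE `MZ` magic, so a PE file renamed to `.jpg` is still left out. The extension lists and the sample folder it builds are constructed for this example.

```python
"""Backup triage for a host hit by a PE file infector: copy data files only.

Added example, not part of the forum thread.  A Virut-style infector writes
itself into executables, so a backup must skip anything that is executable,
not just names ending in .exe.  The content sniff below checks the PE 'MZ'
header so a renamed executable is excluded as well.  Extension lists and the
sample tree are constructed for this example.
"""
import os
import tempfile

# File types the thread says are safe to keep: pictures and documents (constructed list).
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".doc", ".docx",
                   ".xls", ".xlsx", ".pdf", ".txt", ".rtf", ".odt"}
# Extensions a file infector targets or that can carry code (constructed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".sys", ".ocx", ".cpl", ".com",
                         ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}


def looks_like_pe(path):
    """Return True if the file starts with the DOS 'MZ' magic used by PE binaries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def classify(path):
    """Return (decision, reason) for one file; decision is 'copy' or 'skip'."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "skip", "executable extension"
    if looks_like_pe(path):
        # Extension looks harmless but the content is a PE image: treat as infected.
        return "skip", "PE header (MZ) despite non-executable name"
    if ext in DATA_EXTENSIONS:
        return "copy", "data file"
    return "skip", "unknown type, not on allowlist"


def triage(root):
    """Walk root and return {'copy': [relpaths], 'skip': [(relpath, reason), ...]}."""
    result = {"copy": [], "skip": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            decision, reason = classify(full)
            if decision == "copy":
                result["copy"].append(rel)
            else:
                result["skip"].append((rel, reason))
    return result


def build_sample_tree():
    """Create a constructed sample 'My Documents' tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="triage_")
    files = {
        "Pictures/holiday.jpg": b"\xff\xd8\xff\xe0JFIF",          # real JPEG magic
        "Letters/rent.doc": b"\xd0\xcf\x11\xe0 fake word doc",     # OLE2 magic
        "Notes/todo.txt": b"buy milk\n",
        "Downloads/setup.exe": b"MZ\x90\x00 pe stub",             # executable by name
        "Pictures/trip.jpg": b"MZ\x90\x00 renamed executable",    # PE hiding as a picture
        "Misc/archive.zip": b"PK\x03\x04",                         # not on the allowlist
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for rel in report["copy"]:
        print("COPY", rel)
    for rel, why in report["skip"]:
        print("SKIP", rel, "-", why)
```

Archives are deliberately left off the allowlist: a `.zip` can hold executables, so it would need to be unpacked and triaged file by file before anything inside it is kept.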

Re: Hijacked browser.

Unread postby FatBoy » March 13th, 2009, 7:55 pm

That sounds like bad news to me.
Thank you very much for your hard work and all your help.
FatBoy
Regular Member
 
Posts: 26
Joined: March 8th, 2009, 3:20 am

Re: Hijacked browser.

Unread postby dan12 » March 13th, 2009, 8:17 pm

I'm sorry to give you that news, but I would be doing an injustice if I was to continue, as this wouldn't be the end of the problems even had I finished the cleanup. For the time it takes to reformat, it's not worth pursuing. I have some links to good tutorials on reformatting if you need them.
Regards, dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire