# Browser Redirect Virus



## Ashaman91 (Mar 23, 2011)

Hello,
I have recently gained a virus somehow, most likely through FrostWire. When using Mozilla I get redirected to a different site. It is really random as to when it does it. I have tried to run Malwarebytes on it but it doesn't seem to find it or get rid of it. Please help. It
Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:30:15 PM, on 4/8/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\32788R22FWJFW\cmd.cfxxe
C:\Documents and Settings\User\My Documents\AppRemover.exe
C:\Documents and Settings\User\My Documents\AppRemover.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z013&form=ZGAPHP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANwA5ADQAMwA4ADUAMgAxAC0AQgAyAC0ARgBQADkAKwAzAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQA"&"prod=90"&"ver=9.0.894
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Telnet (TlntSvr32) - Unknown owner - C:\WINDOWS\system32\scrrun32.exe (file missing)

--
End of file - 8080 bytes

*DDS text*
.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by User at 20:43:30.46 on Fri 04/08/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1375 [GMT -8:00]
.
FW: ActiveArmor Firewall *Disabled* 
FW: COMODO Firewall *Enabled* 
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\User\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z013&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DVDTray] c:\program files\ahead\odd toolkit\DVDTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>] 
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANwA5ADQAMwA4ADUAMgAxAC0AQgAyAC0ARgBQADkAKwAzAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQA"&"prod=90"&"ver=9.0.894
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL
Notify: PRISMGNA.DLL - PRISMGNA.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\lhgy4ups.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/webhp?ie=UTF-8&oe=UTF-8
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\tvuplayer\npTVUAx.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-8-18 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-8-18 25160]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-8-18 723632]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2009-8-21 57433]
S2 TlntSvr32;Telnet ;c:\windows\system32\scrrun32.exe --> c:\windows\system32\scrrun32.exe [?]
S4 AMPingService;AMPingService;c:\docume~1\user\locals~1\temp\AMPing.exe [2010-7-9 28480]
.
=============== Created Last 30 ================
.
2011-04-09 04:36:18 -------- d--h--w- c:\windows\PIF
2011-04-09 02:45:03 -------- d-----w- c:\program files\iPod
2011-04-09 02:45:00 -------- d-----w- c:\program files\iTunes
2011-04-07 06:00:31 -------- d-----w- c:\program files\Monstermarketplacecookie Removal Tool
2011-04-06 22:25:09 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-06 22:17:58 -------- d-----w- c:\docume~1\user\applic~1\HpUpdate
2011-04-06 22:17:37 264552 ----a-w- c:\windows\system32\hpinksts8911LM.dll
2011-04-06 22:17:37 232296 ----a-w- c:\windows\system32\hpinksts8911.dll
2011-04-06 22:17:36 213352 ----a-w- c:\windows\system32\hpinkcoi8911.dll
2011-04-06 22:16:16 1907560 ----a-r- c:\windows\system32\HPScanMiniDrv_DJ1050_J410.dll
2011-04-06 22:13:52 -------- d-----w- c:\program files\HP
2011-04-06 22:13:18 -------- d-----w- c:\docume~1\user\locals~1\applic~1\HP
2011-03-29 18:55:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-29 18:55:07 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-29 18:55:07 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-29 18:55:07 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-29 18:55:07 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-29 18:55:07 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-29 18:55:07 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-29 18:55:07 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-25 05:31:52 -------- d-----w- c:\program files\Steam
2011-03-25 05:28:48 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2011-03-23 01:40:06 388096 ----a-r- c:\docume~1\user\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-23 01:40:05 -------- d-----w- c:\program files\Trend Micro
2011-03-23 01:35:53 -------- d-----w- C:\ERDNT
2011-03-21 20:39:52 -------- d-----w- c:\windows\system32\NtmsData
2011-03-21 20:31:29 0 ---ha-w- c:\documents and settings\user\itptrherhl.tmp
2011-03-21 20:30:53 254464 ----a-w- c:\windows\system32\msscp32.dll
2011-03-21 20:30:52 -------- d-sh--w- c:\docume~1\user\applic~1\SysWin
2011-03-21 20:30:46 203776 ----a-w- c:\windows\system32\msscp32.exe
2011-03-21 03:48:28 -------- d-----w- c:\windows\system32\CatRoot2
2011-03-21 03:26:30 -------- d-----w- c:\program files\Microsoft
2011-03-21 03:26:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2011-03-18 18:03:35 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Temp
2011-03-18 18:03:29 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Google
2011-03-16 19:45:27 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-03-12 20:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-12 20:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-02-03 05:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 03:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 20:43:52.06 ===============

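As an added example (not part of Ashaman91's post, and not code from HijackThis or any of the tools named in the thread), here is a small Python triage helper that applies routine review heuristics to lines in the HijackThis entry format: orphaned entries whose target file is gone, services with an unknown vendor, Winsock LSP providers, autostarts that point into a temp directory, and Run entries that give only a bare filename (which the loader resolves through the search path). The sample entries are copied from the log above and reordered; the heuristics are generic review prompts, not verdicts, since orphaned entries and unknown-vendor services are also common leftovers of ordinary uninstalls.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: entries taken from the HijackThis log posted above,
# trimmed and reordered so the heuristics below can be exercised offline.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z013&form=ZGAPHP
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Telnet (TlntSvr32) - Unknown owner - C:\WINDOWS\system32\scrrun32.exe (file missing)
"""

# HijackThis entry lines look like "O23 - Service: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# Common XP temp locations, in both long and 8.3 short form.
TEMP_PATH_RE = re.compile(r"\\(temp|locals~1\\temp|local settings\\temp)\\", re.IGNORECASE)
# A target that begins with an (optionally quoted) drive letter is fully pathed.
PATHED_RE = re.compile(r'^"?[a-z]:\\')


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return review prompts for HijackThis entry lines in log_text.

    Lines that are not entries (process list, headers, blanks) are skipped.
    One line can produce several findings, e.g. a missing-file service whose
    vendor is also unknown.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        lower = body.lower()

        # Entry whose target binary/DLL no longer exists on disk.
        if "(file missing)" in lower or "(no file)" in lower:
            findings.append(Finding(section, "orphaned entry: target file missing", line))
        # Service whose publisher HijackThis could not determine.
        if section == "O23" and "unknown owner" in lower:
            findings.append(Finding(section, "service with unknown vendor", line))
        # Winsock LSP providers sit in the network path of every app; verify each.
        if section == "O10":
            findings.append(Finding(section, "Winsock LSP provider: verify publisher", line))
        # Autostart or service image living in a temp directory.
        if section in ("O4", "O23") and TEMP_PATH_RE.search(lower):
            findings.append(Finding(section, "autostart from a temp directory", line))
        # Run entry with a bare filename is resolved via the search path at logon.
        if section == "O4" and "]" in body:
            target = body.split("]", 1)[1].strip()
            if target and not PATHED_RE.match(target.lower()):
                findings.append(Finding(section, "autostart with bare filename (no path)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Feed it the full text of an HJT log (`triage(open("hijackthis.log").read())`) and read the output as a worklist: each hit is a line to look up and confirm, not something to delete on sight.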

----------



## Ashaman91 (Mar 23, 2011)

The GMER text will not fit. Should I put it as an attachment?


----------



## CatByte (Feb 24, 2009)

Yes, please attach it.


----------



## Ashaman91 (Mar 23, 2011)

Here is the attachment.


----------



## CatByte (Feb 24, 2009)

Hi,

Please do the following:

Download *ComboFix* from one of the following locations:
*Link 1*
*Link 2*

VERY IMPORTANT!!! Save ComboFix.exe to your *Desktop*

*IMPORTANT* - *Disable your AntiVirus and AntiSpyware applications*, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on *ComboFix.exe* & follow the prompts.
As part of its process, *ComboFix will check to see if the Microsoft Windows Recovery Console* is installed. With malware infections being as they are today, it's *strongly recommended* to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
*Click on Yes*, to continue scanning for malware.
When finished, it shall produce a log for you. *Please include the C:\ComboFix.txt in your next reply.*
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


----------



## Ashaman91 (Mar 23, 2011)

ComboFix 11-04-10.01 - User 04/10/2011 20:43:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1489 [GMT -8:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}


----------



## CatByte (Feb 24, 2009)

Is that all there is of the log?

It should be located at C:/combofix.txt

If that is all there is, then please run ComboFix again, make certain your security programs are disabled, and try running it in Safe Mode.

To enter Safe Mode:

Go to *Start > Shut off your Computer > Restart*
As the computer starts to boot up, tap the *F8 key* repeatedly;
this will bring up a *menu*.
Use the *Up and Down Arrow Keys* to scroll up to *Safe Mode*,
then press the *Enter key* on your keyboard
and go into your usual account.


----------



## Ashaman91 (Mar 23, 2011)

ComboFix 11-04-10.01 - User 04/11/2011 11:59:22.2.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1796 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\LocalService\Application Data\0200000000b74fbd1209C.manifest
c:\documents and settings\LocalService\Application Data\0200000000b74fbd1209O.manifest
c:\documents and settings\LocalService\Application Data\0200000000b74fbd1209P.manifest
c:\documents and settings\LocalService\Application Data\0200000000b74fbd1209S.manifest
c:\documents and settings\User\Application Data\0200000000b74fbd697C.manifest
c:\documents and settings\User\Application Data\0200000000b74fbd697O.manifest
c:\documents and settings\User\Application Data\0200000000b74fbd697P.manifest
c:\documents and settings\User\Application Data\0200000000b74fbd697S.manifest
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\extensions\{8c53d5b8-1799-48b4-9223-32856d477474}\chrome.manifest
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\extensions\{8c53d5b8-1799-48b4-9223-32856d477474}\chrome\xulcache.jar
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\extensions\{8c53d5b8-1799-48b4-9223-32856d477474}\defaults\preferences\xulcache.js
c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\extensions\{8c53d5b8-1799-48b4-9223-32856d477474}\install.rdf
c:\documents and settings\User\Application Data\SysWin\lsass.exe
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
C:\xcrashdump.dat
G:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
.
.
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\windows\system32\xircom
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\windows\system32\wbem\snmp
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\program files\microsoft frontpage
2011-04-09 04:36 . 2011-04-09 04:36 -------- d--h--w- c:\windows\PIF
2011-04-09 02:45 . 2011-04-09 02:45 -------- d-----w- c:\program files\iPod
2011-04-09 02:45 . 2011-04-09 02:45 -------- d-----w- c:\program files\iTunes
2011-04-07 06:00 . 2011-04-07 06:17 -------- d-----w- c:\program files\Monstermarketplacecookie Removal Tool
2011-04-06 22:25 . 2004-08-04 07:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-06 22:17 . 2011-04-06 22:17 -------- d-----w- c:\documents and settings\User\Application Data\HpUpdate
2011-04-06 22:17 . 2010-06-14 20:19 264552 ----a-w- c:\windows\system32\hpinksts8911LM.dll
2011-04-06 22:17 . 2010-06-14 20:19 232296 ----a-w- c:\windows\system32\hpinksts8911.dll
2011-04-06 22:17 . 2010-06-14 20:19 213352 ----a-w- c:\windows\system32\hpinkcoi8911.dll
2011-04-06 22:16 . 2010-06-14 20:19 1907560 ----a-r- c:\windows\system32\HPScanMiniDrv_DJ1050_J410.dll
2011-04-06 22:13 . 2011-04-06 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-04-06 22:13 . 2011-04-06 22:18 -------- d-----w- c:\program files\HP
2011-04-06 22:13 . 2011-04-06 22:13 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\HP
2011-03-29 18:55 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-29 18:55 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-29 18:55 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-29 18:55 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-29 18:55 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-29 18:55 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-29 18:55 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-29 18:55 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-25 05:31 . 2011-03-25 05:31 -------- d-----w- c:\program files\Steam
2011-03-25 05:28 . 2011-03-25 05:28 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2011-03-23 01:40 . 2011-03-23 01:40 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-23 01:40 . 2011-03-23 01:40 -------- d-----w- c:\program files\Trend Micro
2011-03-23 01:35 . 2011-03-23 01:35 -------- d-----w- C:\ERDNT
2011-03-21 20:39 . 2011-03-21 20:41 -------- d-----w- c:\windows\system32\NtmsData
2011-03-21 20:31 . 2011-03-21 20:31 0 ---ha-w- c:\documents and settings\User\itptrherhl.tmp
2011-03-21 20:30 . 2011-03-21 20:30 254464 ----a-w- c:\windows\system32\msscp32.dll
2011-03-21 20:30 . 2011-03-21 20:30 203776 ----a-w- c:\windows\system32\msscp32.exe
2011-03-21 03:48 . 2011-04-11 19:58 -------- d-----w- c:\windows\system32\CatRoot2
2011-03-21 03:26 . 2011-03-21 21:02 -------- d-----w- c:\program files\Microsoft
2011-03-21 03:26 . 2011-03-21 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2011-03-18 18:03 . 2011-03-25 15:13 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Temp
2011-03-18 18:03 . 2011-04-06 20:17 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Google
2011-03-16 19:45 . 2011-03-16 19:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-12 20:28 . 2011-03-12 20:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 20:28 . 2011-03-12 20:28 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 05:40 . 2010-05-02 20:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 03:19 . 2009-08-18 22:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-03-18 17:53 . 2011-03-29 18:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2007-01-15 . BB4D3A8E6F7EB1D370BC4AD27AB23368 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-01 1800464]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
2004-12-08 19:41 229465 ----a-w- c:\windows\system32\PRISMGNA.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless USB 2.0 WLAN Card Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless USB 2.0 WLAN Card Utility.lnk
backup=c:\windows\pss\Wireless USB 2.0 WLAN Card Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/18/2009 9:54 AM 134344]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/18/2009 9:54 AM 25160]
S2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [8/21/2009 11:10 PM 57433]
S2 TlntSvr32;Telnet ;c:\windows\system32\scrrun32.exe --> c:\windows\system32\scrrun32.exe [?]
S4 AMPingService;AMPingService;c:\docume~1\User\LOCALS~1\Temp\AMPing.exe --> c:\docume~1\User\LOCALS~1\Temp\AMPing.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z013&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/webhp?ie=UTF-8&oe=UTF-8
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 12:04
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-11 12:06:20
ComboFix-quarantined-files.txt 2011-04-11 20:06
.
Pre-Run: 14,304,309,248 bytes free
Post-Run: 14,266,765,312 bytes free
.
- - End Of File - - 4DFC3603E657DAF67D879DC3BDD56BCC


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click *Start > Run*, type *Notepad*, click *OK*.
This will open an empty notepad file:

*Copy* all the text *inside of the code box* - *Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
http://forums.techguy.org/7889087-post8.html

Collect::
c:\windows\system32\scrrun32.exe 
c:\docume~1\User\LOCALS~1\Temp\AMPing.exe

File::
c:\documents and settings\User\itptrherhl.tmp

Driver::
TlntSvr32
AMPingService
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')
*Save this file to your desktop. Save this as "CFScript".*

Here's how to do that:

1. Click *File*;
2. Click *Save As*... Change the directory to your *desktop*;
3. Change the *Save as type* to *"All Files"*;
4. Type in the file name: *CFScript*
5. Click *Save ...*

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. 
*Copy and paste the contents of the log in your next reply.*

CAUTION: *Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.

*NEXT*


Please open your *MalwareBytes AntiMalware* Program
Click the *Update Tab* and *search for updates*
If an update is found, it will download and install the latest version.
Once the program has loaded, select *"Perform Quick Scan"*, then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Make sure that everything is checked, and click *Remove Selected*. <-- very important
When disinfection is completed, a *log* will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
*Copy&Paste the entire report in your next reply.*

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


*NEXT*

Go *here* to run an online scanner from *ESET.*

*Note:* You will need to use *Internet explorer* for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
When asked, allow the activeX control to install
Click *Start*
Make sure that the option *Remove found threats* is unticked and the *Scan Archives* option is ticked.
Click on Advanced Settings, ensure the options *Scan for potentially unwanted applications*, *Scan for potentially unsafe applications*, and *Enable Anti-Stealth Technology* are ticked.
Click *Scan*
Wait for the scan to finish
When the scan completes, press the *LIST OF THREATS FOUND* button
Press *EXPORT TO TEXT FILE*, name the file *ESETSCAN* and save it to your desktop.
Include the contents of this report in your next reply.
Press the *BACK* button.
Press *Finish*


----------



## Ashaman91 (Mar 23, 2011)

ComboFix 11-04-10.01 - User 04/11/2011 13:33:11.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1616 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
FILE ::
"c:\documents and settings\User\itptrherhl.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\itptrherhl.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMPINGSERVICE
-------\Legacy_TLNTSVR32
-------\Service_AMPingService
-------\Service_TlntSvr32
.
.
((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
.
.
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\windows\system32\xircom
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\windows\system32\wbem\snmp
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\program files\microsoft frontpage
2011-04-09 04:36 . 2011-04-09 04:36 -------- d--h--w- c:\windows\PIF
2011-04-09 02:45 . 2011-04-09 02:45 -------- d-----w- c:\program files\iPod
2011-04-09 02:45 . 2011-04-09 02:45 -------- d-----w- c:\program files\iTunes
2011-04-07 06:00 . 2011-04-07 06:17 -------- d-----w- c:\program files\Monstermarketplacecookie Removal Tool
2011-04-06 22:25 . 2004-08-04 07:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-06 22:17 . 2011-04-06 22:17 -------- d-----w- c:\documents and settings\User\Application Data\HpUpdate
2011-04-06 22:17 . 2010-06-14 20:19 264552 ----a-w- c:\windows\system32\hpinksts8911LM.dll
2011-04-06 22:17 . 2010-06-14 20:19 232296 ----a-w- c:\windows\system32\hpinksts8911.dll
2011-04-06 22:17 . 2010-06-14 20:19 213352 ----a-w- c:\windows\system32\hpinkcoi8911.dll
2011-04-06 22:16 . 2010-06-14 20:19 1907560 ----a-r- c:\windows\system32\HPScanMiniDrv_DJ1050_J410.dll
2011-04-06 22:13 . 2011-04-06 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-04-06 22:13 . 2011-04-06 22:18 -------- d-----w- c:\program files\HP
2011-04-06 22:13 . 2011-04-06 22:13 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\HP
2011-03-29 18:55 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-29 18:55 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-29 18:55 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-29 18:55 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-29 18:55 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-29 18:55 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-29 18:55 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-29 18:55 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-25 05:31 . 2011-03-25 05:31 -------- d-----w- c:\program files\Steam
2011-03-25 05:28 . 2011-03-25 05:28 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2011-03-23 01:40 . 2011-03-23 01:40 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-23 01:40 . 2011-03-23 01:40 -------- d-----w- c:\program files\Trend Micro
2011-03-23 01:35 . 2011-03-23 01:35 -------- d-----w- C:\ERDNT
2011-03-21 20:39 . 2011-03-21 20:41 -------- d-----w- c:\windows\system32\NtmsData
2011-03-21 20:30 . 2011-03-21 20:30 254464 ----a-w- c:\windows\system32\msscp32.dll
2011-03-21 20:30 . 2011-03-21 20:30 203776 ----a-w- c:\windows\system32\msscp32.exe
2011-03-21 03:48 . 2011-04-11 21:32 -------- d-----w- c:\windows\system32\CatRoot2
2011-03-21 03:26 . 2011-03-21 21:02 -------- d-----w- c:\program files\Microsoft
2011-03-21 03:26 . 2011-03-21 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2011-03-18 18:03 . 2011-03-25 15:13 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Temp
2011-03-18 18:03 . 2011-04-06 20:17 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Google
2011-03-16 19:45 . 2011-03-16 19:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 05:40 . 2010-05-02 20:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 03:19 . 2009-08-18 22:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-03-18 17:53 . 2011-03-29 18:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2007-01-15 . BB4D3A8E6F7EB1D370BC4AD27AB23368 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2011-04-11_20.04.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-11 21:39 . 2011-04-11 21:39 16384 c:\windows\temp\Perflib_Perfdata_6a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-01 1800464]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [N/A]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2009-8-21 925803]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
2004-12-08 19:41 229465 ----a-w- c:\windows\system32\PRISMGNA.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/18/2009 9:54 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/18/2009 9:54 AM 25160]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [8/21/2009 11:10 PM 57433]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z013&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 13:39
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\PRISMSVR.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-11 13:41:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-11 21:41
ComboFix2.txt 2011-04-11 20:06
.
Pre-Run: 12,013,936,640 bytes free
Post-Run: 12,010,528,768 bytes free
.
- - End Of File - - 1A58003B223A450D83AF342F5DD7BD9A

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/11/2011 1:49:39 PM
mbam-log-2011-04-11 (13-49-39).txt

Scan type: Quick scan
Objects scanned: 115661
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\38\44fe75a6-69d7f69a multiple threats
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\52\e649f74-3d6aff37 multiple threats
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\58\fa8f07a-4ac395e9 probably a variant of Win32/Agent.DYXWUMY trojan
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\9\12e90809-78d5cf12 multiple threats
C:\Documents and Settings\User\My Documents\Downloads\MonstermarketplacecookieRemovalTool.exe probably unknown NewHeur_PE virus
C:\Documents and Settings\User\My Documents\Downloads\Xvid-Setup-dm-9(2).exe Win32/Toolbar.Zugo application
C:\Documents and Settings\User\My Documents\Downloads\Xvid-Setup-dm-9.exe Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\extensions\{8c53d5b8-1799-48b4-9223-32856d477474}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\extensions\{8c53d5b8-1799-48b4-9223-32856d477474}\chrome\xulcache.jar.vir JS/Agent.NCP trojan
C:\Qoobox\Quarantine\C\Documents and Settings\User\Application Data\SysWin\lsass.exe.vir a variant of Win32/Kryptik.MGV trojan
C:\System Volume Information\_restore{7AED386F-6594-43DC-A3BE-40F6691CB2D2}\RP326\A0037870.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{7AED386F-6594-43DC-A3BE-40F6691CB2D2}\RP326\A0037871.exe a variant of Win32/Kryptik.MGV trojan
C:\WINDOWS\system32\msscp32.exe a variant of Win32/Kryptik.MGV trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ10.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ11.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ12.tmp  WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ13.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ14.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ15.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ16.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ17.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ18.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ19.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1A.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1B.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1C.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1D.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1E.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1F.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ20.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ21.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ22.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ23.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ24.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ25.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ26.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ27.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ28.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ29.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2A.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2B.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2C.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2D.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2E.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2F.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ30.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ31.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ32.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ33.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ34.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ35.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ36.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ37.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ38.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ39.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3A.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3B.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3C.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3D.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3E.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3F.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ4.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ40.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ41.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ42.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ43.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ44.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ6.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ7.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ8.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ9.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQA.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQB.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQC.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQD.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQE.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQF.tmp WMA/TrojanDownloader.GetCodec.C trojan
G:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\winrar.3.xx.generic.patch.exe a variant of Win32/HackTool.Patcher.A application
G:\Documents and Settings\User\My Documents\My Music\iTunes\iTunes Music\Apocalyptica - Fight Fire with Fire.mp3 WMA/TrojanDownloader.GetCodec.C trojan


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click *Start > Run*, type *Notepad*, click *OK*.
This will open an empty notepad file:

*Copy* all the text *inside of the code box* - *Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
http://forums.techguy.org/7889331-post10.html

Collect::
c:\windows\system32\msscp32.dll
c:\windows\system32\msscp32.exe

File::
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\38\44fe75a6-69d7f69a 
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\52\e649f74-3d6aff37 
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\58\fa8f07a-4ac395e9 
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\9\12e90809-78d5cf12 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1.tmp
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ10.tmp
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ11.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ12.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ13.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ14.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ15.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ16.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ17.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ18.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ19.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1A.tmp
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1B.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1C.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1D.tmp
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1E.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1F.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ20.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ21.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ22.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ23.tmp
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ24.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ25.tmp
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ26.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ27.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ28.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ29.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2A.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2B.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2C.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2D.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2E.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2F.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3.tmp
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ30.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ31.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ32.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ33.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ34.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ35.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ36.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ37.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ38.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ39.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3A.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3B.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3C.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3D.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3E.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3F.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ4.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ40.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ41.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ42.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ43.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ44.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ6.tmp
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ7.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ8.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ9.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQA.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQB.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQC.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQD.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQE.tmp 
G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQF.tmp 
G:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\winrar.3.xx.generic.patch.exe 
G:\Documents and Settings\User\My Documents\My Music\iTunes\iTunes Music\Apocalyptica - Fight Fire with Fire.mp3
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')
*Save this file to your desktop, Save this as "CFScript"*

Here's how to do that:

1. Click *File*;
2. Click *Save As*... Change the directory to your *desktop*;
3. Change the *Save as type* to *"All Files"*;
4. Type in the file name: *CFScript*
5. Click *Save ...*

Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. 
*Copy and paste the contents of the log in your next reply.*

CAUTION: *Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.


----------
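The CFScript above was built by hand from the ESET scan lines earlier in the thread, and the ComboFix log that follows echoes the same paths under "Other Deletions". As an added editor example (not CatByte's, ESET's or ComboFix's own code), the script below automates both halves of that workflow: it parses flattened ESET log lines of the form `<path> <detection> <type>` into a `File::` section, then reconciles a CFScript against the "Other Deletions" section of a ComboFix log so that any requested file ComboFix did not report removing is flagged for follow-up. The sample lines are shortened copies of the thread's own entries; the ComboFix sample is constructed and deliberately omits one path so the mismatch check has something to report.

```python
"""Build a ComboFix CFScript from ESET scan-log lines and reconcile it
against the 'Other Deletions' section of the resulting ComboFix log.
Added editor example, not code from the thread or from either tool."""
import re

# ESET log lines as they appear flattened in the thread:
#   <drive>:\<path>.<ext> <detection name> <threat type>
# The path may contain spaces, so we anchor on the file extension and on a
# known threat-type word at the end of the line instead of splitting on spaces.
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4})\s+"
    r"(?P<detection>.+?)\s+"
    r"(?P<kind>trojan|application|virus|worm|adware|backdoor|"
    r"potentially unwanted application)$",
    re.IGNORECASE,
)

# Abbreviated copies of lines posted in this thread (constructed sample input).
ESET_SAMPLE = [
    r"G:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1.tmp WMA/TrojanDownloader.GetCodec.C trojan",
    r"G:\Documents and Settings\All Users\Desktop\KEYGENS FOR PROGRAMS\winrar.3.xx.generic.patch.exe a variant of Win32/HackTool.Patcher.A application",
    r"G:\Documents and Settings\User\My Documents\My Music\iTunes\iTunes Music\Apocalyptica - Fight Fire with Fire.mp3 WMA/TrojanDownloader.GetCodec.C trojan",
]

# Constructed ComboFix log fragment in the thread's format; the .mp3 entry is
# left out on purpose so reconcile() has a miss to report.
COMBOFIX_SAMPLE = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\msscp32.dll
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1.tmp
g:\documents and settings\All Users\Desktop\KEYGENS FOR PROGRAMS\winrar.3.xx.generic.patch.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
"""


def parse_eset_line(line):
    """Return (path, detection, kind) for one ESET log line, or None."""
    m = ESET_LINE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("detection"), m.group("kind").lower()


def build_cfscript(eset_lines, collect=(), header=None):
    """Emit CFScript text: optional header line, Collect:: block, File:: block."""
    files = [p[0] for p in map(parse_eset_line, eset_lines) if p]
    parts = [header, ""] if header else []
    if collect:
        parts += ["Collect::", *collect, ""]
    parts += ["File::", *files]
    return "\n".join(parts) + "\n"


def parse_cfscript_files(text):
    """Return the paths listed under the File:: directive of a CFScript."""
    paths, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2].lower()
            continue
        if section == "file":
            paths.append(line)
    return paths


def parse_combofix_deletions(log_text):
    """Return the paths ComboFix lists under its 'Other Deletions' banner."""
    deleted, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("(((") and "Other Deletions" in line:
            in_section = True
            continue
        if line.startswith("(((") and in_section:
            break  # next banner ends the section
        if in_section and line and line != ".":
            deleted.append(line)
    return deleted


def reconcile(cfscript_text, combofix_log):
    """Paths the CFScript asked to remove that ComboFix did not report deleting.
    Comparison is case-insensitive because ComboFix lower-cases drive and folder names."""
    deleted = {p.lower() for p in parse_combofix_deletions(combofix_log)}
    return [p for p in parse_cfscript_files(cfscript_text) if p.lower() not in deleted]


if __name__ == "__main__":
    script = build_cfscript(ESET_SAMPLE,
                            collect=[r"c:\windows\system32\msscp32.dll"],
                            header="http://forums.techguy.org/7889331-post10.html")
    print(script)
    for path in reconcile(script, COMBOFIX_SAMPLE):
        print("NOT CONFIRMED DELETED:", path)
```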



## Ashaman91 (Mar 23, 2011)

ComboFix 11-04-11.02 - User 04/11/2011 17:42:32.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1513 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
FILE ::
"c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\38\44fe75a6-69d7f69a"
"c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\52\e649f74-3d6aff37"
"c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\58\fa8f07a-4ac395e9"
"c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\9\12e90809-78d5cf12"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ10.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ11.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ12.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ13.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ14.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ15.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ16.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ17.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ18.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ19.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1A.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1B.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1C.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1D.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1E.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1F.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ20.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ21.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ22.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ23.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ24.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ25.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ26.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ27.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ28.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ29.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2A.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2B.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2C.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2D.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2E.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2F.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ30.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ31.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ32.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ33.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ34.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ35.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ36.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ37.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ38.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ39.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3A.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3B.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3C.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3D.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3E.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3F.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ4.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ40.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ41.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ42.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ43.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ44.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ6.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ7.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ8.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ9.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQA.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQB.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQC.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQD.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQE.tmp"
"g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQF.tmp"
"g:\documents and settings\All Users\Desktop\KEYGENS FOR PROGRAMS\winrar.3.xx.generic.patch.exe"
"g:\documents and settings\User\My Documents\My Music\iTunes\iTunes Music\Apocalyptica - Fight Fire with Fire.mp3"
.
file zipped: c:\windows\system32\msscp32.dll
file zipped: c:\windows\system32\msscp32.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\38\44fe75a6-69d7f69a
c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\52\e649f74-3d6aff37
c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\58\fa8f07a-4ac395e9
c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\9\12e90809-78d5cf12
c:\windows\system32\msscp32.dll
c:\windows\system32\msscp32.exe
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ10.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ11.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ12.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ13.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ14.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ15.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ16.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ17.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ18.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ19.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1A.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1B.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1C.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1D.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1E.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1F.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ20.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ21.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ22.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ23.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ24.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ25.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ26.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ27.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ28.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ29.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2A.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2B.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2C.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2D.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2E.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ2F.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ30.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ31.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ32.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ33.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ34.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ35.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ36.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ37.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ38.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ39.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3A.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3B.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3C.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3D.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3E.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ3F.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ4.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ40.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ41.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ42.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ43.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ44.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ5.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ6.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ7.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ8.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ9.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQA.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQB.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQC.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQD.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQE.tmp
g:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQF.tmp
g:\documents and settings\All Users\Desktop\KEYGENS FOR PROGRAMS\winrar.3.xx.generic.patch.exe
g:\documents and settings\User\My Documents\My Music\iTunes\iTunes Music\Apocalyptica - Fight Fire with Fire.mp3
.
.
((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
.
.
2011-04-11 21:51 . 2011-04-11 21:51 -------- d-----w- c:\program files\ESET
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\windows\system32\xircom
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\windows\system32\wbem\snmp
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\program files\microsoft frontpage
2011-04-09 04:36 . 2011-04-09 04:36 -------- d--h--w- c:\windows\PIF
2011-04-09 02:45 . 2011-04-09 02:45 -------- d-----w- c:\program files\iPod
2011-04-09 02:45 . 2011-04-09 02:45 -------- d-----w- c:\program files\iTunes
2011-04-07 06:00 . 2011-04-07 06:17 -------- d-----w- c:\program files\Monstermarketplacecookie Removal Tool
2011-04-06 22:25 . 2004-08-04 07:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-06 22:17 . 2011-04-06 22:17 -------- d-----w- c:\documents and settings\User\Application Data\HpUpdate
2011-04-06 22:17 . 2010-06-14 20:19 264552 ----a-w- c:\windows\system32\hpinksts8911LM.dll
2011-04-06 22:17 . 2010-06-14 20:19 232296 ----a-w- c:\windows\system32\hpinksts8911.dll
2011-04-06 22:17 . 2010-06-14 20:19 213352 ----a-w- c:\windows\system32\hpinkcoi8911.dll
2011-04-06 22:16 . 2010-06-14 20:19 1907560 ----a-r- c:\windows\system32\HPScanMiniDrv_DJ1050_J410.dll
2011-04-06 22:13 . 2011-04-06 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-04-06 22:13 . 2011-04-06 22:18 -------- d-----w- c:\program files\HP
2011-04-06 22:13 . 2011-04-06 22:13 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\HP
2011-03-29 18:55 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-29 18:55 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-29 18:55 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-29 18:55 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-29 18:55 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-29 18:55 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-29 18:55 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-29 18:55 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-25 05:31 . 2011-03-25 05:31 -------- d-----w- c:\program files\Steam
2011-03-25 05:28 . 2011-03-25 05:28 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2011-03-23 01:40 . 2011-03-23 01:40 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-23 01:40 . 2011-03-23 01:40 -------- d-----w- c:\program files\Trend Micro
2011-03-23 01:35 . 2011-03-23 01:35 -------- d-----w- C:\ERDNT
2011-03-21 20:39 . 2011-03-21 20:41 -------- d-----w- c:\windows\system32\NtmsData
2011-03-21 03:48 . 2011-04-12 01:40 -------- d-----w- c:\windows\system32\CatRoot2
2011-03-21 03:26 . 2011-03-21 21:02 -------- d-----w- c:\program files\Microsoft
2011-03-21 03:26 . 2011-03-21 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2011-03-18 18:03 . 2011-03-25 15:13 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Temp
2011-03-18 18:03 . 2011-04-06 20:17 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Google
2011-03-16 19:45 . 2011-03-16 19:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 05:40 . 2010-05-02 20:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 03:19 . 2009-08-18 22:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-03-18 17:53 . 2011-03-29 18:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2007-01-15 . BB4D3A8E6F7EB1D370BC4AD27AB23368 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_20.04.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-12 01:47 . 2011-04-12 01:47 16384 c:\windows\temp\Perflib_Perfdata_38c.dat
+ 2009-11-07 22:19 . 2010-04-29 23:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2009-11-07 22:19 . 2009-09-10 22:54 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-11-07 22:19 . 2010-04-29 23:39 20952 c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-01 1800464]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [N/A]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2009-8-21 925803]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
2004-12-08 19:41 229465 ----a-w- c:\windows\system32\PRISMGNA.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/18/2009 9:54 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/18/2009 9:54 AM 25160]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [8/21/2009 11:10 PM 57433]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z013&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 17:48
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\PRISMSVR.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-11 17:50:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-12 01:50
ComboFix2.txt 2011-04-11 21:41
ComboFix3.txt 2011-04-11 20:06
.
Pre-Run: 11,949,289,472 bytes free
Post-Run: 11,704,889,344 bytes free
.
- - End Of File - - A9036E994F723883448676E95B905E2B
Upload was successful


----------



## CatByte (Feb 24, 2009)

Please do the following:

Visit *ADOBE* and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

*NEXT*

Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues.


----------



## Ashaman91 (Mar 23, 2011)

Downloaded the new Adobe and here is the new DDS log.
I haven't had it redirect me yet, so let's hope everything is OK.
.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by User at 19:09:10.21 on Mon 04/11/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1252 [GMT -8:00]
.
FW: ActiveArmor Firewall *Disabled* 
FW: COMODO Firewall *Disabled* 
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z013&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DVDTray] c:\program files\ahead\odd toolkit\DVDTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANwA5ADQAMwA4ADUAMgAxAC0AQgAyAC0ARgBQADkAKwAzAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQA"&"prod=90"&"ver=9.0.894
StartupFolder: c:\docume~1\user\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\dell wireless\PRISMCFG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL
Notify: PRISMGNA.DLL - PRISMGNA.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\lhgy4ups.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\tvuplayer\npTVUAx.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-8-18 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-8-18 25160]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-8-18 723632]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2009-8-21 57433]
.
=============== Created Last 30 ================
.
2011-04-11 21:51:35 -------- d-----w- c:\program files\ESET
2011-04-11 04:50:27 -------- d-----w- c:\windows\system32\xircom
2011-04-11 04:50:27 -------- d-----w- c:\windows\system32\wbem\snmp
2011-04-11 04:41:20 -------- d-sha-r- C:\cmdcons
2011-04-11 04:38:08 98816 ----a-w- c:\windows\sed.exe
2011-04-11 04:38:08 89088 ----a-w- c:\windows\MBR.exe
2011-04-11 04:38:08 256512 ----a-w- c:\windows\PEV.exe
2011-04-11 04:38:08 161792 ----a-w- c:\windows\SWREG.exe
2011-04-09 04:36:18 -------- d--h--w- c:\windows\PIF
2011-04-09 02:45:03 -------- d-----w- c:\program files\iPod
2011-04-09 02:45:00 -------- d-----w- c:\program files\iTunes
2011-04-07 06:00:31 -------- d-----w- c:\program files\Monstermarketplacecookie Removal Tool
2011-04-06 22:25:09 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-06 22:17:58 -------- d-----w- c:\docume~1\user\applic~1\HpUpdate
2011-04-06 22:17:37 264552 ----a-w- c:\windows\system32\hpinksts8911LM.dll
2011-04-06 22:17:37 232296 ----a-w- c:\windows\system32\hpinksts8911.dll
2011-04-06 22:17:36 213352 ----a-w- c:\windows\system32\hpinkcoi8911.dll
2011-04-06 22:16:16 1907560 ----a-r- c:\windows\system32\HPScanMiniDrv_DJ1050_J410.dll
2011-04-06 22:13:52 -------- d-----w- c:\program files\HP
2011-04-06 22:13:18 -------- d-----w- c:\docume~1\user\locals~1\applic~1\HP
2011-03-29 18:55:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-29 18:55:07 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-29 18:55:07 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-29 18:55:07 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-29 18:55:07 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-29 18:55:07 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-29 18:55:07 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-29 18:55:07 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-25 05:31:52 -------- d-----w- c:\program files\Steam
2011-03-25 05:28:48 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2011-03-23 01:40:06 388096 ----a-r- c:\docume~1\user\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-23 01:40:05 -------- d-----w- c:\program files\Trend Micro
2011-03-23 01:35:53 -------- d-----w- C:\ERDNT
2011-03-21 20:39:52 -------- d-----w- c:\windows\system32\NtmsData
2011-03-21 03:48:28 -------- d-----w- c:\windows\system32\CatRoot2
2011-03-21 03:26:30 -------- d-----w- c:\program files\Microsoft
2011-03-21 03:26:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2011-03-18 18:03:35 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Temp
2011-03-18 18:03:29 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Google
2011-03-16 19:45:27 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
.
==================== Find3M ====================
.
2011-02-03 05:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 03:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 19:14:22.14 ===============


----------



## CatByte (Feb 24, 2009)

I just want a look into a couple of folders:

Please do the following:


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click *Start > Run*, type *Notepad*, click *OK*.
This will open an empty notepad file:

*Copy* all the text *inside of the code box* - *Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
DirLook::
c:\docume~1\user\locals~1\applic~1\Temp
c:\docume~1\user\locals~1\applic~1\Google
c:\docume~1\alluse~1\applic~1\Common Files
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')
*Save this file to your desktop. Save this as "CFScript".*

Here's how to do that:

1. Click *File*;
2. Click *Save As*... Change the directory to your *desktop*;
3. Change the *Save as type* to *"All Files"*;
4. Type in the file name: *CFScript*
5. Click *Save...*

Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. 
*Copy and paste the contents of the log in your next reply.*

CAUTION: *Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.


----------
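The DirLook listing requested above, like the Sigcheck, Reg Loading Points and firewall-policy sections of the earlier ComboFix and DDS logs, is read by eye in this thread. The script below is an added example and is not code from the thread, from ComboFix or from DDS: it parses lines in the shape those tools print and applies a handful of triage rules (a hidden file with a GUID-style name, a Sigcheck entry ComboFix marked `[-]`, an autostart entry whose target it could not verify (`[N/A]` or `[X]`), a firewall profile switched off, and anything created inside a date window). The sample lines are constructed to mirror the posted output, and the rule names, the attribute-letter reading and the window dates are assumptions made for the example.

```python
"""Triage rules for the ComboFix / DDS log lines pasted in this thread.

Added example, not part of the thread, ComboFix or DDS. Rule names, the
attribute-letter reading and the date window are assumptions; the sample
lines are constructed to match the shape of the posted logs.
"""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# ComboFix file lines: "<created> . <modified> <size|--------> <attrs> <path>".
# DDS "Created Last 30" lines carry a single timestamp with seconds.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?))?"
    r" (?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)
# Sigcheck: "[<mark>] <date> . <md5> . <size> . . [<version>] . . <path>".
# "[-]" is the mark ComboFix printed for tcpip.sys in this thread.
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]+)\] .*? (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+)"
    r" .* (?P<path>[A-Za-z]:\\.*)$"
)
# Autostart entries whose target ComboFix could not verify end in [N/A] or [X].
AUTOSTART_RE = re.compile(r"^(?P<entry>.+?) \[(?P<tag>N/A|X)\]\s*$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
GUID_NAME_RE = re.compile(r"^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)


@dataclass
class FileEntry:
    created: datetime
    size: Optional[int]  # None for directories ("--------")
    attrs: str
    path: str

    # Attribute letters as ComboFix prints them, e.g. "d-sha-r-" for C:\cmdcons:
    # d=directory, s=system, h=hidden, a=archive, r=read-only / w=writable.
    # Assumption: the remaining positions are flags this helper does not read.
    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def name(self) -> str:
        return ntpath.basename(self.path)  # Windows separators, host-independent


@dataclass
class Finding:
    rule: str
    line: str


def parse_ts(text: str) -> datetime:
    fmt = "%Y-%m-%d %H:%M:%S" if text.count(":") == 2 else "%Y-%m-%d %H:%M"
    return datetime.strptime(text, fmt)


def parse_file_entry(line: str) -> Optional[FileEntry]:
    """Return a FileEntry for a ComboFix/DDS file line, or None for other lines."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return FileEntry(parse_ts(m["created"]), size, m["attrs"], m["path"])


def triage(log: str, window: Tuple[datetime, datetime]) -> List[Finding]:
    """Apply every rule to every line; window is [start, end) on creation time."""
    start, end = window
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_file_entry(line)
        if entry:
            if start <= entry.created < end:
                findings.append(Finding("created_in_window", line))
            if entry.hidden and not entry.is_dir and GUID_NAME_RE.match(entry.name):
                findings.append(Finding("hidden_guid_file", line))
            continue
        m = SIGCHECK_RE.match(line)
        if m and m["status"].strip() == "-":
            findings.append(Finding("sigcheck_flagged", line))
            continue
        if AUTOSTART_RE.match(line):
            findings.append(Finding("autostart_target_unverified", line))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall_disabled", line))
    return findings


# Constructed sample: the shape of lines seen in the thread's logs.
SAMPLE_LOG = r"""
2011-03-16 19:45 . 2011-03-16 19:45 96 ---ha-w- c:\docume~1\alluse~1\applic~1\Common Files\FFD9DA98-C878-B085-7DE9-298D4644898C
2011-03-23 01:40 . 2011-03-23 01:40 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-11 04:41:20 -------- d-sha-r- C:\cmdcons
[-] 2007-01-15 . BB4D3A8E6F7EB1D370BC4AD27AB23368 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
"AvgUninstallURL"="start http:" [X]
"EnableFirewall"= 0 (0x0)
"""

# Assumption: the days before the user's first post, when the redirects began.
WINDOW = (datetime(2011, 3, 16), datetime(2011, 3, 22))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, WINDOW):
        print(f"{f.rule:28} {f.line}")
```

The rules are prompts for a human to follow up, not verdicts: a hidden GUID-named file in a shared Application Data folder and an unverifiable autostart target are the kind of thing a helper would ask about next, while the `[-]` on a core driver only says ComboFix could not vouch for it. Feed it a whole pasted log and narrow the window to the days around the first symptom.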



## Ashaman91 (Mar 23, 2011)

ComboFix 11-04-11.02 - User 04/11/2011 19:38:07.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1595 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
.
.
2011-04-11 21:51 . 2011-04-11 21:51 -------- d-----w- c:\program files\ESET
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\windows\system32\xircom
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\windows\system32\wbem\snmp
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\program files\microsoft frontpage
2011-04-09 04:36 . 2011-04-09 04:36 -------- d--h--w- c:\windows\PIF
2011-04-09 02:45 . 2011-04-09 02:45 -------- d-----w- c:\program files\iPod
2011-04-09 02:45 . 2011-04-09 02:45 -------- d-----w- c:\program files\iTunes
2011-04-07 06:00 . 2011-04-07 06:17 -------- d-----w- c:\program files\Monstermarketplacecookie Removal Tool
2011-04-06 22:25 . 2004-08-04 07:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-06 22:17 . 2011-04-06 22:17 -------- d-----w- c:\documents and settings\User\Application Data\HpUpdate
2011-04-06 22:17 . 2010-06-14 20:19 264552 ----a-w- c:\windows\system32\hpinksts8911LM.dll
2011-04-06 22:17 . 2010-06-14 20:19 232296 ----a-w- c:\windows\system32\hpinksts8911.dll
2011-04-06 22:17 . 2010-06-14 20:19 213352 ----a-w- c:\windows\system32\hpinkcoi8911.dll
2011-04-06 22:16 . 2010-06-14 20:19 1907560 ----a-r- c:\windows\system32\HPScanMiniDrv_DJ1050_J410.dll
2011-04-06 22:13 . 2011-04-06 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-04-06 22:13 . 2011-04-06 22:18 -------- d-----w- c:\program files\HP
2011-04-06 22:13 . 2011-04-06 22:13 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\HP
2011-03-29 18:55 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-29 18:55 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-29 18:55 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-29 18:55 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-29 18:55 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-29 18:55 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-29 18:55 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-29 18:55 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-25 05:31 . 2011-03-25 05:31 -------- d-----w- c:\program files\Steam
2011-03-25 05:28 . 2011-03-25 05:28 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2011-03-23 01:40 . 2011-03-23 01:40 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-23 01:40 . 2011-03-23 01:40 -------- d-----w- c:\program files\Trend Micro
2011-03-23 01:35 . 2011-03-23 01:35 -------- d-----w- C:\ERDNT
2011-03-21 20:39 . 2011-03-21 20:41 -------- d-----w- c:\windows\system32\NtmsData
2011-03-21 03:48 . 2011-04-12 03:36 -------- d-----w- c:\windows\system32\CatRoot2
2011-03-21 03:26 . 2011-03-21 21:02 -------- d-----w- c:\program files\Microsoft
2011-03-21 03:26 . 2011-03-21 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2011-03-18 18:03 . 2011-04-12 03:08 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Temp
2011-03-18 18:03 . 2011-04-06 20:17 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Google
2011-03-16 19:45 . 2011-03-16 19:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 05:40 . 2010-05-02 20:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 03:19 . 2009-08-18 22:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-03-18 17:53 . 2011-03-29 18:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\docume~1\alluse~1\applic~1\Common Files ----
.
2011-03-16 19:45 . 2011-03-16 19:45 96 ---ha-w- c:\docume~1\alluse~1\applic~1\Common Files\FFD9DA98-C878-B085-7DE9-298D4644898C
.
---- Directory of c:\docume~1\user\locals~1\applic~1\Google ----
.
2011-03-28 06:26 . 2011-03-25 15:15 505 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Bookmarks.bak
2011-03-25 15:15 . 2011-03-29 18:41 1443 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Local State
2011-03-25 15:15 . 2011-03-29 18:41 206 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Current Tabs
2011-03-25 15:15 . 2011-03-28 06:26 373 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Last Tabs
2011-03-25 15:15 . 2011-03-25 15:15 19456 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Plugin Data\Google Gears\permissions.db
2011-03-25 15:15 . 2011-03-25 15:15 17408 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Plugin Data\Google Gears\localserver.db
2011-03-25 15:15 . 2011-03-25 15:15 8192 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Cache\data_3
2011-03-25 15:15 . 2011-03-25 15:15 8192 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Cache\data_2
2011-03-25 15:15 . 2011-03-29 18:41 270336 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Cache\data_1
2011-03-25 15:15 . 2011-03-29 18:41 45056 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Cache\data_0
2011-03-25 15:15 . 2011-03-25 15:15 262512 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Cache\index
2011-03-25 15:15 . 2011-03-29 18:41 254 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Current Session
2011-03-25 15:15 . 2011-03-28 06:26 414 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Last Session
2011-03-25 15:15 . 2011-03-25 15:15 505 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Bookmarks
2011-03-25 15:15 . 2011-03-25 15:15 131072 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Visited Links
2011-03-25 15:15 . 2011-03-25 15:15 6144 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Cookies
2011-03-25 15:15 . 2011-03-25 15:15 0 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\User StyleSheets\Custom.css
2011-03-25 15:15 . 2011-03-29 18:41 61440 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Web Data
2011-03-25 15:15 . 2011-03-25 15:15 86016 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\History Index 2011-03
2011-03-25 15:15 . 2011-03-25 15:15 53248 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Archived History
2011-03-25 15:15 . 2011-03-25 15:15 10240 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Favicons
2011-03-25 15:15 . 2011-03-25 15:15 143360 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\History
2011-03-25 15:15 . 2011-03-29 18:41 1665 ----a-w- c:\docume~1\user\locals~1\applic~1\Google\Chrome\User Data\Default\Preferences
.
---- Directory of c:\docume~1\user\locals~1\applic~1\Temp ----
.
.
.
------- Sigcheck -------
.
[-] 2007-01-15 . BB4D3A8E6F7EB1D370BC4AD27AB23368 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_20.04.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-12 01:47 . 2011-04-12 01:47 16384 c:\windows\temp\Perflib_Perfdata_38c.dat
+ 2009-11-07 22:19 . 2010-04-29 23:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2009-11-07 22:19 . 2009-09-10 22:54 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-11-07 22:19 . 2010-04-29 23:39 20952 c:\windows\system32\drivers\mbam.sys
+ 2010-11-10 20:49 . 2010-11-10 20:49 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\ViewerPS.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\reader_sl.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlr.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\eula.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrotextextractor.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32Info.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acroiehelpershim.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroIEHelper.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\Acrofx32.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\pdfshell.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\nppdf32.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\JP2KLib.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AiodLite.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroPDF.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrobroker.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\a3dutils.dll
+ 2011-04-12 03:08 . 2011-04-12 03:08 2283008 c:\windows\Installer\495ac4.msi
+ 2010-11-10 20:49 . 2010-11-10 20:49 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\rt3d.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\authplay.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AGM.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AdobeCollabSync.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.exe
+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\495ac5.msp
+ 2010-11-10 20:49 . 2010-11-10 20:49 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-01 1800464]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [N/A]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2009-8-21 925803]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
2004-12-08 19:41 229465 ----a-w- c:\windows\system32\PRISMGNA.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/18/2009 9:54 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/18/2009 9:54 AM 25160]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [8/21/2009 11:10 PM 57433]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z013&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 19:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2760)
c:\windows\system32\msi.dll
.
Completion time: 2011-04-11 19:43:10
ComboFix-quarantined-files.txt 2011-04-12 03:43
ComboFix2.txt 2011-04-12 01:51
ComboFix3.txt 2011-04-11 21:41
ComboFix4.txt 2011-04-11 20:06
.
Pre-Run: 11,353,595,904 bytes free
Post-Run: 11,360,190,464 bytes free
.
- - End Of File - - E0BAE0777963A900A1CE9CD9270F6475


----------



## CatByte (Feb 24, 2009)

Hi

Please do the following:


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click* Start > Run* type *Notepad* click *OK.*
This will open an empty notepad file:

*Copy* all the text *inside of the code box* - *Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
http://forums.techguy.org/7889598-post16.html

Collect::
c:\docume~1\alluse~1\applic~1\Common Files\FFD9DA98-C878-B085-7DE9-298D4644898C

Folder::
c:\docume~1\user\locals~1\applic~1\Temp
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')
*Save this file to your desktop, save this as "CFScript"*

Here's how to do that:

1. Click *File*;
2. Click *Save As*... Change the directory to your *desktop*;
3. Change the *Save as type* to *"All Files"*;
4. Type in the file name: *CFScript*
5. Click *Save ...*

Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. 
*Copy and paste the contents of the log in your next reply.*

CAUTION: *Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.


----------



## Ashaman91 (Mar 23, 2011)

ComboFix 11-04-11.02 - User 04/11/2011 20:14:55.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1559 [GMT -8:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
file zipped: c:\docume~1\alluse~1\applic~1\Common Files\FFD9DA98-C878-B085-7DE9-298D4644898C
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\alluse~1\applic~1\Common Files\FFD9DA98-C878-B085-7DE9-298D4644898C
c:\docume~1\user\locals~1\applic~1\Temp
.
.
((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
.
.
2011-04-11 21:51 . 2011-04-11 21:51 -------- d-----w- c:\program files\ESET
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\windows\system32\xircom
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\windows\system32\wbem\snmp
2011-04-11 04:50 . 2011-04-11 04:50 -------- d-----w- c:\program files\microsoft frontpage
2011-04-09 04:36 . 2011-04-09 04:36 -------- d--h--w- c:\windows\PIF
2011-04-09 02:45 . 2011-04-09 02:45 -------- d-----w- c:\program files\iPod
2011-04-09 02:45 . 2011-04-09 02:45 -------- d-----w- c:\program files\iTunes
2011-04-07 06:00 . 2011-04-07 06:17 -------- d-----w- c:\program files\Monstermarketplacecookie Removal Tool
2011-04-06 22:25 . 2004-08-04 07:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-06 22:17 . 2011-04-06 22:17 -------- d-----w- c:\documents and settings\User\Application Data\HpUpdate
2011-04-06 22:17 . 2010-06-14 20:19 264552 ----a-w- c:\windows\system32\hpinksts8911LM.dll
2011-04-06 22:17 . 2010-06-14 20:19 232296 ----a-w- c:\windows\system32\hpinksts8911.dll
2011-04-06 22:17 . 2010-06-14 20:19 213352 ----a-w- c:\windows\system32\hpinkcoi8911.dll
2011-04-06 22:16 . 2010-06-14 20:19 1907560 ----a-r- c:\windows\system32\HPScanMiniDrv_DJ1050_J410.dll
2011-04-06 22:13 . 2011-04-06 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2011-04-06 22:13 . 2011-04-06 22:18 -------- d-----w- c:\program files\HP
2011-04-06 22:13 . 2011-04-06 22:13 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\HP
2011-03-29 18:55 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-29 18:55 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-29 18:55 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-29 18:55 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-29 18:55 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-29 18:55 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-29 18:55 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-29 18:55 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-25 05:31 . 2011-03-25 05:31 -------- d-----w- c:\program files\Steam
2011-03-25 05:28 . 2011-03-25 05:28 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2011-03-23 01:40 . 2011-03-23 01:40 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-23 01:40 . 2011-03-23 01:40 -------- d-----w- c:\program files\Trend Micro
2011-03-23 01:35 . 2011-03-23 01:35 -------- d-----w- C:\ERDNT
2011-03-21 20:39 . 2011-03-21 20:41 -------- d-----w- c:\windows\system32\NtmsData
2011-03-21 03:48 . 2011-04-12 04:14 -------- d-----w- c:\windows\system32\CatRoot2
2011-03-21 03:26 . 2011-03-21 21:02 -------- d-----w- c:\program files\Microsoft
2011-03-21 03:26 . 2011-03-21 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2011-03-18 18:03 . 2011-04-06 20:17 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Google
2011-03-16 19:45 . 2011-04-12 04:16 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 05:40 . 2010-05-02 20:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 03:19 . 2009-08-18 22:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-03-18 17:53 . 2011-03-29 18:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2007-01-15 . BB4D3A8E6F7EB1D370BC4AD27AB23368 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_20.04.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-12 04:18 . 2011-04-12 04:18 16384 c:\windows\temp\Perflib_Perfdata_448.dat
- 2009-11-07 22:19 . 2009-09-10 22:54 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-11-07 22:19 . 2010-04-29 23:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-11-07 22:19 . 2010-04-29 23:39 20952 c:\windows\system32\drivers\mbam.sys
+ 2010-11-10 20:49 . 2010-11-10 20:49 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\ViewerPS.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\reader_sl.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlr.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\eula.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrotextextractor.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32Info.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acroiehelpershim.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroIEHelper.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\Acrofx32.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\pdfshell.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\nppdf32.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\JP2KLib.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AiodLite.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroPDF.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrobroker.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\a3dutils.dll
+ 2011-04-12 03:08 . 2011-04-12 03:08 2283008 c:\windows\Installer\495ac4.msi
+ 2010-11-10 20:49 . 2010-11-10 20:49 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\rt3d.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\authplay.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AGM.dll
+ 2010-11-10 20:49 . 2010-11-10 20:49 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AdobeCollabSync.exe
+ 2010-11-10 20:49 . 2010-11-10 20:49 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.exe
+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\495ac5.msp
+ 2010-11-10 20:49 . 2010-11-10 20:49 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-01 1800464]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [N/A]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2009-8-21 925803]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMGNA.DLL]
2004-12-08 19:41 229465 ----a-w- c:\windows\system32\PRISMGNA.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/18/2009 9:54 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/18/2009 9:54 AM 25160]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [8/21/2009 11:10 PM 57433]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\User\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\User\LOCALS~1\Temp\CFcatchme.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z013&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lhgy4ups.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 20:18
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\PRISMSVR.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-11 20:20:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-12 04:20
ComboFix2.txt 2011-04-12 03:43
ComboFix3.txt 2011-04-12 01:51
ComboFix4.txt 2011-04-11 21:41
ComboFix5.txt 2011-04-12 04:14
.
Pre-Run: 11,381,030,912 bytes free
Post-Run: 11,368,341,504 bytes free
.
- - End Of File - - 1C02021C48F487374A3CDF41174F8AAD
Upload was successful


----------



## CatByte (Feb 24, 2009)

Hi

Just some housekeeping to do now,

please do the following:

You can delete the *DDS* and *GMER* logs and programs from your desktop.

*NEXT*

*Follow these steps to uninstall Combofix *


Make sure your security programs are totally disabled.
Click *START* then *RUN*
Now copy/paste *Combofix /uninstall* into the *runbox* and click *OK*. Note the *space* between the *..X* and the */U*; it needs to be there.

*If there are any logs/tools remaining on your desktop > right click and delete them.*

*NEXT*

Below I have included a number of recommendations for how to protect your computer against malware infections.


It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article: *Strong passwords: How to create and use them*. Then consider a *password keeper* to keep all your passwords safe.

Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

*Make Internet Explorer more secure*
Click *Start* > *Run*
Type *Inetcpl.cpl* & click *OK*
Click on the *Security* tab
Click *Reset all zones to default level*
Make sure the *Internet Zone* is selected & Click *Custom level*
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click *OK*, then *Apply* button and then *OK* to exit the Internet Properties page.
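To verify those three ActiveX settings (or apply them) without clicking through the dialog, here is an added PowerShell check; it is not part of CatByte's post. It assumes the Internet zone lives at zone 3 under the HKCU Internet Settings key, using the documented value names 1001, 1004 and 1201 with 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# three Internet-zone ActiveX settings the post changes through Inetcpl.cpl.
# Assumption: Internet zone = zone 3 under HKCU Internet Settings, with the
# documented value names 1001/1004/1201 and 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Target state from the post: the two download options to Prompt,
# "Initialize and script ... not marked as safe" to Disable.
$Recommended = @(
    @{ Value = '1001'; Setting = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Value = '1004'; Setting = 'Download unsigned ActiveX controls';                        Want = 1 },
    @{ Value = '1201'; Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)

function Get-ActiveXZoneAudit {
    param([switch]$Fix)   # with -Fix, rewrite any non-compliant value

    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($item in $Recommended) {
        $current   = $props.($item.Value)
        $compliant = ($null -ne $current) -and ([int]$current -eq $item.Want)

        if (-not $compliant -and $Fix) {
            Set-ItemProperty -Path $ZonePath -Name $item.Value -Value $item.Want -Type DWord
            $current   = $item.Want
            $compliant = $true
        }

        # Translate the raw DWORD into the label shown in the Security tab.
        $currentLabel = if ($null -eq $current) { 'not set' }
                        elseif ($Labels.ContainsKey([int]$current)) { $Labels[[int]$current] }
                        else { "unknown ($current)" }

        [pscustomobject]@{
            Value       = $item.Value
            Setting     = $item.Setting
            Current     = $currentLabel
            Recommended = $Labels[$item.Want]
            Compliant   = $compliant
        }
    }
}

# Report only; run Get-ActiveXZoneAudit -Fix to apply the recommended values.
Get-ActiveXZoneAudit | Format-Table -AutoSize
```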

*Download* *TFC* *to your desktop*
Close any open windows.
Double click the *TFC* icon to run the program
TFC *will close all open programs itself* in order to run.
Click the *Start* button to begin the process.
Allow *TFC* to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically *reboot your machine*;
if it doesn't, manually reboot to ensure a complete clean.
*It's normal after running TFC cleaner that the PC will be slower to boot the first time.*

*WOT*, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
*Green* to go 
*Yellow* for caution 
*Red* to stop
WOT has an add-on available for both Firefox and IE.

*Keep a backup of your important files* - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
*PC Safety and Security--What Do I Need?*

*Be very wary of any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.*

Should you wish to contribute to my ongoing fight against malware, donations are being accepted *>>Here<<*

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.


----------



## Ashaman91 (Mar 23, 2011)

Thank you for all your help, I really appreciate it.


----------



## CatByte (Feb 24, 2009)

you are welcome

stay safe

~CB


----------

