ironoxide

Members

View Profile See their activity

Posts
11
Joined
July 2, 2012
Last visited
July 5, 2012

Content Type

All Activity

Events

Profiles

Forums

Topics
Posts

Everything posted by ironoxide

pum.hijackstartupmenu help

ironoxide replied to ironoxide's topic in Resolved Malware Removal Logs

Looks good - many, many thanks for your help!!
- July 5, 2012
- 19 replies
pum.hijackstartupmenu help

ironoxide replied to ironoxide's topic in Resolved Malware Removal Logs

Here it is: Status: Deleted (events: 4) 7/4/2012 11:29:10 AM Deleted Trojan program Trojan-FakeAV.Win32.SmartFixer.ajo C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{9BB1116C-DBCB-A01E-7575-44737EAFF9BB}-DKgPKMxgvSnGH.exe High 7/4/2012 11:29:10 AM Deleted Trojan program Trojan-FakeAV.Win32.SmartFixer.ajo C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{9BB1116C-DBCB-A01E-7575-44737EAFF9BB}-DKgPKMxgvSnGH.exe//PE-Crypt.XorPE High 7/4/2012 11:29:20 AM Deleted Trojan program Trojan-FakeAV.Win32.SmartFixer.ajo C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{EC25C262-5395-DD83-EFD5-E3A2F0AC4EBA}-DKgPKMxgvSnGH.exe High 7/4/2012 11:29:20 AM Deleted Trojan program Trojan-FakeAV.Win32.SmartFixer.ajo C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{EC25C262-5395-DD83-EFD5-E3A2F0AC4EBA}-DKgPKMxgvSnGH.exe//PE-Crypt.XorPE High Thanks!
- July 5, 2012
- 19 replies
pum.hijackstartupmenu help

ironoxide replied to ironoxide's topic in Resolved Malware Removal Logs

Here it is: ESETSmartInstaller@High as CAB hook log: OnlineScanner64.ocx - registred OK OnlineScanner.ocx - registred OK Thanks
- July 3, 2012
- 19 replies
pum.hijackstartupmenu help

ironoxide replied to ironoxide's topic in Resolved Malware Removal Logs

Here's the combofix log: ComboFix 12-07-02.01 - Clay 07/03/2012 15:43:30.2.2 - x64 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4093.2366 [GMT -4:00] Running from: c:\users\Clay\Desktop\ComboFix.exe Command switches used :: c:\users\Clay\Desktop\CFScript.txt AV: McAfee VirusScan *Disabled/Outdated* {2A28CCAF-2E53-0F80-A82C-9572D1C24D8C} FW: McAfee Personal Firewall *Disabled* {12134D8A-643C-0ED8-8373-3C472F110AF7} SP: McAfee VirusScan *Disabled/Outdated* {91492D4B-0869-000E-929C-AE00AA450731} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((( Files Created from 2012-06-03 to 2012-07-03 ))))))))))))))))))))))))))))))) . . 2012-07-03 20:40 . 2012-07-03 20:40 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-03 13:17 . 2012-07-03 20:45 -------- d-----w- c:\users\Clay\AppData\Local\temp 2012-06-28 15:00 . 2012-06-28 15:00 -------- d-----w- c:\windows\Sun 2012-06-27 15:18 . 2012-06-27 15:18 -------- d-----w- c:\users\Clay\AppData\Local\ElevatedDiagnostics 2012-06-23 19:45 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-23 19:45 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-23 19:45 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-23 19:45 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-23 19:44 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-23 19:44 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-23 19:44 . 2012-06-02 22:12 88576 ----a-w- c:\windows\SysWow64\wudriver.dll 2012-06-23 19:44 . 2012-06-02 22:19 35864 ----a-w- c:\windows\SysWow64\wups.dll 2012-06-23 19:44 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-23 19:44 . 2012-06-02 22:19 577048 ----a-w- c:\windows\SysWow64\wuapi.dll 2012-06-23 19:44 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-23 19:44 . 2012-06-02 19:19 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll 2012-06-23 19:44 . 2012-06-02 19:12 33792 ----a-w- c:\windows\SysWow64\wuapp.exe 2012-06-23 19:44 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe 2012-06-19 12:52 . 2012-06-19 12:52 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll 2012-06-19 12:52 . 2012-06-19 12:52 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll 2012-06-13 18:21 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-06-13 18:21 . 2012-05-15 20:15 2767360 ----a-w- c:\windows\system32\win32k.sys 2012-06-13 18:21 . 2012-04-23 16:25 174592 ----a-w- c:\windows\system32\cryptsvc.dll 2012-06-13 18:21 . 2012-04-23 16:25 132096 ----a-w- c:\windows\system32\cryptnet.dll 2012-06-13 18:21 . 2012-04-23 16:25 1267200 ----a-w- c:\windows\system32\crypt32.dll 2012-06-13 18:21 . 2012-04-23 16:00 984064 ----a-w- c:\windows\SysWow64\crypt32.dll 2012-06-13 18:21 . 2012-04-23 16:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll 2012-06-13 18:21 . 2012-04-23 16:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll 2012-06-08 13:42 . 2012-06-08 13:42 -------- d-----w- c:\users\Clay\AppData\Local\MicroVision Applications . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-18 07:12 . 2012-07-03 14:20 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D9F6A11A-ED22-4172-902D-B976F55A4A13}\mpengine.dll 2012-05-31 04:04 . 2012-07-03 02:36 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D16200FB-14FB-4BBD-A41C-3D8C4453EDCF}\mpengine.dll 2012-05-31 04:04 . 2012-07-01 18:09 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-05-23 18:22 . 2012-05-23 18:22 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2012-05-07 11:56 . 2012-05-07 11:56 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll 2012-05-07 11:56 . 2010-04-17 13:52 472864 ----a-w- c:\windows\SysWow64\deployJava1.dll 2012-04-18 18:05 . 2012-04-18 18:05 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-04-18 18:05 . 2012-04-18 18:05 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl . . ((((((((((((((((((((((((((((( SnapShot@2012-07-03_13.22.04 ))))))))))))))))))))))))))))))))))))))))) . - 2008-01-21 03:20 . 2012-07-02 15:01 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2008-01-21 03:20 . 2012-07-03 13:23 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat - 2008-01-21 03:20 . 2012-07-02 15:01 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat + 2008-01-21 03:20 . 2012-07-03 13:23 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat + 2008-01-21 03:20 . 2012-07-03 13:23 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat - 2008-01-21 03:20 . 2012-07-02 15:01 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat + 2008-01-21 02:23 . 2012-07-03 20:46 75246 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin + 2006-11-02 15:45 . 2012-07-03 20:46 79050 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin + 2009-01-24 00:27 . 2012-07-03 20:46 12138 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3685218258-2805400690-4016621145-1000_UserData.bin - 2012-07-03 13:19 . 2012-07-03 13:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat + 2012-07-03 20:43 . 2012-07-03 20:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat + 2012-07-03 20:43 . 2012-07-03 20:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - 2012-07-03 13:19 . 2012-07-03 13:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat + 2009-01-24 22:10 . 2012-07-03 18:39 369106 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin + 2006-11-02 12:46 . 2012-07-03 13:27 606630 c:\windows\system32\perfh009.dat - 2006-11-02 12:46 . 2012-07-03 12:16 606630 c:\windows\system32\perfh009.dat + 2006-11-02 12:46 . 2012-07-03 13:27 105230 c:\windows\system32\perfc009.dat - 2006-11-02 12:46 . 2012-07-03 12:16 105230 c:\windows\system32\perfc009.dat + 2010-01-23 02:07 . 2012-02-23 14:18 279656 c:\windows\system32\MpSigStub.exe - 2010-01-23 02:07 . 2012-01-31 12:44 279656 c:\windows\system32\MpSigStub.exe + 2011-02-10 20:45 . 2012-07-03 20:42 442432 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat - 2011-02-10 20:45 . 2012-07-03 13:18 442432 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat + 2011-03-04 03:31 . 2012-07-03 20:42 4025088 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3685218258-2805400690-4016621145-1000-8192.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 247728] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440] "mcagent_exe"="c:\program files (x86)\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992] "PCMService"="c:\program files (x86)\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392] "LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912] "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2009-09-21 305440] "TkBellExe"="c:\program files (x86)\Common Files\Real\Update_OB\realsched.exe" [2010-07-23 202256] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696] . c:\users\Clay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656] OpenOffice.org 3.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut10_F66A31D978314FBABA02C411C0047CC5.exe [2009-1-12 53248] HD Writer.lnk - c:\program files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2011-9-10 292240] HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360] McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536] NETGEAR WNA3100 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WNA3100\WNA3100.exe [2010-7-1 4562944] . c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux2"=wdmaud.drv . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 253088] S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe [2008-07-28 86016] . . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper . HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs Themes . Contents of the 'Scheduled Tasks' folder . 2012-07-03 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 18:05] . 2012-07-03 c:\windows\Tasks\Google Software Updater.job - c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-12 00:26] . 2012-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-07 23:22] . 2012-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-07 23:22] . 2012-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3685218258-2805400690-4016621145-1000Core.job - c:\users\Clay\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-11 23:00] . 2012-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3685218258-2805400690-4016621145-1000UA.job - c:\users\Clay\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-11 23:00] . 2012-04-15 c:\windows\Tasks\McDefragTask.job - c:\progra~2\mcafee\mqc\QcConsol.exe [2009-01-12 19:32] . 2009-01-12 c:\windows\Tasks\McQcTask.job - c:\progra~2\mcafee\mqc\QcConsol.exe [2009-01-12 19:32] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlay] @="{B44A5D93-1351-41A1-BD91-5E92435D8ECD}" [HKEY_CLASSES_ROOT\CLSID\{B44A5D93-1351-41A1-BD91-5E92435D8ECD}] 2011-09-19 16:26 1695056 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveDownloadOverlay] @="{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}" [HKEY_CLASSES_ROOT\CLSID\{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}] 2011-09-19 16:26 1695056 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveSharedOverlay] @="{84CEF1E4-1356-4063-845F-05047F4DD52C}" [HKEY_CLASSES_ROOT\CLSID\{84CEF1E4-1356-4063-845F-05047F4DD52C}] 2011-09-19 16:26 1695056 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveUploadOverlay] @="{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}" [HKEY_CLASSES_ROOT\CLSID\{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}] 2011-09-19 16:26 1695056 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="RAVCpl64.exe" [2008-07-28 6431232] "Skytel"="Skytel.exe" [bU] "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032] "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168] . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.2.1 192.168.2.1 CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll FF - ProfilePath - c:\users\Clay\AppData\Roaming\Mozilla\Firefox\Profiles\xzafwix9.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ . - - - - ORPHANS REMOVED - - - - . ShellIconOverlayIdentifiers-{5A2A5978-6F74-4BD3-B09C-EB44A1457500} - (no file) . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}] @Denied: (A 2) (Everyone) @="IFlashBroker3" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}] @Denied: (A 2) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0] @="Shockwave Flash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}] @Denied: (A 2) (Everyone) @="" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0] @="FlashBroker" . [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee] "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\ . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes] "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\ . ------------------------ Other Running Processes ------------------------ . c:\program files\Dell\DellDock\DockLogin.exe c:\program files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\windows\SysWOW64\AstSrv.exe c:\program files (x86)\Bonjour\mDNSResponder.exe c:\programdata\SingleClick Systems\Advanced Networking Service\hnm_svc.exe c:\progra~2\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\windows\SysWOW64\rundll32.exe c:\program files (x86)\McAfee\MPF\MPFSrv.exe c:\program files (x86)\McAfee\MSK\MskSrver.exe c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe c:\progra~2\McAfee\MSC\mcmscsvc.exe c:\progra~2\mcafee.com\agent\mcagent.exe c:\progra~2\McAfee\VIRUSS~1\mcsysmon.exe c:\program files (x86)\Dell Remote Access\ezi_ra.exe c:\program files (x86)\OpenOffice.org 3\program\soffice.exe c:\program files (x86)\OpenOffice.org 3\program\soffice.bin c:\progra~2\COMMON~1\mcafee\mna\mcnasvc.exe c:\progra~2\mcafee\msc\mcuimgr.exe . ************************************************************************** . Completion time: 2012-07-03 16:53:15 - machine was rebooted ComboFix-quarantined-files.txt 2012-07-03 20:53 ComboFix2.txt 2012-07-03 13:29 . Pre-Run: 72,020,078,592 bytes free Post-Run: 72,007,065,600 bytes free . - - End Of File - - 3719025FDC889197A101D9A4B8CC4B5A
- July 3, 2012
- 19 replies
pum.hijackstartupmenu help

ironoxide replied to ironoxide's topic in Resolved Malware Removal Logs

now its runnig again - will post the log when I have it - thanks
- July 3, 2012
- 19 replies
pum.hijackstartupmenu help

ironoxide replied to ironoxide's topic in Resolved Malware Removal Logs

Now ms has closed the program and the combofix appears to be hung up on stage 5......
- July 3, 2012
- 19 replies
pum.hijackstartupmenu help

ironoxide replied to ironoxide's topic in Resolved Malware Removal Logs

At stage 5 i got a popup saying "pev.3XE stopeed working - microsoft will close the program and find a solution, etc." - what should I do? Thanks
- July 3, 2012
- 19 replies
pum.hijackstartupmenu help

ironoxide replied to ironoxide's topic in Resolved Malware Removal Logs

Thanks - here it is: ComboFix 12-07-02.01 - Clay 07/03/2012 9:08.1.2 - x64 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4093.2610 [GMT -4:00] Running from: c:\users\Clay\Desktop\ComboFix.exe AV: McAfee VirusScan *Disabled/Outdated* {2A28CCAF-2E53-0F80-A82C-9572D1C24D8C} AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6} FW: McAfee Personal Firewall *Disabled* {12134D8A-643C-0ED8-8373-3C472F110AF7} SP: McAfee VirusScan *Disabled/Outdated* {91492D4B-0869-000E-929C-AE00AA450731} SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\programdata\43114232 c:\users\Clay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery c:\users\Clay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery\Uninstall Windows Vista Recovery.lnk c:\users\Clay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery\Windows Vista Recovery.lnk c:\users\Clay\g2mdlhlpx.exe c:\users\Public\sdelevURL.tmp c:\windows\SysWow64\Packet.dll c:\windows\SysWow64\pthreadVC.dll c:\windows\SysWow64\wpcap.dll . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Service_NPF . . ((((((((((((((((((((((((( Files Created from 2012-06-03 to 2012-07-03 ))))))))))))))))))))))))))))))) . . 2012-07-03 02:36 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D16200FB-14FB-4BBD-A41C-3D8C4453EDCF}\mpengine.dll 2012-07-01 18:09 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-06-28 15:00 . 2012-06-28 15:00 -------- d-----w- c:\windows\Sun 2012-06-27 15:18 . 2012-06-27 15:18 -------- d-----w- c:\users\Clay\AppData\Local\ElevatedDiagnostics 2012-06-23 19:45 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-23 19:45 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-23 19:45 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-23 19:45 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-23 19:44 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-23 19:44 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-23 19:44 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-23 19:44 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-23 19:44 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe 2012-06-19 12:52 . 2012-06-19 12:52 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll 2012-06-19 12:52 . 2012-06-19 12:52 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll 2012-06-13 18:21 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-06-13 18:21 . 2012-05-15 20:15 2767360 ----a-w- c:\windows\system32\win32k.sys 2012-06-13 18:21 . 2012-04-23 16:25 174592 ----a-w- c:\windows\system32\cryptsvc.dll 2012-06-13 18:21 . 2012-04-23 16:25 132096 ----a-w- c:\windows\system32\cryptnet.dll 2012-06-13 18:21 . 2012-04-23 16:25 1267200 ----a-w- c:\windows\system32\crypt32.dll 2012-06-13 18:21 . 2012-04-23 16:00 984064 ----a-w- c:\windows\SysWow64\crypt32.dll 2012-06-13 18:21 . 2012-04-23 16:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll 2012-06-13 18:21 . 2012-04-23 16:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll 2012-06-13 13:33 . 2012-02-13 02:43 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{01CEE7CE-ACCE-4228-8E32-BD62B98D4633}\gapaengine.dll 2012-06-08 13:42 . 2012-06-08 13:42 -------- d-----w- c:\users\Clay\AppData\Local\MicroVision Applications . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-02 22:19 . 2012-06-23 19:44 35864 ----a-w- c:\windows\SysWow64\wups.dll 2012-06-02 22:19 . 2012-06-23 19:44 577048 ----a-w- c:\windows\SysWow64\wuapi.dll 2012-06-02 22:12 . 2012-06-23 19:44 88576 ----a-w- c:\windows\SysWow64\wudriver.dll 2012-06-02 19:19 . 2012-06-23 19:44 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll 2012-06-02 19:12 . 2012-06-23 19:44 33792 ----a-w- c:\windows\SysWow64\wuapp.exe 2012-05-23 18:22 . 2012-05-23 18:22 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2012-05-17 22:35 . 2012-06-14 10:28 1129472 ----a-w- c:\windows\SysWow64\wininet.dll 2012-05-07 11:56 . 2012-05-07 11:56 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll 2012-05-07 11:56 . 2010-04-17 13:52 472864 ----a-w- c:\windows\SysWow64\deployJava1.dll 2012-04-18 18:05 . 2012-04-18 18:05 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-04-18 18:05 . 2012-04-18 18:05 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-04-04 19:56 . 2011-01-31 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2012-01-23 247728] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440] "mcagent_exe"="c:\program files (x86)\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992] "PCMService"="c:\program files (x86)\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392] "LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912] "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2009-09-21 305440] "TkBellExe"="c:\program files (x86)\Common Files\Real\Update_OB\realsched.exe" [2010-07-23 202256] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-08 421888] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696] . c:\users\Clay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656] OpenOffice.org 3.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut10_F66A31D978314FBABA02C411C0047CC5.exe [2009-1-12 53248] HD Writer.lnk - c:\program files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2011-9-10 292240] HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360] McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536] NETGEAR WNA3100 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WNA3100\WNA3100.exe [2010-7-1 4562944] . c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux2"=wdmaud.drv . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 253088] S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe [2008-07-28 86016] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper . HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs Themes . Contents of the 'Scheduled Tasks' folder . 2012-07-03 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 18:05] . 2012-07-02 c:\windows\Tasks\Google Software Updater.job - c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-12 00:26] . 2012-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-07 23:22] . 2012-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-04-07 23:22] . 2012-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3685218258-2805400690-4016621145-1000Core.job - c:\users\Clay\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-11 23:00] . 2012-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3685218258-2805400690-4016621145-1000UA.job - c:\users\Clay\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-11 23:00] . 2012-04-15 c:\windows\Tasks\McDefragTask.job - c:\progra~2\mcafee\mqc\QcConsol.exe [2009-01-12 19:32] . 2009-01-12 c:\windows\Tasks\McQcTask.job - c:\progra~2\mcafee\mqc\QcConsol.exe [2009-01-12 19:32] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlay] @="{B44A5D93-1351-41A1-BD91-5E92435D8ECD}" [HKEY_CLASSES_ROOT\CLSID\{B44A5D93-1351-41A1-BD91-5E92435D8ECD}] 2011-09-19 16:26 1695056 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveDownloadOverlay] @="{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}" [HKEY_CLASSES_ROOT\CLSID\{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}] 2011-09-19 16:26 1695056 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveSharedOverlay] @="{84CEF1E4-1356-4063-845F-05047F4DD52C}" [HKEY_CLASSES_ROOT\CLSID\{84CEF1E4-1356-4063-845F-05047F4DD52C}] 2011-09-19 16:26 1695056 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveUploadOverlay] @="{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}" [HKEY_CLASSES_ROOT\CLSID\{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}] 2011-09-19 16:26 1695056 ----a-w- c:\program files (x86)\Livedrive\LivedriveExtensions.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="RAVCpl64.exe" [2008-07-28 6431232] "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032] "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168] "combofix"="c:\combofix\CF25240.3XE" [2008-01-21 363008] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x0 . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3214568 mLocal Page = c:\windows\SysWOW64\blank.htm IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.2.1 192.168.2.1 CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll FF - ProfilePath - c:\users\Clay\AppData\Roaming\Mozilla\Firefox\Profiles\xzafwix9.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3214568&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3214568&SearchSource=2&q= . - - - - ORPHANS REMOVED - - - - . URLSearchHooks-{adca5064-9e30-43fe-9856-58b07a3149fe} - (no file) Wow6432Node-HKCU-Run-Livedrive - c:\program files (x86)\Livedrive\Livedrive.exe Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe Wow6432Node-HKLM-Run-hpqSRMon - (no file) ShellIconOverlayIdentifiers-{5A2A5978-6F74-4BD3-B09C-EB44A1457500} - (no file) HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe HKLM-Run-Skytel - Skytel.exe . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}] @Denied: (A 2) (Everyone) @="IFlashBroker3" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}] @Denied: (A 2) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0] @="Shockwave Flash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}] @Denied: (A 2) (Everyone) @="" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0] @="FlashBroker" . [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee] "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\ . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes] "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\ . ------------------------ Other Running Processes ------------------------ . c:\program files\Dell\DellDock\DockLogin.exe c:\program files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\windows\SysWOW64\AstSrv.exe c:\program files (x86)\Bonjour\mDNSResponder.exe c:\programdata\SingleClick Systems\Advanced Networking Service\hnm_svc.exe c:\progra~2\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\windows\SysWOW64\rundll32.exe c:\program files (x86)\McAfee\MPF\MPFSrv.exe c:\program files (x86)\McAfee\MSK\MskSrver.exe c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe c:\progra~2\McAfee\MSC\mcmscsvc.exe c:\progra~2\mcafee.com\agent\mcagent.exe c:\program files (x86)\Dell Remote Access\ezi_ra.exe c:\program files (x86)\OpenOffice.org 3\program\soffice.exe c:\program files (x86)\OpenOffice.org 3\program\soffice.bin c:\progra~2\COMMON~1\mcafee\mna\mcnasvc.exe c:\progra~2\mcafee\msc\mcuimgr.exe . ************************************************************************** . Completion time: 2012-07-03 09:29:05 - machine was rebooted ComboFix-quarantined-files.txt 2012-07-03 13:29 . Pre-Run: 74,950,352,896 bytes free Post-Run: 75,880,611,840 bytes free . - - End Of File - - 542813697DE76AB149CCD22B616783D2
- July 3, 2012
- 19 replies
pum.hijackstartupmenu help

ironoxide replied to ironoxide's topic in Resolved Malware Removal Logs

Thank you - here are the results: MBAM Log: Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.07.03.04 Windows Vista Service Pack 2 x64 NTFS Internet Explorer 9.0.8112.16421 Clay :: CLAY-PC [administrator] 7/3/2012 7:38:46 AM mbam-log-2012-07-03 (07-38-46).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 221256 Time elapsed: 10 minute(s), 1 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) aswMBR log: (got a prompt to download Avast free anti-virus - did not do this, just ran the scan) aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software Run date: 2012-07-03 07:55:53 ----------------------------- 07:55:53.638 OS Version: Windows x64 6.0.6002 Service Pack 2 07:55:53.638 Number of processors: 2 586 0x1706 07:55:53.639 ComputerName: CLAY-PC UserName: Clay 07:55:55.496 Initialize success 07:56:32.876 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 07:56:32.878 Disk 0 Vendor: WDC_WD6400AAKS-75A7B0 01.03B01 Size: 610480MB BusType: 3 07:56:32.888 Disk 0 MBR read successfully 07:56:32.890 Disk 0 MBR scan 07:56:32.893 Disk 0 Windows VISTA default MBR code 07:56:32.904 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63 07:56:32.913 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15000 MB offset 81920 07:56:32.930 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 595439 MB offset 30801920 07:56:32.947 Disk 0 scanning C:\Windows\system32\drivers 07:56:40.781 Service scanning 07:56:55.191 Modules scanning 07:56:55.198 Disk 0 trace - called modules: 07:56:55.212 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys 07:56:55.216 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b68110] 07:56:55.222 3 CLASSPNP.SYS[fffffa6000b7ec33] -> nt!IofCallDriver -> [0xfffffa800489a580] 07:56:55.227 5 acpi.sys[fffffa60008c1fde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800489b940] 07:56:55.231 Scan finished successfully 07:57:44.672 Disk 0 MBR has been saved successfully to "C:\Users\Clay\Desktop\MBR.dat" 07:57:44.680 The log file has been saved successfully to "C:\Users\Clay\Desktop\aswMBR.txt"
- July 3, 2012
- 19 replies
pum.hijackstartupmenu help

ironoxide replied to ironoxide's topic in Resolved Malware Removal Logs

Sorry - here it the Attach.txt: UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2011-08-26.01) . Microsoft® Windows Vista™ Home Premium Boot Device: \Device\HarddiskVolume3 Install Date: 1/12/2009 8:31:37 AM System Uptime: 7/2/2012 10:54:49 AM (2 hours ago) . Motherboard: Dell Inc. | | 0K068D Processor: Intel® Core2 Duo CPU E7300 @ 2.66GHz | Socket 775 | 2667/266mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 581 GiB total, 61.337 GiB free. D: is FIXED (NTFS) - 15 GiB total, 7.651 GiB free. E: is CDROM () . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . RP1245: 6/18/2012 9:27:09 PM - Windows Update RP1246: 6/19/2012 3:25:00 PM - Scheduled Checkpoint RP1247: 6/20/2012 7:20:12 AM - Windows Update RP1248: 6/21/2012 9:06:16 AM - Windows Update RP1249: 6/22/2012 12:33:50 PM - Scheduled Checkpoint RP1250: 6/22/2012 2:46:08 PM - Windows Update RP1251: 6/23/2012 10:10:16 AM - Scheduled Checkpoint RP1252: 6/23/2012 3:43:44 PM - Windows Update RP1253: 6/23/2012 3:58:02 PM - Windows Update RP1254: 6/24/2012 10:21:27 AM - Scheduled Checkpoint RP1255: 6/25/2012 8:29:13 AM - Scheduled Checkpoint RP1256: 6/26/2012 8:47:51 AM - Scheduled Checkpoint RP1257: 6/27/2012 9:08:03 AM - Scheduled Checkpoint . ==== Installed Programs ====================== . . Acrobat.com Adobe AIR Adobe Download Manager Adobe Flash Player 10 ActiveX Adobe Flash Player 11 Plugin Adobe Reader 9.2 AGEIA PhysX v2.6.0 Apple Application Support Apple Software Update ATI Catalyst Control Center Bing Bar Browser Address Error Redirector BufferChm C4400 C4400_Help Canon MP Navigator EX 3.0 Canon MP250 series User Registration Canon Utilities Easy-PhotoPrint EX Canon Utilities My Printer Canon Utilities Solution Menu Cards_Calendar_OrderGift_DoMorePlugout Catalyst Control Center Core Implementation Catalyst Control Center Graphics Full Existing Catalyst Control Center Graphics Full New Catalyst Control Center Graphics Light Catalyst Control Center Graphics Previews Common Catalyst Control Center Graphics Previews Vista Catalyst Control Center InstallProxy Catalyst Control Center Localization Chinese Standard Catalyst Control Center Localization Chinese Traditional Catalyst Control Center Localization French Catalyst Control Center Localization German Catalyst Control Center Localization Hungarian Catalyst Control Center Localization Italian Catalyst Control Center Localization Japanese Catalyst Control Center Localization Korean Catalyst Control Center Localization Portuguese Catalyst Control Center Localization Spanish Catalyst Control Center Localization Turkish ccc-core-static CCC Help Chinese Standard CCC Help Chinese Traditional CCC Help English CCC Help French CCC Help German CCC Help Hungarian CCC Help Italian CCC Help Japanese CCC Help Korean CCC Help Portuguese CCC Help Spanish CCC Help Turkish Compatibility Pack for the 2007 Office system Copy CustomerResearchQFolder D1500 D1500_Help D3DX10 Dell-eBay Dell Best of Web Dell Getting Started Guide Dell Remote Access Dell Video Chat (remove only) DELL0604 Destination Component DeviceDiscovery DeviceManagementQFolder DGOControls DJ_SF_03_D1500_ProductContext DJ_SF_03_D1500_Software DJ_SF_03_D1500_Software_Min DocProc DocProcQFolder Dynamic Traders Group, Inc. DT6 ver 1 eSupportQFolder FileZilla Client 3.5.3 FreeTrack v2.2.0.267 Google Chrome Google Earth Google Toolbar for Internet Explorer Google Update Helper Google Updater GoToMeeting 5.2.0.952 GPBaseService GPBaseService2 HD Writer AE 3.0 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) HP Photosmart Essential 2.5 HP Update HPPhotoSmartPhotobookWebPack1 HPProductAssistant HPSSupply Inkscape 0.48.2 Java Auto Updater Java 6 Update 32 Java 6 Update 7 Malwarebytes Anti-Malware version 1.61.0.1400 MarketResearch McAfee Security Scan Plus McAfee SecurityCenter MediaDirect MetaStock 11.0 Microsoft DirectX SDK (November 2008) Microsoft LifeCam Microsoft Office Outlook Connector Microsoft Office PowerPoint Viewer 2007 (English) Microsoft Office Small Business Edition 2003 Microsoft Silverlight Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft SQL Server Compact 3.5 SP2 ENU Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 Microsoft Works Mozilla Firefox 13.0.1 (x86 en-US) Mozilla Maintenance Service MSVCRT MSVCSetup MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Myst Online: Uru Live (remove only) NETGEAR WNA3100 wireless USB 2.0 adapter Old School Value Stock Spreadsheet OpenOffice.org 3.1 Over Flanders Fields - Between Heaven and Hell - Hat in the Rin PanoStandAlone Pinnacle Studio 15 PS_AIO_03_C4400_ProductContext PS_AIO_03_C4400_Software PS_AIO_03_C4400_Software_Min PSSWCORE QuickTime RealPlayer Realtek High Definition Audio Driver RealUpgrade 1.0 Roxio Creator Audio Roxio Creator Copy Roxio Creator Data Roxio Creator DE Roxio Creator Tools Roxio Express Labeler 3 Roxio Update Manager Scan Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424) Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841) Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708) Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Segoe UI Skins SmartWebPrinting SolutionCenter Status Stock Investor Professional The DownLoader 10.1 Thrustmaster Calibration Tool TomTom HOME 2.8.3.2499 TomTom HOME Visual Studio Merge Modules Toolbox TrackIR5 TrayApp UnloadSupport Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) VideoToolkit01 WebReg WildTangent Games Windows Live Communications Platform Windows Live Essentials Windows Live Installer Windows Live Mesh ActiveX Control for Remote Connections Windows Live Movie Maker Windows Live Photo Common Windows Live Photo Gallery Windows Live PIMT Platform Windows Live SOXE Windows Live SOXE Definitions Windows Live UX Platform Windows Live UX Platform Language Pack Windows Media Player Firefox Plugin . ==== Event Viewer Messages From Past Week ======== . 7/2/2012 9:45:28 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A} 7/2/2012 9:43:46 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C} 7/2/2012 9:41:56 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: CbFs mfehidk MpFilter spldr Wanarpv6 7/2/2012 9:41:56 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start. 7/2/2012 9:41:54 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030} 7/2/2012 9:41:41 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF} 7/2/2012 9:41:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 7/2/2012 9:41:32 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv64.dll Error Code: 21 7/2/2012 9:41:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC} 7/2/2012 8:19:10 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097} 7/2/2012 11:57:47 AM, Error: netbt [4321] - The name "ANNE-PC :0" could not be registered on the interface with IP address 192.168.2.103. The computer with the IP address 192.168.2.105 did not allow the name to be claimed by this computer. 7/2/2012 11:33:29 AM, Error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 3 time(s). 7/2/2012 11:22:42 AM, Error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 7/2/2012 11:14:08 AM, Error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 7/2/2012 11:05:28 AM, Error: Service Control Manager [7000] - The McAfee Inc. mferkdk service failed to start due to the following error: The specified procedure could not be found. 7/2/2012 10:59:08 AM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting. 7/1/2012 2:09:38 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.804.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x64&eng=0.0.0.0&sig=0.0.0.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x80070002 Error description: The system cannot find the file specified. 7/1/2012 2:09:38 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.804.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x64&eng=0.0.0.0&sig=0.0.0.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x80070002 Error description: The system cannot find the file specified. 7/1/2012 2:09:38 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.804.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x64&eng=0.0.0.0&sig=0.0.0.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x80070002 Error description: The system cannot find the file specified. 7/1/2012 2:09:38 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.804.0 Update Source: Microsoft Malware Protection Center Update Stage: Install Source Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x64&eng=0.0.0.0&sig=0.0.0.0∏=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x80070002 Error description: The system cannot find the file specified. 7/1/2012 2:09:08 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.441.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode 7/1/2012 2:09:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334} 6/29/2012 8:39:38 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.441.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode 6/29/2012 3:39:04 PM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control. 6/29/2012 3:36:35 PM, Error: EventLog [6008] - The previous system shutdown at 3:34:43 PM on 6/29/2012 was unexpected. 6/28/2012 10:22:51 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.441.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode 6/28/2012 1:52:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service stisvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811} 6/27/2012 9:55:36 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.441.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode 6/27/2012 9:42:38 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1115" attempting to start the service hpqcxs08 with arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE} 6/27/2012 9:42:38 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1069" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF} 6/27/2012 9:42:38 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E} 6/27/2012 9:33:05 AM, Error: Service Control Manager [7000] - The Diagnostic System Host service failed to start due to the following error: A system shutdown is in progress. 6/27/2012 9:26:47 AM, Error: netbt [4321] - The name "USJFNIND-L0006 :0" could not be registered on the interface with IP address 192.168.2.103. The computer with the IP address 192.168.2.106 did not allow the name to be claimed by this computer. 6/27/2012 7:05:15 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.441.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 6/27/2012 3:07:44 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.441.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode 6/27/2012 11:30:37 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Advanced Networking Service service to connect. 6/27/2012 11:24:05 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.129.441.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8502.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode 6/26/2012 2:45:19 PM, Error: netbt [4321] - The name "ANNE-PC :0" could not be registered on the interface with IP address 192.168.2.103. The computer with the IP address 192.168.2.107 did not allow the name to be claimed by this computer. 6/26/2012 12:24:11 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSWNA3100 service. . ==== End Of File ===========================
- July 2, 2012
- 19 replies
pum.hijackstartupmenu help

ironoxide posted a topic in Resolved Malware Removal Logs

Hi - recently became infected with PUM.hijack.startmenu and PUP.toolbardownloader. Then started receiving "Catalyst Control Centre - host application has stopped working" notice. Have run MBAB several times and identified threats but they reoccur on restart. This morning ran "unhide" which seems to have helped - files are now visible again (not all were hidden) and am able to boot in normal mode, but I don't trust it: . DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_32 Run by Clay at 11:42:44 on 2012-07-02 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4093.2146 [GMT -4:00] . AV: McAfee VirusScan *Enabled/Outdated* {2A28CCAF-2E53-0F80-A82C-9572D1C24D8C} AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6} SP: McAfee VirusScan *Enabled/Updated* {91492D4B-0869-000E-929C-AE00AA450731} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B} FW: McAfee Personal Firewall *Enabled* {12134D8A-643C-0ED8-8373-3C472F110AF7} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k rpcss c:\Program Files\Microsoft Security Client\MsMpEng.exe C:\Windows\system32\Ati2evxx.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k GPSvcGroup C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\Ati2evxx.exe C:\Program Files\Dell\DellDock\DockLogin.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\system32\WLANExt.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\AERTSr64.exe C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Windows\SysWOW64\AstSrv.exe C:\Program Files (x86)\Bonjour\mDNSResponder.exe c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Windows\system32\taskeng.exe C:\Windows\RAVCpl64.exe C:\Windows\System32\mobsync.exe C:\Windows\vVX3000.exe C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE C:\Program Files\Microsoft Security Client\msseces.exe C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe C:\Windows\system32\rundll32.exe C:\Windows\system32\rundll32.exe c:\PROGRA~2\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe C:\Program Files (x86)\Microsoft LifeCam\MSCamS64.exe C:\Program Files (x86)\McAfee\MSK\MskSrver.exe C:\Windows\System32\svchost.exe -k HPZ12 C:\Windows\System32\svchost.exe -k HPZ12 C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Windows\system32\SearchIndexer.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe C:\Program Files (x86)\Dell Remote Access\ezi_ra.exe C:\Program Files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe C:\Program Files (x86)\iTunes\iTunesHelper.exe C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe C:\Program Files\Dell\DellDock\DellDock.exe C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin C:\PROGRA~2\McAfee\MSC\mcmscsvc.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~2\McAfee\VIRUSS~1\mcsysmon.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation c:\PROGRA~2\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~2\mcafee\msc\mcuimgr.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\PROGRA~2\McAfee\MSC\mcsvrcnt.exe c:\PROGRA~2\mcafee\msc\mcupdui.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe c:\PROGRA~2\mcafee\VIRUSS~1\mcvsshld.exe C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe c:\PROGRA~2\mcafee\SITEAD~1\saui.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe C:\Windows\system32\wbem\wmiprvse.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3214568 uWindow Title = Internet Explorer provided by Dell uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1090112 uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll uURLSearchHooks: H - No File mWinlogon: Userinit=userinit.exe, BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\PROGRA~2\mcafee\msk\mcapbho.dll BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\McAfee\VirusScan\scriptsn.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - C:\Program Files (x86)\Dell\BAE\BAE.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll uRun: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" uRun: [Google Update] "C:\Users\Clay\AppData\Local\Google\Update\GoogleUpdate.exe" /c uRun: [Livedrive] "C:\Program Files (x86)\Livedrive\Livedrive.exe" uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun mRun: [mcagent_exe] C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe /runkey mRun: [PCMService] "C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe" mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" mRun: [hpqSRMon] mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" mRun: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" StartupFolder: C:\Users\Clay\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe StartupFolder: C:\Users\Clay\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLRE~1.LNK - c:\Windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut10_F66A31D978314FBABA02C411C0047CC5.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HDWRIT~1.LNK - C:\Program Files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe mPolicies-explorer: NoActiveDesktop = 1 (0x1) mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab TCP: DhcpNameServer = 192.168.2.1 192.168.2.1 TCP: Interfaces\{3B8EDBCB-884C-4280-9598-46CB5DFC97E9} : DhcpNameServer = 192.168.2.1 192.168.2.1 Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll BHO-X64: HP Print Enhancer - No File BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO-X64: AcroIEHelperStub - No File BHO-X64: McAfee Phishing Filter: {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~2\mcafee\msk\mcapbho.dll BHO-X64: McAntiPhishingBHO - No File BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan\scriptsn.dll BHO-X64: scriptproxy - No File BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll BHO-X64: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll BHO-X64: Browser Address Error Redirector - No File BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll BHO-X64: HP Smart BHO Class - No File TB-X64: &Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun mRun-x64: [mcagent_exe] C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe /runkey mRun-x64: [PCMService] "C:\Program Files (x86)\Dell\MediaDirect\PCMService.exe" mRun-x64: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" mRun-x64: [hpqSRMon] mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" mRun-x64: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" . ================= FIREFOX =================== . FF - ProfilePath - C:\Users\Clay\AppData\Roaming\Mozilla\Firefox\Profiles\xzafwix9.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3214568&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3214568&SearchSource=2&q= FF - component: C:\Program Files (x86)\McAfee\SiteAdvisor\components\McFFPlg.dll FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: C:\Program Files (x86)\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll FF - plugin: C:\Users\Clay\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll FF - plugin: C:\Users\Clay\AppData\Roaming\Mozilla\Firefox\Profiles\xzafwix9.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll FF - plugin: C:\Users\Clay\AppData\Roaming\Mozilla\Firefox\Profiles\xzafwix9.default\extensions\{adca5064-9e30-43fe-9856-58b07a3149fe}\plugins\np-mswmp.dll FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll FF - plugin: C:\Windows\SysWOW64\npmproxy.dll . ============= SERVICES / DRIVERS =============== . R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?] R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?] R0 SCMNdisP;General NDIS Protocol Driver;C:\Windows\system32\DRIVERS\scmndisp.sys --> C:\Windows\system32\DRIVERS\scmndisp.sys [?] R1 CbFs;CbFs;\??\C:\Windows\system32\drivers\cbfs.sys --> C:\Windows\system32\drivers\cbfs.sys [?] R1 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?] R2 AERTFilters;Andrea RT Filters Service;C:\Windows\system32\AERTSr64.exe --> C:\Windows\system32\AERTSr64.exe [?] R2 Ast Service;Ast Service;C:\Windows\System32\ASTSRV.EXE [2010-6-3 57344] R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-9-24 155648] R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [2011-1-18 103440] R2 McProxy;McAfee Proxy Service;C:\PROGRA~2\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-1-12 358224] R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-1-23 92592] R2 WSWNA3100;WSWNA3100;C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe [2010-7-1 278528] R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwlhigh664.sys --> C:\Windows\system32\DRIVERS\bcmwlhigh664.sys [?] R3 McSysmon;McAfee SystemGuards;C:\PROGRA~2\McAfee\VIRUSS~1\mcsysmon.exe [2009-1-12 695624] R3 mfesmfk;McAfee Inc. mfesmfk;C:\Windows\system32\drivers\mfesmfk.sys --> C:\Windows\system32\drivers\mfesmfk.sys [?] R3 npusbio;npusbio;C:\Windows\system32\Drivers\npusbio_x64.sys --> C:\Windows\system32\Drivers\npusbio_x64.sys [?] S1 kdcbsdim;kdcbsdim;\??\C:\Windows\system32\drivers\kdcbsdim.sys --> C:\Windows\system32\drivers\kdcbsdim.sys [?] S1 rpkpmjcj;rpkpmjcj;\??\C:\Windows\system32\drivers\rpkpmjcj.sys --> C:\Windows\system32\drivers\rpkpmjcj.sys [?] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S2 gupdate1c9b7d7c98ce4c5;Google Update Service (gupdate1c9b7d7c98ce4c5);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-4-7 133104] S2 McShield;McAfee Real-time Scanner;C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-1-12 153408] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-18 253088] S3 anvsnddrv;AnvSoft Virtual Sound Device;C:\Windows\system32\drivers\anvsnddrv.sys --> C:\Windows\system32\drivers\anvsnddrv.sys [?] S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560] S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-4-7 133104] S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232] S3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?] S3 mferkdk;McAfee Inc. mferkdk;C:\Windows\system32\drivers\mferkdk.sys --> C:\Windows\system32\drivers\mferkdk.sys [?] S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-28 113120] S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?] S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696] S3 nosGetPlusHelper;getPlus® Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504] S3 NPF;Netgroup Packet Filter;C:\Windows\system32\DRIVERS\npf.sys --> C:\Windows\system32\DRIVERS\npf.sys [?] S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968] S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768] S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-19 89920] . =============== File Associations =============== . JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %* . =============== Created Last 30 ================ . 2012-07-02 15:33:57 50392 ----a-w- C:\Windows\System32\drivers\rpkpmjcj.sys 2012-07-02 15:15:07 50392 ----a-w- C:\Windows\System32\drivers\kdcbsdim.sys 2012-07-02 14:55:22 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E14DEAC9-7DDC-45F1-9B82-91B95B90D812}\offreg.dll 2012-07-01 18:09:17 9013136 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E14DEAC9-7DDC-45F1-9B82-91B95B90D812}\mpengine.dll 2012-06-27 15:18:22 -------- d-----w- C:\Users\Clay\AppData\Local\ElevatedDiagnostics 2012-06-26 01:18:37 9013136 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-06-23 19:45:06 2622464 ----a-w- C:\Windows\System32\wucltux.dll 2012-06-23 19:44:37 99840 ----a-w- C:\Windows\System32\wudriver.dll 2012-06-23 19:44:37 88576 ----a-w- C:\Windows\SysWow64\wudriver.dll 2012-06-23 19:44:25 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe 2012-06-23 19:44:25 186752 ----a-w- C:\Windows\System32\wuwebv.dll 2012-06-23 19:44:25 171904 ----a-w- C:\Windows\SysWow64\wuwebv.dll 2012-06-23 19:44:24 36864 ----a-w- C:\Windows\System32\wuapp.exe 2012-06-19 12:52:20 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll 2012-06-19 12:52:20 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll 2012-06-13 18:21:50 209920 ----a-w- C:\Windows\System32\drivers\rdpwd.sys 2012-06-13 18:21:48 2767360 ----a-w- C:\Windows\System32\win32k.sys 2012-06-13 18:21:23 984064 ----a-w- C:\Windows\SysWow64\crypt32.dll 2012-06-13 18:21:23 98304 ----a-w- C:\Windows\SysWow64\cryptnet.dll 2012-06-13 18:21:23 174592 ----a-w- C:\Windows\System32\cryptsvc.dll 2012-06-13 18:21:23 133120 ----a-w- C:\Windows\SysWow64\cryptsvc.dll 2012-06-13 18:21:23 132096 ----a-w- C:\Windows\System32\cryptnet.dll 2012-06-13 18:21:23 1267200 ----a-w- C:\Windows\System32\crypt32.dll 2012-06-13 13:33:01 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{01CEE7CE-ACCE-4228-8E32-BD62B98D4633}\gapaengine.dll 2012-06-08 13:42:50 -------- d-----w- C:\Users\Clay\AppData\Local\MicroVision Applications . ==================== Find3M ==================== . 2012-06-26 16:57:07 60304 ----a-w- C:\Users\Clay\g2mdlhlpx.exe 2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll 2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll 2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl 2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe 2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb 2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll 2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll 2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl 2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe 2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2012-05-07 11:56:21 476960 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll 2012-05-07 11:56:21 472864 ----a-w- C:\Windows\SysWow64\deployJava1.dll 2012-04-18 18:05:11 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe 2012-04-18 18:05:10 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2012-04-04 19:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys . ============= FINISH: 11:43:58.81 =============== All advice greatly appreciated - many thanks!
- July 2, 2012
- 19 replies

Sign In

ironoxide

Posts

Joined

Last visited

Content Type

Events

Profiles

Forums

Everything posted by ironoxide

pum.hijackstartupmenu help

pum.hijackstartupmenu help

pum.hijackstartupmenu help

pum.hijackstartupmenu help

pum.hijackstartupmenu help

pum.hijackstartupmenu help

pum.hijackstartupmenu help

pum.hijackstartupmenu help

pum.hijackstartupmenu help

pum.hijackstartupmenu help

pum.hijackstartupmenu help

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information