
sledhead627

  1. All done. Do you recommend ESET for ongoing virus protection?
  2. Computer seems to be running fine. Reboots have gone well and I am not seeing any remnants of the Whitesmoke tool bar or other issues.
  3. Am I supposed to delete the quarantined files?

     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
     # OnlineScanner.ocx=1.0.0.6583
     # api_version=3.0.2
     # EOSSerial=3e2720d7dc4e024ab81ac1cff5916894
     # end=finished
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2012-09-23 10:16:45
     # local_time=2012-09-23 05:16:45 (-0600, Central Daylight Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=138475
     # found=13
     # cleaned=13
     # scan_time=9276
     C:\Documents and Settings\Kevin Brown\My Documents\Downloads\freefileviewer.exe  a variant of Win32/InstallIQ application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1224\A0124315.dll  a variant of Win32/Toolbar.SearchSuite application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1226\A0126520.exe  a variant of Win32/Obfuscated.NEU trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1229\A0126656.dll  Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1229\A0126657.dll  Win32/Toolbar.MyWebSearch.Q application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1229\A0126658.dll  Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1233\A0127068.exe  probably a variant of Win32/WhiteSmoke application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1233\A0127118.dll  a variant of Win32/Adware.Yontoo.A application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1233\A0127120.dll  a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1238\A0129304.exe  a variant of Win32/Adware.iBryte.C application (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\TDSSKiller_Quarantine\23.09.2012_10.20.33\mbr0000\tdlfs0000\tsk0001.dta  probably a variant of Win32/Olmarik.AYH trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\TDSSKiller_Quarantine\23.09.2012_10.20.33\mbr0000\tdlfs0000\tsk0006.dta  Win32/Olmarik.AFK trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
     C:\TDSSKiller_Quarantine\23.09.2012_10.20.33\mbr0000\tdlfs0000\tsk0007.dta  Win64/Olmarik.AK trojan (cleaned by deleting - quarantined)  00000000000000000000000000000000  C
  4. ComboFix 12-09-23.02 - Kevin Brown 09/23/2012 13:33:29.2.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1099 [GMT -5:00]
     Running from: c:\documents and settings\Kevin Brown\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Kevin Brown\Desktop\CFScript.txt
     AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\documents and settings\Kevin Brown\Application Data\WhiteSmoke
     c:\documents and settings\Kevin Brown\Local Settings\Application Data\CRE
     c:\documents and settings\Kevin Brown\Local Settings\Application Data\CRE\kfkcangbigakljkjeglcofaomihpejif.crx
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))
     .
     .
     2012-09-23 15:34 . 2012-09-23 15:34 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Sun
     2012-09-23 15:22 . 2012-09-23 15:22 -------- d-----w- C:\TDSSKiller_Quarantine
     2012-09-23 15:08 . 2012-09-23 15:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
     2012-09-23 15:07 . 2012-09-23 15:07 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
     2012-09-23 15:07 . 2012-09-23 16:00 -------- d-----w- c:\program files\Java
     2012-09-23 12:42 . 2012-09-23 12:42 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\No Company Name
     2012-09-22 15:59 . 2012-09-22 15:59 -------- d-----w- c:\program files\VS Revo Group
     2012-09-22 15:55 . 2012-09-23 15:07 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
     2012-09-22 14:24 . 2012-09-22 14:24 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys
     2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\Malwarebytes
     2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2012-09-22 12:14 . 2012-09-07 22:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
     2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2012-09-17 02:03 . 2012-09-17 02:03 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\FileTypeAssistant
     2012-09-17 01:44 . 2012-09-19 11:40 -------- d-----w- c:\program files\File Type Assistant
     2012-09-07 23:58 . 2012-09-22 11:14 -------- dc----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\MigWiz
     2012-09-03 12:11 . 2012-09-03 12:11 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
     2012-09-02 16:06 . 2012-09-09 14:14 -------- d-----w- c:\documents and settings\Kevin Brown\syncdb
     2012-09-02 02:51 . 2012-09-02 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
     2012-09-02 00:41 . 2012-09-02 00:41 -------- d-----w- C:\spoolerlogs
     2012-09-01 18:58 . 2012-09-01 18:58 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Akamai
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-09-23 17:45 . 2008-01-08 01:12 0 ----a-w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\WavXMapDrive.bat
     2012-09-23 15:07 . 2010-05-12 10:30 746984 ----a-w- c:\windows\system32\deployJava1.dll
     2012-09-09 15:15 . 2012-05-12 13:51 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-09-09 15:15 . 2011-06-29 03:24 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-08-28 15:14 . 2004-08-11 23:00 916992 ----a-w- c:\windows\system32\wininet.dll
     2012-08-28 15:14 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
     2012-08-28 15:14 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
     2012-08-28 12:07 . 2004-08-11 23:00 385024 ----a-w- c:\windows\system32\html.iec
     2012-07-06 13:58 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\browser.dll
     2012-07-04 14:05 . 2004-08-11 23:11 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
     2012-07-03 13:40 . 2004-08-11 23:00 1866112 ----a-w- c:\windows\system32\win32k.sys
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
     "SacReminder"="c:\documents and settings\All Users\Application Data\OfficeGuardian\reminder\SacReminder.exe" [2009-06-02 825152]
     "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
     "Akamai NetSession Interface"="c:\documents and settings\Kevin Brown\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-08-10 4440896]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
     "nwiz"="nwiz.exe" [2007-05-31 1626112]
     "NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
     "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
     "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
     "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
     "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
     "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-12-20 125632]
     "EPSON PictureMate"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE" [2003-09-19 99840]
     "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
     "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
     "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-05-20 223744]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
     "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
     "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
     "Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-12-15 1446248]
     "MOTOPRINTUPnPPrintService"="c:\program files\Motorola\MOTOPRINT Host\PrintService.exe" [2011-07-04 323304]
     "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]
     "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-08 140568]
     "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-08 2595480]
     "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-08 905056]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
     2006-11-16 21:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
     .
     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Authentication Packages REG_MULTI_SZ msv1_0 wvauth relog_ap
     .
     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
     "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
     "RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
     "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
     "Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
     "Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
     "TuneClone"=c:\program files\TuneClone\TuneClone.exe /silence
     "SigmatelSysTrayApp"=stsystra.exe
     "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
     "c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
     "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
     "c:\\Documents and Settings\\Kevin Brown\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
     "c:\\Program Files\\File Type Assistant\\tsassist.exe"=
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "1158:TCP"= 1158:TCP:Akamai NetSession Interface
     "5000:UDP"= 5000:UDP:Akamai NetSession Interface
     .
     R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [5/15/2008 9:12 PM 10112]
     R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [10/21/2009 10:02 AM 20352]
     R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]
     R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]
     R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2012 8:30 PM 106656]
     S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2011 1:00 PM 136176]
     S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [8/13/2012 1:33 PM 3064000]
     S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
     S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/12/2012 8:51 AM 250568]
     S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [11/7/2009 5:39 PM 297472]
     S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2011 1:00 PM 136176]
     S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
     S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/20/2006 1:29 PM 116928]
     S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
     S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
     S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [10/21/2009 9:31 AM 25704]
     S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [10/21/2009 9:31 AM 25704]
     S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [10/21/2009 9:31 AM 25704]
     S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [10/21/2009 9:31 AM 25704]
     S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [10/21/2009 9:31 AM 25704]
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - WS2IFSL
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     HPService REG_MULTI_SZ HPSLPSVC
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-09-23 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 15:15]
     .
     2012-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
     .
     2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 18:00]
     .
     2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 18:00]
     .
     2012-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2558596563-2776473477-71789554-1005Core.job
     - c:\documents and settings\Kevin Brown\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 09:11]
     .
     2012-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2558596563-2776473477-71789554-1005UA.job
     - c:\documents and settings\Kevin Brown\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 09:11]
     .
     2012-09-23 c:\windows\Tasks\ProgramUpdateCheck.job
     - c:\program files\File Type Assistant\tsassist.exe [2012-09-17 19:22]
     .
     2012-09-23 c:\windows\Tasks\User_Feed_Synchronization-{32C2F02C-21BB-4241-BA77-B39202F6E787}.job
     - c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uInternet Settings,ProxyOverride = *.local;<local>
     uSearchAssistant = hxxp://www.google.com
     IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     TCP: DhcpNameServer = 192.168.1.1
     DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2012-09-23 13:42
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_USERS\S-1-5-21-2558596563-2776473477-71789554-1005\Software\Microsoft\SystemCertificates\AddressBook*]
     @Allowed: (Read) (RestrictedCode)
     @Allowed: (Read) (RestrictedCode)
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
     "Enabled"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker5"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'winlogon.exe'(1344)
     c:\windows\System32\BCMLogon.dll
     .
     - - - - - - - > 'lsass.exe'(1640)
     c:\windows\system32\wvauth.dll
     c:\windows\system32\biolsp.dll
     c:\windows\system32\relog_ap.dll
     c:\windows\System32\BCMLogon.dll
     .
     Completion time: 2012-09-23 13:44:21
     ComboFix-quarantined-files.txt 2012-09-23 18:44
     ComboFix2.txt 2012-09-23 17:53
     .
     Pre-Run: 67,898,785,792 bytes free
     Post-Run: 67,885,727,744 bytes free
     .
     - - End Of File - - 52E118A4A4BE5C8688A75690745173D7
  5. Combofix log

     ComboFix 12-09-23.02 - Kevin Brown 09/23/2012 12:34:37.1.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.976 [GMT -5:00]
     Running from: c:\documents and settings\Kevin Brown\Desktop\ComboFix.exe
     AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\documents and settings\All Users\Application Data\TEMP
     c:\documents and settings\Kevin Brown\Application Data\EFA149
     c:\documents and settings\Kevin Brown\g2mdlhlpx.exe
     C:\Install.exe
     C:\Thumbs.db
     c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
     c:\windows\system32\test
     c:\windows\system32\URTTemp
     c:\windows\system32\URTTemp\fusion.dll
     c:\windows\system32\URTTemp\mscoree.dll
     c:\windows\system32\URTTemp\mscoree.dll.local
     c:\windows\system32\URTTemp\mscorsn.dll
     c:\windows\system32\URTTemp\mscorwks.dll
     c:\windows\system32\URTTemp\msvcr71.dll
     c:\windows\system32\URTTemp\regtlib.exe
     .
     Infected copy of c:\windows\system32\Services.exe was found and disinfected
     Restored copy from - c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))
     .
     .
     2012-09-23 15:34 . 2012-09-23 15:34 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Sun
     2012-09-23 15:22 . 2012-09-23 15:22 -------- d-----w- C:\TDSSKiller_Quarantine
     2012-09-23 15:08 . 2012-09-23 15:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
     2012-09-23 15:07 . 2012-09-23 15:07 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
     2012-09-23 15:07 . 2012-09-23 16:00 -------- d-----w- c:\program files\Java
     2012-09-23 12:42 . 2012-09-23 12:42 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\No Company Name
     2012-09-23 01:28 . 2012-09-23 01:28 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\CRE
     2012-09-22 15:59 . 2012-09-22 15:59 -------- d-----w- c:\program files\VS Revo Group
     2012-09-22 15:55 . 2012-09-23 15:07 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
     2012-09-22 14:24 . 2012-09-22 14:24 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys
     2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\Malwarebytes
     2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2012-09-22 12:14 . 2012-09-07 22:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
     2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2012-09-17 02:03 . 2012-09-17 02:03 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\FileTypeAssistant
     2012-09-17 01:44 . 2012-09-19 11:40 -------- d-----w- c:\program files\File Type Assistant
     2012-09-12 13:14 . 2012-09-22 16:07 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\WhiteSmoke
     2012-09-07 23:58 . 2012-09-22 11:14 -------- dc----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\MigWiz
     2012-09-03 12:11 . 2012-09-03 12:11 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
     2012-09-02 16:06 . 2012-09-09 14:14 -------- d-----w- c:\documents and settings\Kevin Brown\syncdb
     2012-09-02 02:51 . 2012-09-02 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
     2012-09-02 00:41 . 2012-09-02 00:41 -------- d-----w- C:\spoolerlogs
     2012-09-01 18:58 . 2012-09-01 18:58 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Akamai
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-09-23 17:45 . 2008-01-08 01:12 0 ----a-w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\WavXMapDrive.bat
     2012-09-23 15:07 . 2010-05-12 10:30 746984 ----a-w- c:\windows\system32\deployJava1.dll
     2012-09-09 15:15 . 2012-05-12 13:51 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-09-09 15:15 . 2011-06-29 03:24 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-08-28 15:14 . 2004-08-11 23:00 916992 ----a-w- c:\windows\system32\wininet.dll
     2012-08-28 15:14 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
     2012-08-28 15:14 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
     2012-08-28 12:07 . 2004-08-11 23:00 385024 ----a-w- c:\windows\system32\html.iec
     2012-07-06 13:58 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\browser.dll
     2012-07-04 14:05 . 2004-08-11 23:11 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
     2012-07-03 13:40 . 2004-08-11 23:00 1866112 ----a-w- c:\windows\system32\win32k.sys
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
     "SacReminder"="c:\documents and settings\All Users\Application Data\OfficeGuardian\reminder\SacReminder.exe" [2009-06-02 825152]
     "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
     "Akamai NetSession Interface"="c:\documents and settings\Kevin Brown\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-08-10 4440896]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
     "nwiz"="nwiz.exe" [2007-05-31 1626112]
     "NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
     "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
     "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
     "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
     "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
     "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-12-20 125632]
     "EPSON PictureMate"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE" [2003-09-19 99840]
     "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
     "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
     "AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-05-20 223744]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
     "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
     "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
     "Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-12-15 1446248]
     "MOTOPRINTUPnPPrintService"="c:\program files\Motorola\MOTOPRINT Host\PrintService.exe" [2011-07-04 323304]
     "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]
     "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-08 140568]
     "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-08 2595480]
     "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-08 905056]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
     2006-11-16 21:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
     .
     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Authentication Packages REG_MULTI_SZ msv1_0 wvauth relog_ap
     .
     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
     "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
     "RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
     "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
     "Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
     "Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
     "TuneClone"=c:\program files\TuneClone\TuneClone.exe /silence
     "SigmatelSysTrayApp"=stsystra.exe
     "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
     "c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
     "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
     "c:\\Documents and Settings\\Kevin Brown\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
     "c:\\Program Files\\File Type Assistant\\tsassist.exe"=
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "1158:TCP"= 1158:TCP:Akamai NetSession Interface
     "5000:UDP"= 5000:UDP:Akamai NetSession Interface
     .
     R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [5/15/2008 9:12 PM 10112]
     R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [10/21/2009 10:02 AM 20352]
     R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]
     R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [8/13/2012 1:33 PM 3064000]
     R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]
     R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2012 8:30 PM 106656]
     R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
     S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2011 1:00 PM 136176]
     S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
     S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/12/2012 8:51 AM 250568]
     S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [11/7/2009 5:39 PM 297472]
     S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2011 1:00 PM 136176]
     S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/20/2006 1:29 PM 116928]
     S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
     S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
     S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [10/21/2009 9:31 AM 25704]
     S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [10/21/2009 9:31 AM 25704]
     S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [10/21/2009 9:31 AM 25704]
     S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [10/21/2009 9:31 AM 25704]
     S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [10/21/2009 9:31 AM 25704]
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - WS2IFSL
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     HPService REG_MULTI_SZ HPSLPSVC
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-09-23 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 15:15]
     .
     2012-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
     .
     2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 18:00]
     .
     2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 18:00]
     .
     2012-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2558596563-2776473477-71789554-1005Core.job
     - c:\documents and settings\Kevin Brown\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 09:11]
     .
     2012-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2558596563-2776473477-71789554-1005UA.job
     - c:\documents and settings\Kevin Brown\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 09:11]
     .
     2012-09-23 c:\windows\Tasks\ProgramUpdateCheck.job
     - c:\program files\File Type Assistant\tsassist.exe [2012-09-17 19:22]
     .
2012-09-23 c:\windows\Tasks\User_Feed_Synchronization-{32C2F02C-21BB-4241-BA77-B39202F6E787}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 09:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local;<local> uSearchAssistant = hxxp://www.google.com IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.1.1 DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB . - - - - ORPHANS REMOVED - - - - . Toolbar-10 - (no file) SafeBoot-58174150.sys SafeBoot-58806505.sys . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-09-23 12:45 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . 
************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-2558596563-2776473477-71789554-1005\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1344) c:\windows\System32\BCMLogon.dll . - - - - - - - > 'lsass.exe'(1640) c:\windows\system32\wvauth.dll c:\windows\system32\biolsp.dll c:\windows\system32\relog_ap.dll c:\windows\System32\BCMLogon.dll . 
- - - - - - - > 'explorer.exe'(3788) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe c:\windows\System32\WLTRYSVC.EXE c:\windows\System32\bcmwltry.exe c:\windows\System32\SCardSvr.exe c:\program files\Common Files\Acronis\Schedule2\schedul2.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\program files\Dell\QuickSet\NICCONFIGSVC.exe c:\windows\system32\nvsvc32.exe c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe c:\program files\Symantec AntiVirus\Rtvscan.exe c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe c:\windows\system32\SearchIndexer.exe c:\program files\Canon\CAL\CALMAIN.exe c:\windows\system32\wscntfy.exe c:\windows\system32\msdtc.exe c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe c:\program files\Apoint\ApMsgFwd.exe c:\program files\Apoint\HidFind.exe c:\program files\Apoint\Apntex.exe c:\windows\system32\rundll32.exe c:\windows\system32\RUNDLL32.EXE c:\program files\iPod\bin\iPodService.exe c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe . ************************************************************************** . 
Completion time: 2012-09-23 12:53:38 - machine was rebooted ComboFix-quarantined-files.txt 2012-09-23 17:53 . Pre-Run: 67,284,123,648 bytes free Post-Run: 67,912,548,352 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - F9E9473FC2E11DAF12F671DA1CEA2462
  6. Also, I just purchased a new PC and I'm worried that some of the user files I've transferred over have issues and have now infected the new laptop. Should I start a new thread with the DDS file and attach file to check it out?
  7. OK, I am carefully running ComboFix now per the Bleeping Computer user guide. Thanks. I'll post the log file soon.
  8. For the ComboFix "expert", do I call around tomorrow at local computer stores? Where can I find a qualified expert?
  9. AdwCleaner Log
  10. New DDS LOG.
  11. AdwCleaner Log - your instructions did not say to perform the delete operation so I did not do that.
  12. Malwarebytes log
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.23.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Kevin Brown :: KRB2008 [administrator]

9/23/2012 10:33:09 AM
mbam-log-2012-09-23 (10-33-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245561
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Kevin Brown\Local Settings\Temporary Internet Files\Content.IE5\RO0UEIAD\Setup[1].exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

(end)
  13. Log #2 was too long to paste so I attached it: TDSSKiller.2.8.10.0_23.09.2012_10.20.33_log.txt
  14. TDSS Logs - 3 were created.
  15. When I run DDS it asks to disable script blockers - I don't really know how to do that, so I just disconnected from the internet and disabled the virus program. Also, where are the Java log files? I've gone through all the steps, but it looks like there is a setting in JavaRA 2.0 to make log files - this was unchecked, so maybe I don't have a log file to share. Anyway, I am about to send everything else per your instructions above.