Posts posted by Bill_M
I don't see anything to keep.
# AdwCleaner v2.108 - Logfile created 01/24/2013 at 21:11:20
# Updated 24/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Bill_2 - GKC8391
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Bill_2\Desktop\adwcleaner.exe
# Option [search]
***** [services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\Software\Viewpoint
***** [internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [1218 octets] - [24/01/2013 21:11:20]
########## EOF - C:\AdwCleaner[R1].txt - [1278 octets] ##########
-
Execution of your last instructions and resulting log. PC seems to be running fine for all users.
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-2301580660-910432840-3679377455-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-2301580660-910432840-3679377455-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-2301580660-910432840-3679377455-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Google Search\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Translate English Word\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Backward Links\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Cached Snapshot of Page\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Similar Pages\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Translate Page into English\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
OTL by OldTimer - Version 3.2.69.0 log created on 01242013_204331
-
-
PC is running fine, although I have not run or done anything other than what you have instructed me to do.
Remember the problem occurred when another user with a limited account was logged in. I have been working under my admin account and have not attempted to log back into the limited account.
-
Execution of previous directions and resulting log:
ComboFix 13-01-23.01 - Bill_2 01/23/2013 21:58:00.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3710.2817 [GMT -5:00]
Running from: c:\documents and settings\Bill_2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bill_2\Desktop\CFScript.txt
AV: eEye Digital Security Blink Anti-Virus *Disabled/Outdated* {C4821238-EFD9-4B79-B2A5-40CE68D50E68}
FW: eEye Digital Security Blink Firewall *Disabled* {AC6BB248-92AF-4E26-A70A-6E5FDB75C144}
* Created a new restore point
.
FILE ::
"c:\documents and settings\Missy\Local Settings\Application Data\d3d9caps.tmp"
.
.
((((((((((((((((((((((((( Files Created from 2012-12-24 to 2013-01-24 )))))))))))))))))))))))))))))))
.
.
2013-01-23 02:45 . 2013-01-23 02:45 -------- d-----w- c:\documents and settings\Bill_2\Local Settings\Application Data\Conceiva
2013-01-03 22:45 . 2013-01-03 22:45 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\Conceiva
2013-01-03 01:20 . 2013-01-03 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Conceiva
2013-01-03 01:19 . 2013-01-03 01:19 -------- d-----w- c:\program files\Conceiva
2013-01-01 20:53 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2012-12-29 16:45 . 2012-12-29 16:45 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\MyEditor v5.00
2012-12-29 16:45 . 2012-12-29 16:45 -------- d-----w- c:\windows\lhsp
2012-12-29 16:44 . 2012-12-29 16:44 -------- d-----w- c:\program files\myeditor
2012-12-29 16:44 . 2012-12-29 16:44 -------- d-----w- c:\documents and settings\All Users\MyEditor v5.00
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-22 22:22 . 2012-04-10 01:16 664 ----a-w- c:\documents and settings\Missy\Local Settings\Application Data\d3d9caps.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-28 160592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2009-03-27 96816]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2009-08-03 2250088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
c:\documents and settings\Missy\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-5-11 546816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Blink.lnk - c:\program files\eEye Digital Security\Blink\Blink.exe [2012-4-28 273920]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-3-3 81997]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 08:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPMonitor]
2010-08-25 16:27 84464 ----a-w- c:\program files\Roxio\CinePlayer\5.0\CPMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Disc Tool]
2010-06-30 13:10 477680 ----a-w- c:\program files\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Garmin Lifetime Updater]
2012-01-06 20:30 1446760 ----a-w- c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-12-29 06:47 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2010-07-16 10:48 307184 ----a-w- c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]
2011-06-01 16:42 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\APC\\PowerChute Business Edition\\agent\\pbeagent.exe"=
"c:\\Program Files\\APC\\PowerChute Business Edition\\server\\pbeserver.exe"=
"c:\\Program Files\\Common Files\\eEye Digital Security\\Application Bus\\eeyeevnt.exe"=
"c:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\WiselinkPro.exe"=
"c:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\http_ss_win_pro.exe"=
"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"53168:TCP"= 53168:TCP:Mezzmo Media Server Service
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/21/2011 7:15 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/21/2011 7:15 PM 15856]
R1 eeyeh;eeyeh;c:\windows\system32\drivers\eeyehf.sys [4/28/2012 8:09 PM 185560]
R1 eeyen;eEye NDIS driver;c:\windows\system32\drivers\eeyen.sys [12/13/2011 8:08 PM 61264]
R1 eeyet;eEye TDI driver;c:\windows\system32\drivers\eeyet.sys [4/28/2012 8:09 PM 78792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/21/2011 7:15 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\App\SaibSVC.exe [6/2/2009 6:05 PM 457200]
R2 APCPBEAgent;APC PBE Agent;c:\progra~1\APC\POWERC~1\agent\pbeagent.exe [5/8/2011 10:41 AM 28672]
R2 APCPBEServer;APC PBE Server;c:\progra~1\APC\POWERC~1\server\PBESER~1.EXE [5/8/2011 10:44 AM 45134]
R2 BlinkRM;eEye Blink Rule Manager;c:\program files\eEye Digital Security\Blink\BLINKRM.exe [4/28/2012 8:08 PM 189472]
R2 blinksvc;eEye Blink Engine;c:\program files\eEye Digital Security\Blink\blinksvc.exe [4/28/2012 8:08 PM 90568]
R2 BOT4Service;BOT4Service;c:\program files\Roxio\BackOnTrack\App\BService.exe [8/30/2010 10:14 PM 39408]
R2 eEyeUpdateSvc;eEye Update Service;c:\program files\Common Files\eEye Digital Security\SyncIt\eEyeUpdateSvc.exe [11/10/2011 2:34 PM 91576]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [1/14/2011 4:47 PM 70016]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/17/2010 10:50 PM 654408]
R2 Mezzmo;Mezzmo;c:\program files\Conceiva\Mezzmo\MezzmoMediaServer.exe [1/2/2013 8:20 PM 3119472]
R2 ndiskio;eEye DirectDisk Access Driver;c:\windows\system32\drivers\Ndiskio.sys [3/2/2010 4:31 PM 20448]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 11:42 AM 14088]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/10/2004 1:50 PM 5120]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [2/21/2011 9:07 PM 251736]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 11:05 PM 54960]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/17/2010 10:50 PM 22344]
R3 PciSPorts;High-Speed PCI Serial Port;c:\windows\system32\drivers\PciSPorts.sys [5/8/2011 9:37 AM 119808]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/21/2009 7:46 PM 47360]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1562096]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [7/16/2010 5:48 AM 354288]
S3 AllShare;SAMSUNG AllShare Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [7/16/2010 4:23 PM 6638080]
S3 RoxMediaDB13;RoxMediaDB13;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [7/16/2010 5:48 AM 1099248]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-07-11 20:31]
.
2013-01-19 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-07-11 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-23 22:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{82C3E419-1ABB-8FB4-3F58-1D22AF8C97DB}\InProcServer32*]
"oagamicbndlbdkchomabmklmmbnkbi"=hex:6a,61,70,68,69,65,69,6f,61,6c,67,6a,63,64,
66,62,66,65,62,6c,00,e1
"nagackiddfipglmnknaflkbfdclj"=hex:6a,61,70,68,6a,65,62,6e,67,68,66,6c,65,63,
67,6f,6e,68,64,64,00,f9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(1044)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2013-01-23 22:04:56
ComboFix-quarantined-files.txt 2013-01-24 03:04
ComboFix2.txt 2013-01-24 02:15
.
Pre-Run: 636,231,680 bytes free
Post-Run: 683,393,024 bytes free
.
- - End Of File - - 1B2349A95C72561C426ED44EF7EEEC48
-
Here's the requested log.
************** Is it safe for this PC to be connected to the internet now? *******************************
ComboFix 13-01-23.01 - Bill_2 01/23/2013 20:55:01.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3710.2920 [GMT -5:00]
Running from: c:\documents and settings\Bill_2\Desktop\ComboFix.exe
AV: eEye Digital Security Blink Anti-Virus *Disabled/Outdated* {C4821238-EFD9-4B79-B2A5-40CE68D50E68}
FW: eEye Digital Security Blink Firewall *Disabled* {AC6BB248-92AF-4E26-A70A-6E5FDB75C144}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\SET140.tmp
c:\windows\system32\SET14C.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system64
.
.
((((((((((((((((((((((((( Files Created from 2012-12-24 to 2013-01-24 )))))))))))))))))))))))))))))))
.
.
2013-01-23 02:45 . 2013-01-23 02:45 -------- d-----w- c:\documents and settings\Bill_2\Local Settings\Application Data\Conceiva
2013-01-03 22:45 . 2013-01-03 22:45 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\Conceiva
2013-01-03 01:20 . 2013-01-03 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Conceiva
2013-01-03 01:19 . 2013-01-03 01:19 -------- d-----w- c:\program files\Conceiva
2013-01-01 20:53 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2012-12-29 16:45 . 2012-12-29 16:45 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\MyEditor v5.00
2012-12-29 16:45 . 2012-12-29 16:45 -------- d-----w- c:\windows\lhsp
2012-12-29 16:44 . 2012-12-29 16:44 -------- d-----w- c:\program files\myeditor
2012-12-29 16:44 . 2012-12-29 16:44 -------- d-----w- c:\documents and settings\All Users\MyEditor v5.00
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-22 22:22 . 2012-04-10 01:16 664 ----a-w- c:\documents and settings\Missy\Local Settings\Application Data\d3d9caps.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-02-28 160592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2009-03-27 96816]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2009-08-03 2250088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
c:\documents and settings\Missy\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-5-11 546816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Blink.lnk - c:\program files\eEye Digital Security\Blink\Blink.exe [2012-4-28 273920]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-3-3 81997]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 08:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPMonitor]
2010-08-25 16:27 84464 ----a-w- c:\program files\Roxio\CinePlayer\5.0\CPMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Disc Tool]
2010-06-30 13:10 477680 ----a-w- c:\program files\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Garmin Lifetime Updater]
2012-01-06 20:30 1446760 ----a-w- c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-12-29 06:47 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2010-07-16 10:48 307184 ----a-w- c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Dashboard]
2011-06-01 16:42 79112 ----a-w- c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\APC\\PowerChute Business Edition\\agent\\pbeagent.exe"=
"c:\\Program Files\\APC\\PowerChute Business Edition\\server\\pbeserver.exe"=
"c:\\Program Files\\Common Files\\eEye Digital Security\\Application Bus\\eeyeevnt.exe"=
"c:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\WiselinkPro.exe"=
"c:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\http_ss_win_pro.exe"=
"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"53168:TCP"= 53168:TCP:Mezzmo Media Server Service
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/21/2011 7:15 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/21/2011 7:15 PM 15856]
R1 eeyeh;eeyeh;c:\windows\system32\drivers\eeyehf.sys [4/28/2012 8:09 PM 185560]
R1 eeyen;eEye NDIS driver;c:\windows\system32\drivers\eeyen.sys [12/13/2011 8:08 PM 61264]
R1 eeyet;eEye TDI driver;c:\windows\system32\drivers\eeyet.sys [4/28/2012 8:09 PM 78792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/21/2011 7:15 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\App\SaibSVC.exe [6/2/2009 6:05 PM 457200]
R2 APCPBEAgent;APC PBE Agent;c:\progra~1\APC\POWERC~1\agent\pbeagent.exe [5/8/2011 10:41 AM 28672]
R2 APCPBEServer;APC PBE Server;c:\progra~1\APC\POWERC~1\server\PBESER~1.EXE [5/8/2011 10:44 AM 45134]
R2 BlinkRM;eEye Blink Rule Manager;c:\program files\eEye Digital Security\Blink\BLINKRM.exe [4/28/2012 8:08 PM 189472]
R2 blinksvc;eEye Blink Engine;c:\program files\eEye Digital Security\Blink\blinksvc.exe [4/28/2012 8:08 PM 90568]
R2 BOT4Service;BOT4Service;c:\program files\Roxio\BackOnTrack\App\BService.exe [8/30/2010 10:14 PM 39408]
R2 eEyeUpdateSvc;eEye Update Service;c:\program files\Common Files\eEye Digital Security\SyncIt\eEyeUpdateSvc.exe [11/10/2011 2:34 PM 91576]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [1/14/2011 4:47 PM 70016]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/17/2010 10:50 PM 654408]
R2 Mezzmo;Mezzmo;c:\program files\Conceiva\Mezzmo\MezzmoMediaServer.exe [1/2/2013 8:20 PM 3119472]
R2 ndiskio;eEye DirectDisk Access Driver;c:\windows\system32\drivers\Ndiskio.sys [3/2/2010 4:31 PM 20448]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 11:42 AM 14088]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/10/2004 1:50 PM 5120]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\USB Safely Remove\USBSRService.exe [2/21/2011 9:07 PM 251736]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 11:05 PM 54960]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/17/2010 10:50 PM 22344]
R3 PciSPorts;High-Speed PCI Serial Port;c:\windows\system32\drivers\PciSPorts.sys [5/8/2011 9:37 AM 119808]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/21/2009 7:46 PM 47360]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1562096]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [7/16/2010 5:48 AM 354288]
S3 AllShare;SAMSUNG AllShare Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [7/16/2010 4:23 PM 6638080]
S3 RoxMediaDB13;RoxMediaDB13;c:\program files\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [7/16/2010 5:48 AM 1099248]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-07-11 20:31]
.
2013-01-19 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-07-11 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe
MSConfigStartUp-BuildBU - c:\dell\bldbubg.exe
MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM_ActiveSetup-{DA89EF83-F349-41D6-A897-BA11E8A3968C} - MSIEXEC
AddRemove-LAME for Audacity_is1 - h:\portableapps\AudacityPortable\App\LAME\unins000.exe
AddRemove-{06706400-70cb-47eb-9fce-5acaed849161} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{13301a6f-7e55-4323-8b66-aaf46c5ff3a1} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{14c6d91a-b5fb-4895-a6ec-d5077ad1ee0b} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{2dd63795-f001-4223-a9aa-2838186e4668} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{46ea72bb-c98b-42c0-922a-bd844004e593} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{4e146242-3240-498a-8eb7-2ddd0f9264f5} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{67e18946-97e8-453d-8fa2-18271ffd41a2} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{69973e6a-e059-4b52-87cf-30be3423c681} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{7423d301-90ac-4f12-b9be-add0ab7ae7c1} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{8342c926-94f8-49dc-9baa-5e2b696be261} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{862bf750-880b-4f22-88fb-db9e2dce3b2f} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{9fe766cb-3142-4098-aab5-586af92f5bc7} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{cc21c02c-fc49-416f-87d7-1ab658addb65} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{d3f3095a-f786-4e14-92d4-84331c753e37} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{d714e37a-142f-486c-a1aa-0b2849ea6f2c} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{e9b226d4-41f0-4490-a75c-de74742de5a9} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
AddRemove-{f6421e28-059c-458c-ac3a-d9bc19ad85fb} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-23 21:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{82C3E419-1ABB-8FB4-3F58-1D22AF8C97DB}\InProcServer32*]
"oagamicbndlbdkchomabmklmmbnkbi"=hex:6a,61,70,68,69,65,69,6f,61,6c,67,6a,63,64,
66,62,66,65,62,6c,00,e1
"nagackiddfipglmnknaflkbfdclj"=hex:6a,61,70,68,6a,65,62,6e,67,68,66,6c,65,63,
67,6f,6e,68,64,64,00,f9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2013-01-23 21:15:50
ComboFix-quarantined-files.txt 2013-01-24 02:15
.
Pre-Run: 480,907,264 bytes free
Post-Run: 609,714,176 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1B1948D618837D71B5AFFE6B26D4C178
-
RogueKiller Log as requested:
RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bill_2 [Admin rights]
Mode : Scan -- Date : 01/23/2013 18:21:32
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[41] : NtCreateKey @ 0x806240F6 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0360EFE)
SSDT[63] : NtDeleteKey @ 0x80624592 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB036136C)
SSDT[65] : NtDeleteValueKey @ 0x80624762 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0361344)
SSDT[119] : NtOpenKey @ 0x806254D4 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB03610BA)
SSDT[247] : NtSetValueKey @ 0x80622668 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB03611FA)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0362740)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB036224C)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (\SystemRoot\system32\DRIVERS\eeyehf.sys @ 0xB0361F34)
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost
[...]
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST3160828AS +++++
--- User ---
[MBR] 2ec62ffd137035f6192c2104643b5816
[bSP] 74c3e5f98933aa316c7c225b4c7cf3a6 : Dell MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 30004 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 304303230 | Size: 4000 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 61561080 | Size: 118526 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: WDC WD1001FALS-00J7B0 +++++
--- User ---
[MBR] caac2e3fa058d4277820d50353b957f9
[bSP] c6ec5bbfedb2566dee2fe2327358ed06 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 20482875 | Size: 943865 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 10001 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_01232013_02d1821.txt >>
RKreport[1]_S_01232013_02d1821.txt
You didn't request DDS logs but they are attached if needed.
-
My computer is infected with what is being described as the FBI Moneypak virus. It first appeared yesterday.
Sequence of events from yesterday (01/22/2013) in order of occurrence:
1) User Missy is logged in with limited account.
2) Early a.m. scheduled Malwarebytes scan:
Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org
Database version: v2013.01.22.02
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Missy :: GKC8391 [limited]
Protection: Enabled
1/22/2013 5:36:25 AM
mbam-log-2013-01-22 (05-36-25).txt
Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 121204
Time elapsed: 1 minute(s), 43 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
3) Later in the day, Malwarebytes pop-up window indicates a detection and user selects quarantine.
4) Sometime later, the entire screen is filled with an intimidating message (FBI has locked your computer, etc.) and a request for $200 to be paid through Moneypak.
5) I was able to switch to another user account.
6) User Bill is logged in with an admin account, and user Missy is disconnected / logged out using Task Manager.
7) A Malwarebytes flash scan is initiated by me:
Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org
Database version: v2013.01.22.02
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bill :: GKC8391 [administrator]
Protection: Disabled
1/22/2013 8:04:47 PM
mbam-log-2013-01-22 (20-04-47).txt
Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 208411
Time elapsed: 1 minute(s), 20 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Documents and Settings\Missy\Application Data\skype.dat (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
8) Here’s the protection log from yesterday showing detections if useful:
2013/01/22 01:00:00 -0500 GKC8391 Missy MESSAGE Executing scheduled scan: Quick Scan | Daily
2013/01/22 01:00:00 -0500 GKC8391 Missy MESSAGE Scheduled scan executed successfully
2013/01/22 05:36:00 -0500 GKC8391 Missy MESSAGE Executing scheduled update: Flash Scan | Daily
2013/01/22 05:36:12 -0500 GKC8391 Missy MESSAGE Starting database refresh
2013/01/22 05:36:12 -0500 GKC8391 Missy MESSAGE Scheduled update executed successfully: database updated from version v2013.01.21.10 to version v2013.01.22.02
2013/01/22 05:36:12 -0500 GKC8391 Missy MESSAGE Stopping IP protection
2013/01/22 05:36:12 -0500 GKC8391 Missy MESSAGE IP Protection stopped
2013/01/22 05:36:15 -0500 GKC8391 Missy MESSAGE Executing scheduled scan: Flash Scan | -terminate
2013/01/22 05:36:15 -0500 GKC8391 Missy MESSAGE Scheduled scan executed successfully
2013/01/22 05:36:27 -0500 GKC8391 Missy MESSAGE Database refreshed successfully
2013/01/22 05:36:27 -0500 GKC8391 Missy MESSAGE Starting IP protection
2013/01/22 05:37:20 -0500 GKC8391 Missy MESSAGE IP Protection started successfully
2013/01/22 17:14:29 -0500 GKC8391 Missy IP-BLOCK 69.6.27.100 (Type: outgoing)
2013/01/22 17:14:34 -0500 GKC8391 Missy DETECTION C:\Documents and Settings\Missy\Local Settings\Temp\LIF4R7TU3.exe Backdoor.0Access QUARANTINE
2013/01/22 17:14:38 -0500 GKC8391 Missy IP-BLOCK 69.6.27.100 (Type: outgoing)
2013/01/22 17:15:11 -0500 GKC8391 Missy DETECTION C:\Documents and Settings\Missy\Local Settings\Temp\~!#12A.tmp Trojan.Medfos QUARANTINE
2013/01/22 20:03:54 -0500 GKC8391 Bill_2 MESSAGE Stopping IP protection
2013/01/22 20:03:54 -0500 GKC8391 Bill_2 MESSAGE IP Protection stopped
9) Screen shot of quarantine list shown below.
10) I unplugged the network cable after reading similar posts.
11) A Malwarebytes scan from this morning (01/23/2013) shows no detections.
No doubt this is not the end of it.
I will not be able to use system restore to correct the problem. I am at work now and will download DDS to a flash drive and take it home with me. I will run it tonight and post the resulting logs from another PC.
I am running the RoboForm password manager application, which utilizes encryption, on the infected PC. Do I need to be concerned about stolen passwords?
Feel free to post any other instructions for me in the meantime. Thanks!
FBI / MoneyPak infection - Please help
in Resolved Malware Removal Logs
AdwCleaner log after delete option followed by Security Check checkup.txt:
# AdwCleaner v2.108 - Logfile created 01/24/2013 at 21:54:27
# Updated 24/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Bill_2 - GKC8391
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Bill_2\Desktop\adwcleaner.exe
# Option [Delete]
***** [services] *****
***** [Files / Folders] *****
***** [Registry] *****
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\Software\Viewpoint
***** [internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [1347 octets] - [24/01/2013 21:11:20]
AdwCleaner[R2].txt - [1407 octets] - [24/01/2013 21:53:01]
AdwCleaner[s1].txt - [1356 octets] - [24/01/2013 21:54:27]
########## EOF - C:\AdwCleaner[s1].txt - [1416 octets] ##########
*****************************************************************************************************************************
*****************************************************************************************************************************
Results of screen317's Security Check version 0.99.57
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
HKR,,EventMessageFile,0x00020000,%%SystemRoot%%\System32\IoLogMsg.dll;%%SystemRoot%%\System32\drivers\PciPPorts.sys
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Norton Ghost
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 15
Java 2 Runtime Environment, SE v1.4.2_03
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.1.102.64 Flash Player out of Date!
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 5%
````````````````````End of Log``````````````````````