david888m

Honorary Members
  1. Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4170
     Windows 5.0.2195 Service Pack 4
     Internet Explorer 5.00.3700.1000
     6/6/2010 1:54:41 AM
     mbam-log-2010-06-06 (01-54-41).txt
     Scan type: Full scan (C:\|D:\|E:\|G:\|H:\|I:\|U:\|)
     Objects scanned: 203894
     Time elapsed: 4 hour(s), 19 minute(s), 44 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
  2. If I try to go to youtube.com on the Dell, Firefox goes to myfreevideos.info instead. However, the latter page cannot be loaded.
  3. I doubt that the boot virus was a false positive by Avira because Dr. Web detected a boot virus with status "NYB". Avira, Dr. Web and the BIOS of 2 computers warned of the same boot viruses on several floppies. I reformatted all but one of the infected floppies. Have you found out whether your developers want the remaining infected floppy yet? If it was an ISP issue, I believe it should have affected all my computers at the same time and duration on the network; DSL access was never disabled on one computer. Using the recently installed XP on the Dell, I scanned with Trend Micro's Housecalls. It detected and fixed a rootkit identified as "HIDDEN PROC" that is not in their database. I'm using multiple scanners every day. I believe that all the infections are gone. Thanks.
  4. I reported earlier that nothing related to "Ask" was in my program list on Asus and therefore couldn't remove it. I believe it sneaked in with Foxit. The Ask.com toolbar is doing something once an hour, from a Panda scan:
     04/23/2010 11:12 TaskName: Scheduled Update for Ask Toolbar
     04/23/2010 11:12 Next Run Time: 12:01:00, 4/23/2010
     04/23/2010 11:12 Status:
     04/23/2010 11:12 Last Run Time: 11:01:00, 4/23/2010
     04/23/2010 11:12 Last Result: 0
     04/23/2010 11:12 Creator: aida
     04/23/2010 11:12 Schedule: Every 1 hour(s) from 1:01 AM for 24 hour(s) every day, starting 1/1/2008
     04/23/2010 11:12 Task To Run: C:\Program Files\Ask.com\UpdateTask.exe
     04/23/2010 11:12 Start In: N/A
     04/23/2010 11:12 Comment: N/A
     04/23/2010 11:12 Scheduled Task State: Enabled
     04/23/2010 11:12 Scheduled Type: Hourly
     04/23/2010 11:12 Start Time: 01:01:00
     04/23/2010 11:12 Start Date: 1/1/2008
     04/23/2010 11:12 End Date: N/A
     04/23/2010 11:12 Days: Everyday
     04/23/2010 11:12 Months: N/A
     04/23/2010 11:12 Run As User: ADMIN\aida
     04/23/2010 11:12 Delete Task If Not Rescheduled: Disabled
     04/23/2010 11:12 Stop Task If Runs X Hours and X Mins: 72:0
     04/23/2010 11:12 Repeat: Every: 1 Hour(s)
     04/23/2010 11:12 Repeat: Until: Time: None
     04/23/2010 11:12 Repeat: Until: Duration: 24 Hour(s): 0 Minute(s)
     04/23/2010 11:12 Repeat: Stop If Still Running: Disabled
     04/23/2010 11:12 Idle Time: Disabled
     04/23/2010 11:12 Power Management: No Start On Batteries
  5. The Avira rescue CD detected, but couldn't remove, the same boot virus on the computer for which DSL service was temporarily restored with System Restore. Either high formatting or swapping in 2 other network cards also restored DSL service temporarily. BIOS flashing, MBR repair, fdisking, and high formatting were all needed to make DSL service restoration more than temporary for all 3 network cards and to eliminate the other symptoms. The DSL service was restored with System Restore and has been running over 5 weeks without interruption on the Asus, which never had any other symptoms and on which the same boot virus was never detected.
  6. Actually, the DSL problem on DELL began immediately upon clicking on a link at Avira; I did this after the Avira rescue CD detected but could not remove the boot virus. The DSL and 3 modem icons also disappeared and could not be recreated. My DSL services on 2 other computers on the same network were knocked out soon afterward, but were restored (temporarily for 1 computer) with System Restore. I did try swapping in 3 different network cards. All 6 network cards that were affected, some repeatedly, are now fine. Thanks.
  7. For the 3rd computer, the MBR scan gave the same results as DELL and ASUS. The 3rd computer never had any of the symptoms that DELL and ASUS had. Thanks.
  8. I haven't inserted the infected floppy for several weeks. Should I toss it or send it to one of the many antimalware firms that couldn't detect it? The MBR scans for both the DELL and ASUS are below:
     for the DELL:
     Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
     device: opened successfully
     user: MBR read successfully
     kernel: MBR read successfully
     user & kernel MBR OK
     for the ASUS:
     Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
     device: opened successfully
     user: MBR read successfully
     kernel: MBR read successfully
     user & kernel MBR OK
     Thanks.
  9. Dell's motherboard, case, and power supply are 7-8 years old, but I swap the hard disks and other components in and out of various computers. It seems strange that these symptoms started on the same day on 2 computers when viruses were definitely detected. Also, my DSL access was eventually disabled (one of the symptoms) on a third computer (the Asus), which was restored by System Restore. One of my floppies is still infected with the boot virus that was detected on 2 computers. Avira identifies it as simply Boot.1 virus, but it's not in their database. Dr. Web reported for another computer: "A: Boot Sector" and status as "NYB". The reports on the symptoms and virulence of the "NYB" virus are inconsistent. The BIOS of a computer warned me of a boot virus. None of the numerous other antimalware solutions could detect anything. Is there any way I can submit the virus on the floppy? Perhaps I need to send the floppy itself. Thanks.
  10. That worked the first time. Do you think that Dell is still infected? Thanks.
  11. I'm having trouble reinstalling XP (as an additional boot OS) on Dell's d: hard drive while running 2k; it has failed on 3 attempts. After I accepted "download updated install files", I got the message "Cannot Complete the Windows XP Setup Wizard". However, I had been able to reinstall Win 2k on Dell's c: drive after flashing the BIOS, fixing the boot sector, fdisking, and high formatting. Reinstalling and/or repairing 2K and XP repeatedly aborted on 2 computers at various points when the virus(es) infected my boot sectors and my BIOSes. I'm now trying to install XP using a 98 boot floppy and running winnt.exe to see whether I can bypass the problem.
  12. Avira found HTML/Infected.WebPage.Gen earlier today. I quarantined it.
  13. When the Dell was definitely infected, there was no blue screen crash preceding the disappearance of the icons.
  14. I was browsing early last week when the Dell froze with a blue screen. After rebooting, I lost my DSL. The DSL network icon is gone. The modem icons are present, but modified and nonfunctional. The modem and NICs are gone from Device Manager. These are some of the symptoms (i.e., disabling of device drivers and disappearance of the icons) I had before, but this time, unlike before, everything came back after some fiddling around. I haven't had any problems since the icons came back.
  15. I've been running Malwarebytes almost every day since reformatting Dell over 2 weeks ago. I posted logs from many tools on Mar 29 2010, 11:10 PM, Post #11. The Combofix log reported 3 infected system files. The same 3 system files were reported to be infected in the newer Combofix log done on April 7th below. However, Malwarebytes never found any infection in the past 2 1/2 weeks; I'm posting the most recent log (showing no infection) below the Combofix log. Dr. Web and Trend Micro haven't found anything either, but Avira found and removed 2 other viruses on Dell in the last 2 1/2 weeks. Thanks.
     ComboFix 10-04-05.06 - Administrator 04/07/2010 0:27.2.1 - FAT32x86
     Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.254.148 [GMT -4:00]
     Running from: c:\documents and settings\Administrator\Desktop\TEMP\ComboFix.exe
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\winnt\system32\comres.dll . . . is infected!!
     c:\winnt\system32\qmgr.dll . . . is infected!!
     c:\winnt\system32\comres.dll . . . is infected!!
     .
     Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org
     Database version: 3970
     Windows 5.0.2195 Service Pack 4
     Internet Explorer 6.0.2600.0000
     4/12/2010 6:26:21 AM
     mbam-log-2010-04-12 (06-26-21).txt
     Scan type: Full scan (C:\|D:\|)
     Objects scanned: 138863
     Time elapsed: 3 hour(s), 6 minute(s), 41 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)