hausarian

Everything posted by hausarian

  1. I have read the sticky and run the Farbar tool and attached the logs requested. I have been having general issues with malware. Recently Malwarebytes found a variety of items and removed them. Since then I have had difficulty with tapintsall.exe and I am unable to update Windows (I will admit that I shut off updates for a while to avoid getting stealth upgraded). Hoping you guys can help with this step in troubleshooting before I reimage the whole thing. Thanks in advance. Addition.txt FRST.txt
  2. No popups or issues have come up. All scans I have run come back clean (ESET, Malwarebytes).
  3. ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK esets_scanner_update returned -1 esets_gle=53251 Here is the log file. I ran an initial scan that produced 5 objects that ESET said were cleaned. I closed the window as instructed, but the log doesn't appear to have kept the information. I ran another scan and found 0 objects.
  4. Here is the new ComboFix log. ComboFix 12-08-05.02 - temp 08/06/2012 11:30:30.4.2 - x86 MINIMAL Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2039.1698 [GMT -4:00]
  5. ComboFix 12-08-05.02 - temp 08/05/2012 22:17:39.2.2 - x86 Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2039.1263 [GMT -4:00]
  6. OTL window states: "OTL cannot be run from a temporary folder! Please download it to your Desktop or other suitable location." Running it from the Desktop of the infected laptop.
  7. OTL is unable to run on the infected PC. Specifically, I get a message that says it cannot be run from a temporary folder, but it is on the Desktop.
  8. Having trouble getting OTL from OldTimer's... is there an alternate link, or could I try using HijackThis?
  9. Thanks Maniac. Followed directions as instructed; here are the new logs. DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33 Run by temp at 8:38:41 on 2012-08-03 Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2039.1327 [GMT -4:00]
  10. Thanks in advance for the help. DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33 Run by temp at 4:54:42 on 2012-08-03 Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2039.1709 [GMT -4:00]
S2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2012-7-26 794560] S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504] S2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-2-26 26168] S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008] S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712] S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-9-14 88192] S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2009-8-25 450944] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-8-2 40776] S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-8 113120] S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2006-11-2 30720] . =============== Created Last 30 ================ . 
2012-08-02 23:09:50 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2012-08-02 05:06:09 -------- d-----w- c:\programdata\036DFF6A000CE2FE004DA8BB2F3B6FDA 2012-07-31 16:51:29 -------- d-----w- c:\program files\YTD Toolbar 2012-07-31 16:51:29 -------- d-----w- c:\program files\common files\Spigot 2012-07-31 16:51:29 -------- d-----w- c:\program files\Application Updater 2012-07-27 02:27:39 650752 ----a-w- c:\windows\system32\xvidcore.dll 2012-07-27 02:27:39 240640 ----a-w- c:\windows\system32\xvidvfw.dll 2012-07-27 02:27:39 152064 ----a-w- c:\windows\system32\xvid.ax 2012-07-27 02:26:02 -------- d-----w- c:\programdata\BasicScan 2012-07-27 02:26:02 -------- d-----w- c:\program files\BasicScan 2012-07-27 02:26:00 -------- d-----w- c:\program files\PricePeep 2012-07-27 02:25:33 -------- d-----w- c:\users\temp\appdata\local\GigglingGamesSA 2012-07-27 01:10:46 -------- d-----w- c:\program files\1ClickDownload 2012-07-09 23:40:34 -------- d-sh--w- c:\windows\system32\%APPDATA% . ==================== Find3M ==================== . 
2012-07-09 23:28:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-07-09 23:28:01 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-28 14:36:19 444952 ----a-w- c:\windows\system32\wrap_oal.dll 2012-06-28 14:36:19 109080 ----a-w- c:\windows\system32\OpenAL32.dll 2012-06-13 06:00:08 476936 ----a-w- c:\windows\system32\npdeployJava1.dll 2012-06-13 06:00:08 472840 ----a-w- c:\windows\system32\deployJava1.dll 2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll 2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll 2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe 2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll 2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll 2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl 2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe 2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-05-15 19:51:08 2045440 ----a-w- c:\windows\system32\win32k.sys . ============= FINISH: 4:56:21.73 =============== attach.txt dds.txt
  11. I can use my browser again on the infected machine, here is the mbam log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6567
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
5/13/2011 9:24:35 AM
mbam-log-2011-05-13 (09-24-35).txt
Scan type: Quick scan
Objects scanned: 144851
Time elapsed: 4 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Bench 1\Local Settings\Application Data\ivi.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Bench 1\Local Settings\Application Data\ivi.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Bench 1\Local Settings\Application Data\ivi.exe" -a "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected: (No malicious items detected)
Files Infected:
c:\documents and settings\Bench 1\local settings\application data\ivi.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
  12. Renamed mbam to iexplore and it still will not launch.
  13. I cannot browse any sites in Firefox, XP Total Security message is blocking any pages saying they are "Dangerous"
  14. My 2nd computer has been infected with XP Total Security. I have been through this cleanup with similar infections. I tried following the guide for cleaning this particular infection, however I cannot get malwarebytes to run. I am also having trouble getting gmer to run a full scan without the computer rebooting out of safe mode. I did get one item from gmer that I have included in the attach. I have run the other scans and the results are posted here. Thanks in advance for the help. Here is DDS:
.
DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL
Run by Bench 1 at 3:57:33.81 on Fri 05/13/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2753 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Bench 1\Local Settings\Application Data\ivi.exe
C:\Documents and Settings\Bench 1\Desktop\cleaning\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.8.11.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [steelSeries World of Warcraft MMO Gaming Mouse] c:\program files\steelseries\world of warcraft mmo gaming mouse\WoWMHID.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.8.11.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194125623140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194125618625
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxps://smarthelp.ihost.com/wps/com/ibm/gesc/selfenab/contextroot/SEP_UserProfile/plugins/IbmEgath.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\bench1~1\applic~1\mozilla\firefox\profiles\r0ydh2rt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20110204232027812&tb_oid=04-02-2011&tb_mrud=04-02-2011
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20110204232027812&tb_oid=04-02-2011&tb_mrud=04-02-2011&query=
FF - component: c:\documents and settings\bench 1\application data\mozilla\firefox\profiles\r0ydh2rt.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\documents and settings\bench 1\application data\mozilla\firefox\profiles\r0ydh2rt.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
FF - component: c:\documents and settings\bench 1\application data\mozilla\firefox\profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\bench 1\application data\mozilla\firefox\profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkanevapatch.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Aero Fox: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: BitComet Video Downloader: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB} - %profile%\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: AOL Messaging Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [2010-7-9 11136]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-6 28544]
S1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
S2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\drivers\BWCDRV.SYS [2003-12-21 19840]
S2 gupdate1c9bd89c539fe72;Google Update Service (gupdate1c9bd89c539fe72);c:\program files\google\update\GoogleUpdate.exe [2009-4-15 133104]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-11-3 104000]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [2005-7-11 372480]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-11-3 72264]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-11-3 34152]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-11-3 168776]
S3 ndisva;Avaya VPNet Virtual Adapter Driver;c:\windows\system32\drivers\vadapter.sys --> c:\windows\system32\drivers\vadapter.sys [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-12-24 100456]
S3 XDva285;XDva285;\??\c:\windows\system32\xdva285.sys --> c:\windows\system32\XDva285.sys [?]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-15 133104]
.
=============== Created Last 30 ================
.
2011-05-13 03:37:46 226165 --sha-w- c:\docume~1\bench1~1\locals~1\applic~1\ivi.exe
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00:27 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44:16 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 3:58:41.37 ===============
If it helps, here is a Hijackthis log as well:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:08:14 AM, on 5/13/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17096)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Bench 1\Local Settings\Application Data\ivi.exe
C:\Documents and Settings\Bench 1\Desktop\cleaning\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOL Messaging Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.8.11.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [steelSeries World of Warcraft MMO Gaming Mouse] C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.4.8.11.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194125623140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194125618625
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://smarthelp.ihost.com/wps/com/ibm/gesc/selfenab/contextroot/SEP_UserProfile/plugins/IbmEgath.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BUFFALO Wireless Configuration Service (bwcsrv) - Unknown owner - C:\WINDOWS\system32\Drivers\bwcsrv.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9bd89c539fe72) (gupdate1c9bd89c539fe72) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8164 bytes
attach.zip
  15. DDS (Ver_10-11-10.01) - NTFSx86
Run by temp at 16:24:19.65 on Sat 11/13/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_20
Microsoft
Attach.txt
  16. Here is the log from del.bat:
Deleting files
"F:\Movie backup\Spyware Doctor v4.0.0.2618\sdsetup.exe" deleted
"K:\Movie backup\Spyware Doctor v4.0.0.2618\sdsetup.exe" deleted
Completing other steps to cleanup as instructed. Thank you so much. Are there any further instructions to follow after these steps?
  17. Completed the steps above. Here are the new logs from the mbam and eset scans:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4131
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
5/23/2010 12:09:15 AM
mbam-log-2010-05-23 (00-09-15).txt
Scan type: Quick scan
Objects scanned: 126404
Time elapsed: 6 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=3a8551906a81b14088e78166552e41cd
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-05-23 07:27:01
# local_time=2010-05-23 03:27:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=193319
# found=11
# cleaned=0
# scan_time=11328
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\smss.exe.vir a variant of Win32/TrojanDownloader.Unruy.BR trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\svchost.exe.vir a variant of Win32/TrojanDownloader.Unruy.BR trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\_smss_.exe.zip a variant of Win32/TrojanDownloader.Unruy.BR trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\_svchost_.exe.zip a variant of Win32/TrojanDownloader.Unruy.BR trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Njosia.exe.vir Win32/TrojanDownloader.FakeAlert.AQI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\imapi.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{2668AE92-1EE7-493C-B65D-0180A0C39C1E}\RP1\A0000046.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{2668AE92-1EE7-493C-B65D-0180A0C39C1E}\RP1\A0000088.exe Win32/TrojanDownloader.FakeAlert.AQI trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\spool\prtprocs\w32x86\b00006d58.dll a variant of Win32/Kryptik.EJF trojan 00000000000000000000000000000000 I
F:\Movie backup\Spyware Doctor v4.0.0.2618\sdsetup.exe probably a variant of Win32/Spy.Agent trojan 00000000000000000000000000000000 I
K:\Movie backup\Spyware Doctor v4.0.0.2618\sdsetup.exe probably a variant of Win32/Spy.Agent trojan 00000000000000000000000000000000 I
  18. When I type fixmbr I get this message:

      **CAUTION**
      This computer appears to have a non-standard or invalid master boot record.
      FIXMBR may damage your partition tables if you proceed.
      This could cause all the partitions on the current hard disk to become inaccessible.
      If you are not having problems accessing your drive, do not continue.
      Are you sure you want to write a new MBR?

      What should I do?
  19. Completed the steps above to submit. Are there other steps to complete?
  20. 2010-05-23 00:41:40 . 2010-05-23 00:41:40	38,034	----a-w-	C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\_svchost_.exe.zip
      2010-05-23 00:41:39 . 2010-05-23 00:41:39	44,064	----a-w-	C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\_smss_.exe.zip
      2010-05-23 00:38:38 . 2010-05-23 00:38:38	1,396	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Service_pkzlkrr.reg.dat
      2010-05-23 00:38:38 . 2010-05-23 00:38:38	2,534	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Service_isaxbox.reg.dat
      2010-05-23 00:38:38 . 2010-05-23 00:38:38	660	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Service_b1204ba5.reg.dat
      2010-05-23 00:38:38 . 2010-05-23 00:38:38	1,480	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Service_aikebxbw.reg.dat
      2010-05-23 00:38:37 . 2010-05-23 00:38:37	1,034	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Legacy_PKZLKRR.reg.dat
      2010-05-23 00:38:37 . 2010-05-23 00:38:37	1,208	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Legacy_ISAXBOX.reg.dat
      2010-05-23 00:38:37 . 2010-05-23 00:38:37	1,220	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Legacy_AIKEBXBW.reg.dat
      2010-05-23 00:35:38 . 2010-05-23 00:35:39	179,020	----a-w-	C:\Qoobox\Quarantine\[4]-Submit_2010-05-22_20.35.23.zip
      2010-05-22 22:22:12 . 2010-05-22 22:22:12	1,286	----a-w-	C:\Qoobox\Quarantine\Registry_backups\AddRemove-NVIDIA Display Control Panel.reg.dat
      2010-05-22 22:21:49 . 2010-05-22 22:21:49	660	----a-w-	C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-13453124.reg.dat
      2010-05-22 22:07:54 . 2010-05-22 22:07:54	790	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Legacy_PRAGMArppmhenbvg.reg.dat
      2010-05-22 22:07:54 . 2010-05-22 22:07:54	808	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Legacy_IAS.reg.dat
      2010-05-22 22:07:54 . 2010-05-22 22:07:54	774	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Legacy_6TO4.reg.dat
      2010-05-22 04:08:09 . 2010-05-22 22:07:54	1,402	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Service_PRAGMArppmhenbvg.reg.dat
      2010-05-22 03:26:44 . 2010-05-22 22:12:41	57,953	----a-w-	C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\smss.exe.vir
      2010-05-22 03:26:29 . 2010-05-22 22:12:31	51,915	----a-w-	C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\svchost.exe.vir
      2010-05-15 04:12:17 . 2010-05-22 04:09:27	0	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\aikebxbw.sys.vir
      2010-05-15 04:11:17 . 2010-05-15 04:11:06	174,592	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\Njosia.exe.vir
      2010-05-11 02:37:23 . 2010-05-11 13:36:39	108	----a-w-	C:\Qoobox\Quarantine\C\feed.txt.vir
      2010-05-11 02:37:23 . 2010-05-11 13:36:39	100	----a-w-	C:\Qoobox\Quarantine\C\Documents and Settings\Bench 1\Local Settings\Application Data\Windows Server\flags.ini.vir
      2010-05-11 02:37:23 . 2010-05-11 13:36:39	50	----a-w-	C:\Qoobox\Quarantine\C\Documents and Settings\Bench 1\Local Settings\Application Data\Windows Server\uses32.dat.vir
      2010-05-10 16:45:50 . 2010-05-10 16:45:50	74	----a-w-	C:\Qoobox\Quarantine\C\Documents and Settings\Bench 1\Application Data\ATManager\metafiles\e7e2135bcdfc87179deacdb1cdac8b7a.torrent.vir
      2009-10-03 17:34:39 . 2009-10-03 17:34:39	13,717	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\ukokyw.dll.vir
      2009-10-03 17:34:38 . 2009-10-03 17:34:38	16,757	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\orynixotuz.exe.vir
      2009-10-03 17:34:38 . 2009-10-03 17:34:38	17,538	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\biga.sys.vir
      2009-10-03 17:34:38 . 2009-10-03 17:34:38	14,031	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\lezacadenu.db.vir
      2009-10-03 17:34:38 . 2009-10-03 17:34:38	10,402	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\qevynake.lib.vir
      2009-10-03 17:34:38 . 2009-10-03 17:34:38	10,073	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\yrohihely._sy.vir
      2009-10-03 17:34:38 . 2009-10-03 17:34:38	12,221	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\pejotamyb.scr.vir
      2009-10-03 17:09:00 . 2009-10-03 17:09:00	16,653	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\gebasus.lib.vir
      2009-10-03 17:09:00 . 2009-10-03 17:09:00	10,579	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\widy.bat.vir
      2009-10-03 17:09:00 . 2009-10-03 17:09:00	17,864	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\uqarywe.dat.vir
      2009-10-03 17:08:59 . 2009-10-03 17:09:00	16,503	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\yqep.exe.vir
      2009-10-03 17:08:59 . 2009-10-03 17:08:59	17,704	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\ypijitym.exe.vir
      2009-10-03 17:08:59 . 2009-10-03 17:08:59	10,597	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\azimuty.com.vir
      2009-10-03 17:08:59 . 2009-10-03 17:08:59	10,689	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\pypat.dl.vir
      2009-10-03 17:08:59 . 2009-10-03 17:08:59	12,858	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\iropijytev.pif.vir
      2009-10-03 17:08:59 . 2009-10-03 17:08:59	15,416	----a-w-	C:\Qoobox\Quarantine\C\Program Files\Common Files\hixytovy.inf.vir
      2009-07-15 05:25:16 . 2009-07-15 05:25:16	754	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Service_UACd.sys.reg.dat
      2009-07-15 05:24:52 . 2009-07-15 05:24:52	1,305	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Service_hjgruiuxtstfon.reg.dat
      2009-07-15 04:49:47 . 2009-07-15 04:49:47	310	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmpxddbauxt.dat.vir
      2009-07-13 16:28:32 . 2009-07-14 22:44:25	3,976,714	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\uactmp.db.vir
      2009-07-13 16:26:41 . 2009-07-15 04:50:20	91	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiqtdslmxt.dat.vir
      2009-07-13 16:26:32 . 2009-07-14 22:58:11	1,110,399	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdrudtllfvgrihvsyh.db.vir
      2009-07-13 16:25:24 . 2009-07-15 04:50:20	58,029	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruifmyouivl.dat.vir
      2009-07-13 16:25:23 . 2009-07-15 03:08:48	6,219	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\uacinit.dll.vir
      2009-07-13 16:25:16 . 2009-07-15 04:21:10	310	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjcpbgffbcqvoijxjy.dat.vir
      2009-07-13 16:24:50 . 2009-07-13 16:24:50	10	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\run.log.vir
      2009-07-06 23:43:51 . 2009-07-06 23:43:51	2,656	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Service_wscsvcWudfSvc.reg.dat
      2009-07-06 23:43:50 . 2009-07-06 23:43:50	878	----a-w-	C:\Qoobox\Quarantine\Registry_backups\Legacy_wscsvcwudfsvc.reg.dat
      2009-07-06 23:43:45 . 2010-05-23 00:38:31	10,782	----a-w-	C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
      2009-07-06 23:39:05 . 2010-05-23 00:41:41	697	----a-w-	C:\Qoobox\Quarantine\catchme.log
      2009-05-27 04:31:02 . 2009-06-05 23:17:56	100	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\2688857570.dat.vir
      2009-05-27 04:30:55 . 2009-05-27 04:31:04	16	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\wiaservim.log.vir
      2009-04-23 06:22:44 . 2009-04-23 06:22:44	9,229	----a-w-	C:\Qoobox\Quarantine\C\Documents and Settings\Bench 1\Local Settings\Application Data\{9A18B99C-C415-4FB7-9C47-3B01B907C90E}\chrome\content\overlay.xul.vir
      2009-04-23 06:22:44 . 2009-04-23 06:22:44	3,323	----a-w-	C:\Qoobox\Quarantine\C\Documents and Settings\Bench 1\Local Settings\Application Data\{9A18B99C-C415-4FB7-9C47-3B01B907C90E}\chrome\content\c.js.vir
      2009-04-23 06:22:43 . 2009-04-23 06:22:44	2,127	----a-w-	C:\Qoobox\Quarantine\C\Documents and Settings\Bench 1\Local Settings\Application Data\{9A18B99C-C415-4FB7-9C47-3B01B907C90E}\chrome\content\_cfg.js.vir
      2009-04-23 06:22:43 . 2009-04-23 06:22:44	770	----a-w-	C:\Qoobox\Quarantine\C\Documents and Settings\Bench 1\Local Settings\Application Data\{9A18B99C-C415-4FB7-9C47-3B01B907C90E}\install.rdf.vir
      2009-04-23 06:22:43 . 2009-04-23 06:22:43	120	----a-w-	C:\Qoobox\Quarantine\C\Documents and Settings\Bench 1\Local Settings\Application Data\{9A18B99C-C415-4FB7-9C47-3B01B907C90E}\chrome.manifest.vir
      2009-01-11 02:39:05 . 2009-01-11 02:39:05	9,229	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{3C684FE8-49AE-459E-A9C1-F472AE19F821}\chrome\content\overlay.xul.vir
      2009-01-11 02:39:05 . 2009-01-11 02:39:05	3,323	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{3C684FE8-49AE-459E-A9C1-F472AE19F821}\chrome\content\c.js.vir
      2009-01-11 02:39:05 . 2009-01-11 02:39:06	2,117	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{3C684FE8-49AE-459E-A9C1-F472AE19F821}\chrome\content\_cfg.js.vir
      2009-01-11 02:39:05 . 2009-01-11 02:39:06	770	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{3C684FE8-49AE-459E-A9C1-F472AE19F821}\install.rdf.vir
      2009-01-11 02:39:05 . 2009-01-11 02:39:05	120	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{3C684FE8-49AE-459E-A9C1-F472AE19F821}\chrome.manifest.vir
      2004-08-04 12:00:00 . 2008-04-14 00:11:56	2,304	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\isaxbox.sys.vir
      2004-08-04 12:00:00 . 2008-04-13 18:40:58	42,112	----a-w-	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\imapi.sys.vir
  21. Here is the latest combofix log

      ComboFix 10-05-21.04 - Bench 1 05/22/2010  20:35:40.4.2 - x86
      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2622 [GMT -4:00]
      Running from: c:\documents and settings\Bench 1\Desktop\ComboFix.exe
      Command switches used :: c:\documents and settings\Bench 1\Desktop\CFScript.txt
      AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

      file zipped: c:\program files\Common Files\azimuty.com
      file zipped: c:\program files\Common Files\biga.sys
      file zipped: c:\program files\Common Files\gebasus.lib
      file zipped: c:\program files\Common Files\hixytovy.inf
      file zipped: c:\program files\Common Files\iropijytev.pif
      file zipped: c:\program files\Common Files\lezacadenu.db
      file zipped: c:\program files\Common Files\pejotamyb.scr
      file zipped: c:\program files\Common Files\pypat.dl
      file zipped: c:\program files\Common Files\qevynake.lib
      file zipped: c:\program files\Common Files\uqarywe.dat
      file zipped: c:\program files\Common Files\widy.bat
      file zipped: c:\program files\Common Files\yqep.exe
      file zipped: c:\program files\Common Files\yrohihely._sy
      file zipped: c:\windows\system32\drivers\aikebxbw.sys
      file zipped: c:\windows\system32\isaxbox.sys
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\program files\Common Files\azimuty.com
      c:\program files\Common Files\biga.sys
      c:\program files\Common Files\gebasus.lib
      c:\program files\Common Files\hixytovy.inf
      c:\program files\Common Files\iropijytev.pif
      c:\program files\Common Files\lezacadenu.db
      c:\program files\Common Files\pejotamyb.scr
      c:\program files\Common Files\pypat.dl
      c:\program files\Common Files\qevynake.lib
      c:\program files\Common Files\uqarywe.dat
      c:\program files\Common Files\widy.bat
      c:\program files\Common Files\yqep.exe
      c:\program files\Common Files\yrohihely._sy
      c:\system volume information\_restore{d5fffa500b1b}
      c:\system volume information\_restore{d5fffa500b1b}\smss.exe
      c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
      c:\windows\system32\drivers\aikebxbw.sys
      c:\windows\system32\isaxbox.sys
      .

      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_AIKEBXBW
      -------\Legacy_ISAXBOX
      -------\Legacy_PKZLKRR
      -------\Service_aikebxbw
      -------\Service_b1204ba5
      -------\Service_isaxbox
      -------\Service_pkzlkrr

      (((((((((((((((((((((((((   Files Created from 2010-04-23 to 2010-05-23   )))))))))))))))))))))))))))))))
      .

      2010-05-21 22:39 . 2010-05-21 22:39	--------	d--h--w-	c:\windows\system32\GroupPolicy
      2010-05-21 22:02 . 2010-05-22 23:23	--------	d-----w-	c:\documents and settings\Bench 1\Application Data\QuickScan
      2010-05-20 17:57 . 2010-05-20 17:57	--------	d-----w-	c:\documents and settings\All Users\Application Data\Office Genuine Advantage
      2010-05-20 17:57 . 2010-05-20 17:57	--------	d-----w-	c:\documents and settings\Bench 1\Application Data\Office Genuine Advantage
      2010-05-20 02:41 . 2008-04-15 14:05	11136	----a-w-	c:\windows\system32\drivers\Mo3Fltr.sys
      2010-05-20 02:41 . 2010-05-20 02:41	--------	d-----w-	c:\documents and settings\Bench 1\Application Data\InstallShield
      2010-05-16 16:07 . 2010-05-16 16:07	--------	d-----w-	C:\!KillBox
      2010-05-15 07:03 . 2010-05-15 07:03	--------	d-----w-	C:\swsetup
      2010-05-15 05:34 . 2010-05-15 05:34	44056	----a-w-	c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-05-15 05:23 . 2010-05-15 06:18	--------	d-----w-	c:\windows\system32\config\systemprofile\Local Settings\Application Data\ptrrqvnra
      2010-05-15 05:22 . 2010-05-15 05:22	--------	d-----w-	c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
      2010-05-15 04:13 . 2010-05-15 04:13	--------	d-----w-	C:\spoolerlogs
      2010-05-15 04:11 . 2010-05-15 04:42	--------	d-----w-	c:\documents and settings\Bench 1\Local Settings\Application Data\qcfbwthqe
      2010-05-15 04:11 . 2010-05-15 04:11	84992	----a-w-	c:\windows\system32\Spool\prtprocs\w32x86\b00006d58.dll
      2010-04-27 22:57 . 2010-04-27 22:57	--------	d-----w-	c:\program files\iPod
      2010-04-27 22:57 . 2010-04-27 22:58	--------	d-----w-	c:\program files\iTunes
      .

      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .

      2010-05-21 23:31 . 2008-04-22 04:25	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
      2010-05-21 02:25 . 2007-11-03 23:00	--------	d-----w-	c:\program files\World of Warcraft
      2010-05-20 17:49 . 2008-05-25 10:07	--------	d-----w-	c:\program files\BitComet
      2010-05-18 21:21 . 2010-05-21 22:02	702120	----a-w-	c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
      2010-05-18 21:21 . 2010-05-21 22:02	868456	----a-w-	c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
      2010-05-16 16:28 . 2008-11-01 14:06	--------	d-----w-	c:\program files\VPNremote for Windows XP
      2010-05-15 07:10 . 2008-06-27 18:48	--------	d-----w-	c:\documents and settings\Bench 1\Application Data\dvdcss
      2010-05-15 03:40 . 2009-09-15 03:44	--------	d-----w-	c:\program files\YouTube Downloader
      2010-05-14 04:43 . 2008-05-25 15:35	--------	d-----w-	c:\program files\Steam
      2010-04-30 00:23 . 2009-07-15 02:38	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
      2010-04-29 19:39 . 2009-07-15 02:38	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
      2010-04-29 19:39 . 2009-07-15 02:38	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
      2010-04-27 22:57 . 2007-11-04 03:50	--------	d-----w-	c:\program files\Common Files\Apple
      2010-04-27 22:53 . 2008-07-13 12:55	--------	d-----w-	c:\program files\Bonjour
      2010-04-27 22:51 . 2010-04-27 22:51	73000	----a-w-	c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.11\SetupAdmin.exe
      2010-04-21 21:36 . 2007-11-04 03:52	--------	d-----w-	c:\documents and settings\Bench 1\Application Data\Apple Computer
      2010-04-21 21:33 . 2010-04-21 21:32	--------	d-----w-	c:\program files\NVIDIA Corporation
      2010-04-21 21:33 . 2010-04-21 21:33	--------	d-----w-	c:\documents and settings\All Users\Application Data\NVIDIA Corporation
      2010-04-20 06:06 . 2010-04-20 06:05	--------	d-----w-	c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
      2010-04-20 06:02 . 2010-04-20 06:01	--------	d-----w-	c:\program files\QuickTime
      2010-04-08 17:20 . 2010-04-08 17:20	91424	----a-w-	c:\windows\system32\dnssd.dll
      2010-04-08 17:20 . 2010-04-08 17:20	107808	----a-w-	c:\windows\system32\dns-sd.exe
      2010-04-03 23:23 . 2010-04-03 23:23	278120	----a-w-	c:\windows\system32\nvmccs.dll
      2010-04-03 23:23 . 2010-04-03 23:23	154216	----a-w-	c:\windows\system32\nvsvc32.exe
      2010-04-03 23:23 . 2010-04-03 23:23	145000	----a-w-	c:\windows\system32\nvcolor.exe
      2010-04-03 23:23 . 2010-04-03 23:23	13670504	----a-w-	c:\windows\system32\nvcpl.dll
      2010-04-03 23:23 . 2010-04-03 23:23	110696	----a-w-	c:\windows\system32\nvmctray.dll
      2010-04-03 23:22 . 2010-04-03 23:22	81920	----a-w-	c:\windows\system32\nvwddi.dll
      2010-04-02 20:54 . 2009-02-13 17:01	600680	----a-w-	c:\windows\system32\NVUNINST.EXE
      2010-03-11 12:38 . 2004-08-04 12:00	832512	----a-w-	c:\windows\system32\wininet.dll
      2010-03-11 12:38 . 2004-08-04 12:00	78336	----a-w-	c:\windows\system32\ieencode.dll
      2010-03-11 12:38 . 2004-08-04 12:00	17408	----a-w-	c:\windows\system32\corpol.dll
      2010-03-09 11:09 . 2004-08-04 12:00	430080	----a-w-	c:\windows\system32\vbscript.dll
      2010-02-24 13:11 . 2004-08-04 12:00	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
      2009-09-25 16:41 . 2009-09-25 16:41	1044480	----a-w-	c:\program files\mozilla firefox\plugins\libdivx.dll
      2009-09-25 16:41 . 2009-09-25 16:41	200704	----a-w-	c:\program files\mozilla firefox\plugins\ssldivx.dll
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
      "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
      "SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-12-23 415232]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
      "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
      c:\windows\system32\dumprep 0 -k [X]

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
      c:\windows\system32\dumprep 0 -u [X]

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
      "c:\\Program Files\\BitComet\\BitComet.exe"=
      "c:\\Program Files\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
      "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
      "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\WINDOWS\\system32\\spoolsv.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "15954:TCP"= 15954:TCP:BitComet 15954 TCP
      "15954:UDP"= 15954:UDP:BitComet 15954 UDP
      "10007:TCP"= 10007:TCP:BitComet 10007 TCP
      "10007:UDP"= 10007:UDP:BitComet 10007 UDP
      "59999:TCP"= 59999:TCP:BitComet 59999 TCP
      "59999:UDP"= 59999:UDP:BitComet 59999 UDP
      "59007:TCP"= 59007:TCP:BitComet 59007 TCP
      "59007:UDP"= 59007:UDP:BitComet 59007 UDP

      R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/6/2009 8:00 PM 28544]
      R2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\drivers\BWCDRV.SYS [12/21/2003 4:21 AM 19840]
      R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [7/11/2005 1:46 AM 372480]
      R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [5/19/2010 10:41 PM 11136]
      S2 gupdate1c9bd89c539fe72;Google Update Service (gupdate1c9bd89c539fe72);c:\program files\Google\Update\GoogleUpdate.exe [4/15/2009 1:19 AM 133104]
      S3 ndisva;Avaya VPNet Virtual Adapter Driver;c:\windows\system32\DRIVERS\vadapter.sys --> c:\windows\system32\DRIVERS\vadapter.sys [?]
      .
      Contents of the 'Scheduled Tasks' folder

      2010-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

      2010-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 05:19]

      2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 05:19]

      2010-05-23 c:\windows\Tasks\OGALogon.job
      - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.google.com
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
      uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
      IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
      IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
      IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
      FF - ProfilePath - c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\
      FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
      FF - prefs.js: browser.search.selectedEngine - Google
      FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
      FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
      FF - component: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
      FF - component: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
      FF - plugin: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
      FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
      FF - plugin: c:\program files\Mozilla Firefox\plugins\npkanevapatch.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

      ---- FIREFOX POLICIES ----
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
      .

      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-05-22 19:42
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'explorer.exe'(6188)
      c:\windows\system32\WININET.dll
      c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
      c:\program files\iTunes\iTunesMiniPlayer.dll
      c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
      c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
      c:\progra~1\WINDOW~2\wmpband.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
      c:\system volume information\_restore{d5fffa500b1b}\smss.exe
      c:\windows\system32\nvsvc32.exe
      c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
      c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      c:\program files\Bonjour\mDNSResponder.exe
      c:\windows\system32\Drivers\bwcsrv.exe
      c:\program files\Juniper Networks\Common Files\dsNcService.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\McAfee\Common Framework\FrameworkService.exe
      c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
      c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
      c:\program files\McAfee\Common Framework\naPrdMgr.exe
      c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
      .
      **************************************************************************
      .
      Completion time: 2010-05-22  19:48:43 - machine was rebooted
      ComboFix-quarantined-files.txt  2010-05-22 23:48
      ComboFix2.txt  2010-05-22 22:22
      ComboFix3.txt  2009-07-15 06:00
      ComboFix4.txt  2009-07-06 23:54

      Pre-Run: 13,361,209,344 bytes free
      Post-Run: 13,317,857,280 bytes free

      - - End Of File - - 3331382EFC3B3AC5158D9B38F181EE38
  22. No worries on the delay, I am just grateful for the help. Running CFScript now and will post the log when it is complete.
  23. OK Gringo, here is the combofix log

      ComboFix 10-05-21.04 - Bench 1 05/22/2010  17:59:03.3.2 - x86
      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2564 [GMT -4:00]
      Running from: c:\documents and settings\Bench 1\Desktop\ComboFix.exe
      AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
       * Resident AV is active
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\documents and settings\Bench 1\Application Data\ATManager
      c:\documents and settings\Bench 1\Application Data\ATManager\metafiles\e7e2135bcdfc87179deacdb1cdac8b7a.torrent
      c:\documents and settings\Bench 1\Local Settings\Application Data\Windows Server
      c:\documents and settings\Bench 1\Local Settings\Application Data\Windows Server\flags.ini
      c:\documents and settings\Bench 1\Local Settings\Application Data\Windows Server\uses32.dat
      C:\feed.txt
      c:\windows\Njosia.exe
      c:\windows\orynixotuz.exe
      c:\windows\run.log
      c:\windows\system32\2688857570.dat
      c:\windows\ukokyw.dll
      c:\windows\wiaservim.log
      c:\windows\ypijitym.exe

      Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
      Restored copy from - Kitty had a snack
      .

      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_6TO4
      -------\Legacy_IAS
      -------\Legacy_PRAGMArppmhenbvg
      -------\Service_PRAGMArppmhenbvg

      (((((((((((((((((((((((((   Files Created from 2010-04-22 to 2010-05-22   )))))))))))))))))))))))))))))))
      .

      2010-05-21 22:39 . 2010-05-21 22:39	--------	d--h--w-	c:\windows\system32\GroupPolicy
      2010-05-21 22:02 . 2010-05-21 22:02	--------	d-----w-	c:\documents and settings\Bench 1\Application Data\QuickScan
      2010-05-20 17:57 . 2010-05-20 17:57	--------	d-----w-	c:\documents and settings\All Users\Application Data\Office Genuine Advantage
      2010-05-20 17:57 . 2010-05-20 17:57	--------	d-----w-	c:\documents and settings\Bench 1\Application Data\Office Genuine Advantage
      2010-05-20 02:41 . 2008-04-15 14:05	11136	----a-w-	c:\windows\system32\drivers\Mo3Fltr.sys
      2010-05-20 02:41 . 2010-05-20 02:41	--------	d-----w-	c:\documents and settings\Bench 1\Application Data\InstallShield
      2010-05-16 16:07 . 2010-05-16 16:07	--------	d-----w-	C:\!KillBox
      2010-05-15 07:03 . 2010-05-15 07:03	--------	d-----w-	C:\swsetup
      2010-05-15 05:34 . 2010-05-15 05:34	44056	----a-w-	c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-05-15 05:23 . 2010-05-15 06:18	--------	d-----w-	c:\windows\system32\config\systemprofile\Local Settings\Application Data\ptrrqvnra
      2010-05-15 05:22 . 2010-05-15 05:22	--------	d-----w-	c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
      2010-05-15 04:13 . 2010-05-15 04:13	--------	d-----w-	C:\spoolerlogs
      2010-05-15 04:12 . 2010-05-22 04:09	0	----a-w-	c:\windows\system32\drivers\aikebxbw.sys
      2010-05-15 04:11 . 2010-05-15 04:42	--------	d-----w-	c:\documents and settings\Bench 1\Local Settings\Application Data\qcfbwthqe
      2010-05-15 04:11 . 2010-05-15 04:11	84992	----a-w-	c:\windows\system32\Spool\prtprocs\w32x86\b00006d58.dll
      2010-04-27 22:57 . 2010-04-27 22:57	--------	d-----w-	c:\program files\iPod
      2010-04-27 22:57 . 2010-04-27 22:58	--------	d-----w-	c:\program files\iTunes
      .

      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .

      2010-05-21 23:31 . 2008-04-22 04:25	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
      2010-05-21 02:25 . 2007-11-03 23:00	--------	d-----w-	c:\program files\World of Warcraft
      2010-05-20 17:49 . 2008-05-25 10:07	--------	d-----w-	c:\program files\BitComet
      2010-05-16 16:28 . 2008-11-01 14:06	--------	d-----w-	c:\program files\VPNremote for Windows XP
      2010-05-15 07:10 . 2008-06-27 18:48	--------	d-----w-	c:\documents and settings\Bench 1\Application Data\dvdcss
      2010-05-15 03:40 . 2009-09-15 03:44	--------	d-----w-	c:\program files\YouTube Downloader
      2010-05-14 04:43 . 2008-05-25 15:35	--------	d-----w-	c:\program files\Steam
      2010-04-30 00:23 . 2009-07-15 02:38	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
      2010-04-29 19:39 . 2009-07-15 02:38	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
      2010-04-29 19:39 . 2009-07-15 02:38	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
      2010-04-27 22:57 . 2007-11-04 03:50	--------	d-----w-	c:\program files\Common Files\Apple
      2010-04-27 22:53 . 2008-07-13 12:55	--------	d-----w-	c:\program files\Bonjour
      2010-04-21 21:36 . 2007-11-04 03:52	--------	d-----w-	c:\documents and settings\Bench 1\Application Data\Apple Computer
      2010-04-21 21:33 . 2010-04-21 21:32	--------	d-----w-	c:\program files\NVIDIA Corporation
      2010-04-21 21:33 . 2010-04-21 21:33	--------	d-----w-	c:\documents and settings\All Users\Application Data\NVIDIA Corporation
      2010-04-20 06:06 . 2010-04-20 06:05	--------	d-----w-	c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
      2010-04-20 06:02 . 2010-04-20 06:01	--------	d-----w-	c:\program files\QuickTime
      2010-04-08 17:20 . 2010-04-08 17:20	91424	----a-w-	c:\windows\system32\dnssd.dll
      2010-04-08 17:20 . 2010-04-08 17:20	107808	----a-w-	c:\windows\system32\dns-sd.exe
      2010-04-03 23:23 . 2010-04-03 23:23	278120	----a-w-	c:\windows\system32\nvmccs.dll
      2010-04-03 23:23 . 2010-04-03 23:23	154216	----a-w-	c:\windows\system32\nvsvc32.exe
      2010-04-03 23:23 . 2010-04-03 23:23	145000	----a-w-	c:\windows\system32\nvcolor.exe
      2010-04-03 23:23 . 2010-04-03 23:23	13670504	----a-w-	c:\windows\system32\nvcpl.dll
      2010-04-03 23:23 . 2010-04-03 23:23	110696	----a-w-	c:\windows\system32\nvmctray.dll
      2010-04-03 23:22 . 2010-04-03 23:22	81920	----a-w-	c:\windows\system32\nvwddi.dll
      2010-04-02 20:54 . 2009-02-13 17:01	600680	----a-w-	c:\windows\system32\NVUNINST.EXE
      2010-03-11 12:38 . 2004-08-04 12:00	832512	----a-w-	c:\windows\system32\wininet.dll
      2010-03-11 12:38 . 2004-08-04 12:00	78336	----a-w-	c:\windows\system32\ieencode.dll
      2010-03-11 12:38 . 2004-08-04 12:00	17408	----a-w-	c:\windows\system32\corpol.dll
      2010-03-09 11:09 . 2004-08-04 12:00	430080	----a-w-	c:\windows\system32\vbscript.dll
      2010-02-24 13:11 . 2004-08-04 12:00	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
      2009-10-03 17:34 . 2009-10-03 17:34	17538	----a-w-	c:\program files\Common Files\biga.sys
      2009-10-03 17:34 . 2009-10-03 17:34	14031	----a-w-	c:\program files\Common Files\lezacadenu.db
      2009-10-03 17:34 . 2009-10-03 17:34	12221	----a-w-	c:\program files\Common Files\pejotamyb.scr
      2009-10-03 17:34 . 2009-10-03 17:34	10402	----a-w-	c:\program files\Common Files\qevynake.lib
      2009-10-03 17:34 . 2009-10-03 17:34	10073	----a-w-	c:\program files\Common Files\yrohihely._sy
      2009-10-03 17:09 . 2009-10-03 17:09	17864	----a-w-	c:\program files\Common Files\uqarywe.dat
      2009-10-03 17:09 . 2009-10-03 17:09	16653	----a-w-	c:\program files\Common Files\gebasus.lib
      2009-10-03 17:09 . 2009-10-03 17:09	10579	----a-w-	c:\program files\Common Files\widy.bat
      2009-10-03 17:09 . 2009-10-03 17:08	16503	----a-w-	c:\program files\Common Files\yqep.exe
      2009-10-03 17:08 . 2009-10-03 17:08	15416	----a-w-	c:\program files\Common Files\hixytovy.inf
      2009-10-03 17:08 . 2009-10-03 17:08	12858	----a-w-	c:\program files\Common Files\iropijytev.pif
      2009-10-03 17:08 . 2009-10-03 17:08	10689	----a-w-	c:\program files\Common Files\pypat.dl
      2009-10-03 17:08 . 2009-10-03 17:08	10597	----a-w-	c:\program files\Common Files\azimuty.com
      2009-09-25 16:41 . 2009-09-25 16:41	1044480	----a-w-	c:\program files\mozilla firefox\plugins\libdivx.dll
      2009-09-25 16:41 . 2009-09-25 16:41	200704	----a-w-	c:\program files\mozilla firefox\plugins\ssldivx.dll
      .
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504] "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216] "SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-12-23 415232] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck] c:\windows\system32\dumprep 0 -u [X] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= "c:\\Program Files\\BitComet\\BitComet.exe"= "c:\\Program Files\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\WINDOWS\\system32\\spoolsv.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "15954:TCP"= 15954:TCP:BitComet 15954 TCP "15954:UDP"= 15954:UDP:BitComet 15954 UDP "10007:TCP"= 10007:TCP:BitComet 10007 TCP "10007:UDP"= 10007:UDP:BitComet 10007 UDP 
"59999:TCP"= 59999:TCP:BitComet 59999 TCP "59999:UDP"= 59999:UDP:BitComet 59999 UDP "59007:TCP"= 59007:TCP:BitComet 59007 TCP "59007:UDP"= 59007:UDP:BitComet 59007 UDP R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/6/2009 8:00 PM 28544] R2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\drivers\BWCDRV.SYS [12/21/2003 4:21 AM 19840] R3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\drivers\BCMWL5.SYS [7/11/2005 1:46 AM 372480] R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [5/19/2010 10:41 PM 11136] S1 b1204ba5;b1204ba5;c:\windows\system32\drivers\b1204ba5.sys --> c:\windows\system32\drivers\b1204ba5.sys [?] S2 gupdate1c9bd89c539fe72;Google Update Service (gupdate1c9bd89c539fe72);c:\program files\Google\Update\GoogleUpdate.exe [4/15/2009 1:19 AM 133104] S2 pkzlkrr;pkzlkrr;c:\windows\system32\drivers\zafsjkqn.sys --> c:\windows\system32\drivers\zafsjkqn.sys [?] S3 isaxbox;isaxbox;c:\windows\system32\isaxbox.sys [8/4/2004 8:00 AM 2304] S3 ndisva;Avaya VPNet Virtual Adapter Driver;c:\windows\system32\DRIVERS\vadapter.sys --> c:\windows\system32\DRIVERS\vadapter.sys [?] S4 aikebxbw;aikebxbw;c:\windows\system32\drivers\aikebxbw.sys [5/15/2010 12:12 AM 0] . Contents of the 'Scheduled Tasks' folder 2010-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 05:19] 2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-15 05:19] 2010-05-22 c:\windows\Tasks\OGALogon.job - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html uInternet Settings,ProxyOverride = <local> uInternet Settings,ProxyServer = http=127.0.0.1:5555 uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html FF - ProfilePath - c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p= FF - component: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll FF - component: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll FF - plugin: c:\documents and settings\Bench 1\Application Data\Mozilla\Firefox\Profiles\r0ydh2rt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll FF - plugin: c:\program 
files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npkanevapatch.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . 
- - - - ORPHANS REMOVED - - - - MSConfigStartUp-13453124 - c:\documents and settings\All Users\Application Data\13453124\13453124.exe AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-22 18:14 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(1052) c:\windows\system32\WININET.dll c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll c:\program files\iTunes\iTunesMiniPlayer.dll c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\program files\McAfee\VirusScan Enterprise\Scriptcl.dll c:\program files\Microsoft Office\OFFICE11\msohev.dll c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll . ------------------------ Other Running Processes ------------------------ . 
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe c:\system volume information\_restore{d5fffa500b1b}\smss.exe c:\windows\system32\nvsvc32.exe c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\Drivers\bwcsrv.exe c:\program files\Juniper Networks\Common Files\dsNcService.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\McAfee\Common Framework\FrameworkService.exe c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe c:\program files\McAfee\Common Framework\naPrdMgr.exe c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2010-05-22 18:22:51 - machine was rebooted ComboFix-quarantined-files.txt 2010-05-22 22:22 ComboFix2.txt 2009-07-15 06:00 ComboFix3.txt 2009-07-06 23:54 Pre-Run: 13,334,126,592 bytes free Post-Run: 13,353,996,288 bytes free - - End Of File - - 87A26C14E6A879CFA75FE1DCC5DFA96C