aseire (Members; 15 posts; reputation: 0 Neutral)

  1. Thanks for all the replies. Since the issue no longer appears to exist, and is not reproducible, there is not much more I can say. Personally I know something in the cleanup process (rKill, ComboFix, ?) killed my own batch files (identified in ComboFix) during the "Program Compability Assistant" malware identification and removal process. I am very grateful for MBAM's removal of the malicious "Program Compability Assistant" malware ("Compability" as misspelled in the malware).
  2. I found the log where my batch files got deleted (see attached ComboFix.txt, 8/13/2010). I realise that using "%systemdrive%\Documents and Settings\User\My Documents\My Music" in XP is not a good idea. The issue does not appear to happen with the current version of MBAM. I am posting this as a "please please" do not trash users' batch files ad hoc, no matter where they are. Are these trashed batch files buried anywhere on my HDD for me to retrieve? ComboFix.txt
  3. I concede: I cannot replicate it any longer. Please close as "cannot replicate". Aseire
  4. A sample batch file (any batch file gets deleted) that would get deleted is attached, along with a developer scan log. I also made sure that I am fully updated with definitions before posting. Aseire submission_20101107.zip
  5. In Windows XP a Malwarebytes scan deletes all batch files in the "%systemdrive%\Documents and Settings\" folder. I tested this by creating a test batch file in the Documents and Settings folder, then ran a Malwarebytes scan and found the test batch file erased. I am unsure of the extent (which folders are targeted) of the batch-file deletion, but Malwarebytes does not delete all batch files in all folders. The reason I do not want batch files deleted is that I wrote the batch files myself. Also, the "%systemdrive%\Documents and Settings\" folder is a very convenient place for batch files, as a "cmd" opens directly in this folder.
  6. A special thank you from our dog Dottie to you Mieke! Great work and wishing you great success with malwarebytes, Aseire
  7. Mieke,
C:\\DOCUME~1\\FDR\\LOCALS~1\\Temp\\6E.tmp - verified gone via %temp% in the Run box
HKEY_CURRENT_USER\Software\Classes\CLSID\{08C72DD4-19AD-49f1-83DA-8542B4D302C5} - deleted manually
Great job - anything else you need from me? Aseire
  8. Good addition to Malwarebytes, Mieke! Here is the path under this GUID:
HKEY_CURRENT_USER\Software\Classes\CLSID\{08C72DD4-19AD-49f1-83DA-8542B4D302C5}\InprocServer32

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{08C72DD4-19AD-49f1-83DA-8542B4D302C5}\InprocServer32]
@="C:\\DOCUME~1\\FDR\\LOCALS~1\\Temp\\6E.tmp"

Reboot - complete
ComboFix /Uninstall - complete
Step with regedit - complete
What cache do you want me to clean? So I guess the destructive payload is in 6E.tmp?
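The registry export and the DDS "Filter:" line quoted in this thread show the pattern worth automating: a MIME filter for video/x-flv whose CLSID is registered only under HKEY_CURRENT_USER (writable without administrator rights, and consulted before HKLM for that user's COM lookups) with an InprocServer32 that points into the user's Temp directory. The following Python script is an added example, not code from this thread, from Malwarebytes, or from the DDS/ComboFix tools. It parses a .reg export and DDS-style "Filter:"/"Handler:" lines and flags exactly those conditions. The sample input is constructed from the lines quoted above; the temp-path markers and the rule wording are the script's own assumptions.

```python
import re

# Constructed sample input: the .reg export and the DDS "Filter:"/"Handler:" lines
# quoted in this thread, embedded so the script runs offline.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{08C72DD4-19AD-49f1-83DA-8542B4D302C5}\InprocServer32]
@="C:\\DOCUME~1\\FDR\\LOCALS~1\\Temp\\6E.tmp"
"""

DDS_LINES = [
    r"Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - ",
    r"Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL",
]

KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
DDS_RE = re.compile(r"^(Filter|Handler): (\S+) - (\{[^}]+\}) -\s*(.*)$")

# Assumed heuristic: substrings that mark a per-user temp directory on XP,
# in long and 8.3 form.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")


def parse_inproc_servers(reg_text):
    """Map CLSID -> (hive, server path) for every InprocServer32 default value in a .reg export."""
    servers = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1).upper(), key.group(2).upper())
            continue
        if line.startswith("["):
            current = None  # some other key; ignore its values
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if value and current:
            hive, clsid = current
            # .reg files double every backslash inside string values
            servers[clsid] = (hive, value.group(1).replace("\\\\", "\\"))
    return servers


def parse_dds_handlers(lines):
    """Return (kind, name, clsid, path) tuples from DDS 'Filter:' and 'Handler:' lines."""
    found = []
    for line in lines:
        m = DDS_RE.match(line.rstrip())
        if m:
            kind, name, clsid, path = m.groups()
            found.append((kind, name, clsid.upper(), path.strip()))
    return found


def looks_like_temp(path):
    """True if the server path lives in a temp directory or is a .tmp file."""
    p = path.lower()
    return p.endswith(".tmp") or any(marker in p for marker in TEMP_MARKERS)


def triage(reg_text, dds_lines):
    """Return (clsid, reason) findings for user-level COM / MIME-filter persistence."""
    findings = []
    servers = parse_inproc_servers(reg_text)
    for clsid, (hive, path) in servers.items():
        if hive == "HKEY_CURRENT_USER":
            findings.append((clsid, "InprocServer32 under HKCU: writable without admin rights and "
                                    "takes precedence over HKLM for this user"))
        if looks_like_temp(path):
            findings.append((clsid, "InprocServer32 points into a temp location: " + path))
    for kind, name, clsid, path in parse_dds_handlers(dds_lines):
        if path:
            continue  # DDS resolved the server to a file; nothing for this rule
        if clsid in servers:
            hive, server = servers[clsid]
            findings.append((clsid, f"{kind} {name} resolves through {hive} to {server}"))
        else:
            findings.append((clsid, f"{kind} {name} has no resolvable server path"))
    return findings


if __name__ == "__main__":
    for clsid, reason in triage(REG_EXPORT, DDS_LINES):
        print(clsid, reason)
```

To use it on a real machine, replace the two constants with the output of `reg export HKCU\Software\Classes\CLSID` and the "Filter:"/"Handler:" lines of a DDS log. A CLSID that is registered only under HKCU and resolves to a file in a Temp directory is the combination that made 6E.tmp suspicious here, which is why checking %temp% for the file and then deleting the CLSID key, as done in the post above, is the right order of operations.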
  9. Sweet find Mieke, It looks like Combofix already took out that bad reg key - see attached: [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\video/x-flv]
  10. [Aseire] CS4 is what I am using (not CS3) but I will try removing the codecs first to see the effect. This uninstall / reinstall takes quite a while - typically 1-2 hours so please be patient as I will eventually respond. If the display is not malware then why does it go to www.totalcodec.com? The fact that other users have seen the same "Program Compability Assistant" splash screen after suffering from "desktop security 2010" malware bug makes me convinced I still have malware in my system.
  11. Understood, and no problem, Mieke. As requested, I have re-run DDS; here is the log (I no longer see RunServices keys listed):

DDS (Ver_10-03-17.01) - NTFSx86
Run by FDR at 12:08:17.17 on Fri 08/13/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2761 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Quink\Quink.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\FDR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Download\Malwarebytes\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070404
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
uRun: [Google Update] "c:\documents and settings\fdr\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [sigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Quink] c:\program files\quink\Quink.exe
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: ATLApplicationLocatorAXInstall - hxxp://146.186.47.11/LaunchVCPC.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} - hxxp://www.teechart.net/files/activex/public/teechart.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/45.19/uploader2.cab
DPF: {693BC536-57DD-427A-9032-58A2F36E35EC} - hxxp://63.193.118.175/test/flex/xwavloop.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.dotphoto.com/ImageUploader4.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.ikanos.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} - file://d:\controls\sdkinst.cab
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - 
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fdr\applic~1\mozilla\firefox\profiles\t3v47vsl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\fdr\application data\mozilla\firefox\profiles\t3v47vsl.default\extensions\{cf40acc5-e1bb-4aff-ac72-04c2f616bca7}\plugins\npwavloop.dll
FF - plugin: c:\documents and settings\fdr\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\ksolo\npAVX.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-9-7 21920]
S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

=============== Created Last 30 ================

2010-08-13 18:16:20 0 d-sha-r- C:\cmdcons
2010-08-13 18:12:00 98816 ----a-w- c:\windows\sed.exe
2010-08-13 18:12:00 77312 ----a-w- c:\windows\MBR.exe
2010-08-13 18:12:00 256512 ----a-w- c:\windows\PEV.exe
2010-08-13 18:12:00 161792 ----a-w- c:\windows\SWREG.exe
2010-08-12 19:49:54 0 d--h--w- c:\windows\PIF
2010-08-12 16:15:16 0 d-----w- c:\documents and settings\all users\AdobeTemp
2010-08-11 21:17:00 0 d-----w- C:\Virus
2010-08-11 20:38:20 0 d-----w- c:\program files\Trend Micro
2010-08-10 12:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 12:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-04 19:59:18 2464 ----a-w- c:\documents and settings\fdr\j.2.bat
2010-07-29 15:25:30 23392 ----a-w- c:\windows\system32\nscompat.tlb
2010-07-29 15:25:30 16832 ----a-w- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2010-08-10 19:47:05 3338 ----a-w- c:\documents and settings\fdr\j.bat
2010-06-23 18:08:46 1072 ----a-w- c:\documents and settings\fdr\j.1.bat
2010-06-18 18:30:03 493 ----a-w- c:\documents and settings\fdr\d.bat
2010-05-26 22:29:01 278 ----a-w- c:\documents and settings\fdr\j.0.bat

============= FINISH: 12:08:50.17 ===============

Attach.zip
  12. Hi Mieke, and thank you again for helping. J.*.bat are all safe; yes, I created them. mRun: [Quink] c:\program files\quink\Quink.exe: safe, I created it. Adobe Soundbooth: safe, I purchased Adobe Soundbooth directly from Adobe. I have been using their "shrink-wrapped" original CDs for installation. As requested, the ComboFix log follows:

ComboFix 10-08-12.03 - FDR 08/13/2010 11:22:39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2675 [GMT -7:00]
Running from: c:\download\Malwarebytes\ComboFix\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NETWORK
-------\Service_network

((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))
.
2010-08-12 19:49 . 2010-08-12 19:49 -------- d--h--w- c:\windows\PIF
2010-08-12 16:15 . 2010-08-12 16:38 -------- d-----w- c:\documents and settings\All Users\AdobeTemp
2010-08-11 21:17 . 2010-08-13 17:15 -------- d-----w- C:\Virus
2010-08-11 20:38 . 2010-08-11 20:38 -------- d-----w- c:\program files\Trend Micro
2010-08-04 19:59 . 2010-07-22 00:32 2464 ----a-w- c:\documents and settings\FDR\j.2.bat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-13 16:38 . 2009-05-24 20:04 -------- d-----w- c:\program files\AirPort
2010-08-13 16:37 . 2007-04-20 04:42 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-13 02:35 . 2009-11-25 03:24 -------- d-----w- c:\program files\QuickTime
2010-08-12 21:33 . 2008-05-15 23:43 75304 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-12 19:46 . 2010-07-01 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-11 20:58 . 2007-04-04 06:58 -------- d-----w- c:\program files\Java
2010-08-10 19:47 . 2010-05-26 22:21 3338 ----a-w- c:\documents and settings\FDR\j.bat
2010-07-29 15:38 . 2007-08-01 14:56 -------- d-----w- c:\program files\Windows Media Connect 2
2010-07-01 23:42 . 2010-07-01 23:42 -------- d-----w- c:\documents and settings\FDR\Application Data\Malwarebytes
2010-07-01 22:14 . 2010-07-01 22:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-01 22:14 . 2010-07-01 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-01 21:59 . 2010-07-01 21:59 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-23 18:08 . 2010-06-23 20:53 1072 ----a-w- c:\documents and settings\FDR\j.1.bat
2010-06-18 18:30 . 2010-06-18 18:48 493 ----a-w- c:\documents and settings\FDR\d.bat
2010-05-26 22:29 . 2010-06-17 20:41 278 ----a-w- c:\documents and settings\FDR\j.0.bat
1999-01-15 17:51 . 2007-11-23 01:29 266 -c--a-w- c:\program files\internet explorer\plugins\Efile.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\FDR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-31 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 102400]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"Quink"="c:\program files\Quink\Quink.exe" [2007-05-15 110592]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-14 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-14 277296]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-09-17 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-4 24576]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-8-25 192512]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-5-15 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\tyvcprog\\mxHello\\SpeakFreely\\Nocrypto\\Speakfre.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Speak Freely\\Speakfre.exe"=
"c:\\tyvcprog\\mxHello\\SpeakFreely\\WinDebug\\Speakfre.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\NewProducts\\MxHello\\RentaCoder\\evgeny777\\VoipBasic_20090508\\wavloop.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\tyvcprog\\mxHello\\VoipBasicSource_20090512\\wavloop___Win32_Release\\wavloop.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\tyvcprog\\mxHello\\VoipBasicSource_20090512\\wavloop___Win32_Debug\\wavloop.exe"=
"c:\\tyvcprog\\mxHello\\VoipBasicSourceMemLeakFix_20091201\\wavloop___Win32_Debug\\wavloop.exe"=
"c:\\tyvcprog\\mxHello\\VoipBasicSourceMemLeakFix_20091201\\wavloop___Win32_Release\\wavloop.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"5353:UDP"= 5353:UDP:Bonjour

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [9/7/2008 9:02 PM 21920]
S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]
.
Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\defragBatch.job
- c:\windows\system32\defragBatch.bat [2007-07-17 23:02]

2009-04-10 c:\windows\Tasks\generalBackup.job
- c:\backup\generalBACKUP.BAT [2008-03-27 02:39]

2010-08-11 c:\windows\Tasks\outlookBACKUP.job
- c:\backup\outlookBACKUP.BAT [2008-03-18 21:32]

2010-08-11 c:\windows\Tasks\robocopyBACKUP.job
- c:\backup\robocopyBACKUP.BAT [2009-04-10 20:04]

2008-05-20 c:\windows\Tasks\runAdaware.job
- c:\lavasoft\runAdaware.BAT [2008-05-19 17:58]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070404
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - 
DPF: ATLApplicationLocatorAXInstall - hxxp://146.186.47.11/LaunchVCPC.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} - hxxp://www.teechart.net/files/activex/public/teechart.cab
DPF: {693BC536-57DD-427A-9032-58A2F36E35EC} - hxxp://63.193.118.175/test/flex/xwavloop.cab
FF - ProfilePath - c:\documents and settings\FDR\Application Data\Mozilla\Firefox\Profiles\t3v47vsl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\FDR\Application Data\Mozilla\Firefox\Profiles\t3v47vsl.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\npwavloop.dll
FF - plugin: c:\documents and settings\FDR\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\firefox.exe
Notify-WgaLogon - (no file)
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-Faverolle - c:\windows\system32\javaws.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-13 11:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

c:\windows\KB2183461.log 1988 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(972)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(808)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Intel\Wireless\Bin\WLKeeper.exe c:\windows\System32\SCardSvr.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Wave Systems Corp\Common\DataServer.exe c:\program files\Juniper Networks\Common Files\dsNcService.exe c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Microsoft LifeCam\MSCamS32.exe c:\program files\Dell\QuickSet\NICCONFIGSVC.exe c:\windows\system32\HPZipm12.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe c:\windows\stsystra.exe c:\windows\system32\igfxsrvc.exe c:\program files\Apoint\HidFind.exe c:\program files\Apoint\Apntex.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2010-08-13 11:40:49 - machine was rebooted ComboFix-quarantined-files.txt 2010-08-13 18:40 Pre-Run: 12,963,766,272 bytes free Post-Run: 14,279,249,920 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect - - End Of File - - ECB2DC8A5C6D00E05CABACFA75325E39
  13. Hi Mieke, and thank you very much for helping. I am not sure when this started, as I had never used Adobe Soundbooth before, although I installed it a year ago. Recently my computer was infected with the "desktop security" malware bug and I was able to eliminate it using Malwarebytes. As requested, Attach.txt is attached. As requested, a copy and paste of the contents of DDS.txt is here:

DDS (Ver_10-03-17.01) - NTFSx86
Run by FDR at 7:49:59.96 on Fri 08/13/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2740 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Quink\Quink.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\FDR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Download\Malwarebytes\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070404
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [Google Update] "c:\documents and settings\fdr\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [sigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Quink] c:\program files\quink\Quink.exe
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\firefox.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunServices: [pdfupd] c:\docume~1\fdr\locals~1\temp\pdfupd.exe
mRunServices: [digitaldigital] c:\program files\hp\digital imaging\{3a316611-45d1-429c-aa26-b71259c44689}\imaginghpofxd08.exe
mRunServices: [gleeglren] c:\program files\matlab\r2009a student\bin\win32\unicodewindows6.6.exe
mRunServices: [QuickTimeResourcesQuickTime] c:\program files\quicktime\propertypanels\proppanelhelpers.resources\fr.lproj\quicktimeresourcesquicktime.exe
mRunServices: [HPOFXD08imaging] c:\program files\hp\digital imaging\{3a316611-45d1-429c-aa26-b71259c44689}\imaginghpofxd08.exe
mRunServices: [OfficePluginResiepluginres] c:\program files\adobe\adobe contribute cs4\en_us\resources\npcontributeresofficepluginres5.0.0.3264.exe
mRunServices: [QuickTimeQuickTimeResources] c:\program files\quicktime\propertypanels\proppanelhelpers.resources\fr.lproj\quicktimeresourcesquicktime.exe
mRunServices: [moreRefer] c:\program files\online services\internetrefer.exe
mRunServices: [resourcesMicrosoft] c:\program files\microsoft silverlight\3.0.50106.0\de\mscorlibvisualbasic3.0.50106.0.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: ATLApplicationLocatorAXInstall - hxxp://146.186.47.11/LaunchVCPC.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} - hxxp://www.teechart.net/files/activex/public/teechart.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/45.19/uploader2.cab
DPF: {693BC536-57DD-427A-9032-58A2F36E35EC} - hxxp://63.193.118.175/test/flex/xwavloop.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.dotphoto.com/ImageUploader4.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.ikanos.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} - file://d:\controls\sdkinst.cab
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - c:\docume~1\fdr\locals~1\temp\6E.tmp
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fdr\applic~1\mozilla\firefox\profiles\t3v47vsl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\fdr\application data\mozilla\firefox\profiles\t3v47vsl.default\extensions\{cf40acc5-e1bb-4aff-ac72-04c2f616bca7}\plugins\npwavloop.dll
FF - plugin: c:\documents and settings\fdr\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\ksolo\npAVX.dll
FF - plugin: c:\program files\npapi karaoke plugin\npwavloop.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-9-7 21920]
S2 network;network;c:\windows\system32\svchost.exe -k network [2004-8-10 14336]
S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

=============== Created Last 30 ================

2010-08-12 19:49:54 0 d--h--w- c:\windows\PIF
2010-08-12 16:15:16 0 d-----w- c:\documents and settings\all users\AdobeTemp
2010-08-11 21:17:00 0 d-----w- C:\Virus
2010-08-11 20:38:20 0 d-----w- c:\program files\Trend Micro
2010-08-10 12:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 12:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-04 19:59:18 2464 ----a-w- c:\documents and settings\fdr\j.2.bat
2010-07-29 15:25:30 23392 ----a-w- c:\windows\system32\nscompat.tlb
2010-07-29 15:25:30 16832 ----a-w- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2010-08-10 19:47:05 3338 ----a-w- c:\documents and settings\fdr\j.bat
2010-06-23 18:08:46 1072 ----a-w- c:\documents and settings\fdr\j.1.bat
2010-06-18 18:30:03 493 ----a-w- c:\documents and settings\fdr\d.bat
2010-05-26 22:29:01 278 ----a-w- c:\documents and settings\fdr\j.0.bat

============= FINISH: 7:50:50.76 ===============
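Editor's added example (not part of aseire's posts, and not code from DDS, ComboFix or Malwarebytes): a DDS "Pseudo HJT Report" like the one above is normally read by eye, and the things a helper looks for first are autorun entries whose image lives in a Temp directory (the mRunServices [pdfupd] entry and the video/x-flv Filter that loads a .tmp file), anything at all under a RunServices key (a Windows 9x-era key that NT-based Windows does not process, so legitimate XP software has no reason to write there), and bare filenames that Windows resolves through the PATH search order. The Python below parses a few lines constructed from that report and applies exactly those rules of thumb. The rules, the reason strings and the sample lines are the editor's own assumptions; a hit is a reason to look closer, not a verdict.

```python
"""Triage autorun lines from a DDS-style "Pseudo HJT Report".

Added example by the editor, not code from DDS, ComboFix or Malwarebytes.
The heuristics are rules of thumb (assumptions), not a malware verdict.
"""
import re
from dataclasses import dataclass

# Why an entry gets flagged (module constants so callers can test for them).
TEMP_DIR = "image lives under a Temp directory"
TMP_EXT = "executable code loaded from a .tmp file"
RUNSERVICES = "entry in a RunServices key, a Windows 9x-era key that NT-based Windows does not run"
BARE_NAME = "bare filename, resolved through the PATH search order"

# One autorun line: "<key>: [<value name>] <command line>"; u/m/d = HKCU / HKLM / default user hive.
AUTORUN_RE = re.compile(r"^(?P<key>[umd]Run(?:Services|Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# One MIME filter line: "Filter: <mime> - {<clsid>} - <path>"
FILTER_RE = re.compile(r"^Filter: (?P<mime>\S+) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
# First image path in a command line, quoted or not; 8.3 names such as locals~1 are kept as-is.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|bat|com|tmp))"?(?:\s|$)', re.IGNORECASE)

# Constructed sample: a handful of lines modelled on the DDS log above, not the full log.
SAMPLE_REPORT = r"""
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunServices: [pdfupd] c:\docume~1\fdr\locals~1\temp\pdfupd.exe
mRunServices: [digitaldigital] c:\program files\hp\digital imaging\{3a316611-45d1-429c-aa26-b71259c44689}\imaginghpofxd08.exe
mRunServices: [moreRefer] c:\program files\online services\internetrefer.exe
dRunOnce: [RunNarrator] Narrator.exe
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - c:\docume~1\fdr\locals~1\temp\6E.tmp
AppInit_DLLs: wxvault.dll
"""


@dataclass(frozen=True)
class Finding:
    name: str       # autorun value name, or the MIME type for a Filter entry
    key: str        # uRun / mRun / mRunServices / dRunOnce / Filter
    path: str       # image the entry points at, arguments stripped
    reasons: tuple  # subset of the reason constants above, in check order


def image_path(cmd: str) -> str:
    """Pull the executable/DLL path out of a command line, dropping any arguments."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def check_path(path: str, key: str) -> tuple:
    """Apply the rules of thumb to one image path; an empty tuple means nothing odd."""
    p = path.lower()
    reasons = []
    if "\\temp\\" in p or "\\tmp\\" in p:
        reasons.append(TEMP_DIR)
    if p.endswith(".tmp"):
        reasons.append(TMP_EXT)
    if key.endswith("RunServices"):
        reasons.append(RUNSERVICES)
    if "\\" not in p and "/" not in p:
        reasons.append(BARE_NAME)
    return tuple(reasons)


def triage(report: str) -> list:
    """Return a Finding for every autorun or Filter line that trips at least one rule."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if m := AUTORUN_RE.match(line):
            key, name, path = m.group("key"), m.group("name"), image_path(m.group("cmd"))
        elif m := FILTER_RE.match(line):
            key, name, path = "Filter", m.group("mime"), m.group("path").strip()
        else:
            continue  # BHO / TB / DPF / LSA lines are out of scope for this example
        reasons = check_path(path, key)
        if reasons:
            findings.append(Finding(name, key, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.key:13} [{f.name}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the full report, the script would also flag the other mRunServices entries (gleeglren, HPOFXD08imaging and the rest) on the RunServices rule alone, which is the point: the key itself is the tell, independent of how plausible the path under Program Files looks. Entries that pass all three rules, such as the Apoint and QuickTime lines, are simply not reported.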
  14. Hi Malwarebytes please help - I cannot use my Adobe Soundbooth - I am using windows XP SP2: When opening Soundbooth the Soundbooth splash screen displays normally for a few seconds. Then a