Entire ComObjects folder infected!


Hi,

For a while I was noticing lupdater.exe constantly showing up in Task Manager - the initiating program appeared to be Firefox but I switched from Firefox to Chrome ages ago and haven't used it in months. I have Norton 360 installed and scans with that didn't pick up anything. I ran a Malwarebytes scan and have attached the log below. I didn't want to delete the entire folder because I think it's an important folder (? but I'm not sure). Also, I looked at the pinned topic for what to do if my comp is infected and the bleepingcomputer link (the one to download dds.scr) isn't working. Hope you can help me!

Thanks in advance,

Kish.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8368

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

14/12/2011 17:17:21

mbam-log-2011-12-14 (17-17-14).txt

Scan type: Flash scan

Objects scanned: 145131

Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 21

Files Infected: 210

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\program files\common files\comobject (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\autoconfig (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\pref (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\profile (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\profile\chrome (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\dictionaries (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\extensions (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\greprefs (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\plugins (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\dtd (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\entitytables (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\fonts (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\html (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\searchplugins (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\uninstall (Trojan.ObCom) -> No action taken.

Files Infected:

c:\program files\common files\comobject\blocklist.xml (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\LICENSE (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\accessiblemarshal.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\application.ini (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\browserconfig.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\crashreporter-override.ini (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\crashreporter.exe (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\crashreporter.ini (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\freebl3.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\js3250.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\lupdater.exe (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\mozcrt19.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\nspr4.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\nss3.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\nssckbi.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\nssdbm3.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\nssutil3.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\platform.ini (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\plc4.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\plds4.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\README.txt (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\smime3.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\softokn3.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\SP.exe (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\sqlite3.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\ssl3.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\update.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\update.locale (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\updater.exe (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\updater.ini (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\wSock.exe (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\xpcom.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\xul.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\browser.jar (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\browser.manifest (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\classic.jar (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\classic.manifest (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\comm.jar (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\comm.manifest (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\en-US.jar (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\en-us.manifest (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\pippki.jar (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\pippki.manifest (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\reporter.jar (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\reporter.manifest (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\toolkit.jar (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\chrome\toolkit.manifest (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\browser.xpt (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\browserdirprovider.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\brwsrcmp.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\components.list (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\compreg.dat (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\feedconverter.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\feedprocessor.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\feedwriter.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\fuelapplication.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\gpsdgeolocationprovider.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\networkgeolocationprovider.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsaddonrepository.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsbadcerthandler.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsblocklistservice.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsbrowsercontenthandler.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsbrowserglue.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nscontentdispatchchooser.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nscontentprefservice.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsdownloadmanagerui.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsextensionmanager.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsformautocomplete.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nshandlerservice.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nshelperappdlg.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nslivemarkservice.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nslogininfo.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsloginmanager.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsloginmanagerprompter.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsmicrosummaryservice.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsplacesautocomplete.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsplacesdbflush.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsplacestransactionsservice.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsprivatebrowsingservice.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsproxyautoconfig.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nssafebrowsingapplication.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nssearchservice.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nssessionstartup.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nssessionstore.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nssetdefaultbrowser.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nssidebar.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nstaggingservice.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nstrytoclose.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsupdateservice.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsupdateservicestub.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsupdatetimermanager.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\jsconsole-clhandler.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsdefaultclh.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nssearchsuggestions.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsurlclassifierlib.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsurlclassifierlistmanager.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nsurlformatter.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\nswebhandlerapp.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\pluginglue.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\storage-legacy.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\storage-mozstorage.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\txexsltregexfunctions.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\webcontentconverter.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\components\xpti.dat (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\autoconfig\platform.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\autoconfig\prefcalls.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\pref\channel-prefs.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\pref\firefox-branding.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\pref\firefox-l10n.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\pref\firefox.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\pref\reporter.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\profile\bookmarks.html (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\profile\localstore.rdf (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\profile\mimetypes.rdf (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\profile\prefs.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\profile\chrome\userchrome-example.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\defaults\profile\chrome\usercontent-example.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\dictionaries\en-US.aff (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\dictionaries\en-US.dic (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\preview.png (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\greprefs\all.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\greprefs\security-prefs.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\greprefs\xpinstall.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\certutils.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\ctypes.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\debug.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\distribution.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\downloadlastdir.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\downloadutils.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\fileutils.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\iso8601dateutils.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\lightweightthemeconsumer.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\lightweightthememanager.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\microformats.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\NetUtil.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\networkprioritizer.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\openlocationlasturl.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\placesdbutils.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\pluralform.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\spatialnavigation.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\utils.js (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\windowdraggingutils.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\windowspreviewpertab.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\modules\xpcomutils.jsm (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\plugins\npbasic.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\plugins\npnul32.dll (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-column-after-active.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\arrow.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\arrowd.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\broken-image.png (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\charsetalias.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\charsetdata.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\contenteditable.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\designmode.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\editoroverride.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\forms.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\grabber.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\hiddenwindow.html (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\html.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\langgroups.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\language.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\loading-image.png (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\mathml.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\quirk.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\svg.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-column-after-hover.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-column-after.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-column-before-active.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-column-before-hover.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-column-before.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-row-after-active.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-row-after-hover.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-row-after.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-row-before-active.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-row-before-hover.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-add-row-before.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-remove-column-active.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-remove-column-hover.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-remove-column.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-remove-row-active.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-remove-row-hover.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\table-remove-row.gif (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\ua.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\viewsource.css (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\wincharset.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\dtd\mathml.dtd (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\dtd\xhtml11.dtd (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\entitytables\html40latin1.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\entitytables\html40special.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\entitytables\html40symbols.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\entitytables\htmlentityversions.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\entitytables\mathml20.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\entitytables\transliterate.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\fonts\mathfont.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\fonts\mathfontstandardsymbolsl.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\fonts\mathfontstixnonunicode.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\fonts\mathfontstixsize1.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\fonts\mathfontsymbol.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\fonts\mathfontunicode.properties (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\res\html\folder.png (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\searchplugins\amazondotcom.xml (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\searchplugins\answers.xml (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\searchplugins\creativecommons.xml (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\searchplugins\eBay.xml (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\searchplugins\google.xml (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\searchplugins\wikipedia.xml (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\searchplugins\yahoo.xml (Trojan.ObCom) -> No action taken.

c:\program files\common files\comobject\uninstall\helper.exe (Trojan.ObCom) -> No action taken.

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Be sure to remove what is found

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".

Hi there,

Thank you so much for helping me. I removed everything mbam picked up (or rather, it quarantined it) and when it said to reboot, I did. When it started up it launched Dreamweaver straight away with a file called 'LMIR0003.tmp.bat.js' open in edit mode. This file contained the following code:

function DeleteCleanup() {
    var fso = new ActiveXObject("Scripting.FileSystemObject");

    // Delete this script file itself, retrying until it is gone.
    var scriptFile = WScript.ScriptFullName;
    while (fso.FileExists(scriptFile)) {
        try { fso.DeleteFile(scriptFile, true); } catch (e) {}
    }

    // Then delete the batch file it launched (path kept with its literal quotes, as posted).
    var batchFile = "\"C:/Users/KishMish/AppData/Local/Temp/LMIR0003.tmp.bat\"";
    while (fso.FileExists(batchFile)) {
        try { fso.DeleteFile(batchFile, true); } catch (e) {}
    }
}

try {
    // Run the batch file with a hidden window (second argument 0), then delete both files.
    var so = new ActiveXObject("Wscript.Shell");
    so.Run("\"C:/Users/KishMish/AppData/Local/Temp/LMIR0003.tmp.bat\"", 0);
    DeleteCleanup();
} catch (e) {
}

The desktop, task bar, start button - NOTHING has come up. The only way I got my browser and mbam to run again was by pressing Ctrl-Alt-Del for the task manager and running programs from there. I tried starting explorer.exe from there as well but although I have two instances of explorer now running, I still have no desktop! I ran a full mbam scan and here is the result:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8368

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

15/12/2011 11:36:22

mbam-log-2011-12-15 (11-36-22).txt

Scan type: Full scan (C:\|)

Objects scanned: 450128

Time elapsed: 2 hour(s), 45 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

So this appears to have removed the trojan but how do I get my desktop back? I killed both explorer processes from Task Manager and restarted the explorer process, and that brought my desktop back but I don't want to do it every time!

Also, I always thought the comobjects folder was an important folder! Was I wrong or can my computer and programs function fine without it?

Once again, thanks for your help!

Kish.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Download unhide.exe & save it to your windows folder:

Right click on unhide.exe and select Run as administrator (In case you have Vista or Win7)

Reboot

This will unhide folders/files that were set to be hidden by the infection you had.

After running the unhide tool you may still be missing most of your start menu shortcuts… They can be found in a folder named smtmp inside:

(XP)- C:\Documents and Settings\Username\Local Settings\Temp

(W7)- C:\Users\Username\AppData\Local\Temp

C:\Windows\Temp

Example:

%Temp%\smtmp\1 "%AllUsersProfile%\Start Menu"

%Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch"

%Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"

%Temp%\smtmp\4 "%AllUsersProfile%\Desktop"

These will be there unless you have removed temp files / folders

There might be three numbered folders inside C:\Documents and Settings\Your User Name\Local Settings\Temp\smtmp folder. The folders will be numbered 1, 2 and 4.

Inside the 1 folder is a folder named "Programs." This folder should be copied / pasted (using XP) to C:\Documents and Settings\All Users\Start Menu, which will already have a folder named Programs but it is safe to overwrite it since Windows will replace the subfolders without creating duplicates.

Inside the 2 folder are the quick launch items specific for the user. Select ALL of these shortcuts and copy / paste to (using XP) C:\Documents and Settings\Your User Name\Application Data\Microsoft\Internet Explorer\Quick Launch.

Inside the 4 folder are the desktop items that should be copied to C:\Documents and Settings\All Users\Desktop.

Let me know if everything was there and how it's running now.

For Windows 7 users, the all users start menu is C:\ProgramData\Microsoft\Windows\Start Menu\Programs and the all users desktop folder is C:\Users\Public\Desktop

Also you can use this option With Windows 7 / Vista:

You can restore the Start menu to its original, default settings.

1. Open Taskbar and Start Menu Properties by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Taskbar and Start Menu.

2. Click the Start Menu tab, and then click Customize.

3. In the Customize Start Menu dialog box, click Use Default Settings, and then click OK.

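Added example (not from this thread, not a Malwarebytes or unhide.exe tool): a Python script that performs the copy/paste steps for the numbered smtmp folders described in the post above, merging each folder back into its original location without deleting files already there. The function and folder names are the example's own; the Vista/7 destinations in default_destinations are assembled from the paths given in the post and assume a standard profile layout.

```python
"""Restore shortcuts that the infection moved into %Temp%\\smtmp.

Added example, not part of the original thread. It mirrors the manual
copy/paste steps: each numbered smtmp folder is merged back into its
original location, overwriting same-named files but keeping everything
else already at the destination.
"""
import os
import shutil
from pathlib import Path


def restore_smtmp(smtmp_dir, destinations):
    """Merge every numbered folder under smtmp_dir into its destination.

    destinations maps folder names ("1", "2", ...) to target directories.
    Returns (restored, missing): the files copied back, and the numbered
    folders that did not exist (the post notes that 3 may be absent).
    """
    smtmp_dir = Path(smtmp_dir)
    restored, missing = [], []
    for number, target in destinations.items():
        source = smtmp_dir / number
        if not source.is_dir():
            missing.append(number)
            continue
        target = Path(target)
        # Walk the whole tree so the "Programs" subfolder under 1 keeps its layout.
        for src_file in source.rglob("*"):
            if src_file.is_dir():
                continue
            dest_file = target / src_file.relative_to(source)
            dest_file.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src_file, dest_file)  # overwrite only the same-named file
            restored.append(str(dest_file))
    return restored, missing


def default_destinations():
    """Vista/7 locations from the post (assumption: standard profile layout).

    1: all-users Start Menu (its Programs subfolder is the one the post names)
    2: the user's Quick Launch folder
    3: pinned taskbar items under Quick Launch
    4: the all-users (Public) desktop
    """
    program_data = os.environ.get("ProgramData", r"C:\ProgramData")
    app_data = os.environ.get("AppData", r"C:\Users\Default\AppData\Roaming")
    public = os.environ.get("Public", r"C:\Users\Public")
    quick_launch = Path(app_data) / "Microsoft" / "Internet Explorer" / "Quick Launch"
    return {
        "1": str(Path(program_data) / "Microsoft" / "Windows" / "Start Menu"),
        "2": str(quick_launch),
        "3": str(quick_launch / "User Pinned" / "TaskBar"),
        "4": str(Path(public) / "Desktop"),
    }


if __name__ == "__main__":
    temp = os.environ.get("TEMP", ".")
    restored, missing = restore_smtmp(Path(temp) / "smtmp", default_destinations())
    print(f"restored {len(restored)} files; missing smtmp folders: {missing}")
```

Run it as the affected user with administrator rights, since the all-users Start Menu and Public desktop are not writable otherwise.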
LDTate, you are my star! unhide.exe worked fine. All my start programs are back too - I didn't have to do anything to restore those. Is my system clean now?

I asked before but I think it got lost in all the log file text: I always thought the comobjects folder was an important folder! Was I wrong or can my computer and programs function fine without it?

Thanks a million for your help!

Kish.

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Drop-FS/detailed-analysis.aspx

Let's give ComboFix a run.

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Hi LDTate,

Thanks for the sophos link.

I did as you said - ran ComboFix from the desktop and it ran up till stage 50 or so, then came up with a BSOD and almost immediately rebooted my system. All I could read in the short time the BSOD was up was something about an error in catchme.sys and something about a non-paging area? I have no idea what that means.

I have Norton 360, and turned off Smart Firewall and Antivirus Autoprotect before running ComboFix, but it wouldn't let me kill anything else. (I am logged in with an admin account btw). I went to the c: drive to see if ComboFix had put a text file in there, but the only thing related there that I can see is a folder called ComboFix (the icon isn't one of a folder though - it looks like a My Computer icon, but the properties list it as a folder!) and when I double-click on it, the 'My Computer' explorer window opens up.

Any ideas?

And I have no idea if this is related to my recent virus issue, but my gmail account notified me that someone accessed my account from Japan! (I live in Germany and am currently in India) I've changed the password but am worried there may be a keylogger or something on my system - I can't believe Norton failed so spectacularly.

Thanks again for your help. What should I do next?

Cheers,

Kish.


Hi,

The scan came back totally clean:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8393

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

19/12/2011 03:15:42

mbam-log-2011-12-19 (03-15-42).txt

Scan type: Full scan (C:\|)

Objects scanned: 452696

Time elapsed: 3 hour(s), 30 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I don't know if this is related but I can no longer connect to my wireless network at home. My ipad connects fine, and my mom's laptop connects fine, but I have to run a cable directly from the dsl router to my ethernet port to get a connection. When I'm connected to the wireless, my comp finds the network and connects to it, but I can't surf the net at all (I've tried Chrome, Firefox and even IE!) - trying Diagnose and Repair sometimes tells me the connection is fine, or it resets the wireless adapter but that doesn't help.

What should I do next?

Thanks a mill,

Kish.


Hi again!

Re-downloaded and ran ComboFix (I believe the earlier BSOD was because I didn't shut Norton 360 all the way down - it is a pain to close it properly!) successfully:

ComboFix 11-12-19.01 - KishMish 20/12/2011 0:55.2.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.607 [GMT 5.5:30]

Running from: c:\users\KishMish\Desktop\ComboFix.exe

AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Common Files\Temp

c:\program files\Common Files\Temp\Dream.Chronicles.4.Book.Air.CE.exe

c:\program files\Common Files\Temp\unins000.dat

c:\program files\Common Files\Temp\unins000.exe

c:\program files\iWin Games\iWinGamesHookIE.dll

c:\programdata\hpe7EDF.dll

c:\programdata\Microsoft Corporation\2007 Microsoft Office system

c:\programdata\Roaming

c:\users\KishMish\AppData\Roaming\.#

c:\users\KishMish\AppData\Roaming\inst.exe

c:\users\KishMish\AppData\Roaming\Local

c:\users\KishMish\AppData\Roaming\Local\Temp\DDM\Settings\0.ddi

c:\users\KishMish\AppData\Roaming\Local\Temp\DDM\Settings\parker_radius_park_half.mp4.ddr

c:\users\KishMish\AppData\Roaming\Local\Temp\DDM\Settings\settings.ddi

c:\users\KishMish\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\parker_radius_park_half.mp4

c:\users\KishMish\AppData\Roaming\log.txt

c:\users\KishMish\AppData\Roaming\Microsoft Corporation\2007 Microsoft Office system

c:\users\KishMish\AppData\Roaming\toolplugin\toolbar.dll

c:\users\KishMish\AppData\Roaming\vso_ts_preview.xml

.

.

((((((((((((((((((((((((( Files Created from 2011-11-19 to 2011-12-19 )))))))))))))))))))))))))))))))

.

.

2011-12-19 19:43 . 2011-12-19 19:43 -------- d-----w- c:\users\GuestShared\AppData\Local\temp

2011-12-19 19:43 . 2011-12-19 19:43 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-12-18 08:22 . 2011-12-18 08:22 -------- d-----w- c:\users\KishMish\AppData\Roaming\Alawar Entertainment

2011-12-17 04:53 . 2011-12-17 04:53 -------- d-----w- c:\users\GuestShared\AppData\Roaming\Malwarebytes

2011-12-15 14:08 . 2011-12-15 14:08 684297 ----a-w- c:\windows\unhide.exe

2011-12-14 15:39 . 2011-12-14 17:53 -------- d-----w- c:\users\KishMish\AppData\Local\NPE

2011-12-14 14:56 . 2011-12-14 14:56 -------- d-----w- c:\users\KishMish\AppData\Roaming\Tific

2011-12-14 03:35 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2011-12-14 03:31 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-12-14 03:31 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-12-14 03:30 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll

2011-12-14 03:30 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys

2011-12-14 03:30 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-12-14 03:25 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll

2011-12-13 19:09 . 2011-12-13 19:09 388096 ----a-r- c:\users\KishMish\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-12-13 19:09 . 2011-12-13 19:09 -------- d-----w- c:\program files\Trend Micro

2011-12-13 15:08 . 2011-12-13 15:08 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-12-13 15:08 . 2011-12-13 15:08 -------- d-----w- c:\programdata\Hitman Pro

2011-11-24 08:16 . 2011-12-04 19:19 -------- d-----w- c:\program files\Black Market

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-15 12:44 . 2011-11-15 12:46 861696 ----a-w- c:\windows\system32\drivers\mod7700.sys

2011-11-15 12:44 . 2011-11-15 12:45 24192 ----a-w- c:\windows\system32\drivers\tcpipBM.sys

2011-11-15 12:44 . 2011-11-15 12:46 90112 ----a-w- c:\windows\system32\drivers\ew_jucdcacm.sys

2011-11-15 12:44 . 2011-11-15 12:46 73216 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys

2011-11-15 12:44 . 2011-11-15 12:46 64384 ----a-w- c:\windows\system32\drivers\ew_jucdcecm.sys

2011-11-15 12:44 . 2011-11-15 12:46 26624 ----a-w- c:\windows\system32\drivers\ew_juextctrl.sys

2011-11-15 12:44 . 2011-11-15 12:46 25856 ----a-w- c:\windows\system32\drivers\ewdcsc.sys

2011-11-15 12:44 . 2011-11-15 12:46 235392 ----a-w- c:\windows\system32\drivers\ewusbnet.sys

2011-11-15 12:44 . 2011-11-15 12:46 193792 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys

2011-11-15 12:44 . 2011-11-15 12:46 19200 ----a-w- c:\windows\system32\drivers\ew_hwupgrade.sys

2011-11-15 12:44 . 2011-11-15 12:46 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys

2011-11-15 12:44 . 2011-11-15 12:46 1108320 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01007.dll

2011-11-15 12:44 . 2011-11-15 12:46 102784 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys

2011-11-15 12:44 . 2011-11-15 12:45 13184 ----a-w- c:\windows\system32\drivers\BMLoad.sys

2011-11-15 12:44 . 2009-10-06 06:25 1108320 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll

2011-11-15 12:44 . 2011-11-15 12:45 13712 ----a-w- c:\windows\system32\sporder.dll

2011-11-15 12:43 . 2011-11-15 12:45 724608 ----a-w- c:\windows\system32\bmutil.dll

2011-11-15 12:43 . 2011-11-15 12:45 480384 ----a-w- c:\windows\system32\bmnet.dll

2011-11-15 12:43 . 2011-11-15 12:45 308352 ----a-w- c:\windows\system32\bminstall.dll

2011-11-15 12:43 . 2011-11-15 12:45 132224 ----a-w- c:\windows\system32\bmdumpd.bin

2011-10-24 13:29 . 2011-10-24 13:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 13:29 . 2011-10-24 13:29 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-16 08:49 . 2011-05-15 13:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-03 04:06 . 2010-06-24 21:37 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-09-20 21:02 . 2011-11-15 13:58 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-09-29 06:53 . 2011-03-29 11:33 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

2010-03-17 13:45 2355224 ----a-w- c:\program files\Vuze_Remote\tbVuze.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Windows Home Server.lnk.disabled [2011-12-8 2359]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux3"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Users^KishMish^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\users\KishMish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^KishMish^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=c:\users\KishMish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=c:\windows\pss\PowerReg Scheduler V3.exe.Startup

backupExtension=.Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdshost]

wscript [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-27 15:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2011-11-01 17:55 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eAudio]

2007-06-11 13:54 1286144 ------w- c:\acer\Empowering Technology\eAudio\eAudio.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]

2007-04-25 23:33 457216 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSLoader.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]

2009-01-12 08:54 669520 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]

2011-10-07 20:47 161336 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]

2010-11-05 21:54 283160 ----a-w- c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-12-07 20:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]

2010-06-10 11:22 554328 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2009-04-30 22:07 13781536 ----a-w- c:\windows\System32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

2009-11-11 05:27 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]

2007-05-24 20:38 206952 ------w- c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]

2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-10-13 07:27 17351304 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

2009-09-24 09:11 434176 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSDMonitor]

2010-11-15 14:05 112600 ----a-w- c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 03:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]

2010-02-19 11:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskMngr]

2009-04-11 06:28 155648 ----a-w- c:\windows\System32\wscript.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]

2006-11-05 20:48 57344 ----a-w- c:\acer\WR_PopUp\WarReg_PopUp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\DatacardService\HWDeviceService.exe [2011-01-28 270176]

R2 Internet Manager. RunOuc;Internet Manager. OUC;c:\program files\T-Mobile\InternetManager_H\UpdateDog\ouc.exe [2011-11-15 224096]

R3 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-06-05 179712]

R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2011-11-15 102784]

R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [2011-11-15 11136]

R3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 136176]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 136176]

R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [2011-11-15 90112]

R3 huawei_cdcecm;huawei_cdcecm;c:\windows\system32\DRIVERS\ew_jucdcecm.sys [2011-11-15 64384]

R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys [2011-11-15 26624]

R3 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2010-04-14 78104]

R3 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]

R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]

R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]

S0 BMLoad;Bytemobile Boot Time Load Driver;c:\windows\system32\drivers\BMLoad.sys [2011-11-15 13184]

S0 Soluto;Soluto;c:\windows\system32\DRIVERS\Soluto.sys [2011-05-24 51144]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-06 717296]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SYMDS.SYS [2011-01-27 340088]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SYMEFA.SYS [2011-03-15 744568]

S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111210.003\BHDrvx86.sys [2011-11-14 819320]

S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111216.001\IDSvix86.sys [2011-08-18 368248]

S1 ndasfat;NDAS FAT;c:\windows\system32\DRIVERS\ndasfat.sys [2007-11-27 372584]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.SYS [2011-01-27 136312]

S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\N360\0501000.01D\SYMTDIV.SYS [2011-03-22 331384]

S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 13560]

S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2008-01-23 501560]

S2 arXfrSvc;TV-Archiv-Übertragungsdienst für Windows Media Center;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2009-10-07 239464]

S2 esClient;Windows Media Center-Clientdienst;c:\program files\Windows Home Server\esClient.exe [2009-10-07 97128]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-05 13336]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]

S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-01-28 632792]

S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2011-05-24 376352]

S2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\Splashtop\Splashtop Remote\Server\SRService.exe [2011-10-24 520040]

S2 SSUService;Splashtop Software Updater Service;c:\program files\Splashtop\Splashtop Software Updater\SSUService.exe [2011-11-10 370504]

S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]

S2 WHSConnector;Windows Home Server-Connectordienst;c:\program files\Windows Home Server\WHSConnector.exe [2009-10-07 376680]

S3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [2009-10-07 44776]

S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2007-03-07 32256]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-15 106104]

S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2011-11-15 73216]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]

S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2009-07-12 47360]

S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMSWISSARMY

*Deregistered* - MBAMSwissArmy

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-19 c:\windows\Tasks\Epson Printer Software Downloader.job

- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-01-23 14:03]

.

2011-12-19 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-10 20:47]

.

2011-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 07:47]

.

2011-12-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 07:47]

.

2011-12-19 c:\windows\Tasks\Norton Security Scan for KishMish.job

- c:\progra~1\NORTON~3\Engine\301~1.8\Nss.exe [2011-01-20 22:47]

.

2011-12-19 c:\windows\Tasks\RMSchedule.job

- c:\program files\Registry Mechanic\RegMech.exe [2011-08-18 08:02]

.

.

------- Supplementary Scan -------

.

uStart Page = https://www.one.com/admin/frontpage.do

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://en.uk.acer.yahoo.com

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: SYSTRAN Lookup - c:\program files\SYSTRAN\6\\GUIres.dll/lookup.js

IE: SYSTRAN Translate - c:\program files\SYSTRAN\6\\GUIres.dll/translate.js

TCP: DhcpNameServer = 218.248.255.194 218.248.255.146

FF - ProfilePath - c:\users\KishMish\AppData\Roaming\Mozilla\Firefox\Profiles\n1g17c41.default\

FF - prefs.js: browser.search.selectedEngine - Search the web

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php

FF - prefs.js: keyword.URL - hxxp://www.browsersafesearch.com?client=mozilla-firefox&cd=UTF-8&search=1&q=

FF - prefs.js: network.proxy.ftp - 207.135.129.5

FF - prefs.js: network.proxy.gopher - 207.135.129.5

FF - prefs.js: network.proxy.http - 207.135.129.5

FF - prefs.js: network.proxy.type - 1

FF - user.js: browser.search.selectedEngine - Search the web

FF - user.js: browser.search.order.1 - Search the web

FF - user.js: browser.search.defaultenginename - Search the web

FF - user.js: keyword.URL - hxxp://www.browsersafesearch.com?client=mozilla-firefox&cd=UTF-8&search=1&q=

FF - user.js: privacy.item.cookies - false

FF - user.js: privacy.sanitize.promptOnSanitize - false

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-eRecoveryService - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-20 01:13

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]

"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2011-12-20 01:22:54

ComboFix-quarantined-files.txt 2011-12-19 19:52

.

Pre-Run: 9,322,123,264 bytes free

Post-Run: 9,216,966,656 bytes free

.

- - End Of File - - 22F18FF127C553DC1BF5954FB4F710B0

What next?

Thanks,

Kish.

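The Supplementary Scan section of the log above shows Firefox configured with a manual proxy (network.proxy.type 1, proxy host 207.135.129.5) and keyword.URL pointing at browsersafesearch.com, with the same values re-applied from user.js. The following is an added example, not code from this thread or from ComboFix or Malwarebytes, that parses those "FF - prefs.js" / "FF - user.js" lines and flags proxy and search hijacks. The expected-host and engine-name lists are assumptions made for the example, and the sample log excerpt is constructed in the shape of the lines posted above.

```python
"""Triage the 'FF - prefs.js' / 'FF - user.js' lines of a ComboFix log for
proxy and search hijack indicators.  Added example, not part of ComboFix;
the sample lines below are constructed to match the log posted above."""

import re

FF_LINE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")

# Search-related prefs that adware typically rewrites.
SEARCH_KEYS = {
    "keyword.URL",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.search.order.1",
}
PROXY_SUFFIXES = {"http", "ssl", "ftp", "gopher", "socks"}

# Assumption for this example: these are the only search hosts / engine
# names the user expects; anything else is reported for review.
EXPECTED_SEARCH_HOSTS = ("google.", "bing.", "yahoo.", "duckduckgo.", "mozilla.")
EXPECTED_ENGINE_NAMES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}

# Constructed sample in the shape of the Supplementary Scan section above.
SAMPLE_LOG = r"""
uStart Page = https://www.one.com/admin/frontpage.do
FF - ProfilePath - c:\users\KishMish\AppData\Roaming\Mozilla\Firefox\Profiles\n1g17c41.default\
FF - prefs.js: browser.search.selectedEngine - Search the web
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php
FF - prefs.js: keyword.URL - hxxp://www.browsersafesearch.com?client=mozilla-firefox&cd=UTF-8&search=1&q=
FF - prefs.js: network.proxy.http - 207.135.129.5
FF - prefs.js: network.proxy.type - 1
FF - user.js: browser.search.defaultenginename - Search the web
FF - user.js: keyword.URL - hxxp://www.browsersafesearch.com?client=mozilla-firefox&cd=UTF-8&search=1&q=
"""


def parse_ff_prefs(lines):
    """Return a list of (source_file, key, value) for every FF pref line."""
    prefs = []
    for line in lines:
        m = FF_LINE.match(line.strip())
        if m:
            prefs.append((m.group(1), m.group(2), m.group(3).strip()))
    return prefs


def host_of(url):
    """Host part of a URL, or None if the value is not a URL.
    ComboFix defangs http(s) as hxxp(s), so accept both spellings."""
    m = re.match(r"^(?:hxxps?|https?)://([^/?#:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def classify(key, value):
    """Reason string if the pref looks hijacked, otherwise None."""
    if key == "network.proxy.type":
        # 1 = manual proxy: every browser request goes via the configured host.
        return "manual proxy enabled (type 1)" if value == "1" else None
    if key.startswith("network.proxy.") and key.rsplit(".", 1)[-1] in PROXY_SUFFIXES:
        return "proxy host set"
    if key in SEARCH_KEYS:
        host = host_of(value)
        if host is None:
            return None if value in EXPECTED_ENGINE_NAMES else "unrecognised search engine name"
        if not any(h in host for h in EXPECTED_SEARCH_HOSTS):
            return "search URL points at " + host
    return None


def find_hijacks(lines):
    """Return [(source_file, key, value, reason)] for suspicious prefs."""
    findings = []
    for src, key, value in parse_ff_prefs(lines):
        reason = classify(key, value)
        if reason:
            findings.append((src, key, value, reason))
    return findings


def userjs_keys(findings):
    """Keys persisted in user.js: Firefox re-applies user.js on every start,
    so resetting prefs.js alone will not remove these."""
    return {key for src, key, _, _ in findings if src == "user.js"}


if __name__ == "__main__":
    hits = find_hijacks(SAMPLE_LOG.splitlines())
    for src, key, value, reason in hits:
        print(f"{src:8} {key:40} {reason}")
    print("persisted by user.js:", sorted(userjs_keys(hits)))
```

On the sample, the two proxy prefs, both keyword.URL lines and both "Search the web" engine entries are reported, while the Facebook homepage is not. The user.js hits matter for cleanup: Firefox applies user.js over prefs.js at every start, so the proxy and search settings come back unless user.js itself is removed, which is why the helper's CFScript below targets the user.js entries as well as prefs.js.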

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\users\KishMish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
c:\windows\pss\PowerReg Scheduler V3.exe.
c:\program files\iWin Games\iWinTrusted.exe

Folder::
c:\program files\iWin Games

DDS::
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

FireFox::
FF - ProfilePath - c:\users\KishMish\AppData\Roaming\Mozilla\Firefox\Profiles\n1g17c41.default\
FF - prefs.js: browser.search.selectedEngine - Search the web
FF - prefs.js: keyword.URL - hxxp://www.browsersafesearch.com?client=mozilla-firefox&cd=UTF-8&search=1&q=
FF - prefs.js: network.proxy.ftp - 207.135.129.5
FF - prefs.js: network.proxy.gopher - 207.135.129.5
FF - prefs.js: network.proxy.http - 207.135.129.5
FF - prefs.js: network.proxy.type - 1
FF - user.js: browser.search.selectedEngine - Search the web
FF - user.js: browser.search.order.1 - Search the web
FF - user.js: browser.search.defaultenginename - Search the web

Registry::
[-HKLM\~\startupfolder\C:^Users^KishMish^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

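A defender-side check for the Firefox proxy and search hijack that the CFScript above targets, added here as an example (it is not part of the original post and not ComboFix code): it parses prefs.js/user.js lines and flags a manual proxy pointed at a non-local host and a keyword.URL override. The sample prefs text is constructed to mirror the thread's FF lines.

```python
"""Scan Firefox prefs.js / user.js text for the proxy and search hijack
pattern seen in this thread: network.proxy.type forced to 1 (manual) with
the proxy host set to an external IP, and keyword.URL pointed at a
third-party search site.

Added example, not part of the original forum post or of ComboFix.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Matches the user_pref("name", value); lines that Firefox writes.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Proxy host prefs that matter when network.proxy.type == 1 (manual).
PROXY_HOST_KEYS = ("network.proxy.http", "network.proxy.ssl",
                   "network.proxy.ftp", "network.proxy.gopher",
                   "network.proxy.socks")

# Constructed sample reproducing the values from the thread's log.
SAMPLE_PREFS = '''
user_pref("browser.search.selectedEngine", "Search the web");
user_pref("keyword.URL", "http://www.browsersafesearch.com?client=mozilla-firefox&cd=UTF-8&search=1&q=");
user_pref("network.proxy.ftp", "207.135.129.5");
user_pref("network.proxy.gopher", "207.135.129.5");
user_pref("network.proxy.http", "207.135.129.5");
user_pref("network.proxy.type", 1);
user_pref("browser.startup.homepage", "http://www.facebook.com/home.php");
'''


def parse_prefs(text):
    """Return {name: value} for every user_pref line.

    String values are unquoted, true/false become bools, numbers become
    ints; anything else is kept raw. Lines that do not match are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def is_local_host(host):
    """True for loopback or RFC 1918 addresses (or 'localhost'), which is
    where a legitimate LAN or filtering proxy would normally live."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private


def find_hijack_indicators(prefs):
    """Return a list of (pref_name, reason) findings for the given prefs."""
    findings = []
    # A manual proxy to an external host routes all browsing through it,
    # so it is the indicator worth escalating, not the proxy type alone.
    if prefs.get("network.proxy.type") == 1:
        for key in PROXY_HOST_KEYS:
            host = prefs.get(key)
            if host and not is_local_host(host):
                findings.append((key, f"manual proxy to external host {host}"))
    # prefs.js only records prefs changed from their defaults, so any
    # keyword.URL here means address-bar searches were redirected.
    kw = prefs.get("keyword.URL")
    if kw:
        host = urlparse(kw).hostname or "(unparsable URL)"
        findings.append(("keyword.URL", f"address-bar search redirected to {host}"))
    return findings


if __name__ == "__main__":
    for pref, reason in find_hijack_indicators(parse_prefs(SAMPLE_PREFS)):
        print(f"{pref}: {reason}")
```

On a live profile, feed the contents of prefs.js and user.js to parse_prefs separately, since user.js is re-applied on every start and is where persistent hijacks are usually planted.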

Hi LDTate,

Okay. So my wireless started working on its own last night, it's intermittent now which makes me think that it was an unrelated issue but I don't know. I dragged the CFScript file into ComboFix, which then hung (I didn't click on it or anything, it just stayed open for about 40 minutes without even getting to the Stage 1, 2, 3 etc part). I did a hard reboot and everything seems to be working okay. Should I try the script thing again?

Other than the wireless issue, my comp seems to be functioning fine, even the boot time is better! :)

Thanks,

Kish.


Hi there,

I ran an MBAM scan again and it was clean, so I ran the CFScript again and this time it worked! Here's the log:

ComboFix 11-12-19.01 - KishMish 21/12/2011 8:25.3.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.1138 [GMT 5.5:30]

Running from: c:\users\KishMish\Desktop\ComboFix.exe

Command switches used :: c:\users\KishMish\Desktop\CFScript.txt

AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\program files\iWin Games\iWinTrusted.exe"

"c:\users\KishMish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe"

"c:\windows\pss\PowerReg Scheduler V3.exe."

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\iWin Games

c:\program files\iWin Games\AdminWorker.exe

c:\program files\iWin Games\firefox\chrome.manifest

c:\program files\iWin Games\firefox\chrome\iwinarcade.jar

c:\program files\iWin Games\firefox\install.rdf

c:\program files\iWin Games\firefox\iWinArcadeLauncher.exe

c:\program files\iWin Games\firefox\version

c:\program files\iWin Games\ftdownload.dat

c:\program files\iWin Games\gamepage\buynow.html

c:\program files\iWin Games\gamepage\common.js

c:\program files\iWin Games\gamepage\css\offline.css

c:\program files\iWin Games\gamepage\disconnected-upsell.html

c:\program files\iWin Games\gamepage\end.html

c:\program files\iWin Games\gamepage\expired.html

c:\program files\iWin Games\gamepage\images\alert32x32.gif

c:\program files\iWin Games\gamepage\images\bg_header.gif

c:\program files\iWin Games\gamepage\images\buttons\close-blue-28.gif

c:\program files\iWin Games\gamepage\images\buttons\continue-orange-132.gif

c:\program files\iWin Games\gamepage\images\buttons\yesiwantabackupcd-orange-197.gif

c:\program files\iWin Games\gamepage\images\common\header-bg.gif

c:\program files\iWin Games\gamepage\images\common\header-small-bg.gif

c:\program files\iWin Games\gamepage\images\common\loading.gif

c:\program files\iWin Games\gamepage\images\continuefreetrial-32.gif

c:\program files\iWin Games\gamepage\images\global\logo-invis.gif

c:\program files\iWin Games\gamepage\images\global\logo.gif

c:\program files\iWin Games\gamepage\images\global\page-bg-swirly.gif

c:\program files\iWin Games\gamepage\images\global\page-bg.gif

c:\program files\iWin Games\gamepage\images\global\page-header-small-bg.jpg

c:\program files\iWin Games\gamepage\images\logo.jpg

c:\program files\iWin Games\gamepage\images\misc\blue-bottom-triangle.gif

c:\program files\iWin Games\gamepage\images\misc\information.gif

c:\program files\iWin Games\gamepage\images\ous\divider.gif

c:\program files\iWin Games\gamepage\images\ous\eus.jpg

c:\program files\iWin Games\gamepage\images\ous\hotel-bg.gif

c:\program files\iWin Games\gamepage\images\ous\hotel-iwin.gif

c:\program files\iWin Games\gamepage\images\ous\opal.gif

c:\program files\iWin Games\gamepage\images\ous\opalbox.jpg

c:\program files\iWin Games\gamepage\images\ous\ous-promo-banner.jpg

c:\program files\iWin Games\gamepage\images\plans\plan1.gif

c:\program files\iWin Games\gamepage\images\plans\plan2.gif

c:\program files\iWin Games\gamepage\images\plans\plan3.gif

c:\program files\iWin Games\gamepage\images\product\feature.jpg

c:\program files\iWin Games\gamepage\open.html

c:\program files\iWin Games\gamepage\operationfailed.html

c:\program files\iWin Games\gamepage\scripts\disconnected-upsell.js

c:\program files\iWin Games\gamepage\scripts\popups.js

c:\program files\iWin Games\gamepage\scripts\prototype-1.6.js

c:\program files\iWin Games\gamepage\styles\base.css

c:\program files\iWin Games\gamepage\styles\disconnected-upsell.css

c:\program files\iWin Games\gamepage\styles\shoppingcart.css

c:\program files\iWin Games\gamepage\success.html

c:\program files\iWin Games\host.cfg

c:\program files\iWin Games\iWinGames.exe

c:\program files\iWin Games\iWinInfo.dll

c:\program files\iWin Games\iWinTrusted.exe

c:\program files\iWin Games\pages\alert32x32.gif

c:\program files\iWin Games\pages\arcadeCheck.js

c:\program files\iWin Games\pages\blank.html

c:\program files\iWin Games\pages\blank2.html

c:\program files\iWin Games\pages\error.html

c:\program files\iWin Games\pages\error404.css

c:\program files\iWin Games\pages\iwin_logo.gif

c:\program files\iWin Games\pages\login.html

c:\program files\iWin Games\pages\maintenance.html

c:\program files\iWin Games\pages\offline.css

c:\program files\iWin Games\pages\offline.html

c:\program files\iWin Games\pages\offline.jpg

c:\program files\iWin Games\pages\offline_tag.gif

c:\program files\iWin Games\pages\offlineBg.gif

c:\program files\iWin Games\pages\orange-im-connected-60.gif

c:\program files\iWin Games\pages\terrie404.gif

c:\program files\iWin Games\pages\test.html

c:\program files\iWin Games\sounds\animation.wav

c:\program files\iWin Games\sounds\animationBack.wav

c:\program files\iWin Games\sounds\button_click.wav

c:\program files\iWin Games\sounds\coins.wav

c:\program files\iWin Games\sounds\download_completed.wav

c:\program files\iWin Games\sounds\slidebackin.wav

c:\program files\iWin Games\sounds\slideout.wav

c:\program files\iWin Games\sounds\start.wav

c:\program files\iWin Games\Uninstall.exe

c:\program files\iWin Games\WebInstaller.exe

c:\program files\iWin Games\WebUpdater.bmp

c:\program files\iWin Games\WebUpdater.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_iWinTrusted

-------\Service_iWinTrusted

.

.

((((((((((((((((((((((((( Files Created from 2011-11-21 to 2011-12-21 )))))))))))))))))))))))))))))))

.

.

2011-12-21 03:09 . 2011-12-21 03:23 -------- d-----w- c:\users\KishMish\AppData\Local\temp

2011-12-21 03:09 . 2011-12-21 03:09 -------- d-----w- c:\users\GuestShared\AppData\Local\temp

2011-12-21 03:09 . 2011-12-21 03:09 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-12-18 08:22 . 2011-12-18 08:22 -------- d-----w- c:\users\KishMish\AppData\Roaming\Alawar Entertainment

2011-12-17 04:53 . 2011-12-17 04:53 -------- d-----w- c:\users\GuestShared\AppData\Roaming\Malwarebytes

2011-12-15 14:08 . 2011-12-15 14:08 684297 ----a-w- c:\windows\unhide.exe

2011-12-14 15:39 . 2011-12-14 17:53 -------- d-----w- c:\users\KishMish\AppData\Local\NPE

2011-12-14 14:56 . 2011-12-14 14:56 -------- d-----w- c:\users\KishMish\AppData\Roaming\Tific

2011-12-14 03:35 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2011-12-14 03:31 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-12-14 03:31 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-12-14 03:30 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll

2011-12-14 03:30 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys

2011-12-14 03:30 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-12-14 03:25 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll

2011-12-13 19:09 . 2011-12-13 19:09 388096 ----a-r- c:\users\KishMish\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-12-13 19:09 . 2011-12-13 19:09 -------- d-----w- c:\program files\Trend Micro

2011-12-13 15:08 . 2011-12-13 15:08 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-12-13 15:08 . 2011-12-13 15:08 -------- d-----w- c:\programdata\Hitman Pro

2011-11-24 08:16 . 2011-12-04 19:19 -------- d-----w- c:\program files\Black Market

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-15 12:44 . 2011-11-15 12:46 861696 ----a-w- c:\windows\system32\drivers\mod7700.sys

2011-11-15 12:44 . 2011-11-15 12:45 24192 ----a-w- c:\windows\system32\drivers\tcpipBM.sys

2011-11-15 12:44 . 2011-11-15 12:46 90112 ----a-w- c:\windows\system32\drivers\ew_jucdcacm.sys

2011-11-15 12:44 . 2011-11-15 12:46 73216 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys

2011-11-15 12:44 . 2011-11-15 12:46 64384 ----a-w- c:\windows\system32\drivers\ew_jucdcecm.sys

2011-11-15 12:44 . 2011-11-15 12:46 26624 ----a-w- c:\windows\system32\drivers\ew_juextctrl.sys

2011-11-15 12:44 . 2011-11-15 12:46 25856 ----a-w- c:\windows\system32\drivers\ewdcsc.sys

2011-11-15 12:44 . 2011-11-15 12:46 235392 ----a-w- c:\windows\system32\drivers\ewusbnet.sys

2011-11-15 12:44 . 2011-11-15 12:46 193792 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys

2011-11-15 12:44 . 2011-11-15 12:46 19200 ----a-w- c:\windows\system32\drivers\ew_hwupgrade.sys

2011-11-15 12:44 . 2011-11-15 12:46 11136 ----a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys

2011-11-15 12:44 . 2011-11-15 12:46 1108320 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01007.dll

2011-11-15 12:44 . 2011-11-15 12:46 102784 ----a-w- c:\windows\system32\drivers\ew_hwusbdev.sys

2011-11-15 12:44 . 2011-11-15 12:45 13184 ----a-w- c:\windows\system32\drivers\BMLoad.sys

2011-11-15 12:44 . 2009-10-06 06:25 1108320 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll

2011-11-15 12:44 . 2011-11-15 12:45 13712 ----a-w- c:\windows\system32\sporder.dll

2011-11-15 12:43 . 2011-11-15 12:45 724608 ----a-w- c:\windows\system32\bmutil.dll

2011-11-15 12:43 . 2011-11-15 12:45 480384 ----a-w- c:\windows\system32\bmnet.dll

2011-11-15 12:43 . 2011-11-15 12:45 308352 ----a-w- c:\windows\system32\bminstall.dll

2011-11-15 12:43 . 2011-11-15 12:45 132224 ----a-w- c:\windows\system32\bmdumpd.bin

2011-10-24 13:29 . 2011-10-24 13:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 13:29 . 2011-10-24 13:29 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-16 08:49 . 2011-05-15 13:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-03 04:06 . 2010-06-24 21:37 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-09-29 06:53 . 2011-03-29 11:33 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

2010-03-17 13:45 2355224 ----a-w- c:\program files\Vuze_Remote\tbVuze.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Windows Home Server.lnk.disabled [2011-12-8 2359]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,c:\program files\Soluto\soluto.exe /userinit"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux3"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Users^KishMish^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\users\KishMish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rdshost]

wscript [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-27 15:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]

2011-11-01 17:55 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eAudio]

2007-06-11 13:54 1286144 ------w- c:\acer\Empowering Technology\eAudio\eAudio.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]

2007-04-25 23:33 457216 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSLoader.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]

2009-01-12 08:54 669520 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]

2011-10-07 20:47 161336 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]

2010-11-05 21:54 283160 ----a-w- c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-12-07 20:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]

2010-06-10 11:22 554328 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2009-04-30 22:07 13781536 ----a-w- c:\windows\System32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

2009-11-11 05:27 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]

2007-05-24 20:38 206952 ------w- c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]

2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-10-13 07:27 17351304 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

2009-09-24 09:11 434176 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSDMonitor]

2010-11-15 14:05 112600 ----a-w- c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 03:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]

2010-02-19 11:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TaskMngr]

2009-04-11 06:28 155648 ----a-w- c:\windows\System32\wscript.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]

2006-11-05 20:48 57344 ----a-w- c:\acer\WR_PopUp\WarReg_PopUp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 Internet Manager. RunOuc;Internet Manager. OUC;c:\program files\T-Mobile\InternetManager_H\UpdateDog\ouc.exe [2011-11-15 224096]

R3 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-06-05 179712]

R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2011-11-15 102784]

R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [2011-11-15 11136]

R3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 136176]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 136176]

R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [2011-11-15 90112]

R3 huawei_cdcecm;huawei_cdcecm;c:\windows\system32\DRIVERS\ew_jucdcecm.sys [2011-11-15 64384]

R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys [2011-11-15 26624]

R3 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]

R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]

R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]

S0 BMLoad;Bytemobile Boot Time Load Driver;c:\windows\system32\drivers\BMLoad.sys [2011-11-15 13184]

S0 Soluto;Soluto;c:\windows\system32\DRIVERS\Soluto.sys [2011-05-24 51144]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-09-06 717296]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SYMDS.SYS [2011-01-27 340088]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SYMEFA.SYS [2011-03-15 744568]

S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111210.003\BHDrvx86.sys [2011-11-14 819320]

S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111219.001\IDSvix86.sys [2011-08-18 368248]

S1 ndasfat;NDAS FAT;c:\windows\system32\DRIVERS\ndasfat.sys [2007-11-27 372584]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.SYS [2011-01-27 136312]

S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\N360\0501000.01D\SYMTDIV.SYS [2011-03-22 331384]

S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 13560]

S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2008-01-23 501560]

S2 arXfrSvc;TV-Archiv-Übertragungsdienst für Windows Media Center;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2009-10-07 239464]

S2 esClient;Windows Media Center-Clientdienst;c:\program files\Windows Home Server\esClient.exe [2009-10-07 97128]

S2 HWDeviceService.exe;HWDeviceService.exe;c:\programdata\DatacardService\HWDeviceService.exe [2011-01-28 270176]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-05 13336]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 N360;Norton 360;c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]

S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-01-28 632792]

S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2011-05-24 376352]

S2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\Splashtop\Splashtop Remote\Server\SRService.exe [2011-10-24 520040]

S2 SSUService;Splashtop Software Updater Service;c:\program files\Splashtop\Splashtop Software Updater\SSUService.exe [2011-11-10 370504]

S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-30 2358656]

S2 WHSConnector;Windows Home Server-Connectordienst;c:\program files\Windows Home Server\WHSConnector.exe [2009-10-07 376680]

S3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [2009-10-07 44776]

S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2007-03-07 32256]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-15 106104]

S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2011-11-15 73216]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]

S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2009-07-12 47360]

S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-20 c:\windows\Tasks\Epson Printer Software Downloader.job

- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-01-23 14:03]

.

2011-12-21 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-10 20:47]

.

2011-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 07:47]

.

2011-12-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-23 07:47]

.

2011-12-19 c:\windows\Tasks\Norton Security Scan for KishMish.job

- c:\progra~1\NORTON~3\Engine\301~1.8\Nss.exe [2011-01-20 22:47]

.

2011-12-20 c:\windows\Tasks\RMSchedule.job

- c:\program files\Registry Mechanic\RegMech.exe [2011-08-18 08:02]

.

.

------- Supplementary Scan -------

.

uStart Page = https://www.one.com/admin/frontpage.do

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://en.uk.acer.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: SYSTRAN Lookup - c:\program files\SYSTRAN\6\\GUIres.dll/lookup.js

IE: SYSTRAN Translate - c:\program files\SYSTRAN\6\\GUIres.dll/translate.js

TCP: DhcpNameServer = 218.248.255.194 218.248.255.146

FF - ProfilePath - c:\users\KishMish\AppData\Roaming\Mozilla\Firefox\Profiles\n1g17c41.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php

FF - user.js: privacy.item.cookies - false

FF - user.js: privacy.sanitize.promptOnSanitize - false

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-iWinArcade - c:\program files\iWin Games\Uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-21 08:53

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]

"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(5880)

c:\windows\system32\BatMeter.dll

c:\windows\ehome\ehSSO.dll

c:\windows\System32\netshell.dll

c:\windows\system32\pnidui.dll

c:\program files\Stardock\Fences\FencesMenu.dll

c:\program files\stardock\fences\DesktopDock.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\program files\Microsoft Virtual PC\VPCShExH.DLL

c:\windows\System32\srchadmin.dll

c:\windows\System32\SyncCenter.dll

c:\windows\system32\mscms.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\system32\WLANExt.exe

c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\acer\Empowering Technology\eDataSecurity\eDSService.exe

c:\windows\ehome\ehRecvr.exe

c:\windows\ehome\ehsched.exe

c:\programdata\Internet Manager\OnlineUpdate\ouc.exe

c:\program files\NDAS\System\ndassvc.exe

c:\windows\system32\DllHost.exe

c:\program files\Bonjour\mDNSResponder.exe

.

**************************************************************************

.

Completion time: 2011-12-21 08:59:07 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-21 03:29

ComboFix2.txt 2011-12-19 19:52

.

Pre-Run: 10,049,339,392 bytes free

Post-Run: 9,287,426,048 bytes free

.

- - End Of File - - 5D66669115A52D298F78A4369FF0F024

Thanks,

Kish.

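When reviewing a ComboFix log like the one above, the check worth doing on the "DLLs Loaded Under Running Processes" list is to verify the Authenticode signature of every module it names. The script below is an added example written for this thread; it is not part of the original post, ComboFix, or Malwarebytes. It assumes the log was saved as C:\ComboFix.txt (hypothetical path) and that it runs on PowerShell 5.1 or later, where Get-AuthenticodeSignature also honours Windows catalog signatures; on the PowerShell 2.0 that shipped with Vista, catalog-signed Windows system files report NotSigned, so on that platform only the third-party paths (Stardock, Nokia, Virtual PC) are the interesting rows.

```powershell
# Added example, not code from the original thread or from ComboFix.
# Parses a saved ComboFix log, extracts the module paths listed under
# "DLLs Loaded Under Running Processes", and reports every module whose
# Authenticode signature is not Valid.
# Assumptions (hypothetical): log saved at C:\ComboFix.txt; PowerShell 5.1+.

$LogPath = 'C:\ComboFix.txt'   # assumed location of the saved log

function Get-ComboFixLoadedModules {
    <#
      Returns the file paths ComboFix listed between the
      "DLLs Loaded Under Running Processes" and "Other Running Processes"
      headers. Process markers such as "- - - > 'Explorer.exe'(5880)" and
      the "." spacer lines are skipped because they do not start with a
      drive letter.
    #>
    param([Parameter(Mandatory)][string[]]$Lines)

    $inSection = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^-+ DLLs Loaded Under Running Processes -+$') { $inSection = $true; continue }
        if ($inSection -and $line -match '^-+ Other Running Processes -+$') { break }
        if ($inSection -and $line -match '^[A-Za-z]:\\') { $line }
    }
}

function Test-LoadedModuleSignatures {
    <#
      For each path, emits Path / Status / Signer. Status is the
      SignatureStatus from Get-AuthenticodeSignature (Valid, NotSigned,
      HashMismatch, ...) or 'Missing' when the file is no longer on disk,
      which after a cleanup can mean quarantine or a self-deleting component.
    #>
    param([Parameter(Mandatory)][string[]]$Paths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'Missing'; Signer = '' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{ Path = $path; Status = $sig.Status; Signer = $signer }
    }
}

# Read the log, verify every listed module, and show only the ones that
# are not cleanly signed. Non-executable resource files (the .nlr/.ngr
# entries under the Nokia folder) are expected to show NotSigned.
$modules = Get-ComboFixLoadedModules -Lines (Get-Content -LiteralPath $LogPath)
Test-LoadedModuleSignatures -Paths $modules |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

A NotSigned or HashMismatch result on a DLL under c:\windows\system32 or on a third-party shell extension loaded into Explorer.exe is what would justify a closer look; a signed module from a known vendor, as all of the paths in this log appear to be, is the expected outcome for a clean machine.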

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.
  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.


MBAM is not an anti-virus nor a firewall program.

If you want a free anti-virus after Norton's runs out, I suggest either one of these free ones.

Only run one Anti-Virus at a time.

Use an AntiVirus Software - Choose only one - More than one will conflict. It is very important that your computer has anti-virus software running to protect against viruses. Update Antivirus prior to manual scans as necessary or as used. Please only choose one, having more than one can cause problems, such as crashes and your computer to slow down.
