Malwarebytes intercepting svchost.exe pings

LDTate · January 5, 2012

Download ComboFix from one of these locations:

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
Double click on ComboFix.exe & follow the prompts.
Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
Note: If you have XP SP3, use the XP SP2 package.
If Vista or Windows 7, skip the Recovery Console part
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

biffgnar · January 6, 2012

Tried system restores to two different save points and didn't fix. I will run Combofx again.

LDTate · January 6, 2012

ok

biffgnar · January 6, 2012

ComboFix 12-01-05.04 - Eric 01/05/2012 19:57:24.4.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.978 [GMT -5:00]

Running from: c:\users\Eric\Desktop\ComboFix2.exe

AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))

.

2012-01-06 01:09 . 2012-01-06 01:09 -------- d-----w- c:\users\Eric\AppData\Local\temp

2012-01-06 01:09 . 2012-01-06 01:09 -------- d-----w- c:\users\Rachel\AppData\Local\temp

2012-01-06 01:09 . 2012-01-06 01:09 -------- d-----w- c:\users\Joshua\AppData\Local\temp

2012-01-06 01:09 . 2012-01-06 01:09 -------- d-----w- c:\users\Heather\AppData\Local\temp

2012-01-06 01:09 . 2012-01-06 01:09 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-06 01:09 . 2012-01-06 01:09 -------- d-----w- c:\users\Cindy\AppData\Local\temp

2012-01-03 23:50 . 2011-11-30 07:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D84E2452-780C-419A-BE7A-5C6936A1C1B1}\mpengine.dll

2011-12-31 19:01 . 2012-01-04 01:15 -------- d-----w- C:\ComboFix

2011-12-31 16:47 . 2011-12-31 16:48 -------- d-----w- c:\users\Eric\AppData\Roaming\QuickScan

2011-12-31 14:51 . 2011-12-31 14:51 -------- d-----w- c:\users\Eric\AppData\Roaming\SUPERAntiSpyware.com

2011-12-31 14:51 . 2011-12-31 14:54 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-12-31 14:51 . 2011-12-31 14:51 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-12-31 01:22 . 2011-12-31 01:22 -------- d-----w- c:\users\Eric\AppData\Roaming\Malwarebytes

2011-12-31 01:20 . 2011-12-31 01:20 -------- d-----w- c:\programdata\Malwarebytes

2011-12-31 01:20 . 2011-12-31 01:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-31 01:20 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-16 00:01 . 2011-12-16 00:01 -------- d-----w- c:\users\Eric\AppData\Local\DDMSettings

2011-12-15 05:29 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll

2011-12-15 05:28 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-12-15 05:28 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-12-15 05:28 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys

2011-12-15 05:28 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2011-12-15 05:28 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-12-15 05:28 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-08 00:01 . 2011-05-14 11:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-15 19:29 . 2010-06-23 03:16 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll

2009-08-14 17:33 . 2009-08-14 17:33 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2009-08-14 17:33 . 2009-08-14 17:33 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2009-08-14 17:33 . 2009-08-14 17:33 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2009-08-14 17:33 . 2009-08-14 17:33 20824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2009-08-14 17:34 . 2009-08-14 17:34 206160 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2009-08-14 17:33 . 2009-08-14 17:33 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2009-08-14 17:33 . 2009-08-14 17:33 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-03-16 22:33 . 2007-03-16 22:33 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-03-16 22:33 . 2007-03-16 22:33 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-03-16 22:33 . 2007-03-16 22:33 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2009-08-14 16:50 . 2009-08-14 16:50 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2009-08-14 17:33 . 2009-08-14 17:33 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-31 4616064]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]

"RtHDVCpl"="RtHDVCpl.exe" [2007-05-08 4374528]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]

"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]

"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-12-12 312200]

"dlcqmon.exe"="c:\program files\Dell Photo AIO Printer 966\dlcqmon.exe" [2007-01-12 292336]

"DLCQCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-10-16 106496]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-13 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-13 8497696]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-13 81920]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-1-19 711472]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-8-2 610120]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-07-19 22:29 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2007-10-18 16:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

.

R2 0213611324512046mcinstcleanup;McAfee Application Installer Cleanup (0213611324512046);c:\windows\TEMP\021361~1.EXE [x]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 23:33]

.

2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 23:33]

.

2011-12-31 c:\windows\Tasks\Norton Security Scan for Eric.job

- c:\progra~1\NORTON~1\NORTON~1\Engine\301~1.8\Nss.exe [2011-01-11 04:47]

.

2012-01-06 c:\windows\Tasks\User_Feed_Synchronization-{53CF0712-FC3E-411B-B93E-104173FC8404}.job

- c:\windows\system32\msfeedssync.exe [2011-05-19 22:10]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mail.google.com/mail/#inbox

mStart Page = hxxp://www.alienware.com/mothership

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

LSP: c:\windows\system32\wpclsp.dll

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{BA707ACE-D004-4A79-905F-6E7B6E65E099}: NameServer = 8.8.8.8

FF - ProfilePath - c:\users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\cydrn59k.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Norton Toolbar: {7BA52691-1876-45ce-9EE6-54BCB3B04BBC} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn

FF - Ext: McAfee SiteAdvisor: {4ED1F68A-5463-4931-9384-8FFF5ED91D92} - c:\program files\McAfee\SiteAdvisor

FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Eric\AppData\Roaming\Move Networks

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-05 20:09

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCQCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.3.6\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.3.6\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,38,12,8d,ec,f8,

7b,2b,25,27,06,e7,c4,bc,f0,98,15,0d,de

"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}"=hex:51,66,7a,6c,4c,1d,38,12,26,bd,a8,

0a,e6,f4,22,0e,f1,4c,12,2a,bb,94,a4,70

"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,

02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7

"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,38,12,60,d8,39,

64,cd,04,79,07,f5,b7,d6,9a,c1,81,e0,1c

"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,38,12,ea,ef,40,

69,9c,24,e9,02,d1,f8,b7,22,8a,5f,45,18

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,

aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83

"{B164E929-A1B6-4A06-B104-2CD0E90A88FF}"=hex:51,66,7a,6c,4c,1d,38,12,47,ea,77,

b5,84,ef,68,0f,ce,12,6f,90,ec,54,cc,eb

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,

fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17

"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,

b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:1f,3a,9c,78,ed,c9,cc,01

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(4452)

c:\windows\system32\btmmhook.dll

c:\windows\system32\fdproxy.dll

.

Completion time: 2012-01-05 20:14:05

ComboFix-quarantined-files.txt 2012-01-06 01:13

ComboFix2.txt 2012-01-05 00:03

ComboFix3.txt 2012-01-04 01:36

.

Pre-Run: 37,107,855,360 bytes free

Post-Run: 38,362,492,928 bytes free

.

- - End Of File - - 9F4072FC539C21FC276514DC0764D771

LDTate · January 6, 2012

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

FireFox::
FF - ProfilePath - c:\users\Eric\AppData\Roaming\Mozilla\Firefox\Profiles\cydrn59k.default\
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Eric\AppData\Roaming\Move Networks

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

biffgnar · January 6, 2012

Copied the text in and after I got the start window for Combofix everything froze. Had to reboot. Froze again trying to get back here. I must have screwed up something.

LDTate · January 6, 2012

Try uninstalling FireFox and download a fresh copy.

Be sure to export your FF favorites, etc first.

Click the link and download FireFox and give it a try.

http://www.mozilla.com/firefox/

biffgnar · January 6, 2012

Try uninstalling FireFox and download a fresh copy.
Be sure to export your FF favorites, etc first.
Click the link and download FireFox and give it a try.
http://www.mozilla.com/firefox/

Done. Doesn't seem to have changed anything.

LDTate · January 6, 2012

Run a new combofix

biffgnar · January 7, 2012

ComboFix 12-01-06.03 - Eric 01/06/2012 18:28:05.5.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.700 [GMT -5:00]

Running from: c:\users\Eric\Desktop\ComboFix2.exe

AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))

.

2012-01-06 23:40 . 2012-01-06 23:40 -------- d-----w- c:\users\Eric\AppData\Local\temp

2012-01-06 23:40 . 2012-01-06 23:40 -------- d-----w- c:\users\Rachel\AppData\Local\temp

2012-01-06 23:40 . 2012-01-06 23:40 -------- d-----w- c:\users\Joshua\AppData\Local\temp

2012-01-06 23:40 . 2012-01-06 23:40 -------- d-----w- c:\users\Heather\AppData\Local\temp

2012-01-06 23:40 . 2012-01-06 23:40 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-06 23:40 . 2012-01-06 23:40 -------- d-----w- c:\users\Cindy\AppData\Local\temp

2012-01-06 23:03 . 2012-01-06 23:03 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BA325CBF-E43A-48A2-B746-ED17AC54B987}\offreg.dll

2012-01-06 23:03 . 2011-11-30 07:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BA325CBF-E43A-48A2-B746-ED17AC54B987}\mpengine.dll

2012-01-06 22:42 . 2011-12-21 07:24 121816 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll