Apparently, I have been attacked by several different trojans etc. (googleupdater) in the last couple of days. McAfee will not scan. Spybot will not open or scan. Windows Defender scanned and cleaned a few things, and Trend Micro HouseCall also scanned and cleaned a few things.

After those two scanned, I started receiving the TotalSecurity2009 popups and screens. Another site directed me to disable it in startup and delete it from Task Manager. I did that. After a couple of hours it was back, harassing me with the popups/screens.

I also have issues with MSN forums & Hotmail, as well as when searching with Google: when I click a link it goes to things other than the site I clicked on.

I found instructions to download Process Explorer and rename it iexplorer. I did download it and then got scared and deleted it. I'm so confused now as to what is legitimate help and what is not, and I remembered the forum here and feel safe here.

I can still access the internet and safe mode, if you need to know that.

Here's my HijackThis log as directed. Thank you in advance for your help.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:40:10 PM, on 9/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\IDrive\IDriveE Service.exe

C:\Program Files\IDrive\IDriveWebM.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\AT&T\Internet Security Wizard\ISW.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\370\LOCALS~1\Temp\login.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\IDrive\IDriveETray.exe

C:\Program Files\IDrive\IDriveEBackground.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swagbucks.com/?cmd=home

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

R3 - URLSearchHook: twitter search Toolbar - {e85b2fb9-5de8-4565-83bd-302de8e528d1} - C:\Program Files\twitter_search\tbtwi1.dll

R3 - URLSearchHook: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: C:\WINDOWS\system32\nzfiu3h78di.dll - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\nzfiu3h78di.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: twitter search Toolbar - {e85b2fb9-5de8-4565-83bd-302de8e528d1} - C:\Program Files\twitter_search\tbtwi1.dll

O3 - Toolbar: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [iSW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iDriveE Startup] "C:\Program Files\IDrive\IDrvieEStartup.exe" Hide

O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe

O4 - HKCU\..\Run: [WIndows Rescue Disk] C:\DOCUME~1\370\LOCALS~1\Temp\login.exe

O4 - HKCU\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe

O4 - Startup: IDrive Tray.lnk = C:\Program Files\IDrive\IDriveEReg2ini.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.att.net

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.xdrive.com/downloads/std_install/setup.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O21 - SSODL: domehajus - {365d81ab-c128-41e9-a1f4-b44155aa2a97} - c:\windows\system32\fegenope.dll (file missing)

O22 - SharedTaskScheduler: ksfe98wjkodsngiwiojndg873hundggdd - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\nzfiu3h78di.dll

O22 - SharedTaskScheduler: jugezatag - {365d81ab-c128-41e9-a1f4-b44155aa2a97} - c:\windows\system32\fegenope.dll (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: IDriveE Service - Pro Softnet Corporation - C:\Program Files\IDrive\IDriveE Service.exe

O23 - Service: IDrivePlugin - Pro-Softnet - C:\Program Files\IDrive\IDriveWebM.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 11476 bytes

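As an added example that is not part of this thread or of HijackThis itself, a small Python first-pass triage of HijackThis v2 entries: it parses the R/F/O line format shown in the log above and flags the patterns a helper looks at first (an autostart launched from a Temp directory, a random-looking module name in system32, a load point whose file is missing, and an O7 policy that disables regedit). The sample lines are constructed from entries in the posted log; the rules are heuristics that point a human at entries to inspect, not a verdict on any of them.

```python
"""First-pass triage of HijackThis v2 log entries (added example, not a HijackThis tool).

Every Finding is a heuristic pointer for a human analyst, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2 line format; the entries mirror
# lines from the log quoted above, joined back onto single lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swagbucks.com/?cmd=home
O2 - BHO: C:\WINDOWS\system32\nzfiu3h78di.dll - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\nzfiu3h78di.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [WIndows Rescue Disk] C:\DOCUME~1\370\LOCALS~1\Temp\login.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: domehajus - {365d81ab-c128-41e9-a1f4-b44155aa2a97} - c:\windows\system32\fegenope.dll (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# "O4 - <body>": the section code and everything after the dash.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A Windows path up to an executable-like extension; trailing switches and GUIDs are left behind.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys|cpl)\b", re.IGNORECASE)
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\(?:WINDOWS|WINNT)\\system32\\[^\\]+$", re.IGNORECASE)
# Rough "machine-generated name" test: 8+ alphanumerics mixing letters with at least two digits.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=(?:.*\d){2})[a-z0-9]{8,}$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # why an analyst should look at this entry
    line: str    # the log line, verbatim


def paths_in(body: str) -> list[str]:
    """Return the distinct Windows paths referenced by one log entry."""
    return list(dict.fromkeys(PATH_RE.findall(body)))


def check_entry(code: str, body: str, line: str) -> list[Finding]:
    """Apply the first-pass rules to a single HijackThis entry."""
    found: list[Finding] = []
    # O7 entries are user policies; rogue "security" products often lock out regedit/taskmgr.
    if code == "O7" and re.search(r"Disable(?:Regedit|TaskMgr)=1", body):
        found.append(Finding(code, "policy disables an admin tool", line))
    # A load point whose target is gone is still evaluated at logon: an orphan to clean up.
    if "(file missing)" in body:
        found.append(Finding(code, "load point references a missing file", line))
    for path in paths_in(body):
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if code == "O4" and TEMP_RE.search(path):
            found.append(Finding(code, "autostart runs from a Temp directory", line))
        if SYSTEM32_RE.search(path) and RANDOM_NAME_RE.match(stem):
            found.append(Finding(code, "random-looking module name in system32", line))
    return found


def triage(log_text: str) -> list[Finding]:
    """Parse a HijackThis log and return every entry that trips a rule, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the running-process list, blank lines
        findings.extend(check_entry(m["code"], m["body"], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<5}{f.reason:<42}{f.line}")
```

Entries such as the braviax.exe autostart pass these rules untouched, which is the point: the script narrows the list for the helper, it does not replace the read-through.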

Welcome to the forum, LisaB.

Visit the webpage below for instructions for downloading and running ComboFix:

But prior to running, please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it.

A right-click disable is not enough; they need to be thoroughly disabled.

Please visit HERE if you don't know how. http://www.bleepingcomputer.com/forums/topic114351.html

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post ComboFix's log, which will open automatically when complete; if not, it is located here: C:\combofix.txt

Note: If Windows auto-update comes up, cancel it for now.

For others looking for a solution, please do not try my advice to this user, post for help yourself.


LonnyRJ: Thanks for your reply. I have done the step-by-steps to run ComboFix. It is sitting on my desktop and will not respond, just like Malwarebytes. I disabled all security programs that I know of and that were on the instructions (McAfee, Windows Defender).

When I click on the combofix icon it does nothing.

Waiting for your instructions to follow,

LisaB


LonnyRJ: Yey! I finally got it to run. It didn't go step by step like the instructions said, but here is the ComboFix log:

ComboFix 09-09-22.03 - 370 09/23/2009 13:30.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.190 [GMT -5:00]

Running from: c:\documents and settings\370\Desktop\iexplorer.com.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\370\LOCALS~1\Temp\taskmgr.exe

c:\docume~1\370\LOCALS~1\Temp\winlogon.exe

C:\p2hhr.bat

c:\program files\\setup.exe

c:\recycler\NPROTECT

c:\windows\a3kebook.ini

c:\windows\akebook.ini

c:\windows\ANS2000.INI

c:\windows\COUPON~1.OCX

c:\windows\CouponPrinter.ocx

c:\windows\Installer\1b98aba.msp

c:\windows\Installer\1b98abb.msp

c:\windows\Installer\2f08e7.msi

c:\windows\system32\_000009_.tmp.dll

c:\windows\system32\_000025_.tmp.dll

c:\windows\system32\_000111_.tmp.dll

c:\windows\system32\~.exe

c:\windows\system32\18467.exe

c:\windows\system32\41.exe

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\lowsec\user.ds.lll

c:\windows\system32\nzfiu3h78di.dll

c:\windows\system32\sdra64.exe

c:\windows\system32\vajafeti.exe

c:\windows\system32\volizita.dll

c:\windows\system32\wbem\proquota.exe

c:\windows\system32\wewusigo.exe

c:\windows\system32\wisdstr.exe

c:\windows\system32\wscsvc32.exe

c:\windows\system32\yojonaso.dll

c:\windows\system32\zeyoheko.exe

D:\Autorun.inf

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))

.

2009-09-23 18:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-23 18:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-09-21 03:04 . 2009-09-21 03:04 -------- d-----w- c:\program files\Trend Micro

2009-09-21 01:00 . 2009-09-21 01:07 10752 ----a-w- c:\windows\DCEBoot.exe

2009-09-19 16:55 . 2009-09-19 16:55 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2009-09-19 15:59 . 2009-09-19 15:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-19 15:20 . 2009-09-19 15:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-09-19 01:42 . 2009-09-19 01:42 -------- d-----w- c:\documents and settings\370\Application Data\McAfee

2009-09-18 16:01 . 2009-09-23 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\11795314

2009-09-18 03:47 . 2009-09-18 03:47 17920 ----a-w- C:\joxa.exe

2009-09-18 03:47 . 2009-09-18 03:47 49152 ----a-w- C:\vhlyrkv.exe

2009-09-18 03:47 . 2009-09-18 03:47 73728 ----a-w- C:\kqjopjiq.exe

2009-09-18 03:47 . 2009-09-18 03:47 6656 ----a-w- C:\rhjdpc.exe

2009-09-12 19:25 . 2009-09-12 19:26 -------- d-----w- c:\documents and settings\370\Local Settings\Application Data\Swag_Bucks

2009-09-12 19:25 . 2009-09-12 19:25 -------- d-----w- c:\program files\Swag_Bucks

2009-09-11 15:32 . 2009-09-11 15:32 -------- d-----w- c:\program files\Conduit

2009-09-11 15:32 . 2009-09-11 15:32 -------- d-----w- c:\documents and settings\370\Local Settings\Application Data\Conduit

2009-09-11 15:32 . 2009-09-12 13:39 -------- d-----w- c:\documents and settings\370\Local Settings\Application Data\twitter_search

2009-09-11 15:32 . 2009-09-11 15:34 -------- d-----w- c:\program files\twitter_search

2009-09-11 15:31 . 2009-09-11 15:31 1495312 ----a-w- c:\program files\twitter_search0.exe

2009-09-10 23:13 . 2009-09-10 23:13 4155512 ----a-w- c:\program files\greetingcardcreator.exe

2009-09-09 15:24 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-03 14:47 . 2009-09-03 14:48 1594640 ----a-w- c:\program files\Swag_Bucks.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-23 18:53 . 2009-01-02 12:23 -------- d-----w- c:\program files\IDrive

2009-09-23 16:07 . 2007-10-19 02:41 -------- d-----w- c:\program files\calendarmakereval

2009-09-19 19:41 . 2007-10-05 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-19 18:01 . 2009-06-19 18:01 88064 --sha-w- c:\windows\system32\vofehafi.dll

2009-09-19 15:26 . 2006-10-29 17:21 84880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-19 04:00 . 2009-06-19 04:00 89088 --sha-w- c:\windows\system32\vimoveta.dll

2009-09-19 01:42 . 2008-11-28 13:41 -------- d-----w- c:\program files\McAfee

2009-09-19 01:42 . 2008-11-28 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-19 00:06 . 2006-06-18 14:19 682 ----a-w- c:\documents and settings\370\Application Data\wklnhst.dat

2009-09-18 19:40 . 2007-05-24 12:56 5120 --sha-w- c:\program files\Thumbs.db

2009-09-18 16:01 . 2009-06-18 16:00 49664 --sha-w- c:\windows\system32\murevalo.dll

2009-09-18 15:30 . 2006-02-05 13:27 -------- d-----w- c:\program files\Java

2009-09-13 03:14 . 2007-12-24 08:10 -------- d-----w- c:\program files\Coupons

2009-09-12 13:28 . 2009-09-12 13:28 104 ----a-w- c:\program files\Shortcut to Microsoft Outlook.lnk

2009-09-12 13:28 . 2006-07-03 06:51 -------- d-----w- c:\program files\AT&T

2009-09-11 02:14 . 2008-11-28 18:49 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-08-18 14:42 . 2006-06-01 05:21 84880 ----a-w- c:\documents and settings\370\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-10 04:46 . 2009-08-10 04:46 -------- d-----w- c:\program files\MSBuild

2009-08-10 04:46 . 2009-08-10 04:46 -------- d-----w- c:\program files\Reference Assemblies

2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-25 10:23 . 2008-11-08 19:29 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 08:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-23 16:43 . 2009-05-23 16:43 1014 ----a-w- c:\program files\PhotoImpression 2000.lnk

2009-05-11 21:50 . 2007-12-20 03:59 1277680 ----a-w- c:\program files\CouponPrinter.exe

2009-03-01 05:43 . 2009-03-01 05:43 780 ----a-w- c:\program files\GIMP 2.lnk

2009-01-02 12:23 . 2009-01-02 12:23 1570 ----a-w- c:\program files\IDrive.lnk

2009-01-02 12:21 . 2009-01-02 12:21 9285608 ----a-w- c:\program files\IDriveSetup.exe

2008-12-01 04:17 . 2008-12-01 04:17 7513456 ----a-w- c:\program files\rminstall.exe

2008-11-30 15:33 . 2008-11-30 15:33 3487115 ----a-w- c:\program files\RegistryPatrolSetup.exe

2008-11-30 04:54 . 2008-11-30 04:53 8009920 ----a-w- c:\program files\SpywareTerminator_Setup.exe

2008-11-29 17:53 . 2008-11-29 17:53 5154304 ----a-w- c:\program files\WindowsDefender.msi

2008-11-29 17:35 . 2008-11-29 17:35 3523632 ----a-w- c:\program files\XoftSpySE_Setup_RW.exe

2008-11-28 13:30 . 2008-11-28 13:30 1226248 ----a-w- c:\program files\DMSetup-Serial.exe

2007-11-28 23:41 . 2007-11-28 23:41 3673721 ----a-w- c:\program files\pixplay270.exe

2007-11-03 19:18 . 2007-11-03 19:18 171 ----a-w- c:\program files\Broderbund.com.url

2007-09-03 23:22 . 2007-09-03 23:22 7026346 ----a-w- c:\program files\vicman.exe

2007-09-03 18:45 . 2007-09-03 18:44 2228534 ----a-w- c:\program files\audacity-win-1.2.6.exe

2007-05-13 21:00 . 2007-05-13 21:00 45026 ----a-w- c:\program files\mothersday.jpg

2007-05-13 14:03 . 2007-05-13 14:03 37873216 ----a-w- c:\program files\iTunesSetup.exe

2006-12-25 02:45 . 2006-12-25 02:45 520976 ----a-w- c:\program files\santasetup.exe

2006-08-11 23:06 . 2006-08-11 23:06 916 ----a-w- c:\program files\webdl.symantec.htm

2006-07-03 06:59 . 2006-07-03 06:59 2624 ----a-w- c:\program files\reconfigure34f7df37.ins

2006-02-05 13:19 . 2006-02-05 13:19 1284 ----a-w- c:\program files\Extended Service.LNK

2006-07-04 05:35 . 2006-07-04 05:35 22 --sha-w- c:\windows\SMINST\HPCD.sys

2009-06-19 18:01 . 2009-06-19 18:01 50688 --sha-w- c:\windows\system32\vopuvemi.dll

2009-06-18 03:48 . 2009-06-18 03:48 49152 --sha-w- c:\windows\system32\vorosuka.dll.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{e85b2fb9-5de8-4565-83bd-302de8e528d1}"= "c:\program files\twitter_search\tbtwi1.dll" [2009-09-11 2215960]

"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{e85b2fb9-5de8-4565-83bd-302de8e528d1}]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{e85b2fb9-5de8-4565-83bd-302de8e528d1}"= "c:\program files\twitter_search\tbtwi1.dll" [2009-09-11 2215960]

"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{e85b2fb9-5de8-4565-83bd-302de8e528d1}]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{E85B2FB9-5DE8-4565-83BD-302DE8E528D1}"= "c:\program files\twitter_search\tbtwi1.dll" [2009-09-11 2215960]

"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{e85b2fb9-5de8-4565-83bd-302de8e528d1}]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2008-11-06 87504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]

"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-04-09 1176808]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]

"HP Metrics"="c:\program files\HP\Personal Printing Solutions Product Research\HP Product Research.exe" [2003-09-08 368640]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\370\Start Menu\Programs\Startup\

IDrive Tray.lnk - c:\program files\IDrive\IDriveEReg2ini.exe [2009-1-2 208896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-4 176128]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\msncall.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\AT&T\\Internet Security Wizard\\ISW.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=

"c:\\Program Files\\HPQ\\Quick Launch Buttons\\eabservr.exe"=

"c:\\Program Files\\Hp\\HP Software Update\\hpwuSchd2.exe"=

"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe"=

"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=

R2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [1/2/2009 7:23 AM 131072]

R2 IDrivePlugin;IDrivePlugin;c:\program files\IDrive\IDriveWebM.exe [1/2/2009 7:23 AM 58832]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/28/2008 8:48 AM 203280]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/11/2008 12:13 AM 33752]

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [5/4/2007 8:06 PM 9344]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-22 c:\windows\Tasks\mcafeequickclean.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-28 13:57]

2009-08-16 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-28 13:57]

2009-03-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-28 13:57]

2009-09-23 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-04-30 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-09-23 c:\windows\Tasks\User_Feed_Synchronization-{5AB80DCD-A80A-4627-9107-4373D05F996D}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.swagbucks.com/?cmd=home

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: blogger.com\www

Trusted Zone: internet

Trusted Zone: mcafee.com

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-posogageb - c:\windows\system32\fegenope.dll

HKLM-Run-11795314 - c:\documents and settings\All Users\Application Data\11795314\11795314.exe

SharedTaskScheduler-{365d81ab-c128-41e9-a1f4-b44155aa2a97} - (no file)

SSODL-domehajus-{365d81ab-c128-41e9-a1f4-b44155aa2a97} - (no file)

SafeBoot-mfehidk

SafeBoot-mferkdk

SafeBoot-mfetdik

SafeBoot-mfetdik.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-23 13:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,43,2e,17,13,16,b2,43,b3,f6,40,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,43,2e,17,13,16,b2,43,b3,f6,40,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2616)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\program files\Apoint2K\ApntEx.exe

c:\program files\IDrive\IDriveETray.exe

c:\program files\IDrive\IDriveEBackground.exe

c:\program files\Symantec\LiveUpdate\AUPDATE.EXE

c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

.

**************************************************************************

.

Completion time: 2009-09-23 14:01 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-23 19:01

Pre-Run: 43,876,601,856 bytes free

Post-Run: 44,710,342,656 bytes free

311 --- E O F --- 2009-09-15 12:45

What now boss?

Rename combofix.exe to iexplorer.com

restart your PC then attempt to run the program.


Good

Now run mbam update to a quickscan, take action on items found and post the log.

If you were prompted to restart the PC do so now.

Next, go here to run an online scanner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


LonnyRJ: Here's the quickscan mbam log. I'm off to run the eset.

Malwarebytes' Anti-Malware 1.41

Database version: 2854

Windows 5.1.2600 Service Pack 3

9/23/2009 10:02:49 PM

mbam-log-2009-09-23 (22-02-49).txt

Scan type: Quick Scan

Objects scanned: 108397

Time elapsed: 13 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 1

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\11795314 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\joxa.exe (Trojan.Sasfis) -> Quarantined and deleted successfully.

C:\kqjopjiq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\vhlyrkv.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\murevalo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vorosuka.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\11795314\11795314 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\11795314\pc11795314ins (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\rhjdpc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


LonnyRJ: Here's what the eset log says. Not much. Did I do something wrong?

Log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251


You might try this one instead

Perform an online scan with Panda ActiveScan

  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on RegisterPandaActiveScan_step3_register.jpg
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
    Panda2_export_button.jpg
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your next post

* Turn off the real time scanner of any existing antivirus program while performing the online scan


LonnyRJ: I ran the eset again (before you replied and requested Panda to be run). After it ran I received a popup for RegistryCure, which I clicked on red x. Eset found 8 threats but of course did not remove them.

I'm awaiting your instructions to proceed. I really appreciate all your wonderful help. Computer is booting up without errors and running more efficiently than before.

Here is the log from the second run:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

# version=6

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=39a2f3208a21d0429b16b270119a5a4e

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2009-09-24 08:27:40

# local_time=2009-09-24 03:27:40 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5121 37 100 88 115038885312500

# compatibility_mode=5889 61 66 100 782132705312500

# scanned=114712

# found=8

# cleaned=0

# scan_time=9960

C:\Qoobox\Quarantine\C\WINDOWS\system32\sdra64.exe.vir Win32/Spy.Zbot.UN trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\vajafeti.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\volizita.dll.vir a variant of Win32/Adware.Virtumonde.NFM application 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir a variant of Win32/Kryptik.ANC trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\yojonaso.dll.vir a variant of Win32/Kryptik.AOD trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Kryptik.ANC trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACxyjdkrpfsx.sys.vir a variant of Win32/Olmarik.HI trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir a variant of Win32/Kryptik.ANC trojan 00000000000000000000000000000000 I


LonnyRJ

Here's the most recent log from combofix. It froze up at the end right after posting the log.

I don't remember anything else about the Registry Cure except that it was a pop up window telling me how many files were infected. It was almost identical to the Total Security window. I assumed it was spyware/trojan/virus etc and I clicked the red x.

I have no idea what the twitter search is or how to get rid of it. I do use twitter but don't remember downloading anything. I'll check.

As far as removing swagbucks. Do you mind me asking what you are referring to? I have swagbucks set as my home page. I also have a swagbucks search/tool bar. Are these not ok to have?

ComboFix 09-09-23.02 - 370 09/24/2009 19:22.3.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.284 [GMT -5:00]

Running from: c:\documents and settings\370\Desktop\iexplorer.com.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\COUPON~1.OCX

c:\windows\CouponPrinter.ocx

c:\windows\system32\BSTIEPrintCtl1.dll

.

((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))

.

2009-09-24 03:27 . 2009-09-24 03:27 -------- d-----w- c:\program files\ESET

2009-09-24 02:36 . 2009-09-24 02:36 -------- d-----w- c:\documents and settings\370\Application Data\Malwarebytes

2009-09-24 02:35 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-24 02:35 . 2009-09-24 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-24 02:35 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-24 02:35 . 2009-09-24 03:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-23 18:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-23 18:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-09-23 18:28 . 2009-09-23 19:01 -------- d-----w- C:\iexplorer.com

2009-09-21 03:04 . 2009-09-21 03:04 -------- d-----w- c:\program files\Trend Micro

2009-09-21 01:00 . 2009-09-21 01:07 10752 ----a-w- c:\windows\DCEBoot.exe

2009-09-19 16:55 . 2009-09-19 16:55 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2009-09-19 15:59 . 2009-09-19 15:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-19 15:20 . 2009-09-19 15:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-09-19 01:42 . 2009-09-19 01:42 -------- d-----w- c:\documents and settings\370\Application Data\McAfee

2009-09-12 19:25 . 2009-09-12 19:26 -------- d-----w- c:\documents and settings\370\Local Settings\Application Data\Swag_Bucks

2009-09-12 19:25 . 2009-09-12 19:25 -------- d-----w- c:\program files\Swag_Bucks

2009-09-11 15:32 . 2009-09-11 15:32 -------- d-----w- c:\program files\Conduit

2009-09-11 15:32 . 2009-09-11 15:32 -------- d-----w- c:\documents and settings\370\Local Settings\Application Data\Conduit

2009-09-11 15:32 . 2009-09-12 13:39 -------- d-----w- c:\documents and settings\370\Local Settings\Application Data\twitter_search

2009-09-11 15:32 . 2009-09-11 15:34 -------- d-----w- c:\program files\twitter_search

2009-09-11 15:31 . 2009-09-11 15:31 1495312 ----a-w- c:\program files\twitter_search0.exe

2009-09-10 23:13 . 2009-09-10 23:13 4155512 ----a-w- c:\program files\greetingcardcreator.exe

2009-09-09 15:24 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-03 14:47 . 2009-09-03 14:48 1594640 ----a-w- c:\program files\Swag_Bucks.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-24 12:14 . 2009-01-02 12:23 -------- d-----w- c:\program files\IDrive

2009-09-24 00:59 . 2007-12-24 08:10 -------- d-----w- c:\program files\Coupons

2009-09-23 16:07 . 2007-10-19 02:41 -------- d-----w- c:\program files\calendarmakereval

2009-09-19 19:41 . 2007-10-05 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-19 15:26 . 2006-10-29 17:21 84880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-19 01:42 . 2008-11-28 13:41 -------- d-----w- c:\program files\McAfee

2009-09-19 01:42 . 2008-11-28 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-19 00:06 . 2006-06-18 14:19 682 ----a-w- c:\documents and settings\370\Application Data\wklnhst.dat

2009-09-18 19:40 . 2007-05-24 12:56 5120 --sha-w- c:\program files\Thumbs.db

2009-09-18 15:30 . 2006-02-05 13:27 -------- d-----w- c:\program files\Java

2009-09-12 13:28 . 2009-09-12 13:28 104 ----a-w- c:\program files\Shortcut to Microsoft Outlook.lnk

2009-09-12 13:28 . 2006-07-03 06:51 -------- d-----w- c:\program files\AT&T

2009-09-11 02:14 . 2008-11-28 18:49 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-08-18 14:42 . 2006-06-01 05:21 84880 ----a-w- c:\documents and settings\370\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-10 04:46 . 2009-08-10 04:46 -------- d-----w- c:\program files\MSBuild

2009-08-10 04:46 . 2009-08-10 04:46 -------- d-----w- c:\program files\Reference Assemblies

2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-25 10:23 . 2008-11-08 19:29 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 15:08 . 2004-08-04 08:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-08-04 08:00 915456 ------w- c:\windows\system32\wininet.dll

2009-05-23 16:43 . 2009-05-23 16:43 1014 ----a-w- c:\program files\PhotoImpression 2000.lnk

2009-05-11 21:50 . 2007-12-20 03:59 1277680 ----a-w- c:\program files\CouponPrinter.exe

2009-03-01 05:43 . 2009-03-01 05:43 780 ----a-w- c:\program files\GIMP 2.lnk

2009-01-02 12:23 . 2009-01-02 12:23 1570 ----a-w- c:\program files\IDrive.lnk

2009-01-02 12:21 . 2009-01-02 12:21 9285608 ----a-w- c:\program files\IDriveSetup.exe

2008-12-01 04:17 . 2008-12-01 04:17 7513456 ----a-w- c:\program files\rminstall.exe

2008-11-30 15:33 . 2008-11-30 15:33 3487115 ----a-w- c:\program files\RegistryPatrolSetup.exe

2008-11-30 04:54 . 2008-11-30 04:53 8009920 ----a-w- c:\program files\SpywareTerminator_Setup.exe

2008-11-29 17:53 . 2008-11-29 17:53 5154304 ----a-w- c:\program files\WindowsDefender.msi

2008-11-29 17:35 . 2008-11-29 17:35 3523632 ----a-w- c:\program files\XoftSpySE_Setup_RW.exe

2008-11-28 13:30 . 2008-11-28 13:30 1226248 ----a-w- c:\program files\DMSetup-Serial.exe

2007-11-28 23:41 . 2007-11-28 23:41 3673721 ----a-w- c:\program files\pixplay270.exe

2007-11-03 19:18 . 2007-11-03 19:18 171 ----a-w- c:\program files\Broderbund.com.url

2007-09-03 23:22 . 2007-09-03 23:22 7026346 ----a-w- c:\program files\vicman.exe

2007-09-03 18:45 . 2007-09-03 18:44 2228534 ----a-w- c:\program files\audacity-win-1.2.6.exe

2007-05-13 21:00 . 2007-05-13 21:00 45026 ----a-w- c:\program files\mothersday.jpg

2007-05-13 14:03 . 2007-05-13 14:03 37873216 ----a-w- c:\program files\iTunesSetup.exe

2006-12-25 02:45 . 2006-12-25 02:45 520976 ----a-w- c:\program files\santasetup.exe

2006-08-11 23:06 . 2006-08-11 23:06 916 ----a-w- c:\program files\webdl.symantec.htm

2006-07-03 06:59 . 2006-07-03 06:59 2624 ----a-w- c:\program files\reconfigure34f7df37.ins

2006-02-05 13:19 . 2006-02-05 13:19 1284 ----a-w- c:\program files\Extended Service.LNK

2006-07-04 05:35 . 2006-07-04 05:35 22 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-09-23_18.52.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-06-01 05:09 . 2009-09-24 20:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2006-06-01 05:09 . 2009-09-23 17:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2006-06-01 05:09 . 2009-09-24 20:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2006-06-01 05:09 . 2009-09-23 17:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-06-16 01:40 . 2009-09-23 17:46 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2009-06-16 01:40 . 2009-09-24 20:41 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2009-09-23 21:53 . 2009-09-24 20:41 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2006-06-01 05:09 . 2009-09-23 17:46 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{e85b2fb9-5de8-4565-83bd-302de8e528d1}"= "c:\program files\twitter_search\tbtwi1.dll" [2009-09-11 2215960]

"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{e85b2fb9-5de8-4565-83bd-302de8e528d1}]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{e85b2fb9-5de8-4565-83bd-302de8e528d1}"= "c:\program files\twitter_search\tbtwi1.dll" [2009-09-11 2215960]

"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{e85b2fb9-5de8-4565-83bd-302de8e528d1}]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{E85B2FB9-5DE8-4565-83BD-302DE8E528D1}"= "c:\program files\twitter_search\tbtwi1.dll" [2009-09-11 2215960]

"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{e85b2fb9-5de8-4565-83bd-302de8e528d1}]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2008-11-06 87504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]

"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-04-09 1176808]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]

"HP Metrics"="c:\program files\HP\Personal Printing Solutions Product Research\HP Product Research.exe" [2003-09-08 368640]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\370\Start Menu\Programs\Startup\

IDrive Tray.lnk - c:\program files\IDrive\IDriveEReg2ini.exe [2009-1-2 208896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-4 176128]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\msncall.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\AT&T\\Internet Security Wizard\\ISW.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=

"c:\\Program Files\\HPQ\\Quick Launch Buttons\\eabservr.exe"=

"c:\\Program Files\\Hp\\HP Software Update\\hpwuSchd2.exe"=

"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe"=

"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [5/4/2007 8:06 PM 9344]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-22 c:\windows\Tasks\mcafeequickclean.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-28 13:57]

2009-08-16 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-28 13:57]

2009-03-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-28 13:57]

2009-09-24 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-09-24 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-09-24 c:\windows\Tasks\User_Feed_Synchronization-{5AB80DCD-A80A-4627-9107-4373D05F996D}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.swagbucks.com/?cmd=home

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: blogger.com\www

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-24 19:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,43,2e,17,13,16,b2,43,b3,f6,40,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,43,2e,17,13,16,b2,43,b3,f6,40,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)

c:\windows\system32\igfxdev.dll

.

Completion time: 2009-09-25 19:42

ComboFix-quarantined-files.txt 2009-09-25 00:42

ComboFix2.txt 2009-09-23 19:01

Pre-Run: 44,699,394,048 bytes free

Post-Run: 44,674,179,072 bytes free

241 --- E O F --- 2009-09-15 12:45

ESET's scan is OK; those items are what ComboFix quarantined.

Explain more about this RegistryCure message?

Optional recommended items to uninstall

twitter_search and Swag_Bucks

Run Combofix (let it update) and post its log once more please.


twitter search should be uninstalled in my opinion, marked as optional here

http://www.systemlookup.com/lists.php?list...;search=twitter

As you can see in the logs you've posted, parts of it are targeted

swagbucks looks related to the above; I'd remove it, but the choice is yours.

Uninstall combofix, go start run type

combofix /u

press Enter; you should see a confirmation message?

Are there any questions or current problems?


LonnyRJ: So my next step is to uninstall combofix? Am I cured?

The only other question I have is how do I prevent these problems. I used to use Spybot Search & Destroy. I've also used Panda and AVG in the past. None of them seem to play well with McAfee (which I don't like but my provider AT&T does). Maybe it was because I didn't know how to use them together or set them up. Is there a way to use one of these peacefully with McAfee?


Yes, you're good to go.

McAfee: get second opinions from free (well-known) antivirus online scans occasionally, once or even twice a month.

Think prevention: put in place a good hosts file.

http://www.mvps.org/winhelp2002/hosts.htm

Repeat that process about once or even twice a month.

To help avoid reinfection see "So how did I get infected in the first place?" http://www.malwarebytes.org/forums/index.p...65&hl=place?

Note: Make sure your programs are up to date; older versions may contain security leaks.

To find out what programs need to be updated, run the Secunia Software Inspector Scan.

http://secunia.com/software_inspector/

Surf safe.

LonnyRJ: When I get the HP popup box stating to update my HP laptop, should I do this? Which free antivirus do you recommend?


LonnyRJ: I'm so happy, I'm jumping up and down. Thank you so much for all your help. I will do as you have advised. The "host" thingy I will check into. I read a little about it already.

As far as the HP update popup box, it's just a little light blue box that pops up in the bottom right corner and says something to the effect that an update is available. I will write it down the next time it pops up.

Once again, thank you so much for your expertise.

LisaB

What is HP saying the update is?

If it is no longer under warranty you can uninstall that particular nuisance via Windows Add/Remove Programs.

We did on our old HP.

I'm currently using Avast; Avira and AVG are also good.

Do not install more than one antivirus.


LonnyRJ, now that I have had a few days to play around on the computer, I've noticed that it is very slow to respond when I want to open my Explorer browser to get on the internet. Also it hangs up a lot and displays the "not responding" window.

Do you have any suggestions for me?

LisaB

I'm glad we could help, LisaB.

This topic is now closed to further replies.