My Log


Recommended Posts

Let me provide some background first. I have twice used Malwarebytes with no problems, but this time (and I even downloaded the latest version from 9/9/9) I am getting the message "Unable to execute file c:\program files\Malwarebytes' Anti malware\mbam.exe. Create process failed; Code 2. The system cannot find the file specified." I followed directions for creating logs and, since I could not run the Malwarebytes scan, I am providing the HijackThis log below.

Thanks

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:31:14 AM, on 10/20/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\PGPserv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe

C:\WINDOWS\system32\winupdate.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Temp\_ex-08.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Eraser\Eraser.exe

C:\Documents and Settings\brmartin.AD\Application Data\seres.exe

C:\Documents and Settings\brmartin.AD\Application Data\svcst.exe

C:\DOCUME~1\brmartin.AD\LOCALS~1\Temp\notepad.exe

C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre1.5.0_12\bin\jucheck.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: ::1 localhost

O1 - Hosts: 209.44.111.62 surety.microsoft.com

O1 - Hosts: 209.44.111.62 aware-protect.com

O1 - Hosts: 209.44.111.62 www.aware-protect.com

O2 - BHO: C:\WINDOWS\system32\jjlghj.dll - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\jjlghj.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe

O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0

O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe

O4 - HKLM\..\Run: [unayifopawuqewid] rundll32.exe "C:\WINDOWS\uyusupahogevope.dll",Startup

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide

O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\brmartin.AD\Application Data\seres.exe

O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\brmartin.AD\Application Data\svcst.exe

O4 - HKCU\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0

O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\brmartin.AD\LOCALS~1\Temp\notepad.exe

O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O4 - Global Startup: PGPtray.exe.lnk = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.bu.edu

O17 - HKLM\Software\..\Telephony: DomainName = ad.bu.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.bu.edu

O20 - AppInit_DLLs: mad.dll PGPmapih.dll,fosifopu.dll

O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - C:\WINDOWS\system32\kkmemlnh.dll (file missing)

O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\jjlghj.dll

O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe

--

End of file - 7521 bytes

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Here's what I did, Rosty. I couldn't wait for a response, so I went ahead and downloaded the Anti-Malware program on my home computer, put it on a flash drive and then placed it on my work computer. That enabled me to run mbam.exe. I did the full scan and that seemed to work, except after it was done it said it could not delete a handful of files and that they would be added to the Delete on Reboot list. So, I re-booted and then I received a bunch of error messages to the effect that the image is not valid (mainly in .dll and .exe files). I just clicked out of all of them by saying OK, and my computer is working better and I am not getting the incessant messages popping up saying I need to download an anti-virus program. I did notice that the text below all of my desktop icons is now highlighted as if I clicked on them, but I didn't. I am re-running mbam.exe (the quick scan) to see if it comes up with anything else.

During the quick scan, Malwarebytes found 10 additional infections. Again, when I tried to remove selected files, I am getting a message saying that certain items could not be removed. All items that could not be removed have been added to the delete on reboot list.

I am pasting the log from the second (quick) run of the Anti-Malware program...

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 2

10/21/2009 9:56:37 AM

mbam-log-2009-10-21 (09-56-37).txt

Scan type: Quick Scan

Objects scanned: 186287

Time elapsed: 34 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\SYSTEM32\fujobila.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{d9fa0c23-4b0a-4153-b335-8274d440dbf5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miyoviboz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d9fa0c23-4b0a-4153-b335-8274d440dbf5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pajusumon (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fujobila.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fujobila.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\SYSTEM32\fujobila.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\brmartin.AD\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

I appreciate any help you can provide.

Can you please follow my first advice and download and run ComboFix?

Post that log here for me so I can take a look.

Sorry, Rosty, for getting impatient, but here it is...

ComboFix 09-10-20.03 - brmartin 10/21/2009 13:31.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.177 [GMT -4:00]

Running from: c:\documents and settings\brmartin.AD\My Documents\Downloads\ComboFix.exe

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\brmartin.AD\Application Data\lizkavd.exe

c:\documents and settings\brmartin.AD\Application Data\seres.exe

c:\documents and settings\brmartin.AD\Local Settings\Temporary Internet Files\Tvm.log

c:\documents and settings\brmartin.AD\ntuser.dll

c:\documents and settings\brmartin.AD\Start Menu\Programs\Startup\scandisk.dll

c:\documents and settings\brmartin.AD\Start Menu\Programs\Startup\scandisk.lnk

c:\documents and settings\brmartin\Local Settings\Temporary Internet Files\Tvm.log

c:\documents and settings\luziwei\Local Settings\Temporary Internet Files\Tvm.log

c:\program files\WinPCap

c:\program files\WinPCap\rpcapd.exe

c:\windows\Installer\4449403.msp

c:\windows\Installer\4449404.msp

c:\windows\Installer\4449405.msp

c:\windows\Installer\4449406.msp

c:\windows\Installer\4449407.msp

c:\windows\Installer\4449408.msp

c:\windows\system32\calc.dll

c:\windows\system32\config\systemprofile\ntuser.dll

c:\windows\system32\drivers\npf.sys

c:\windows\system32\fosifopu.dll.tmp

c:\windows\system32\gatinuro.dll

c:\windows\system32\hidekeli.dll.tmp

c:\windows\system32\juneteyo.dll

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\sikafupo.dll.tmp

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

c:\windows\system32\yesigoju.dll

c:\windows\uyusupahogevope.dll

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://wsus.bumc.bu.edu

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))

.

2009-10-21 17:42 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe

2009-10-21 17:42 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-10-21 11:01 . 2009-10-21 11:01 -------- d-----w- c:\windows\Sun

2009-10-21 09:32 . 2009-10-21 13:55 -------- d-----w- c:\program files\MWdump

2009-10-20 14:34 . 2009-10-20 14:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-10-20 14:30 . 2009-10-20 14:30 -------- d-----w- c:\program files\Trend Micro

2009-10-20 13:41 . 2009-10-21 09:31 0 ----a-w- c:\windows\Gqutubovisidubad.bin

2009-10-20 13:41 . 2009-10-21 11:32 120 ----a-w- c:\windows\Bmoqahukurubohoj.dat

2009-10-20 13:41 . 2009-10-20 13:41 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\{23E74077-D5D0-42F5-83CE-DEC845862F9D}

2009-10-20 13:26 . 2009-10-20 13:26 27648 ----a-w- C:\vyiy.exe

2009-10-20 13:26 . 2009-10-20 13:26 53248 ----a-w- C:\ldvx.exe

2009-10-20 13:26 . 2009-10-20 13:26 23040 ----a-w- C:\dtacmawh.exe

2009-10-20 13:26 . 2009-10-20 13:26 19456 ----a-w- C:\chhite.exe

2009-10-20 13:26 . 2009-10-20 13:26 50688 ----a-w- C:\buxuhto.exe

2009-10-19 18:10 . 2009-10-19 18:10 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\SAS Institute Inc

2009-10-19 18:06 . 2009-10-19 18:07 -------- d-----w- c:\program files\Java

2009-10-19 18:06 . 2009-10-19 18:06 -------- d-----w- c:\program files\Common Files\Java

2009-10-19 18:06 . 2009-10-19 18:06 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\Sun

2009-10-19 18:01 . 2009-10-19 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SAS

2009-10-19 18:00 . 2009-10-19 18:00 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\SAS

2009-10-14 09:58 . 2009-09-04 20:45 58880 ------w- c:\windows\system32\dllcache\msasn1.dll

2009-10-01 14:41 . 2004-08-04 06:08 31744 ----a-w- c:\windows\system32\drivers\wceusbsh.sys

2009-10-01 14:41 . 2004-08-04 06:08 31744 ----a-w- c:\windows\system32\dllcache\wceusbsh.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-20 14:23 . 2008-12-10 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-19 18:09 . 2003-03-19 21:46 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-10-19 18:08 . 2005-10-26 14:11 -------- d-----w- c:\program files\SAS

2009-10-19 17:54 . 2004-11-01 18:01 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\AdobeUM

2009-10-01 19:07 . 2009-08-06 14:08 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\U3

2009-09-24 11:27 . 2005-07-13 17:10 78688 ----a-w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-11 14:33 . 2001-08-18 13:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 18:54 . 2008-12-10 15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2008-12-10 15:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-09 15:20 . 2009-09-09 12:12 -------- d-----w- c:\program files\Uniblue

2009-09-09 13:01 . 2009-09-09 13:01 -------- d-----w- c:\program files\Common Files\i4j_jres

2009-09-04 20:45 . 2001-08-18 13:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:16 . 2003-03-31 18:42 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-06 23:24 . 2004-08-14 09:00 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2004-08-14 09:00 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2005-07-13 17:15 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2004-08-14 09:00 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2003-03-31 18:43 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2003-03-31 18:38 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2004-08-14 09:00 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2003-03-31 18:43 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:11 . 2003-03-31 18:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 14:00 . 1980-01-01 06:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-08-04 13:13 . 1980-01-01 06:00 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-07-23 19:26 . 2009-07-23 19:26 66484 ----a-w- c:\windows\system32\PGPlspRollback.reg

2004-08-04 18:29 . 2004-09-02 12:38 94208 ----a-w- c:\program files\mozilla firefox\components\BrandRes.dll

2004-08-04 18:29 . 2004-09-02 12:38 150912 ----a-w- c:\program files\mozilla firefox\components\fullsoft.dll

2004-08-04 18:28 . 2004-09-02 12:38 53349 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2004-08-04 18:29 . 2004-09-02 12:38 61535 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2004-08-04 18:29 . 2004-09-02 12:38 24685 ----a-w- c:\program files\mozilla firefox\components\qfaservices.dll

2004-08-04 18:28 . 2004-09-02 12:38 168039 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2009-07-20 14:34 . 2009-07-20 14:34 27136 --sha-w- c:\windows\SYSTEM32\lojaloke.exe

2009-07-21 09:30 . 2009-07-21 09:30 53760 --sha-w- c:\windows\SYSTEM32\zudeyuwi.dll

2009-03-21 14:18 . 2001-08-18 13:00 23552 --sha-w- c:\windows\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\scandisk.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]

@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"

[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]

2009-03-04 23:19 612920 ----a-w- c:\windows\SYSTEM32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]

"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-12-08 77824]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\MWdump\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

PGPtray.exe.lnk - c:\windows\Installer\{6798F012-57C5-49AD-9A9D-4097616F4E1B}\Icon6560581611.exe [2009-7-23 55296]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0ntdel.exe mad.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-848115496-1524922173-1168901340-63456\Scripts\Logon\0\0]

"Script"=WRQAudit.V3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-848115496-1524922173-1168901340-63456\Scripts\Logon\1\0]

"Script"=WRQAudit.V3.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk

backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^brmartin.AD^Start Menu^Programs^Startup^Rapid Antivirus.lnk]

path=c:\documents and settings\brmartin.AD\Start Menu\Programs\Startup\Rapid Antivirus.lnk

backup=c:\windows\pss\Rapid Antivirus.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pgpfs;PGP File Sharing;c:\windows\SYSTEM32\DRIVERS\PGPfsfd.sys [3/4/2009 7:19 PM 135736]

R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [5/8/2002 11:51 AM 212992]

R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 6:05 PM 39680]

R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 6:06 PM 23744]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\windows\system32\PGPlsp.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\brmartin.AD\Application Data\Mozilla\Firefox\Profiles\default.ezn\

FF - prefs.js: browser.startup.homepage - hxxp://dellnet.msn.com/

FF - component: c:\program files\Mozilla Firefox\components\qfaservices.dll

FF - HiddenExtension: XULRunner: {23E74077-D5D0-42F5-83CE-DEC845862F9D} - c:\documents and settings\brmartin.AD\Local Settings\Application Data\{23E74077-D5D0-42F5-83CE-DEC845862F9D}

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.block.target_new_window", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.popup_allowed_events", "change click dblclick reset submit");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.negotiate-auth.trusted-uris", "https://");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\greprefs\all.js - pref("bidi.clipboardtextmode", 3);

c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.manual_confirm", true);

c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.enabled", true);

c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.interval", 1);

c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.lastDate", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version", "0.9");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.url", "chrome://mozapps/locale/update/update.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updatesAvailable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateVersion", "");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateDescription", "");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateURL", "");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.autoUpdate", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 604800000); // every 7 days

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.lastUpdateDate", 0); // UTC offset when last update was performed.

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.count", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.disable_open_during_load", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("javascript.options.showInConsole", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocols.useSystemDefaults", false); // set to true if user links should use system default handlers

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.external.news" , true); // for news

.

- - - - ORPHANS REMOVED - - - -

BHO-{7d170e2d-a179-48e5-ab83-bca887b63425} - howibovu.dll

HKLM-Run-Unayifopawuqewid - c:\windows\uyusupahogevope.dll

HKLM-Run-vozinolozo - gatinuro.dll

SharedTaskScheduler-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)

AddRemove-RDS Analysis Tool 5.6 - z:\sph\DCC\Dept\HIV Surveillance\RDSAT\rdsatdw\uninstall.exe

AddRemove-WinTools_AD - c:\program files\Common files\WinTools\WToolsA.exe

AddRemove-WinTools_ES - c:\program files\Common files\WinTools\WToolsA.exe

AddRemove-WinTools_IES - c:\program files\Common files\WinTools\WToolsA.exe

AddRemove-WinTools_KW - c:\program files\Common files\WinTools\WToolsA.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-21 15:03

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)

c:\windows\system32\BUGina.dll

c:\windows\system32\PGPlsp.dll

- - - - - - - > 'lsass.exe'(764)

c:\windows\system32\PGPlsp.dll

- - - - - - - > 'explorer.exe'(3484)

c:\windows\system32\WININET.dll

c:\windows\system32\PGPhk.dll

c:\windows\system32\PGPfsshl.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Dell\OpenManage\Client\Iap.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\Network Associates\VirusScan\mcshield.exe

c:\program files\Network Associates\VirusScan\vstskmgr.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\windows\system32\PGPserv.exe

c:\combofix\CF30377.exe

c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe

c:\program files\Java\jre1.5.0_12\bin\jucheck.exe

c:\combofix\PEV.cfxxe

.

**************************************************************************

.

Completion time: 2009-10-21 15:12 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-21 19:12

Pre-Run: 61,560,115,200 bytes free

Post-Run: 64,437,444,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - E751178FD1FF996554E712B590F4CB33


1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\Gqutubovisidubad.bin

c:\windows\Bmoqahukurubohoj.dat

C:\vyiy.exe

C:\ldvx.exe

C:\dtacmawh.exe

C:\chhite.exe

C:\buxuhto.exe

c:\windows\SYSTEM32\lojaloke.exe

c:\windows\SYSTEM32\zudeyuwi.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

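Added example, not part of this thread and not a script from the ComboFix or HijackThis authors: a small Python triage script that reads a HijackThis log the way the helper reads it above (auto-start entries, services and running processes launched from user-writable or temp locations, or straight out of the drive root) and drafts the File:: block of a CFScript.txt from what it flags. The directory list, the drive-root heuristic, the function names and the sample log are constructed assumptions for illustration; every flagged path still needs a human look before it goes into a CFScript, because ComboFix deletes whatever is listed there.

```python
"""Triage a HijackThis log and draft the File:: block of a ComboFix CFScript.

Added example for this thread; not a tool from the ComboFix or HijackThis
authors. The heuristics and the sample log are constructed for illustration.
"""
import re

# Directories that legitimate auto-start binaries rarely live in on Windows XP.
# Assumption: a triage hint, not a verdict; a flagged path still needs review.
SUSPICIOUS_DIRS = (
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",        # 8.3 short form of Local Settings\Temp
    "\\windows\\temp\\",
)

# 'O4 - HKLM\..\Run: [name] command' (also HKCU, HKUS\<sid>, RunOnce)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# 'O23 - Service: description - vendor - path'
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# A bare executable path from the 'Running processes:' section
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
# First drive-letter path with a runnable extension inside a command line,
# quoted or not ('"C:\Program Files\x.exe" -flag' and 'C:\Program Files\x.exe -flag')
PATH_IN_CMD_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd|vbs))"?', re.IGNORECASE)


def classify(path):
    """Return the triage reasons for one path; an empty list means nothing flagged."""
    low = path.lower()
    reasons = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("runs from a user-writable or temp location")
    # 'C:\name.exe': an executable sitting directly in the drive root
    if re.match(r"^[a-z]:\\[^\\]+$", low):
        reasons.append("executable directly in drive root")
    return reasons


def triage(log_text):
    """Parse a HijackThis log; return [(kind, path, reasons)] for flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROC_RE.match(line):
            kind, path = "process", line
        elif (m := O4_RE.match(line)):
            pm = PATH_IN_CMD_RE.search(m.group("cmd"))
            if pm is None:          # e.g. a cmd.exe /C wrapper with no drive-letter path
                continue
            kind = f"autostart {m.group('hive')}\\{m.group('key')} [{m.group('name')}]"
            path = pm.group("path")
        elif (m := O23_RE.match(line)):
            pm = PATH_IN_CMD_RE.search(m.group("path"))
            if pm is None:
                continue
            kind, path = f"service {m.group('desc')}", pm.group("path")
        else:
            continue
        reasons = classify(path)
        if reasons:
            findings.append((kind, path, reasons))
    return findings


def cfscript(findings):
    """Render the File:: block ComboFix reads from CFScript.txt (one path per line, no repeats)."""
    unique = []
    for _, path, _ in findings:
        if path not in unique:
            unique.append(path)
    return "File::\n" + "\n".join(unique) + "\n"


# Constructed sample in HijackThis v2 layout; not a real machine's log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Documents and Settings\user\Application Data\updsvc.exe
C:\DOCUME~1\user\LOCALS~1\Temp\notepad.exe
C:\WINDOWS\Temp\_tmp01.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [updsvc] C:\Documents and Settings\user\Application Data\updsvc.exe
O4 - HKLM\..\Run: [vyiy] C:\vyiy.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, path, reasons in found:
        print(f"{kind}: {path}  <- {'; '.join(reasons)}")
    print()
    print(cfscript(found), end="")
```

Run it against a saved HijackThis log and paste the printed File:: block into Notepad as CFScript.txt (step 3 above), but read each line first: a legitimate program that installs itself under Application Data gets flagged by the same rule, and an entry with no drive-letter path (the cmd.exe /C wrapper in the sample) is skipped rather than guessed at.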

ComboFix.txt...

ComboFix 09-10-26.03 - brmartin 10/27/2009 6:07.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.196 [GMT -4:00]

Running from: c:\documents and settings\brmartin.AD\My Documents\Downloads\ComboFix.exe

Command switches used :: c:\documents and settings\brmartin.AD\Desktop\CFScript.txt

* Resident AV is active

FILE ::

"C:\buxuhto.exe"

"C:\chhite.exe"

"C:\dtacmawh.exe"

"C:\ldvx.exe"

"C:\vyiy.exe"

"c:\windows\Bmoqahukurubohoj.dat"

"c:\windows\Gqutubovisidubad.bin"

"c:\windows\SYSTEM32\lojaloke.exe"

"c:\windows\SYSTEM32\zudeyuwi.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\chhite.exe

c:\documents and settings\All Users\Desktop\nudetube.com.lnk

c:\documents and settings\All Users\Desktop\pornotube.com.lnk

c:\documents and settings\All Users\Desktop\youporn.com.lnk

C:\dtacmawh.exe

c:\windows\Bmoqahukurubohoj.dat

c:\windows\Gqutubovisidubad.bin

c:\windows\SYSTEM32\lojaloke.exe

.

((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))

.

2009-10-21 17:42 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe

2009-10-21 17:42 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-10-21 11:01 . 2009-10-21 11:01 -------- d-----w- c:\windows\Sun

2009-10-21 09:32 . 2009-10-21 13:55 -------- d-----w- c:\program files\MWdump

2009-10-20 14:34 . 2009-10-20 14:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-10-20 14:30 . 2009-10-20 14:30 -------- d-----w- c:\program files\Trend Micro

2009-10-20 13:41 . 2009-10-20 13:41 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\{23E74077-D5D0-42F5-83CE-DEC845862F9D}

2009-10-19 18:10 . 2009-10-19 18:10 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\SAS Institute Inc

2009-10-19 18:06 . 2009-10-19 18:07 -------- d-----w- c:\program files\Java

2009-10-19 18:06 . 2009-10-19 18:06 -------- d-----w- c:\program files\Common Files\Java

2009-10-19 18:06 . 2009-10-19 18:06 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\Sun

2009-10-19 18:01 . 2009-10-19 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SAS

2009-10-19 18:00 . 2009-10-19 18:00 -------- d-----w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\SAS

2009-10-14 09:58 . 2009-09-04 20:45 58880 ------w- c:\windows\system32\dllcache\msasn1.dll

2009-10-01 14:41 . 2004-08-04 06:08 31744 ----a-w- c:\windows\system32\drivers\wceusbsh.sys

2009-10-01 14:41 . 2004-08-04 06:08 31744 ----a-w- c:\windows\system32\dllcache\wceusbsh.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-20 14:23 . 2008-12-10 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-19 18:09 . 2003-03-19 21:46 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-10-19 18:08 . 2005-10-26 14:11 -------- d-----w- c:\program files\SAS

2009-10-19 17:54 . 2004-11-01 18:01 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\AdobeUM

2009-10-01 19:07 . 2009-08-06 14:08 -------- d-----w- c:\documents and settings\brmartin.AD\Application Data\U3

2009-09-24 11:27 . 2005-07-13 17:10 78688 ----a-w- c:\documents and settings\brmartin.AD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-11 14:33 . 2001-08-18 13:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 18:54 . 2008-12-10 15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2008-12-10 15:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-09 15:20 . 2009-09-09 12:12 -------- d-----w- c:\program files\Uniblue

2009-09-09 13:01 . 2009-09-09 13:01 -------- d-----w- c:\program files\Common Files\i4j_jres

2009-09-04 20:45 . 2001-08-18 13:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2004-08-24 00:32 916480 ------w- c:\windows\system32\wininet.dll

2009-08-26 08:16 . 2003-03-31 18:42 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-06 23:24 . 2004-08-14 09:00 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2004-08-14 09:00 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2005-07-13 17:15 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2004-08-14 09:00 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2003-03-31 18:43 53472 ------w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2003-03-31 18:38 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2004-08-14 09:00 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2003-03-31 18:43 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-05 09:11 . 2003-03-31 18:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 14:00 . 1980-01-01 06:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe

2009-08-04 13:13 . 1980-01-01 06:00 2057728 ------w- c:\windows\system32\ntkrnlpa.exe

2004-08-04 18:29 . 2004-09-02 12:38 94208 ----a-w- c:\program files\mozilla firefox\components\BrandRes.dll

2004-08-04 18:29 . 2004-09-02 12:38 150912 ----a-w- c:\program files\mozilla firefox\components\fullsoft.dll

2004-08-04 18:28 . 2004-09-02 12:38 53349 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2004-08-04 18:29 . 2004-09-02 12:38 61535 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2004-08-04 18:29 . 2004-09-02 12:38 24685 ----a-w- c:\program files\mozilla firefox\components\qfaservices.dll

2004-08-04 18:28 . 2004-09-02 12:38 168039 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-10-21_19.03.22 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-10-26 09:44 . 2009-10-26 09:44 16384 c:\windows\Temp\Perflib_Perfdata_75c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]

@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"

[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]

2009-03-04 23:19 612920 ----a-w- c:\windows\SYSTEM32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]

"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-12-08 77824]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\MWdump\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

PGPtray.exe.lnk - c:\windows\Installer\{6798F012-57C5-49AD-9A9D-4097616F4E1B}\Icon6560581611.exe [2009-7-23 55296]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0ntdel.exe mad.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-848115496-1524922173-1168901340-63456\Scripts\Logon\0\0]

"Script"=WRQAudit.V3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-848115496-1524922173-1168901340-63456\Scripts\Logon\1\0]

"Script"=WRQAudit.V3.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk

backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^brmartin.AD^Start Menu^Programs^Startup^Rapid Antivirus.lnk]

path=c:\documents and settings\brmartin.AD\Start Menu\Programs\Startup\Rapid Antivirus.lnk

backup=c:\windows\pss\Rapid Antivirus.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pgpfs;PGP File Sharing;c:\windows\SYSTEM32\DRIVERS\PGPfsfd.sys [3/4/2009 7:19 PM 135736]

R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [5/8/2002 11:51 AM 212992]

R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 6:05 PM 39680]

R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 6:06 PM 23744]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [12/10/2008 11:20 AM 38224]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY

*NewlyCreated* - MBR

*Deregistered* - mbr

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar =

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\windows\system32\PGPlsp.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\brmartin.AD\Application Data\Mozilla\Firefox\Profiles\default.ezn\

FF - prefs.js: browser.startup.homepage - hxxp://dellnet.msn.com/

FF - component: c:\program files\Mozilla Firefox\components\qfaservices.dll

FF - HiddenExtension: XULRunner: {23E74077-D5D0-42F5-83CE-DEC845862F9D} - c:\documents and settings\brmartin.AD\Local Settings\Application Data\{23E74077-D5D0-42F5-83CE-DEC845862F9D}

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.block.target_new_window", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.popup_allowed_events", "change click dblclick reset submit");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.negotiate-auth.trusted-uris", "https://");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery

c:\program files\Mozilla Firefox\greprefs\all.js - pref("bidi.clipboardtextmode", 3);

c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.manual_confirm", true);

c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.enabled", true);

c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.interval", 1);

c:\program files\Mozilla Firefox\greprefs\xpinstall.js - pref("xpinstall.notifications.lastDate", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version", "0.9");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.url", "chrome://mozapps/locale/update/update.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updatesAvailable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateVersion", "");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateDescription", "");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.app.updateURL", "");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.autoUpdate", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 604800000); // every 7 days

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.lastUpdateDate", 0); // UTC offset when last update was performed.

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.extensions.count", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.disable_open_during_load", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("javascript.options.showInConsole", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocols.useSystemDefaults", false); // set to true if user links should use system default handlers

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.external.news" , true); // for news

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-27 06:34

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)

c:\windows\system32\BUGina.dll

c:\windows\system32\PGPlsp.dll

c:\windows\system32\igfxsrvc.dll

c:\windows\system32\hccutils.DLL

- - - - - - - > 'lsass.exe'(752)

c:\windows\system32\PGPlsp.dll

.

Completion time: 2009-10-27 6:38

ComboFix-quarantined-files.txt 2009-10-27 10:37

ComboFix2.txt 2009-10-21 19:12

Pre-Run: 64,342,167,552 bytes free

Post-Run: 64,426,061,824 bytes free

- - End Of File - - C157223C162673B247FDA28F0611B374

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:45:57 AM, on 10/27/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\WINDOWS\system32\PGPserv.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Eraser\Eraser.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe

C:\Program Files\MWdump\mbam.exe

C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\SYSTEM32\CALC.EXE

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\MWdump\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O4 - Global Startup: PGPtray.exe.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.bu.edu

O17 - HKLM\Software\..\Telephony: DomainName = ad.bu.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.bu.edu

O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe

--

End of file - 5345 bytes


Your computer now seems to be clean.

The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.

  • Go to Start
  • Click on Run
  • Type ComboFix /u (Note: This command is case sensitive.)

  • Clean out Temporary Files etc.
    This program is for Vista, XP and Windows 2000 only.
    Please download ATF Cleaner by Atribune.

    1. Double-click ATF-Cleaner.exe to run the program.
    2. Under Main choose: Select All. Then remove the check mark for Cookies.
    3. Click the Empty Selected button.

If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • Remove the check mark for Cookies
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt if asked.

If you use Opera browser

  • Click Opera at the top and choose: Select All.
  • Remove the check mark for Cookies
  • Click the Empty Selected button.

It is a good idea to do this every few weeks as a lot of junk collects there over time.

  • Create a new, clean System Restore point which you can use in case of future system problems:

Press Start->All Programs->Accessories->System Tools->System Restore

Select Create a restore point, then Next. Type a name like All Clean, then press the Create button, and once it's done press Close.

Now remove old, infected System Restore points:

Next click Start->Run and type cleanmgr in the box and press OK

Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.

Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt

Press OK and Yes to confirm

  • Set correct settings for files that should be hidden in Windows XP

  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked, please check Hide protected operating system files (Recommended).
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.

  • Download and install the free version of Malwarebytes' Anti-Malware to your desktop. Check for the latest updates and perform a full system scan. This is an on-demand scanner and runs very well with WinPatrol.

  • If you are using Internet Explorer v. 7, please read and follow the recommendations at this site: http://surfthenetsafely.com/ieseczone8.htm

  • Update your Anti Virus Software - It is imperative that you update your antivirus software at least a few times a week (once a day is a good idea). If you do not update your antivirus software, it will not be able to catch new variants that come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Windows Firewall is not recommended.

Be restrictive with granting access to the Internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not, make the block permanent.

  • Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems.

  • Visit Microsoft's Windows Update site frequently, or better yet, set the computer for automatic updates.

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiem...prevention.html that will give you more information on some of the points above.

  • Please check out Tony Klein's article "How did I get infected in the first place?"

Follow this list and your potential for being infected again will reduce dramatically. (preventionspeech by Elrond)

Regards,

Rosty.

