
Bugs killed - Have host of other problems


1. What is the Dell model and/or, if possible, the Service Tag of the computer?

2. Do you use Yahoo Messenger or the Address AutoComplete feature?

3. Do you have, or did you have at some point, Roxio CD or DVD writing software installed?

1. Dell Dimension Desktop

2. No

3. Yes, in the past, not now.


ComboFix 10-07-19.04 - Kate 07/20/2010 8:23.9.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.112 [GMT -5:00]

Running from: c:\documents and settings\Kate\Desktop\RON 2\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Kate\Recent\Thumbs.db

c:\windows\system32\winsusrm.dll

.

((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))

.

2010-06-27 05:48 . 2010-06-27 05:48 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-06-27 05:22 . 2010-06-27 05:22 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-06-27 05:02 . 2010-06-27 05:02 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-27 04:21 . 2010-06-27 04:21 -------- d-----w- c:\documents and settings\Kate\Application Data\DivX

2010-06-27 04:10 . 2010-06-27 05:48 -------- d-----w- c:\program files\DivX

2010-06-27 04:10 . 2010-06-27 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-20 09:44 . 2008-09-26 05:29 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-29 22:38 . 2010-03-03 11:39 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-27 05:01 . 2004-06-27 04:51 -------- d-----w- c:\program files\Google

2010-06-14 14:31 . 2005-07-10 02:43 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-05-04 17:20 . 2004-01-08 20:23 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2008-09-21 22:45 1851264 ----a-w- c:\windows\system32\win32k.sys

2008-06-19 08:42 . 2006-04-27 04:24 122880 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-03-26 1442888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-17 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 23:36]

2010-07-20 c:\windows\Tasks\User_Feed_Synchronization-{566C0DF4-C73B-4F7B-A67A-6B19000EC267}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://dallas.craigslist.org/dal/wri/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: abc.com

Trusted Zone: abc.com\ll.media

Trusted Zone: bluemountain.com\www

Trusted Zone: fox.com\gksrv

Trusted Zone: fox.com\www

Trusted Zone: go.com\abc

Trusted Zone: go.com\fep.abc

Trusted Zone: google.com\www

Trusted Zone: ncspearson.com

FF - ProfilePath - c:\documents and settings\Kate\Application Data\Mozilla\Firefox\Profiles\dav8808z.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://dallas.craigslist.org/dal/etc/

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\documents and settings\Kate\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-20 08:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-07-20 08:52:50

ComboFix-quarantined-files.txt 2010-07-20 13:52

ComboFix2.txt 2009-12-06 13:29

ComboFix3.txt 2009-12-05 11:00

ComboFix4.txt 2009-11-29 19:37

ComboFix5.txt 2010-07-20 13:19

Pre-Run: 6,740,811,776 bytes free

Post-Run: 7,120,580,608 bytes free

- - End Of File - - A2F68DC239D3EFBE9545848704277897


That log just doesn't look right.

Please uninstall ComboFix using the following. Then reboot the computer, download a fresh copy, run it again and post the new log.

Disable your AntiVirus temporarily so that it does not block removal of Combofix.

Press the Windows key + R. In the Run box which opens, copy/paste the following single-line command and click OK:

ComboFix /Uninstall


This will uninstall ComboFix. It will also implement some cleanup procedures.

Then reboot, come back, download a new copy and run it (with your AV disabled).

Download ComboFix from below:

Combofix download


Ron,

The new ComboFix log is below. Since you told me to completely remove Avira, I no longer have it on my computer. Where should I download it from so I can go back online?

Also, should I uninstall ComboFix again?

Kate

ComboFix 10-07-20.03 - Kate 07/21/2010 0:45.10.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.111 [GMT -5:00]

Running from: c:\documents and settings\Kate\Desktop\RON 2\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))

.

2010-06-27 05:48 . 2010-06-27 05:48 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-06-27 05:02 . 2010-06-27 05:02 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-27 04:21 . 2010-06-27 04:21 -------- d-----w- c:\documents and settings\Kate\Application Data\DivX

2010-06-27 04:10 . 2010-06-27 05:48 -------- d-----w- c:\program files\DivX

2010-06-27 04:10 . 2010-06-27 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-20 09:44 . 2008-09-26 05:29 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-29 22:38 . 2010-03-03 11:39 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-27 05:22 . 2010-06-27 05:22 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-06-27 05:01 . 2004-06-27 04:51 -------- d-----w- c:\program files\Google

2010-06-14 14:31 . 2005-07-10 02:43 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-05-04 17:20 . 2004-01-08 20:23 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2008-09-21 22:45 1851264 ----a-w- c:\windows\system32\win32k.sys

2008-06-19 08:42 . 2006-04-27 04:24 122880 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-03-26 1442888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-17 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 23:36]

2010-07-21 c:\windows\Tasks\User_Feed_Synchronization-{566C0DF4-C73B-4F7B-A67A-6B19000EC267}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://dallas.craigslist.org/dal/wri/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: abc.com

Trusted Zone: abc.com\ll.media

Trusted Zone: bluemountain.com\www

Trusted Zone: fox.com\gksrv

Trusted Zone: fox.com\www

Trusted Zone: go.com\abc

Trusted Zone: go.com\fep.abc

Trusted Zone: google.com\www

Trusted Zone: ncspearson.com

FF - ProfilePath - c:\documents and settings\Kate\Application Data\Mozilla\Firefox\Profiles\dav8808z.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://dallas.craigslist.org/dal/etc/

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-21 00:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(892)

c:\windows\system32\WININET.dll

c:\windows\system32\IEFRAME.dll

.

Completion time: 2010-07-21 01:07:18

ComboFix-quarantined-files.txt 2010-07-21 06:07

ComboFix2.txt 2010-07-20 13:52

Pre-Run: 9,096,564,736 bytes free

Post-Run: 9,084,166,144 bytes free

- - End Of File - - 85DBB18BD195D59D0231DF44641B3467

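The two ComboFix logs above, and the RSIT log further down the thread, are read the same way by a helper: first the autostart values under the Run keys, then the Internet Explorer Trusted Zone additions (ComboFix writes them as `domain\subdomain`, which is why `fox.com\gksrv` in ComboFix is the same entry HijackThis later lists as `gksrv.fox.com`), then any driver or service entry whose `[date size]` field is empty, which RSIT prints when the referenced file is not on disk (in the RSIT log below that is the case for the uninstalled BitDefender drivers and for the temp-directory `catchme.sys`). The following parser is an added example, not code from the original post or from the ComboFix/RSIT tools; it pulls those three things out of pasted log text so they can be reviewed in one place. It does no cleanup and makes no verdict: an empty bracket on a tool's own driver (catchme, mbr) is expected. The sample input is constructed from the line formats visible in this thread.

```python
"""Triage helper for the ComboFix / RSIT log formats pasted in this thread.

Added example (not part of the original post). It extracts:
  * autostart values under registry keys ending in \\Run,
  * Internet Explorer Trusted Zone additions, normalised to hostnames,
  * RSIT driver/service entries whose [date size] field is empty,
    i.e. entries whose backing file RSIT could not find on disk.
"""
import re
from dataclasses import dataclass, field

# "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
# '"itype"="c:\program files\...\itype.exe" [2009-03-26 1442888]'
# RSIT writes the same line without quotes around the path, so they are optional.
RUN_VALUE_RE = re.compile(
    r'^"([^"]+)"="?([^"\[]+?)"?\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
# "Trusted Zone: fox.com\gksrv"
TRUSTED_RE = re.compile(r"^Trusted Zone:\s+(\S+)$")
# RSIT: "R3 catchme;catchme; \??\C:\DOCUME~1\Kate\LOCALS~1\Temp\catchme.sys []"
DRIVER_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+?) \[(.*)\]$")


@dataclass
class Findings:
    autostarts: list = field(default_factory=list)       # (key, name, path, date, size)
    trusted_zones: list = field(default_factory=list)    # hostnames
    orphaned_entries: list = field(default_factory=list) # (state, start_type, name, path)


def normalize_trusted(entry: str) -> str:
    """ComboFix prints 'domain\\sub.host'; return it as the hostname 'sub.host.domain'."""
    parts = entry.split("\\")
    return ".".join(reversed(parts))


def triage(log_text: str) -> Findings:
    out = Findings()
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key and current_key.lower().endswith("\\run"):
            m = RUN_VALUE_RE.match(line)
            if m:
                name, path, date, size = m.groups()
                out.autostarts.append((current_key, name, path, date, int(size)))
                continue
        m = TRUSTED_RE.match(line)
        if m:
            out.trusted_zones.append(normalize_trusted(m.group(1)))
            continue
        m = DRIVER_RE.match(line)
        if m:
            state, start, name, _display, path, meta = m.groups()
            if meta.strip() == "":          # RSIT found no file behind this entry
                out.orphaned_entries.append((state, int(start), name, path))
    return out


# Constructed sample: one line of each format, copied from the shapes in this thread.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-03-26 1442888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Trusted Zone: abc.com
Trusted Zone: abc.com\ll.media
Trusted Zone: fox.com\gksrv
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-07-15 43136]
R3 catchme;catchme; \??\C:\DOCUME~1\Kate\LOCALS~1\Temp\catchme.sys []
S1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
"""

if __name__ == "__main__":
    f = triage(SAMPLE)
    print("Autostarts:")
    for key, name, path, date, size in f.autostarts:
        print(f"  {name:<12} {path}  ({date}, {size} bytes)  [{key}]")
    print("Trusted Zone hosts:", ", ".join(f.trusted_zones))
    print("Entries with no file on disk:")
    for state, start, name, path in f.orphaned_entries:
        print(f"  {state}{start} {name:<10} {path}")
```

Run it on a whole pasted log at once; section headers and the catchme/locked-key output simply fall through the three patterns. The orphan list is where to look for leftovers of uninstalled security products (here the BitDefender and Motive entries), while the autostart and Trusted Zone lists are what the helper compares against what the user says is installed.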

Hi Kate,

Still having issues here. These are NOT the correct Combofix logs. If you are editing them before sending them then please do not edit them. Post them completely as they are.

Uninstall Combofix as shown before.

Then set your files to unhidden

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

Then locate and DELETE this folder if it exists after the removal of Combofix.

C:\Qoobox

Then delete this file if it still exists: C:\COMBOFIX.TXT

Then delete any other copy of ComboFix on your system, empty your browser cache and download a new copy of CF.

Download ComboFix from below:

Combofix download

Run it as before and attach or post an unedited copy of the log.


Ron,

I am NOT editing them. I AM POSTING THEM COMPLETELY FROM THE LOG TEXT. Based on that, should I still follow the directions you just gave me?

Kate


Then please run the following.

Download RSIT by random/random and save it to your Desktop.

  • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Please post the contents of both logs here in your next reply.


When running ComboFix, please do not run it from here: c:\documents and settings\Kate\Desktop\RON 2\

Please run it from here: c:\documents and settings\Kate\Desktop


Logfile of random's system information tool 1.08 (written by random/random)

Run by Kate at 2010-07-21 01:58:04

Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 9 GB (30%) free of 29 GB

Total RAM: 254 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 2:04:04 AM, on 7/21/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Kate\Desktop\RON 2\RSIT.exe

C:\Program Files\trend micro\Kate.exe

C:\Program Files\123 Free Solitaire\123FreeSolitaire.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dallas.craigslist.org/dal/wri/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O15 - Trusted Zone: ll.media.abc.com

O15 - Trusted Zone: http://*.abc.com

O15 - Trusted Zone: gksrv.fox.com

O15 - Trusted Zone: http://www.fox.com

O15 - Trusted Zone: http://abc.go.com

O15 - Trusted Zone: fep.abc.go.com

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.microsoft.com/mats/DiagWebControl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--

End of file - 3667 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\Google Software Updater.job

C:\WINDOWS\tasks\User_Feed_Synchronization-{566C0DF4-C73B-4F7B-A67A-6B19000EC267}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"itype"=C:\Program Files\Microsoft IntelliType Pro\itype.exe [2009-03-26 1442888]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-19 35760]

"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-19 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoDriveAutoRun"=67108863

"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoResolveSearch"=1

"HonorAutoRunSetting"=1

"NoDriveAutoRun"=67108863

"NoDriveTypeAutoRun"=323

"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-07-21 01:58:04 ----D---- C:\rsit

2010-07-21 01:07:26 ----D---- C:\WINDOWS\temp

2010-07-21 01:07:19 ----A---- C:\ComboFix.txt

2010-07-21 00:41:50 ----A---- C:\WINDOWS\zip.exe

2010-07-21 00:41:50 ----A---- C:\WINDOWS\SWXCACLS.exe

2010-07-21 00:41:50 ----A---- C:\WINDOWS\SWSC.exe

2010-07-21 00:41:50 ----A---- C:\WINDOWS\SWREG.exe

2010-07-21 00:41:50 ----A---- C:\WINDOWS\sed.exe

2010-07-21 00:41:50 ----A---- C:\WINDOWS\PEV.exe

2010-07-21 00:41:50 ----A---- C:\WINDOWS\NIRCMD.exe

2010-07-21 00:41:50 ----A---- C:\WINDOWS\MBR.exe

2010-07-21 00:41:50 ----A---- C:\WINDOWS\grep.exe

2010-07-21 00:41:16 ----D---- C:\Qoobox

2010-07-15 01:40:59 ----HDC---- C:\WINDOWS\$NtUninstallKB2229593$

2010-06-27 00:48:30 ----D---- C:\Program Files\Common Files\DivX Shared

2010-06-26 23:21:31 ----D---- C:\Documents and Settings\Kate\Application Data\DivX

2010-06-26 23:10:38 ----D---- C:\Program Files\DivX

2010-06-26 23:10:03 ----D---- C:\Documents and Settings\All Users\Application Data\DivX

======List of files/folders modified in the last 1 months======

2010-07-21 02:04:04 ----D---- C:\Program Files\Trend Micro

2010-07-21 01:07:26 ----D---- C:\WINDOWS

2010-07-21 00:57:43 ----N---- C:\WINDOWS\system.ini

2010-07-21 00:53:27 ----D---- C:\WINDOWS\system32\drivers

2010-07-21 00:53:27 ----D---- C:\WINDOWS\system32

2010-07-21 00:53:27 ----D---- C:\WINDOWS\AppPatch

2010-07-21 00:53:24 ----D---- C:\Program Files\Common Files

2010-07-21 00:45:27 ----D---- C:\WINDOWS\system32\CatRoot2

2010-07-21 00:42:18 ----A---- C:\WINDOWS\SchedLgU.Txt

2010-07-21 00:41:34 ----D---- C:\WINDOWS\ERDNT

2010-07-21 00:38:00 ----SHD---- C:\System Volume Information

2010-07-21 00:38:00 ----D---- C:\WINDOWS\system32\Restore

2010-07-20 08:52:56 ----D---- C:\WINDOWS\Prefetch

2010-07-20 08:50:56 ----SD---- C:\WINDOWS\Tasks

2010-07-20 08:41:40 ----D---- C:\WINDOWS\system32\drivers\etc

2010-07-20 08:05:36 ----D---- C:\Program Files

2010-07-15 14:11:29 ----HD---- C:\WINDOWS\inf

2010-07-15 14:08:25 ----D---- C:\WINDOWS\system32\NtmsData

2010-07-15 01:41:06 ----RSHDC---- C:\WINDOWS\system32\dllcache

2010-07-15 01:37:52 ----HD---- C:\WINDOWS\$hf_mig$

2010-07-09 21:53:09 ----D---- C:\Config.Msi

2010-07-09 21:51:06 ----SHD---- C:\WINDOWS\Installer

2010-07-02 14:39:05 ----AC---- C:\WINDOWS\system32\MRT.exe

2010-06-29 17:38:20 ----D---- C:\Program Files\Microsoft Silverlight

2010-06-29 08:01:00 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft

2010-06-27 00:38:54 ----D---- C:\WINDOWS\SxsCaPendDel

2010-06-27 00:19:37 ----D---- C:\WINDOWS\WinSxS

2010-06-27 00:03:31 ----D---- C:\WINDOWS\system32\config

2010-06-27 00:02:40 ----D---- C:\WINDOWS\system32\wbem

2010-06-27 00:02:39 ----D---- C:\WINDOWS\Registration

2010-06-27 00:01:51 ----D---- C:\Program Files\Google

2010-06-24 01:44:18 ----D---- C:\WINDOWS\Microsoft.NET

2010-06-24 01:44:12 ----RSD---- C:\WINDOWS\assembly

2010-06-23 22:35:48 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_2K;Cdr4_2K; C:\WINDOWS\system32\drivers\Cdr4_2K.sys [2005-07-02 52464]

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]

R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]

R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\fallback.sys [2001-07-18 310899]

R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\fsksnt.sys [2001-07-18 127405]

R2 K56;K56; C:\WINDOWS\System32\DRIVERS\k56nt.sys [2001-07-18 426783]

R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\faxnt.sys [2001-07-18 217019]

R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\tonesnt.sys [2001-07-18 56607]

R2 V124;V124; C:\WINDOWS\System32\DRIVERS\v124nt.sys [2001-07-18 534125]

R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]

R3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\basic2.sys [2001-07-18 77426]

R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-07-15 43136]

R3 catchme;catchme; \??\C:\DOCUME~1\Kate\LOCALS~1\Temp\catchme.sys []

R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]

R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-10-19 807998]

R3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\rksample.sys [2001-07-18 67654]

R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\WINDOWS\system32\DRIVERS\RT2500.sys [2005-04-21 242176]

R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-12-19 539008]

R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]

R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2001-07-25 584336]

S1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []

S3 BCM42RLY;BCM42RLY; \??\C:\WINDOWS\System32\BCM42RLY.SYS []

S3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []

S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-23 542879]

S3 mbr;mbr; \??\C:\DOCUME~1\Kate\LOCALS~1\Temp\mbr.sys []

S3 MREMP50;MREMP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS []

S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []

S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []

S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []

S3 MRESP50;MRESP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS []

S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []

S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCTINDIS5.SYS []

S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []

S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []

S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]

S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]

R2 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [2008-09-23 303104]

R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]

R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]

S3 getPlusHelper;getPlus® Helper; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]

S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.08 2010-07-21 02:04:10

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

123 Free Solitaire-->C:\PROGRA~1\123FRE~1\UNWISE.EXE C:\PROGRA~1\123FRE~1\INSTALL.LOG

2WIRE Wireless LAN - USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{581CE7EA-A30D-0000-1211-088635773309}\Setup.exe" -l0x9

7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"

Acrobat.com-->msiexec /qb /x {FFE62AAA-60EC-71CF-0505-740B8E797647}

Acrobat.com-->MsiExec.exe /I{FFE62AAA-60EC-71CF-0505-740B8E797647}

Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall

Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}

Adobe Download Manager-->"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex

Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Reader 9.3.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}

Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"

Adobe

When running Combofix please do not run it from here: c:\documents and settings\Kate\Desktop\RON 2\

Please run it from here: c:\documents and settings\Kate\Desktop

Oh, ok. Should I re-run it?


Should I go thru the uninstall process, then reinstall?


Ron,

BTW, upon reflection, I'm not sure I answered this question correctly. In fact, I don't really know what it means. I don't use messenger, but the other I'm not sure of.

"2. Do you use the Yahoo messenger or the Address AutoComplete feature ?"

Kate

Please see the PM I sent you Kate and we'll go from there.

Thanks

Ok. But while I was waiting for your reply, I went ahead and reran ComboFix. Here's the new log.

ComboFix 10-07-20.03 - Kate 07/21/2010 2:51.11.1 - x86

Running from: c:\documents and settings\Kate\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))

.

2010-07-21 07:41 . 2010-07-21 07:41 -------- d-----w- c:\documents and settings\Kate\Application Data\Avira

2010-07-21 07:20 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-07-21 07:20 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-07-21 07:20 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-07-21 07:20 . 2010-07-21 07:20 -------- d-----w- c:\program files\Avira

2010-07-21 07:20 . 2010-07-21 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-07-21 06:58 . 2010-07-21 07:04 -------- d-----w- C:\rsit

2010-06-27 05:48 . 2010-06-27 05:48 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-06-27 05:02 . 2010-06-27 05:02 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-27 04:21 . 2010-06-27 04:21 -------- d-----w- c:\documents and settings\Kate\Application Data\DivX

2010-06-27 04:10 . 2010-06-27 05:48 -------- d-----w- c:\program files\DivX

2010-06-27 04:10 . 2010-06-27 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-21 07:04 . 2009-10-12 06:29 -------- d-----w- c:\program files\Trend Micro

2010-07-20 09:44 . 2008-09-26 05:29 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-29 22:38 . 2010-03-03 11:39 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-27 05:22 . 2010-06-27 05:22 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-06-27 05:01 . 2004-06-27 04:51 -------- d-----w- c:\program files\Google

2010-06-14 14:31 . 2005-07-10 02:43 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-05-04 17:20 . 2004-01-08 20:23 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2008-09-21 22:45 1851264 ----a-w- c:\windows\system32\win32k.sys

2008-06-19 08:42 . 2006-04-27 04:24 122880 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-03-26 1442888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANTIVIRSCHEDULERSERVICE

*NewlyCreated* - ANTIVIRSERVICE

*NewlyCreated* - AVGIO

*NewlyCreated* - AVGNTFLT

*NewlyCreated* - AVIPBB

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-17 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 23:36]

2010-07-21 c:\windows\Tasks\User_Feed_Synchronization-{566C0DF4-C73B-4F7B-A67A-6B19000EC267}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://dallas.craigslist.org/dal/wri/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: abc.com

Trusted Zone: abc.com\ll.media

Trusted Zone: bluemountain.com\www

Trusted Zone: fox.com\gksrv

Trusted Zone: fox.com\www

Trusted Zone: go.com\abc

Trusted Zone: go.com\fep.abc

Trusted Zone: google.com\www

Trusted Zone: ncspearson.com

FF - ProfilePath - c:\documents and settings\Kate\Application Data\Mozilla\Firefox\Profiles\dav8808z.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://dallas.craigslist.org/dal/etc/

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-21 03:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2268)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2010-07-21 03:13:58

ComboFix-quarantined-files.txt 2010-07-21 08:13

ComboFix2.txt 2010-07-21 06:07

Pre-Run: 8,887,685,120 bytes free

Post-Run: 8,877,858,816 bytes free

- - End Of File - - D3918ECEA8F3368ED299CF2BA8D6FEE7


That is an old log Kate. It is the 3rd time combofix has been run which was the exact same as the last one so it has to be the same log file.

Go ahead and reply back to my PM and we'll go from there.

That is an old log Kate. It is the 3rd time combofix has been run which was the exact same as the last one so it has to be the same log file.

Go ahead and reply back to my PM and we'll go from there.

Ron,

Once again, I don't understand. I uninstalled/reinstalled ComboFix and re-ran it. It took forever (20+ min). The log I posted is the log that popped up. This time ComboFix was run from the desktop.

Kate


No problem. Answer my last question from PM and we'll start some cleanup as you have a ton of stuff that can be removed or at least stopped from Auto running when the computer runs.


Ron,

I can't tell you how thrilled I'll be if we can pump up the power of my 'puter. :)

Kate


Kate,

Please try the following. I don't think you need this service but let's check and make sure.

It is a service that was potentially added by your ISP but should not be needed. We won't delete it but we'll stop it to test.

Please print out this page just in case you need it for reference.

Please click on START - RUN and copy/paste the following and click OK

CMD /C NET STOP McciCMService

Then see if you can still access the Internet with your browser and applications.

Do you have or use Wireless with this computer? There is a driver that shows you have the following:

RT2500 Linksys Wireless-G PCI Adapter

If you do have issues accessing the Internet after turning the above off then simply run the following or restart the computer.

Please click on START - RUN and copy/paste the following and click OK

CMD /C NET START McciCMService

Then let me know about the above.


Please download and run the following.

Provide System Specifications:

  • Please download Speccy from here and save the installer to your desktop or another location where you can easily find it.
  • Double-click the file to begin installation and follow the onscreen steps to complete the installation and make sure that the checkbox next to Run Speccy is checked before you click on Finish at the end.
  • Once the program starts it will analyze your system, please be patient as it may take a few moments to complete.
  • Once it finishes and none of the areas say Analyzing click on the File button at the top and select Save Snapshot...
  • Save the file to your desktop and click Ok to confirm
  • Go to your desktop and right click on the file you just created and hover over Send to and select Compressed (zipped) Folder
  • Please attach the zip file you just created to your next post


Then run the following.

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again and run Do a system scan only and place a check mark on the following items.

STEP 02

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Driver::
Cdr4_2K
catchme
bdftdif
Profos
Trufos
Bonjour Service
File::
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{566C0DF4-C73B-4F7B-A67A-6B19000EC267}.job
C:\WINDOWS\system32\drivers\Cdr4_2K.sys
C:\DOCUME~1\Kate\LOCALS~1\Temp\catchme.sys
C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys
C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys
Folder::
C:\Program Files\Common Files\BitDefender

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

Click on START - RUN and copy/paste the following into the run line.

cmd /c sc delete Bonjour

Please go into your Control Panel, Add/Remove and remove the following applications.

Coupon Printer for Windows

DivX Web Player

Google Desktop

Yahoo! Address AutoComplete

Adobe Reader 7.1.0

Bonjour

DivX Codec

DivX Converter

DivX Player

DivX Plus DirectShow Filters

DivX Version Checker

DivX Web Player

Google Desktop

Google Toolbar for Firefox

Google Updater

Yahoo! Address AutoComplete

Move Media Player

Vista Codec Package

If you're not using this Program then I'd recommend you uninstall it too.

NBC Sports
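The CFScript above targets drivers whose entries survived in the registry after their product was uninstalled (BitDefender, Roxio). As an added example, not part of this thread or of the RSIT/ComboFix tools, the following parses RSIT "List of drivers/services" lines such as those quoted earlier and lists the ones whose binary is gone, then lays them out in the Driver::/File:: shape Ron used. It assumes RSIT prints an empty `[]` when it cannot find the file on disk; the sample lines are constructed in that format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Start-type legend as printed in the RSIT header quoted in the thread.
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}
# One RSIT line: <R|S><start> <name>;<display name>; <path> [<date size> or empty]
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+?) \[([^\]]*)\]$")

# Constructed sample lines in the shape of the RSIT output quoted above (not a real capture).
SAMPLE_LOG = r"""
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [2008-09-23 303104]
"""


@dataclass
class Entry:
    name: str
    display: str
    path: str                  # Win32 path with any \??\ NT-namespace prefix removed
    running: bool
    start_type: str
    file_info: Optional[str]   # "date size" as printed, or None when RSIT printed []


def parse_entries(text: str) -> List[Entry]:
    """Parse RSIT driver/service lines; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, info = m.groups()
        if path.startswith("\\??\\"):
            path = path[4:]
        entries.append(Entry(name, display, path, state == "R", START_TYPES[start], info or None))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose binary RSIT did not find (assumption: shown as an empty [])."""
    return [e for e in entries if e.file_info is None]


def build_cfscript(entries: List[Entry]) -> str:
    """Emit Driver:: and File:: sections in the CFScript layout used in the thread."""
    orph = orphaned(entries)
    lines = ["Driver::"] + [e.name for e in orph]
    lines += ["File::"] + [e.path for e in orph]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for e in parsed:
        flag = "MISSING BINARY" if e.file_info is None else "ok"
        print(f"{e.name:<16} {'running' if e.running else 'stopped':<8} {e.start_type:<8} {flag}")
    print(build_cfscript(parsed))
```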

