
Rootkit asc3550p resistant to Anti-Malware



Hello,

As noted, a rootkit remains after all else has been cleared up. Some other strange behavior. McAfee was on the system before the Malwarebytes, and it picks up a "Buffer Overflow Blocked". Have had a couple of reboots.

As per the instructions, here is the dds.txt

DDS (Ver_09-12-01.01) - NTFSx86

Run by Doug at 23:43:59.68 on Mon 02/22/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1335 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

H:\WINDOWS\System32\svchost.exe -k netsvcs

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

svchost.exe

H:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

H:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe

H:\WINDOWS\system32\CTsvcCDA.EXE

H:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

H:\Program Files\Java\jre6\bin\jqs.exe

H:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

h:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\system32\svchost.exe -k imgsvc

H:\Program Files\Viewpoint\Common\ViewpointService.exe

H:\WINDOWS\system32\MsPMSPSv.exe

H:\Program Files\McAfee.com\Agent\mcagent.exe

H:\WINDOWS\system32\Rundll32.exe

H:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

H:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

H:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

H:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

H:\Program Files\Canon\CAL\CALMAIN.exe

H:\Program Files\Canon\MyPrinter\BJMyPrt.exe

H:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

H:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

H:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

H:\Program Files\Messenger\msmsgs.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe

H:\Documents and Settings\Doug\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

H:\Program Files\Logitech\SetPoint\SetPoint.exe

H:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

H:\Program Files\McAfee\MPF\MPFSrv.exe

H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

H:\Documents and Settings\Doug\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Bar =

BHO: AutorunsDisabled - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - h:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre6\bin\ssv.dll

BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - h:\program files\comcasttb\comcastdx.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - h:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - h:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - h:\program files\comcasttb\comcastdx.dll

TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File

uRun: [<NO NAME>]

uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe

uRun: [Aim6]

uRun: [ComcastAntispyClient] "h:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide

uRun: [sansaDispatch] h:\documents and settings\doug\application data\sandisk\sansa updater\SansaDispatch.exe

mRun: [REGSHAVE] h:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [mcagent_exe] "h:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [CTSysVol] h:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [sSBkgdUpdate] "h:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "h:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [WrtMon.exe] h:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [CanonSolutionMenu] h:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] h:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [ArcSoft Connection Service] h:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime

mRun: [Kputiyojoqoziyi] rundll32.exe "h:\windows\enoxofip.dll",Startup

mRun: [Malwarebytes' Anti-Malware] "h:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: h:\docume~1\doug\startm~1\programs\startup\onenot~1.lnk - h:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - h:\program files\logitech\setpoint\SetPoint.exe

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - h:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {67DDCD98-1120-47C3-B47E-A4E6820A571F} - hxxp://www.pbworldnet.com/components/intranet.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238020536250

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - h:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - h:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - h:\program files\microsoft office\office12\GrooveShellExtensions.dll

mASetup: ccc-core-static - msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\doug\applic~1\mozilla\firefox\profiles\wasbwg57.default\

FF - prefs.js: browser.search.selectedEngine - Comcast Search

FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyeBay&gbh=1&&_trksid=m37&guest=1

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=hTV9Ev5FXTm3vXOKIXfYew&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

FF - plugin: h:\documents and settings\doug\application data\mozilla\plugins\npPxPlay.dll

FF - plugin: h:\program files\canon\zoombrowser ex\program\NPCIG.dll

FF - plugin: h:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: h:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: h:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: h:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: h:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: h:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: h:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: XULRunner: {682F6FCB-8949-4E6E-B38B-2D412875716A} - h:\documents and settings\doug\local settings\application data\{682F6FCB-8949-4E6E-B38B-2D412875716A}

FF - HiddenExtension: XUL Cache: {F13EE702-7E49-4958-989C-E5021544F27B} - h:\documents and settings\sue\local settings\application data\{F13EE702-7E49-4958-989C-E5021544F27B}

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {8D4C9ACA-156C-46E3-BF54-C1EC598090BF} - h:\documents and settings\honored guest\local settings\application data\{8d4c9aca-156c-46e3-bf54-c1ec598090bf}\

FF - HiddenExtension: XUL Cache: No Registry Reference - h:\program files\mozilla firefox\extensions\{6A258E45-C142-4CC5-B5D4-28A981A3683A}

FF - HiddenExtension: XUL Cache: No Registry Reference - h:\program files\mozilla firefox\extensions\{8D91A52A-5AA7-433B-9347-A96B990E02A9}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

h:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;h:\windows\system32\drivers\mfehidk.sys [2008-1-30 214664]

R2 AntiSpywareService;Comcast AntiSpyware;h:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]

R2 MBAMService;MBAMService;h:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-25 236368]

R2 McProxy;McAfee Proxy Service;h:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-30 359952]

R2 McShield;McAfee Real-time Scanner;h:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-30 144704]

R2 Viewpoint Manager Service;Viewpoint Manager Service;h:\program files\viewpoint\common\ViewpointService.exe [2008-2-24 24652]

R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [2010-1-25 19160]

R3 McSysmon;McAfee SystemGuards;h:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-30 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;h:\windows\system32\drivers\mfeavfk.sys [2008-1-30 79816]

R3 mfebopk;McAfee Inc. mfebopk;h:\windows\system32\drivers\mfebopk.sys [2008-1-30 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;h:\windows\system32\drivers\mfesmfk.sys [2008-1-30 40552]

S2 gupdate;Google Update Service (gupdate);h:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]

S3 mferkdk;McAfee Inc. mferkdk;h:\windows\system32\drivers\mferkdk.sys [2008-1-30 34248]

=============== Created Last 30 ================

2010-02-23 04:43:04 0 ----a-w- h:\documents and settings\doug\defogger_reenable

2010-02-22 03:37:27 0 d-----w- h:\program files\Trend Micro

2010-01-30 03:48:44 56816 ----a-w- h:\windows\system32\drivers\avgntflt.sys

2010-01-26 00:02:15 0 d-----w- h:\docume~1\doug\applic~1\Malwarebytes

2010-01-26 00:02:09 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys

2010-01-26 00:02:08 19160 ----a-w- h:\windows\system32\drivers\mbam.sys

2010-01-26 00:02:08 0 d-----w- h:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-26 00:02:07 0 d-----w- h:\program files\Malwarebytes' Anti-Malware

2010-01-25 12:09:28 0 ----a-w- h:\windows\Qpeduworu.bin

2010-01-25 12:09:27 120 ----a-w- h:\windows\Kditodovuje.dat

2010-01-25 09:41:43 0 ----a-w- h:\windows\system32\23281.exe

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- h:\windows\system32\drivers\srv.sys

2009-12-22 05:21:05 667136 ----a-w- h:\windows\system32\wininet.dll

2009-12-22 05:20:58 81920 ----a-w- h:\windows\system32\ieencode.dll

2009-12-16 18:43:27 343040 ----a-w- h:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- h:\windows\system32\csrsrv.dll

2009-12-08 19:26:15 2145280 ----a-w- h:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:51 2023936 ----a-w- h:\windows\system32\ntkrnlpa.exe

2009-11-27 17:11:44 17920 ----a-w- h:\windows\system32\msyuv.dll

2009-11-27 17:11:44 1291776 ----a-w- h:\windows\system32\quartz.dll

2009-11-27 16:07:35 8704 ----a-w- h:\windows\system32\tsbyuv.dll

2009-11-27 16:07:35 28672 ----a-w- h:\windows\system32\msvidc32.dll

2009-11-27 16:07:34 84992 ----a-w- h:\windows\system32\avifil32.dll

2009-11-27 16:07:34 48128 ----a-w- h:\windows\system32\iyuv_32.dll

2009-11-27 16:07:34 11264 ----a-w- h:\windows\system32\msrle32.dll

============= FINISH: 23:44:56.50 ===============

Thank you in advance for any help!

DougAAAAA

mbam_log_2010_02_22__13_14_35_.txt

Attach_2_22_10.zip

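The checks a forum helper applies by eye to the Pseudo HJT Report above (a Run key with a machine-generated name, rundll32 loading a DLL dropped straight into the Windows directory, Task Manager disabled by policy, a hidden Firefox extension living in a per-user Local Settings GUID folder, a purely numeric .exe in system32, zero-byte files with generated names) can be scripted. The block below is an added example and is not part of the original post, of DDS, or of Malwarebytes' tooling. The sample lines are copied from the log above and mixed with a few benign entries from the same log; the regular expressions, the "looks generated" vowel-ratio heuristic and its thresholds are this example's own assumptions and will produce some false positives on real logs.

```python
"""
Triage helper for DDS-style log lines (Pseudo HJT Report, Created Last 30).

Added example: not the DDS tool's code and not from the forum post. The
heuristics below are assumptions about what a malware-removal helper
checks first, not a detection standard.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "reason line")

# Constructed sample: lines copied from the DDS log in the post, plus benign
# entries from the same log so every check has both hits and non-hits.
SAMPLE_LOG = [
    r'uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background',
    r'mRun: [Kputiyojoqoziyi] rundll32.exe "h:\windows\enoxofip.dll",Startup',
    r'mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime',
    r'dPolicies-system: DisableTaskMgr = 1 (0x1)',
    r'FF - HiddenExtension: XULRunner: {682F6FCB-8949-4E6E-B38B-2D412875716A} - h:\documents and settings\doug\local settings\application data\{682F6FCB-8949-4E6E-B38B-2D412875716A}',
    r'FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}',
    r'2010-01-25 09:41:43 0 ----a-w- h:\windows\system32\23281.exe',
    r'2010-01-25 12:09:28 0 ----a-w- h:\windows\Qpeduworu.bin',
    r'2010-01-30 03:48:44 56816 ----a-w- h:\windows\system32\drivers\avgntflt.sys',
]

# uRun / mRun / dRun entries: "[name] command"
RUN_RE = re.compile(r'^[umd]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# rundll32 loading a DLL that sits directly in the Windows directory
# (no subdirectory such as system32 between "windows\" and the file name)
RUNDLL_WINROOT_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\[^\\"]+\.dll', re.I)
POLICY_RE = re.compile(r'^[umd]Policies-\w+: DisableTaskMgr = 1', re.I)
HIDDEN_EXT_RE = re.compile(r'^FF - HiddenExtension:.* - (?P<path>.+)$')
# a {GUID} folder directly under "Local Settings\Application Data"
GUID_IN_LOCALSETTINGS_RE = re.compile(
    r'\\local settings\\application data\\\{[0-9a-f-]{36}\}\\?$', re.I)
# "Created Last 30" entries: date time size attributes path
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+'
    r'(?P<path>[a-z]:\\.+)$', re.I)


def looks_generated(name):
    """Heuristic (assumption): one alphabetic word of 8+ letters with at most
    a leading capital and a pronounceable share of vowels. Catches names such
    as 'Kputiyojoqoziyi' or 'enoxofip'; skips CamelCase, dotted or spaced
    product names and consonant-heavy driver names such as 'avgntflt'."""
    if not re.fullmatch(r'[A-Z]?[a-z]{8,}', name):
        return False
    vowels = sum(c in 'aeiou' for c in name.lower())
    return 0.35 <= vowels / len(name) <= 0.65


def triage(lines):
    """Return a list of Finding(reason, line) for the suspicious lines."""
    findings = []
    for line in lines:
        line = line.rstrip()
        m = RUN_RE.match(line)
        if m:
            if looks_generated(m.group('name')):
                findings.append(Finding('run-key name looks machine-generated', line))
            if RUNDLL_WINROOT_RE.search(m.group('cmd')):
                findings.append(Finding('rundll32 loads a DLL from the Windows root', line))
            continue
        if POLICY_RE.match(line):
            findings.append(Finding('Task Manager disabled by policy', line))
            continue
        m = HIDDEN_EXT_RE.match(line)
        if m:
            if GUID_IN_LOCALSETTINGS_RE.search(m.group('path')):
                findings.append(Finding(
                    'hidden Firefox extension in per-user Local Settings GUID dir', line))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group('path')
            base = path.rsplit('\\', 1)[-1]
            stem, dot, ext = base.rpartition('.')
            if not dot:               # no extension: whole name is the stem
                stem, ext = base, ''
            if ext.lower() == 'exe' and stem.isdigit() and '\\system32\\' in path.lower():
                findings.append(Finding('numeric-named executable in system32', line))
            elif looks_generated(stem):
                findings.append(Finding('new file with machine-generated name', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason}: {f.line}')
```

On the sample, the Kputiyojoqoziyi Run entry is flagged twice (generated name and a DLL loaded from h:\windows), the DisableTaskMgr policy, the XULRunner extension under Doug's Local Settings, 23281.exe and Qpeduworu.bin are each flagged once, and the MSMSGS, QuickTime, Java Console and avgntflt.sys lines pass. Run it against a full dds.txt with `triage(open('dds.txt').read().splitlines())`; treat every hit as a lead to verify, not as a verdict.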

Hello , and welcome to Malwarebytes forums!

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please read and follow all these instructions very carefully.

  1. Please download GooredFix and save it to your Desktop.
  2. Double-click GooredFix.exe to run it.
  3. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

In your next reply, please include the following:

  • Combofix.txt
  • Goored log


As requested, here are Combofix.txt and Goored.txt.

By the way, I disabled McAfee AND Malwarebytes Anti-Malware. Should they stay disabled until there's a reply?

Thank you. DougAAAAA

ComboFix 10-02-24.01 - Doug 02/24/2010 21:50:11.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1402 [GMT -5:00]

Running from: h:\documents and settings\Doug\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

h:\documents and settings\Doug\Local Settings\Application Data\{682F6FCB-8949-4E6E-B38B-2D412875716A}

h:\documents and settings\Doug\Local Settings\Application Data\{682F6FCB-8949-4E6E-B38B-2D412875716A}\chrome.manifest

h:\documents and settings\Doug\Local Settings\Application Data\{682F6FCB-8949-4E6E-B38B-2D412875716A}\chrome\content\_cfg.js

h:\documents and settings\Doug\Local Settings\Application Data\{682F6FCB-8949-4E6E-B38B-2D412875716A}\chrome\content\overlay.xul

h:\documents and settings\Doug\Local Settings\Application Data\{682F6FCB-8949-4E6E-B38B-2D412875716A}\install.rdf

h:\documents and settings\Honored Guest\Local Settings\Application Data\{8D4C9ACA-156C-46E3-BF54-C1EC598090BF}

h:\documents and settings\Honored Guest\Local Settings\Application Data\{8D4C9ACA-156C-46E3-BF54-C1EC598090BF}\chrome.manifest

h:\documents and settings\Honored Guest\Local Settings\Application Data\{8D4C9ACA-156C-46E3-BF54-C1EC598090BF}\chrome\content\_cfg.js

h:\documents and settings\Honored Guest\Local Settings\Application Data\{8D4C9ACA-156C-46E3-BF54-C1EC598090BF}\chrome\content\overlay.xul

h:\documents and settings\Honored Guest\Local Settings\Application Data\{8D4C9ACA-156C-46E3-BF54-C1EC598090BF}\install.rdf

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}\chrome.manifest

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}\chrome\content\_cfg.js

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}\chrome\content\c.js

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}\chrome\content\overlay.xul

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}\install.rdf

h:\program files\Mozilla Firefox\extensions\{6A258E45-C142-4CC5-B5D4-28A981A3683A}

h:\program files\Mozilla Firefox\extensions\{6A258E45-C142-4CC5-B5D4-28A981A3683A}\chrome.manifest

h:\program files\Mozilla Firefox\extensions\{6A258E45-C142-4CC5-B5D4-28A981A3683A}\chrome\content\overlay.xul

h:\program files\Mozilla Firefox\extensions\{6A258E45-C142-4CC5-B5D4-28A981A3683A}\install.rdf

h:\program files\Mozilla Firefox\extensions\{8D91A52A-5AA7-433B-9347-A96B990E02A9}

h:\program files\Mozilla Firefox\extensions\{8D91A52A-5AA7-433B-9347-A96B990E02A9}\chrome.manifest

h:\program files\Mozilla Firefox\extensions\{8D91A52A-5AA7-433B-9347-A96B990E02A9}\chrome\content\overlay.xul

h:\program files\Mozilla Firefox\extensions\{8D91A52A-5AA7-433B-9347-A96B990E02A9}\install.rdf

h:\windows\COUPON~1.OCX

h:\windows\CouponPrinter.ocx

h:\windows\run.log

h:\windows\system32\23281.exe

h:\windows\system32\AutoRun.inf

h:\windows\system32\config\40332276.Evt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASC3550P

-------\Service_asc3550p

((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))

.

2010-02-22 03:37 . 2010-02-22 03:37 -------- d-----w- h:\program files\Trend Micro

2010-02-18 01:38 . 2010-02-18 01:38 -------- d-----w- h:\documents and settings\Doug\Application Data\Apple Computer

2010-01-30 03:48 . 2010-01-31 05:15 56816 ----a-w- h:\windows\system32\drivers\avgntflt.sys

2010-01-27 00:13 . 2010-01-27 00:13 -------- d-----w- h:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2010-01-26 03:15 . 2010-01-26 03:15 -------- d-----w- h:\documents and settings\Sue\Application Data\CallingID

2010-01-26 03:15 . 2010-01-26 03:15 -------- d-----w- h:\documents and settings\Sue\Application Data\comcasttb

2010-01-26 03:15 . 2010-01-26 03:15 -------- d-----w- h:\documents and settings\Sue\Local Settings\Application Data\ArcSoft

2010-01-26 03:15 . 2010-01-26 03:15 -------- d-----w- h:\documents and settings\Sue\Application Data\ArcSoft

2010-01-26 03:11 . 2010-01-26 03:11 -------- d-----w- h:\documents and settings\Honored Guest\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-24 21:54 . 2009-01-01 17:00 -------- d-----w- h:\documents and settings\All Users\Application Data\Google Updater

2010-02-24 21:22 . 2009-05-30 01:35 -------- d-----w- h:\documents and settings\All Users\Application Data\CanonIJPLM

2010-02-22 04:05 . 2010-01-26 00:02 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware

2010-02-22 03:04 . 2009-12-26 22:14 -------- d-----w- h:\documents and settings\Doug\Application Data\ZoomBrowser EX

2010-02-18 02:45 . 2009-12-26 22:06 -------- d-----w- h:\documents and settings\Doug\Application Data\CameraWindowDC

2010-02-18 01:52 . 2008-11-20 01:59 -------- d-----w- h:\documents and settings\Doug\Application Data\ArcSoft

2010-02-17 20:18 . 2008-01-31 03:59 -------- d-----w- h:\program files\McAfee

2010-02-13 19:26 . 2009-12-31 23:47 -------- d-----w- h:\documents and settings\Doug\Application Data\comcasttb

2010-02-13 19:26 . 2009-12-31 23:48 -------- d-----w- h:\documents and settings\Doug\Application Data\CallingID

2010-02-04 04:07 . 2009-01-01 17:00 -------- d-----w- h:\program files\Google

2010-01-30 23:19 . 2010-01-01 21:00 -------- d-----w- h:\program files\QuickTime

2010-01-29 06:00 . 2010-01-25 12:09 0 ----a-w- h:\windows\Qpeduworu.bin

2010-01-26 03:15 . 2008-01-24 20:19 78224 ----a-w- h:\documents and settings\Sue\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-26 03:12 . 2010-01-03 05:42 -------- d-----w- h:\documents and settings\Honored Guest\Application Data\comcasttb

2010-01-26 03:00 . 2010-01-25 12:09 120 ----a-w- h:\windows\Kditodovuje.dat

2010-01-26 00:02 . 2010-01-26 00:02 -------- d-----w- h:\documents and settings\Doug\Application Data\Malwarebytes

2010-01-26 00:02 . 2010-01-26 00:02 -------- d-----w- h:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-18 20:59 . 2010-01-18 20:59 354744 ----a-w- h:\documents and settings\Doug\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe

2010-01-18 20:59 . 2010-01-18 20:59 79872 ----a-w- h:\documents and settings\Doug\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

2010-01-18 20:59 . 2010-01-18 20:59 574344 ----a-w- h:\documents and settings\Doug\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe

2010-01-18 20:58 . 2008-11-30 23:56 -------- d-----w- h:\documents and settings\Doug\Application Data\SanDisk

2010-01-07 21:07 . 2010-01-26 00:02 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07 . 2010-01-26 00:02 19160 ----a-w- h:\windows\system32\drivers\mbam.sys

2010-01-02 18:01 . 2010-01-02 18:01 -------- d-----w- h:\documents and settings\Honored Guest\Application Data\ArcSoft

2010-01-01 21:01 . 2008-01-24 20:06 -------- d--h--w- h:\program files\InstallShield Installation Information

2010-01-01 21:00 . 2010-01-01 20:51 -------- d-----w- h:\documents and settings\All Users\Application Data\ArcSoft

2010-01-01 21:00 . 2010-01-01 21:00 -------- d-----w- h:\documents and settings\All Users\Application Data\Apple Computer

2010-01-01 20:59 . 2010-01-01 20:59 -------- d-----w- h:\program files\Common Files\Apple

2010-01-01 20:59 . 2010-01-01 20:59 -------- d-----w- h:\program files\Apple Software Update

2010-01-01 20:59 . 2010-01-01 20:59 -------- d-----w- h:\documents and settings\All Users\Application Data\Apple

2010-01-01 20:51 . 2010-01-01 20:50 -------- d-----w- h:\program files\Common Files\ArcSoft

2010-01-01 20:50 . 2010-01-01 20:50 -------- d-----w- h:\program files\Kodak

2009-12-31 23:48 . 2009-12-31 23:47 -------- d-----w- h:\program files\comcasttb

2009-12-31 23:48 . 2009-03-25 22:24 -------- d-----w- h:\program files\Common Files\Scanner

2009-12-31 16:50 . 2008-01-18 21:48 353792 ----a-w- h:\windows\system32\drivers\srv.sys

2009-12-22 05:21 . 2008-01-18 22:13 667136 ----a-w- h:\windows\system32\wininet.dll

2009-12-22 05:20 . 2008-01-18 19:57 81920 ----a-w- h:\windows\system32\ieencode.dll

2009-12-16 18:43 . 2008-01-20 17:18 343040 ----a-w- h:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2008-01-18 18:19 33280 ----a-w- h:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2008-01-18 20:59 2145280 ----a-w- h:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- h:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2008-01-18 20:29 455424 ----a-w- h:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2008-01-18 21:20 1291776 ----a-w- h:\windows\system32\quartz.dll

2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- h:\windows\system32\msyuv.dll

2009-11-27 16:07 . 2008-01-18 20:47 28672 ----a-w- h:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- h:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2008-01-18 20:45 11264 ----a-w- h:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2008-01-18 18:04 84992 ----a-w- h:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- h:\windows\system32\iyuv_32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="h:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ComcastAntispyClient"="h:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]

"SansaDispatch"="h:\documents and settings\Doug\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-01-18 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"REGSHAVE"="h:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"mcagent_exe"="h:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"P17Helper"="P17.dll" [2004-06-10 60928]

"CTSysVol"="h:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"SSBkgdUpdate"="h:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="h:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"WrtMon.exe"="h:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

"CanonSolutionMenu"="h:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]

"CanonMyPrinter"="h:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]

"ArcSoft Connection Service"="h:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]

"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"Malwarebytes' Anti-Malware"="h:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

h:\documents and settings\Honored Guest\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - h:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

h:\documents and settings\Sue\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - h:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

h:\documents and settings\Doug\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - h:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

h:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - h:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-23 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 06:42 72208 ----a-w- h:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-12 03:16 39792 ----a-w- h:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2007-08-24 12:00 33648 ----a-w- h:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2006-11-10 17:35 90112 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-12-22 19:40 136600 ----a-w- h:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 05:00 90112 ------w- h:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"h:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"h:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"h:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"h:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"h:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"h:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 AntiSpywareService;Comcast AntiSpyware;h:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 12:49 PM 616408]

R2 MBAMService;MBAMService;h:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/25/2010 7:02 PM 236368]

R2 Viewpoint Manager Service;Viewpoint Manager Service;h:\program files\Viewpoint\Common\ViewpointService.exe [2/24/2008 1:26 AM 24652]

R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [1/25/2010 7:02 PM 19160]

S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 10:00 PM 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-01-27 h:\windows\Tasks\AppleSoftwareUpdate.job

- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-25 h:\windows\Tasks\Google Software Updater.job

- h:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-01 03:20]

2010-02-25 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- h:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:00]

2010-02-24 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- h:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:00]

2010-02-24 h:\windows\Tasks\Malwarebytes' Scheduled Scan for Doug.job

- h:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-26 21:07]

2010-02-24 h:\windows\Tasks\Malwarebytes' Scheduled Update for Doug.job

- h:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-26 21:07]

2010-01-15 h:\windows\Tasks\McDefragTask.job

- h:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-31 16:22]

2010-02-01 h:\windows\Tasks\McQcTask.job

- h:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-31 16:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {67DDCD98-1120-47C3-B47E-A4E6820A571F} - hxxp://www.pbworldnet.com/components/intranet.CAB

FF - ProfilePath - h:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\wasbwg57.default\

FF - prefs.js: browser.search.selectedEngine - Comcast Search

FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyeBay&gbh=1&&_trksid=m37&guest=1

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=hTV9Ev5FXTm3vXOKIXfYew&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

FF - plugin: h:\documents and settings\Doug\Application Data\Mozilla\plugins\npPxPlay.dll

FF - plugin: h:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll

FF - plugin: h:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: h:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: h:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: h:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: h:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: h:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: h:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKLM-Run-Kputiyojoqoziyi - h:\windows\enoxofip.dll

ActiveSetup-ccc-core-static - msiexec

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-24 21:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SansaDispatch = h:\documents and settings\Doug\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)

h:\windows\system32\Ati2evxx.dll

h:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

h:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3444)

h:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll

h:\program files\Logitech\SetPoint\lgscroll.dll

h:\windows\system32\WPDShServiceObj.dll

h:\windows\system32\PortableDeviceTypes.dll

h:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

h:\windows\system32\Ati2evxx.exe

h:\windows\system32\Ati2evxx.exe

h:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

h:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

h:\windows\system32\CTsvcCDA.EXE

h:\program files\Canon\IJPLM\IJPLMSVC.EXE

h:\program files\Java\jre6\bin\jqs.exe

h:\progra~1\McAfee\MSC\mcmscsvc.exe

h:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

h:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

h:\progra~1\McAfee\VIRUSS~1\mcshield.exe

h:\windows\system32\MsPMSPSv.exe

h:\program files\ATI Technologies\ATI.ACE\Core-Static\mom.exe

h:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

h:\program files\Canon\CAL\CALMAIN.exe

h:\progra~1\mcafee.com\agent\mcagent.exe

h:\windows\system32\wscntfy.exe

h:\windows\system32\Rundll32.exe

h:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe

h:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

h:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

h:\program files\McAfee\MPF\MPFSrv.exe

.

**************************************************************************

.

Completion time: 2010-02-24 22:05:27 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-25 03:05

Pre-Run: 114,845,949,952 bytes free

Post-Run: 117,725,347,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5C3BCD4CF072A62927F3DC3D1B4DC1E0

GooredFix by jpshortstuff (08.01.10.1)

Log created at 22:09 on 24/02/2010 (Doug)

Firefox version 3.5.8 (en-US)

========== GooredScan ==========

========== GooredLog ==========

H:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [06:19 26/01/2008]

{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} [19:39 03/06/2008]

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [21:38 19/07/2008]

{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [19:40 22/12/2008]

H:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\wasbwg57.default\extensions\

{0538E3E3-7E9B-4d49-8831-A227C80A7AD3} [05:24 18/12/2009]

{20a82645-c095-46ed-80e3-08825760534b} [21:14 30/09/2009]

{4E77EDAD-9566-4089-88D1-C81498CEE770} [23:48 31/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"jqs@sun.com"="H:\Program Files\Java\jre6\lib\deploy\jqs\ff" [19:40 22/12/2008]

"{20a82645-c095-46ed-80e3-08825760534b}"="h:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [13:34 26/03/2009]

-=E.O.F=-


Well, that took care of quite some stuff! How are things running now?

Can you please launch MBAM, update to the latest definitions and run a quick scan? Please post me the log afterwards.

You can re-enable all active protection, it only had to be disabled because some applications detect Combofix's components as bad and block it.


Elise,

Thank you very much! Below is the log of the scan, and even to my untutored eyes this looks good. I am going to make a donation, by the way.

DougAAAAA

Malwarebytes' Anti-Malware 1.44

Database version: 3792

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

2/25/2010 11:15:58 AM

mbam-log-2010-02-25 (11-15-58).txt

Scan type: Quick Scan

Objects scanned: 135512

Time elapsed: 8 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hello ,

even to my untutored eyes this looks good.
Indeed, things are looking quite good :)

I have one question, I see in your DDS log your High Definition Audio bus driver is disabled. Is your audio working fine or do you use an alternative audio source?

UPDATE JAVA

------------------

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.

-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.

-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


      In your next reply, please include the following:
      • ESET online scan results


Hello,

First, according to the forum "I'm infected what do I do now" suggestions, I used "Defogger" and disabled the CD-ROM emulator. Should I re-enable?

Second, I updated the Java, as you suggested. That all went fine.

Third, I am not sure why I should do the ESET Online Scanner. I looked at reviews of it, and it got mixed reviews, and someone indicated it is expensive.

Thanks.

DougAAAAA


Hello again :), the ESET online scanner is absolutely free (I think you confused it with the ESET antivirus product). It installs a small ActiveX component on your system and scans your computer. Afterwards it deletes any detected threats.

Like all tools we use/recommend here, this one is absolutely free. I would like you to run it because until now we have only run antispyware scanners (like MBAM). I always ask for one antivirus scan as well; one never knows what might have escaped, better safe than sorry :)

However, if you do not feel comfortable using it, just let me know!

As for Defogger, if any emulators were disabled, you can enable them safely now.


Hello yet again. I ran the ESET Online Scanner, and the log is as follows:

H:\Documents and Settings\Doug\My Documents\Downloads\ShopAtHome_Toolbar.exe Win32/Adware.SAHAgent application cleaned by deleting - quarantined

H:\Qoobox\Quarantine\H\WINDOWS\system32\config\40332276.Evt.vir a variant of Win32/Nulprot trojan cleaned by deleting - quarantined

I deleted the quarantined files (not sure if that was what I was supposed to do).

Finally, we have Comcast internet, which provided a McAfee antivirus. Now they will provide Norton Security Suite. Do you have any comment on the relative merit of this? We had the McAfee when we started having all the problems that brought us to Malwarebytes.

Thank you again. How serious are the things that ESET found?

DougAAAAA


Hello DougAAAAA,

First of all, the ESET results, one file is in Combofix quarantine, the other one was a toolbar installer (which had not actually been installed as far as I can see). In other words, leftovers ;)

Finally, we have Comcast internet, which provided a McAfee antivirus. Now they will provide Norton Security Suite. Do you have any comment on the relative merit of this? We had the McAfee when we started having all the problems that brought us to Malwarebytes.
Both McAfee and Norton are paid antivirus products, with the advantage that they also come with a firewall. As long as Comcast provides them for free, I would go with it.

Keep in mind that no single product offers 100% protection. Once you are clean, I'll give you some more information on how to make sure you stay clean :)

For now, I would like to see one last DDS log (no need for attach.txt), it has been a few days since the last log, and I want to make sure nothing important changed there.


Hello yet again, and thank you. Here is a DDS log

DDS (Ver_09-12-01.01) - NTFSx86

Run by Doug at 23:40:40.85 on Tue 03/02/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.890 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

H:\WINDOWS\System32\svchost.exe -k netsvcs

H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

H:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

H:\WINDOWS\Explorer.EXE

H:\Program Files\McAfee.com\Agent\mcagent.exe

H:\WINDOWS\system32\Rundll32.exe

H:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

H:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

H:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

H:\Program Files\Canon\MyPrinter\BJMyPrt.exe

H:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

H:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

H:\Program Files\Common Files\Java\Java Update\jusched.exe

H:\WINDOWS\system32\RunDLL32.exe

H:\Program Files\Messenger\msmsgs.exe

H:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe

H:\Documents and Settings\Doug\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Program Files\Logitech\SetPoint\SetPoint.exe

H:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

svchost.exe

H:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

H:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe

H:\WINDOWS\system32\CTsvcCDA.EXE

H:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

H:\Program Files\Java\jre6\bin\jqs.exe

H:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

h:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

H:\WINDOWS\system32\svchost.exe -k imgsvc

H:\Program Files\Viewpoint\Common\ViewpointService.exe

H:\WINDOWS\system32\MsPMSPSv.exe

H:\Program Files\Canon\CAL\CALMAIN.exe

H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

H:\Program Files\McAfee\MPF\MPFSrv.exe

H:\Program Files\Mozilla Firefox\firefox.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE

H:\Program Files\Internet Explorer\iexplore.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Documents and Settings\Doug\Desktop\Defogger.exe

H:\Documents and Settings\Doug\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: AutorunsDisabled - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - h:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - h:\program files\comcasttb\comcastdx.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - h:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - h:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - h:\program files\comcasttb\comcastdx.dll

TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File

uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background

uRun: [ComcastAntispyClient] "h:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide

uRun: [sansaDispatch] h:\documents and settings\doug\application data\sandisk\sansa updater\SansaDispatch.exe

uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe

mRun: [REGSHAVE] h:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [mcagent_exe] "h:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [CTSysVol] h:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [sSBkgdUpdate] "h:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "h:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [WrtMon.exe] h:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [CanonSolutionMenu] h:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] h:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [ArcSoft Connection Service] h:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "h:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "h:\program files\common files\java\java update\jusched.exe"

mRun: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513

StartupFolder: h:\docume~1\doug\startm~1\programs\startup\onenot~1.lnk - h:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - h:\program files\logitech\setpoint\SetPoint.exe

IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - h:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1267388196734

DPF: {67DDCD98-1120-47C3-B47E-A4E6820A571F} - hxxp://www.pbworldnet.com/components/intranet.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238020536250

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - h:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - h:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - h:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\doug\applic~1\mozilla\firefox\profiles\wasbwg57.default\

FF - prefs.js: browser.search.selectedEngine - Comcast Search

FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyeBay&gbh=1&&_trksid=m37&guest=1

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=hTV9Ev5FXTm3vXOKIXfYew&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

FF - component: h:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: h:\documents and settings\doug\application data\mozilla\plugins\npPxPlay.dll

FF - plugin: h:\program files\canon\zoombrowser ex\program\NPCIG.dll

FF - plugin: h:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: h:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: h:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: h:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: h:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: h:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: h:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

h:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;h:\windows\system32\drivers\mfehidk.sys [2008-1-30 214664]

R2 AntiSpywareService;Comcast AntiSpyware;h:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]

R2 MBAMService;MBAMService;h:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-25 236368]

R2 McProxy;McAfee Proxy Service;h:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-30 359952]

R2 McShield;McAfee Real-time Scanner;h:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-30 144704]

R2 Viewpoint Manager Service;Viewpoint Manager Service;h:\program files\viewpoint\common\ViewpointService.exe [2008-2-24 24652]

R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [2010-1-25 19160]

R3 McSysmon;McAfee SystemGuards;h:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-30 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;h:\windows\system32\drivers\mfeavfk.sys [2008-1-30 79816]

R3 mfebopk;McAfee Inc. mfebopk;h:\windows\system32\drivers\mfebopk.sys [2008-1-30 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;h:\windows\system32\drivers\mfesmfk.sys [2008-1-30 40552]

S2 gupdate;Google Update Service (gupdate);h:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]

S3 mferkdk;McAfee Inc. mferkdk;h:\windows\system32\drivers\mferkdk.sys [2008-1-30 34248]

S3 V0060VID;Creative WebCam Live! Ultra;h:\windows\system32\drivers\V0060Vid.sys [2010-2-28 196409]

=============== Created Last 30 ================

2010-03-03 04:40:25 0 ----a-w- h:\documents and settings\doug\defogger_reenable

2010-02-28 23:12:00 0 d-----w- h:\program files\ESET

2010-02-28 05:00:59 86016 ----a-w- h:\windows\CtDrvIns.exe

2010-02-28 02:05:20 56 ---ha-w- h:\windows\system32\ezsidmv.dat

2010-02-28 02:03:51 0 d-----r- h:\program files\Skype

2010-02-27 02:03:31 73728 ----a-w- h:\windows\system32\javacpl.cpl

2010-02-25 02:46:57 0 d-sha-r- H:\cmdcons

2010-02-25 02:45:55 98816 ----a-w- h:\windows\sed.exe

2010-02-25 02:45:55 77312 ----a-w- h:\windows\MBR.exe

2010-02-25 02:45:55 261632 ----a-w- h:\windows\PEV.exe

2010-02-25 02:45:55 161792 ----a-w- h:\windows\SWREG.exe

2010-02-22 03:37:27 0 d-----w- h:\program files\Trend Micro

==================== Find3M ====================

2010-02-27 02:03:11 411368 ----a-w- h:\windows\system32\deploytk.dll

2010-01-31 05:15:01 56816 ----a-w- h:\windows\system32\drivers\avgntflt.sys

2010-01-07 21:07:14 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07:04 19160 ----a-w- h:\windows\system32\drivers\mbam.sys

2009-12-22 05:21:05 667136 ------w- h:\windows\system32\wininet.dll

2009-12-22 05:20:58 81920 ----a-w- h:\windows\system32\ieencode.dll

2009-12-16 18:43:27 343040 ----a-w- h:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- h:\windows\system32\csrsrv.dll

2009-12-08 19:26:15 2145280 ------w- h:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:51 2023936 ------w- h:\windows\system32\ntkrnlpa.exe

============= FINISH: 23:41:43.78 ===============

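The DDS logs and the ComboFix "ORPHANS REMOVED" section in this thread are read by hand, and the entries that mattered (a Run value pointing at a DLL dropped straight into the Windows directory, an autostart living under the user's Application Data, a Run value whose target no longer exists) are the kind of thing a first-pass triage script can surface. The following is an added example, not a tool from this thread or from Malwarebytes, DDS or ComboFix: a small Python parser for lines in the shapes those tools print, with location heuristics that are my own assumptions rather than any rule those tools apply. The sample lines are constructed from entries in the logs above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the line shapes DDS ("uRun:/mRun:", "R2 name;display;path [meta]")
# and ComboFix ("HKLM-Run-Name - path") print; the entries mirror the logs in this thread.
SAMPLE_LOG = r"""
uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background
uRun: [sansaDispatch] h:\documents and settings\doug\application data\sandisk\sansa updater\SansaDispatch.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [mcagent_exe] "h:\program files\mcafee.com\agent\mcagent.exe" /runkey
HKLM-Run-Kputiyojoqoziyi - h:\windows\enoxofip.dll
HKCU-Run-Aim6 - (no file)
R2 MBAMService;MBAMService;h:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-25 236368]
S3 V0060VID;Creative WebCam Live! Ultra;h:\windows\system32\drivers\V0060Vid.sys [2010-2-28 196409]
"""

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
ORPHAN_RE = re.compile(r"^HK(?:LM|CU)-Run-(?P<name>\S+) - (?P<cmd>.+)$")
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<cmd>.+?) \[[^\]]+\]$")
# First drive-letter path ending in an executable-style extension, quoted or not.
PATH_RE = re.compile(r'[a-z]:\\[^"\[]*?\.(?:exe|dll|sys|scr|cpl|bat|cmd)\b', re.IGNORECASE)

# Heuristic location checks: assumptions for this example, not DDS or ComboFix logic.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\users\\")
WINDOWS_ROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (entry name, command or path) for an autostart/service line, else None."""
    for rx in (RUN_RE, ORPHAN_RE, SVC_RE):
        m = rx.match(line.strip())
        if m:
            return m.group("name"), m.group("cmd")
    return None


def image_path(cmd: str) -> Optional[str]:
    """Pull the first absolute image path out of a command line, lowercased, args dropped."""
    m = PATH_RE.search(cmd)
    return m.group(0).lower() if m else None


def reasons_for(cmd: str) -> List[str]:
    """Defender-side checks: where does the autostart point, and does its target exist?"""
    reasons: List[str] = []
    if cmd.strip().lower() == "(no file)":
        reasons.append("orphaned: registry entry points to a missing file")
        return reasons
    path = image_path(cmd)
    if path is None:
        if cmd.lower().startswith("rundll32"):
            reasons.append("rundll32 loads a DLL by relative name (resolved via search path)")
        return reasons
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable profile directory")
    if WINDOWS_ROOT_DLL.match(path):
        reasons.append("DLL sits directly in the Windows root rather than system32")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged entry name to its reasons; entries with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        name, cmd = parsed
        reasons = reasons_for(cmd)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample above the script flags exactly the four entries a helper would look at twice (the Application Data autostart, the rundll32 entry with a relative DLL name, the DLL in the Windows root, and the orphaned Run value) and stays quiet on the McAfee, Messenger and Malwarebytes entries. A flag is a prompt to look, not a verdict: the SansaDispatch entry was benign in this thread, and the heuristics say nothing about entries that hide in expected locations.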

Hello again,

That's looking awesome! Unless you have any problems left, your computer gets a clean bill of health :)

One small note, I see you are still using Internet Explorer 6. I recommend you to upgrade to Internet Explorer 8 (Microsoft rates the update as High Priority). Even if you use Firefox as main browser, it's still a good idea to keep Internet Explorer up to date as well. It is still required for some sites (including MS update) and keeping it at IE6 leaves you with certain vulnerabilities that might be exploited when browsing the internet using IE6.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and Defogger (after any CD emulation software is re-enabled).

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :D.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
