Jump to content

Rootkit asc3550p resistant to Anti-Malware


DougAAAAA
 Share

Recommended Posts

Hello,

As noted, a rootkit remains after all else has been cleared up. Some other strange behavior. McAfee was on the system before the Malwarebytes, and it picks up a "Buffer Overflow Blocked". Have had a couple of reboots.

As per the instructions, here is the dds.txt

DDS (Ver_09-12-01.01) - NTFSx86

Run by Doug at 23:43:59.68 on Mon 02/22/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1335 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

H:\WINDOWS\System32\svchost.exe -k netsvcs

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

svchost.exe

H:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

H:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe

H:\WINDOWS\system32\CTsvcCDA.EXE

H:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

H:\Program Files\Java\jre6\bin\jqs.exe

H:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

h:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\system32\svchost.exe -k imgsvc

H:\Program Files\Viewpoint\Common\ViewpointService.exe

H:\WINDOWS\system32\MsPMSPSv.exe

H:\Program Files\McAfee.com\Agent\mcagent.exe

H:\WINDOWS\system32\Rundll32.exe

H:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

H:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

H:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

H:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

H:\Program Files\Canon\CAL\CALMAIN.exe

H:\Program Files\Canon\MyPrinter\BJMyPrt.exe

H:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

H:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

H:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

H:\Program Files\Messenger\msmsgs.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe

H:\Documents and Settings\Doug\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

H:\Program Files\Logitech\SetPoint\SetPoint.exe

H:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

H:\Program Files\McAfee\MPF\MPFSrv.exe

H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

H:\Documents and Settings\Doug\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Bar =

BHO: AutorunsDisabled - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - h:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre6\bin\ssv.dll

BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - h:\program files\comcasttb\comcastdx.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - h:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - h:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - h:\program files\comcasttb\comcastdx.dll

TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File

uRun: [<NO NAME>]

uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe

uRun: [Aim6]

uRun: [ComcastAntispyClient] "h:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide

uRun: [sansaDispatch] h:\documents and settings\doug\application data\sandisk\sansa updater\SansaDispatch.exe

mRun: [REGSHAVE] h:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [mcagent_exe] "h:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [CTSysVol] h:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [sSBkgdUpdate] "h:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "h:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [WrtMon.exe] h:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [CanonSolutionMenu] h:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] h:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [ArcSoft Connection Service] h:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime

mRun: [Kputiyojoqoziyi] rundll32.exe "h:\windows\enoxofip.dll",Startup

mRun: [Malwarebytes' Anti-Malware] "h:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: h:\docume~1\doug\startm~1\programs\startup\onenot~1.lnk - h:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - h:\program files\logitech\setpoint\SetPoint.exe

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - h:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {67DDCD98-1120-47C3-B47E-A4E6820A571F} - hxxp://www.pbworldnet.com/components/intranet.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238020536250

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - h:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - h:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - h:\program files\microsoft office\office12\GrooveShellExtensions.dll

mASetup: ccc-core-static - msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\doug\applic~1\mozilla\firefox\profiles\wasbwg57.default\

FF - prefs.js: browser.search.selectedEngine - Comcast Search

FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyeBay&gbh=1&&_trksid=m37&guest=1

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=hTV9Ev5FXTm3vXOKIXfYew&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

FF - plugin: h:\documents and settings\doug\application data\mozilla\plugins\npPxPlay.dll

FF - plugin: h:\program files\canon\zoombrowser ex\program\NPCIG.dll

FF - plugin: h:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: h:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: h:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: h:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: h:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: h:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: h:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: XULRunner: {682F6FCB-8949-4E6E-B38B-2D412875716A} - h:\documents and settings\doug\local settings\application data\{682F6FCB-8949-4E6E-B38B-2D412875716A}

FF - HiddenExtension: XUL Cache: {F13EE702-7E49-4958-989C-E5021544F27B} - h:\documents and settings\sue\local settings\application data\{F13EE702-7E49-4958-989C-E5021544F27B}

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {8D4C9ACA-156C-46E3-BF54-C1EC598090BF} - h:\documents and settings\honored guest\local settings\application data\{8d4c9aca-156c-46e3-bf54-c1ec598090bf}\

FF - HiddenExtension: XUL Cache: No Registry Reference - h:\program files\mozilla firefox\extensions\{6A258E45-C142-4CC5-B5D4-28A981A3683A}

FF - HiddenExtension: XUL Cache: No Registry Reference - h:\program files\mozilla firefox\extensions\{8D91A52A-5AA7-433B-9347-A96B990E02A9}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

h:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;h:\windows\system32\drivers\mfehidk.sys [2008-1-30 214664]

R2 AntiSpywareService;Comcast AntiSpyware;h:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]

R2 MBAMService;MBAMService;h:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-25 236368]

R2 McProxy;McAfee Proxy Service;h:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-30 359952]

R2 McShield;McAfee Real-time Scanner;h:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-30 144704]

R2 Viewpoint Manager Service;Viewpoint Manager Service;h:\program files\viewpoint\common\ViewpointService.exe [2008-2-24 24652]

R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [2010-1-25 19160]

R3 McSysmon;McAfee SystemGuards;h:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-30 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;h:\windows\system32\drivers\mfeavfk.sys [2008-1-30 79816]

R3 mfebopk;McAfee Inc. mfebopk;h:\windows\system32\drivers\mfebopk.sys [2008-1-30 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;h:\windows\system32\drivers\mfesmfk.sys [2008-1-30 40552]

S2 gupdate;Google Update Service (gupdate);h:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]

S3 mferkdk;McAfee Inc. mferkdk;h:\windows\system32\drivers\mferkdk.sys [2008-1-30 34248]

=============== Created Last 30 ================

2010-02-23 04:43:04 0 ----a-w- h:\documents and settings\doug\defogger_reenable

2010-02-22 03:37:27 0 d-----w- h:\program files\Trend Micro

2010-01-30 03:48:44 56816 ----a-w- h:\windows\system32\drivers\avgntflt.sys

2010-01-26 00:02:15 0 d-----w- h:\docume~1\doug\applic~1\Malwarebytes

2010-01-26 00:02:09 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys

2010-01-26 00:02:08 19160 ----a-w- h:\windows\system32\drivers\mbam.sys

2010-01-26 00:02:08 0 d-----w- h:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-26 00:02:07 0 d-----w- h:\program files\Malwarebytes' Anti-Malware

2010-01-25 12:09:28 0 ----a-w- h:\windows\Qpeduworu.bin

2010-01-25 12:09:27 120 ----a-w- h:\windows\Kditodovuje.dat

2010-01-25 09:41:43 0 ----a-w- h:\windows\system32\23281.exe

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- h:\windows\system32\drivers\srv.sys

2009-12-22 05:21:05 667136 ----a-w- h:\windows\system32\wininet.dll

2009-12-22 05:20:58 81920 ----a-w- h:\windows\system32\ieencode.dll

2009-12-16 18:43:27 343040 ----a-w- h:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- h:\windows\system32\csrsrv.dll

2009-12-08 19:26:15 2145280 ----a-w- h:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:51 2023936 ----a-w- h:\windows\system32\ntkrnlpa.exe

2009-11-27 17:11:44 17920 ----a-w- h:\windows\system32\msyuv.dll

2009-11-27 17:11:44 1291776 ----a-w- h:\windows\system32\quartz.dll

2009-11-27 16:07:35 8704 ----a-w- h:\windows\system32\tsbyuv.dll

2009-11-27 16:07:35 28672 ----a-w- h:\windows\system32\msvidc32.dll

2009-11-27 16:07:34 84992 ----a-w- h:\windows\system32\avifil32.dll

2009-11-27 16:07:34 48128 ----a-w- h:\windows\system32\iyuv_32.dll

2009-11-27 16:07:34 11264 ----a-w- h:\windows\system32\msrle32.dll

============= FINISH: 23:44:56.50 ===============

Thank you in advance for any help!

DougAAAAA

mbam_log_2010_02_22__13_14_35_.txt

Attach_2_22_10.zip

Link to post
Share on other sites

Hello , and welcome to Malwarebytes forums!

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please read and follow all these instructions very carefully.

  1. Please download GooredFix and save it to your Desktop.
  2. Double-click GooredFix.exe to run it.
  3. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

In your next reply, please include the following:

  • Combofix.txt
  • Goored log

Link to post
Share on other sites

As requested, here are Combofix.txt and Goored.txt.

By the way, I disabled McAfee AND Malwarebytes Anti-Malware. Should they stay disabled until there's a reply.

Thank you. DougAAAAA

ComboFix 10-02-24.01 - Doug 02/24/2010 21:50:11.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1402 [GMT -5:00]

Running from: h:\documents and settings\Doug\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

h:\documents and settings\Doug\Local Settings\Application Data\{682F6FCB-8949-4E6E-B38B-2D412875716A}

h:\documents and settings\Doug\Local Settings\Application Data\{682F6FCB-8949-4E6E-B38B-2D412875716A}\chrome.manifest

h:\documents and settings\Doug\Local Settings\Application Data\{682F6FCB-8949-4E6E-B38B-2D412875716A}\chrome\content\_cfg.js

h:\documents and settings\Doug\Local Settings\Application Data\{682F6FCB-8949-4E6E-B38B-2D412875716A}\chrome\content\overlay.xul

h:\documents and settings\Doug\Local Settings\Application Data\{682F6FCB-8949-4E6E-B38B-2D412875716A}\install.rdf

h:\documents and settings\Honored Guest\Local Settings\Application Data\{8D4C9ACA-156C-46E3-BF54-C1EC598090BF}

h:\documents and settings\Honored Guest\Local Settings\Application Data\{8D4C9ACA-156C-46E3-BF54-C1EC598090BF}\chrome.manifest

h:\documents and settings\Honored Guest\Local Settings\Application Data\{8D4C9ACA-156C-46E3-BF54-C1EC598090BF}\chrome\content\_cfg.js

h:\documents and settings\Honored Guest\Local Settings\Application Data\{8D4C9ACA-156C-46E3-BF54-C1EC598090BF}\chrome\content\overlay.xul

h:\documents and settings\Honored Guest\Local Settings\Application Data\{8D4C9ACA-156C-46E3-BF54-C1EC598090BF}\install.rdf

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}\chrome.manifest

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}\chrome\content\_cfg.js

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}\chrome\content\c.js

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}\chrome\content\overlay.xul

h:\documents and settings\Sue\Local Settings\Application Data\{F13EE702-7E49-4958-989C-E5021544F27B}\install.rdf

h:\program files\Mozilla Firefox\extensions\{6A258E45-C142-4CC5-B5D4-28A981A3683A}

h:\program files\Mozilla Firefox\extensions\{6A258E45-C142-4CC5-B5D4-28A981A3683A}\chrome.manifest

h:\program files\Mozilla Firefox\extensions\{6A258E45-C142-4CC5-B5D4-28A981A3683A}\chrome\content\overlay.xul

h:\program files\Mozilla Firefox\extensions\{6A258E45-C142-4CC5-B5D4-28A981A3683A}\install.rdf

h:\program files\Mozilla Firefox\extensions\{8D91A52A-5AA7-433B-9347-A96B990E02A9}

h:\program files\Mozilla Firefox\extensions\{8D91A52A-5AA7-433B-9347-A96B990E02A9}\chrome.manifest

h:\program files\Mozilla Firefox\extensions\{8D91A52A-5AA7-433B-9347-A96B990E02A9}\chrome\content\overlay.xul

h:\program files\Mozilla Firefox\extensions\{8D91A52A-5AA7-433B-9347-A96B990E02A9}\install.rdf

h:\windows\COUPON~1.OCX

h:\windows\CouponPrinter.ocx

h:\windows\run.log

h:\windows\system32\23281.exe

h:\windows\system32\AutoRun.inf

h:\windows\system32\config\40332276.Evt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ASC3550P

-------\Service_asc3550p

((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))

.

2010-02-22 03:37 . 2010-02-22 03:37 -------- d-----w- h:\program files\Trend Micro

2010-02-18 01:38 . 2010-02-18 01:38 -------- d-----w- h:\documents and settings\Doug\Application Data\Apple Computer

2010-01-30 03:48 . 2010-01-31 05:15 56816 ----a-w- h:\windows\system32\drivers\avgntflt.sys

2010-01-27 00:13 . 2010-01-27 00:13 -------- d-----w- h:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2010-01-26 03:15 . 2010-01-26 03:15 -------- d-----w- h:\documents and settings\Sue\Application Data\CallingID

2010-01-26 03:15 . 2010-01-26 03:15 -------- d-----w- h:\documents and settings\Sue\Application Data\comcasttb

2010-01-26 03:15 . 2010-01-26 03:15 -------- d-----w- h:\documents and settings\Sue\Local Settings\Application Data\ArcSoft

2010-01-26 03:15 . 2010-01-26 03:15 -------- d-----w- h:\documents and settings\Sue\Application Data\ArcSoft

2010-01-26 03:11 . 2010-01-26 03:11 -------- d-----w- h:\documents and settings\Honored Guest\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-24 21:54 . 2009-01-01 17:00 -------- d-----w- h:\documents and settings\All Users\Application Data\Google Updater

2010-02-24 21:22 . 2009-05-30 01:35 -------- d-----w- h:\documents and settings\All Users\Application Data\CanonIJPLM

2010-02-22 04:05 . 2010-01-26 00:02 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware

2010-02-22 03:04 . 2009-12-26 22:14 -------- d-----w- h:\documents and settings\Doug\Application Data\ZoomBrowser EX

2010-02-18 02:45 . 2009-12-26 22:06 -------- d-----w- h:\documents and settings\Doug\Application Data\CameraWindowDC

2010-02-18 01:52 . 2008-11-20 01:59 -------- d-----w- h:\documents and settings\Doug\Application Data\ArcSoft

2010-02-17 20:18 . 2008-01-31 03:59 -------- d-----w- h:\program files\McAfee

2010-02-13 19:26 . 2009-12-31 23:47 -------- d-----w- h:\documents and settings\Doug\Application Data\comcasttb

2010-02-13 19:26 . 2009-12-31 23:48 -------- d-----w- h:\documents and settings\Doug\Application Data\CallingID

2010-02-04 04:07 . 2009-01-01 17:00 -------- d-----w- h:\program files\Google

2010-01-30 23:19 . 2010-01-01 21:00 -------- d-----w- h:\program files\QuickTime

2010-01-29 06:00 . 2010-01-25 12:09 0 ----a-w- h:\windows\Qpeduworu.bin

2010-01-26 03:15 . 2008-01-24 20:19 78224 ----a-w- h:\documents and settings\Sue\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-26 03:12 . 2010-01-03 05:42 -------- d-----w- h:\documents and settings\Honored Guest\Application Data\comcasttb

2010-01-26 03:00 . 2010-01-25 12:09 120 ----a-w- h:\windows\Kditodovuje.dat

2010-01-26 00:02 . 2010-01-26 00:02 -------- d-----w- h:\documents and settings\Doug\Application Data\Malwarebytes

2010-01-26 00:02 . 2010-01-26 00:02 -------- d-----w- h:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-18 20:59 . 2010-01-18 20:59 354744 ----a-w- h:\documents and settings\Doug\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe

2010-01-18 20:59 . 2010-01-18 20:59 79872 ----a-w- h:\documents and settings\Doug\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

2010-01-18 20:59 . 2010-01-18 20:59 574344 ----a-w- h:\documents and settings\Doug\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe

2010-01-18 20:58 . 2008-11-30 23:56 -------- d-----w- h:\documents and settings\Doug\Application Data\SanDisk

2010-01-07 21:07 . 2010-01-26 00:02 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07 . 2010-01-26 00:02 19160 ----a-w- h:\windows\system32\drivers\mbam.sys

2010-01-02 18:01 . 2010-01-02 18:01 -------- d-----w- h:\documents and settings\Honored Guest\Application Data\ArcSoft

2010-01-01 21:01 . 2008-01-24 20:06 -------- d--h--w- h:\program files\InstallShield Installation Information

2010-01-01 21:00 . 2010-01-01 20:51 -------- d-----w- h:\documents and settings\All Users\Application Data\ArcSoft

2010-01-01 21:00 . 2010-01-01 21:00 -------- d-----w- h:\documents and settings\All Users\Application Data\Apple Computer

2010-01-01 20:59 . 2010-01-01 20:59 -------- d-----w- h:\program files\Common Files\Apple

2010-01-01 20:59 . 2010-01-01 20:59 -------- d-----w- h:\program files\Apple Software Update

2010-01-01 20:59 . 2010-01-01 20:59 -------- d-----w- h:\documents and settings\All Users\Application Data\Apple

2010-01-01 20:51 . 2010-01-01 20:50 -------- d-----w- h:\program files\Common Files\ArcSoft

2010-01-01 20:50 . 2010-01-01 20:50 -------- d-----w- h:\program files\Kodak

2009-12-31 23:48 . 2009-12-31 23:47 -------- d-----w- h:\program files\comcasttb

2009-12-31 23:48 . 2009-03-25 22:24 -------- d-----w- h:\program files\Common Files\Scanner

2009-12-31 16:50 . 2008-01-18 21:48 353792 ----a-w- h:\windows\system32\drivers\srv.sys

2009-12-22 05:21 . 2008-01-18 22:13 667136 ----a-w- h:\windows\system32\wininet.dll

2009-12-22 05:20 . 2008-01-18 19:57 81920 ----a-w- h:\windows\system32\ieencode.dll

2009-12-16 18:43 . 2008-01-20 17:18 343040 ----a-w- h:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2008-01-18 18:19 33280 ----a-w- h:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2008-01-18 20:59 2145280 ----a-w- h:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- h:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2008-01-18 20:29 455424 ----a-w- h:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2008-01-18 21:20 1291776 ----a-w- h:\windows\system32\quartz.dll

2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- h:\windows\system32\msyuv.dll

2009-11-27 16:07 . 2008-01-18 20:47 28672 ----a-w- h:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- h:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2008-01-18 20:45 11264 ----a-w- h:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2008-01-18 18:04 84992 ----a-w- h:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- h:\windows\system32\iyuv_32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="h:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ComcastAntispyClient"="h:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]

"SansaDispatch"="h:\documents and settings\Doug\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-01-18 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"REGSHAVE"="h:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"mcagent_exe"="h:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"P17Helper"="P17.dll" [2004-06-10 60928]

"CTSysVol"="h:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]

"SSBkgdUpdate"="h:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"OpwareSE4"="h:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]

"WrtMon.exe"="h:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

"CanonSolutionMenu"="h:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]

"CanonMyPrinter"="h:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]

"ArcSoft Connection Service"="h:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]

"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"Malwarebytes' Anti-Malware"="h:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

h:\documents and settings\Honored Guest\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - h:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

h:\documents and settings\Sue\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - h:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

h:\documents and settings\Doug\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - h:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

h:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - h:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-23 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 06:42 72208 ----a-w- h:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-12 03:16 39792 ----a-w- h:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2007-08-24 12:00 33648 ----a-w- h:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2006-11-10 17:35 90112 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-12-22 19:40 136600 ----a-w- h:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 05:00 90112 ------w- h:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"h:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"h:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"h:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"h:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"h:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"h:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 AntiSpywareService;Comcast AntiSpyware;h:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 12:49 PM 616408]

R2 MBAMService;MBAMService;h:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/25/2010 7:02 PM 236368]

R2 Viewpoint Manager Service;Viewpoint Manager Service;h:\program files\Viewpoint\Common\ViewpointService.exe [2/24/2008 1:26 AM 24652]

R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [1/25/2010 7:02 PM 19160]

S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 10:00 PM 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-01-27 h:\windows\Tasks\AppleSoftwareUpdate.job

- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-25 h:\windows\Tasks\Google Software Updater.job

- h:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-01 03:20]

2010-02-25 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- h:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:00]

2010-02-24 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- h:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:00]

2010-02-24 h:\windows\Tasks\Malwarebytes' Scheduled Scan for Doug.job

- h:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-26 21:07]

2010-02-24 h:\windows\Tasks\Malwarebytes' Scheduled Update for Doug.job

- h:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-26 21:07]

2010-01-15 h:\windows\Tasks\McDefragTask.job

- h:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-31 16:22]

2010-02-01 h:\windows\Tasks\McQcTask.job

- h:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-31 16:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {67DDCD98-1120-47C3-B47E-A4E6820A571F} - hxxp://www.pbworldnet.com/components/intranet.CAB

FF - ProfilePath - h:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\wasbwg57.default\

FF - prefs.js: browser.search.selectedEngine - Comcast Search

FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyeBay&gbh=1&&_trksid=m37&guest=1

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=hTV9Ev5FXTm3vXOKIXfYew&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

FF - plugin: h:\documents and settings\Doug\Application Data\Mozilla\plugins\npPxPlay.dll

FF - plugin: h:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll

FF - plugin: h:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: h:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: h:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: h:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: h:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: h:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: h:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

HKLM-Run-Kputiyojoqoziyi - h:\windows\enoxofip.dll

ActiveSetup-ccc-core-static - msiexec

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-24 21:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SansaDispatch = h:\documents and settings\Doug\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)

h:\windows\system32\Ati2evxx.dll

h:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

h:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3444)

h:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll

h:\program files\Logitech\SetPoint\lgscroll.dll

h:\windows\system32\WPDShServiceObj.dll

h:\windows\system32\PortableDeviceTypes.dll

h:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

h:\windows\system32\Ati2evxx.exe

h:\windows\system32\Ati2evxx.exe

h:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

h:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

h:\windows\system32\CTsvcCDA.EXE

h:\program files\Canon\IJPLM\IJPLMSVC.EXE

h:\program files\Java\jre6\bin\jqs.exe

h:\progra~1\McAfee\MSC\mcmscsvc.exe

h:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

h:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

h:\progra~1\McAfee\VIRUSS~1\mcshield.exe

h:\windows\system32\MsPMSPSv.exe

h:\program files\ATI Technologies\ATI.ACE\Core-Static\mom.exe

h:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

h:\program files\Canon\CAL\CALMAIN.exe

h:\progra~1\mcafee.com\agent\mcagent.exe

h:\windows\system32\wscntfy.exe

h:\windows\system32\Rundll32.exe

h:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe

h:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

h:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

h:\program files\McAfee\MPF\MPFSrv.exe

.

**************************************************************************

.

Completion time: 2010-02-24 22:05:27 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-25 03:05

Pre-Run: 114,845,949,952 bytes free

Post-Run: 117,725,347,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5C3BCD4CF072A62927F3DC3D1B4DC1E0

GooredFix by jpshortstuff (08.01.10.1)

Log created at 22:09 on 24/02/2010 (Doug)

Firefox version 3.5.8 (en-US)

========== GooredScan ==========

========== GooredLog ==========

H:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [06:19 26/01/2008]

{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} [19:39 03/06/2008]

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [21:38 19/07/2008]

{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [19:40 22/12/2008]

H:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\wasbwg57.default\extensions\

{0538E3E3-7E9B-4d49-8831-A227C80A7AD3} [05:24 18/12/2009]

{20a82645-c095-46ed-80e3-08825760534b} [21:14 30/09/2009]

{4E77EDAD-9566-4089-88D1-C81498CEE770} [23:48 31/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"jqs@sun.com"="H:\Program Files\Java\jre6\lib\deploy\jqs\ff" [19:40 22/12/2008]

"{20a82645-c095-46ed-80e3-08825760534b}"="h:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [13:34 26/03/2009]

-=E.O.F=-

Link to post
Share on other sites

Well, that took care of quite some stuff! How are things running now?

Can you please launch MBAM, update to the latest definitions and run a quick scan? Please post me the log afterwards.

You can re-enable all active protection, it only had to be disabled because some applications detect Combofix's components as bad and block it.

Link to post
Share on other sites

Elise,

Thank you very much! Below is the log of the scan, and even to my untutored eyes this looks good. I am going to make a donation, by the way.

DougAAAAA

Malwarebytes' Anti-Malware 1.44

Database version: 3792

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

2/25/2010 11:15:58 AM

mbam-log-2010-02-25 (11-15-58).txt

Scan type: Quick Scan

Objects scanned: 135512

Time elapsed: 8 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Hello ,

even to my untutored eyes this looks good.
Indeed, things are looking quite good :)

I have one question, I see in your DDS log your High Definition Audio bus driver is disabled. Is your audio working fine or do you use an alternative audio source?

UPDATE JAVA

------------------

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.

-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.

-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


      In your next reply, please include the following:
      • ESET online scan results

Link to post
Share on other sites

Hello,

First, according to the forum "I'm infected what do I do now" suggestions, I used "Defogger" and disabled the CD-ROM emulator. Should I re-enable?

Second, I updated the Java, as you suggested. That all went fine.

Third, I am not sure why I should do the ESET Online Scanner. I looked at reviews of it, and it got mixed reviews, and someone indicated it is expensive.

Thanks.

DougAAAAA

Link to post
Share on other sites

Hello again :), the ESET online scanner is absolutely free (I think you confused it with ESET antivirus product). It installs a small ActiveX component on your system and scans your compter. Afterwards it deletes any detected threads.

As all tools we use/recommend here, this one is absolutely free. I would like you to run it because until now, we only have run antispyware scanners (like MBAM), I always ask for one antivirus scan as well, one never knows what might have escaped, better safe than sorry :)

However, if you do not feel comfortable using it, just let me know!

As for Defogger, if any emulators were disabled, you can enable them safely now.

Link to post
Share on other sites

Hello yet again. I ran the ESET Online Scanner, and the log is as follows:

H:\Documents and Settings\Doug\My Documents\Downloads\ShopAtHome_Toolbar.exe Win32/Adware.SAHAgent application cleaned by deleting - quarantined

H:\Qoobox\Quarantine\H\WINDOWS\system32\config\40332276.Evt.vir a variant of Win32/Nulprot trojan cleaned by deleting - quarantined

I deleted the quarantined files (not sure if that was what I was supposed to do).

Finally, we have Comcast internet, which provided a McAfee antivirus. Now they will provide Norton Security Suite. Do you have any comment on the relative merit of this? We had the McAfee when we started having all the problems that brought us to Malwarebytes.

Thank you again. How serious are the things that ESET found?

DougAAAAA

Link to post
Share on other sites

Hello DougAAAAA,

First of all, the ESET results, one file is in Combofix quarantine, the other one was a toolbar installer (which had not actually been installed as far as I can see). In other words, leftovers ;)

Finally, we have Comcast internet, which provided a McAfee antivirus. Now they will provide Norton Security Suite. Do you have any comment on the relative merit of this? We had the McAfee when we started having all the problems that brought us to Malwarebytes.
Both McAfee and Norton are paid antivirus products, with the advantage that they come also with a firewall. As long as Comcast provides them for free, I would go with it.

Keep in mind that no single product offers 100% protection. Once you are clean, I'll give you some more information on how to make sure you stay clean :)

For now, I would like to see one last DDS log (no need for attach.txt), it has been a few days since the last log, and I want to make sure nothing important changed there.

Link to post
Share on other sites

Hello yet again, and thank you. Here is a DDS log

DDS (Ver_09-12-01.01) - NTFSx86

Run by Doug at 23:40:40.85 on Tue 03/02/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.890 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

H:\WINDOWS\system32\Ati2evxx.exe

H:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

H:\WINDOWS\System32\svchost.exe -k netsvcs

H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

H:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe

H:\WINDOWS\system32\spoolsv.exe

H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

H:\WINDOWS\Explorer.EXE

H:\Program Files\McAfee.com\Agent\mcagent.exe

H:\WINDOWS\system32\Rundll32.exe

H:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

H:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

H:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

H:\Program Files\Canon\MyPrinter\BJMyPrt.exe

H:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

H:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

H:\Program Files\Common Files\Java\Java Update\jusched.exe

H:\WINDOWS\system32\RunDLL32.exe

H:\Program Files\Messenger\msmsgs.exe

H:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe

H:\Documents and Settings\Doug\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Program Files\Logitech\SetPoint\SetPoint.exe

H:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

svchost.exe

H:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

H:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

H:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe

H:\WINDOWS\system32\CTsvcCDA.EXE

H:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

H:\Program Files\Java\jre6\bin\jqs.exe

H:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

H:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

h:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

h:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

H:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

H:\WINDOWS\system32\svchost.exe -k imgsvc

H:\Program Files\Viewpoint\Common\ViewpointService.exe

H:\WINDOWS\system32\MsPMSPSv.exe

H:\Program Files\Canon\CAL\CALMAIN.exe

H:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

H:\Program Files\McAfee\MPF\MPFSrv.exe

H:\Program Files\Mozilla Firefox\firefox.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE

H:\Program Files\Internet Explorer\iexplore.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Documents and Settings\Doug\Desktop\Defogger.exe

H:\Documents and Settings\Doug\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: AutorunsDisabled - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - h:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - h:\program files\comcasttb\comcastdx.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - h:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - h:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - h:\program files\comcasttb\comcastdx.dll

TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File

uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background

uRun: [ComcastAntispyClient] "h:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide

uRun: [sansaDispatch] h:\documents and settings\doug\application data\sandisk\sansa updater\SansaDispatch.exe

uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe

mRun: [REGSHAVE] h:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [mcagent_exe] "h:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [CTSysVol] h:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [sSBkgdUpdate] "h:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "h:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [WrtMon.exe] h:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [CanonSolutionMenu] h:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] h:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [ArcSoft Connection Service] h:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "h:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "h:\program files\common files\java\java update\jusched.exe"

mRun: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513

StartupFolder: h:\docume~1\doug\startm~1\programs\startup\onenot~1.lnk - h:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - h:\program files\logitech\setpoint\SetPoint.exe

IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - h:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1267388196734

DPF: {67DDCD98-1120-47C3-B47E-A4E6820A571F} - hxxp://www.pbworldnet.com/components/intranet.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238020536250

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - h:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - h:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - h:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\doug\applic~1\mozilla\firefox\profiles\wasbwg57.default\

FF - prefs.js: browser.search.selectedEngine - Comcast Search

FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyeBay&gbh=1&&_trksid=m37&guest=1

FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=hTV9Ev5FXTm3vXOKIXfYew&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=

FF - component: h:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: h:\documents and settings\doug\application data\mozilla\plugins\npPxPlay.dll

FF - plugin: h:\program files\canon\zoombrowser ex\program\NPCIG.dll

FF - plugin: h:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: h:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: h:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: h:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: h:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - plugin: h:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: h:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

h:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;h:\windows\system32\drivers\mfehidk.sys [2008-1-30 214664]

R2 AntiSpywareService;Comcast AntiSpyware;h:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]

R2 MBAMService;MBAMService;h:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-25 236368]

R2 McProxy;McAfee Proxy Service;h:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-30 359952]

R2 McShield;McAfee Real-time Scanner;h:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-30 144704]

R2 Viewpoint Manager Service;Viewpoint Manager Service;h:\program files\viewpoint\common\ViewpointService.exe [2008-2-24 24652]

R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [2010-1-25 19160]

R3 McSysmon;McAfee SystemGuards;h:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-30 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;h:\windows\system32\drivers\mfeavfk.sys [2008-1-30 79816]

R3 mfebopk;McAfee Inc. mfebopk;h:\windows\system32\drivers\mfebopk.sys [2008-1-30 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;h:\windows\system32\drivers\mfesmfk.sys [2008-1-30 40552]

S2 gupdate;Google Update Service (gupdate);h:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]

S3 mferkdk;McAfee Inc. mferkdk;h:\windows\system32\drivers\mferkdk.sys [2008-1-30 34248]

S3 V0060VID;Creative WebCam Live! Ultra;h:\windows\system32\drivers\V0060Vid.sys [2010-2-28 196409]

=============== Created Last 30 ================

2010-03-03 04:40:25 0 ----a-w- h:\documents and settings\doug\defogger_reenable

2010-02-28 23:12:00 0 d-----w- h:\program files\ESET

2010-02-28 05:00:59 86016 ----a-w- h:\windows\CtDrvIns.exe

2010-02-28 02:05:20 56 ---ha-w- h:\windows\system32\ezsidmv.dat

2010-02-28 02:03:51 0 d-----r- h:\program files\Skype

2010-02-27 02:03:31 73728 ----a-w- h:\windows\system32\javacpl.cpl

2010-02-25 02:46:57 0 d-sha-r- H:\cmdcons

2010-02-25 02:45:55 98816 ----a-w- h:\windows\sed.exe

2010-02-25 02:45:55 77312 ----a-w- h:\windows\MBR.exe

2010-02-25 02:45:55 261632 ----a-w- h:\windows\PEV.exe

2010-02-25 02:45:55 161792 ----a-w- h:\windows\SWREG.exe

2010-02-22 03:37:27 0 d-----w- h:\program files\Trend Micro

==================== Find3M ====================

2010-02-27 02:03:11 411368 ----a-w- h:\windows\system32\deploytk.dll

2010-01-31 05:15:01 56816 ----a-w- h:\windows\system32\drivers\avgntflt.sys

2010-01-07 21:07:14 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07:04 19160 ----a-w- h:\windows\system32\drivers\mbam.sys

2009-12-22 05:21:05 667136 ------w- h:\windows\system32\wininet.dll

2009-12-22 05:20:58 81920 ----a-w- h:\windows\system32\ieencode.dll

2009-12-16 18:43:27 343040 ----a-w- h:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- h:\windows\system32\csrsrv.dll

2009-12-08 19:26:15 2145280 ------w- h:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:51 2023936 ------w- h:\windows\system32\ntkrnlpa.exe

============= FINISH: 23:41:43.78 ===============

Link to post
Share on other sites

Hello again,

Thats looking awesome! Unless you have any problems left, your computer gets a clean bill of health :)

One small note, I see you are still using Internet Explorer 6. I recommend you to upgrade to Internet explorer 8 (Microsoft rates the update as High Priority). Even if you use Firefox as main browser, its still a good idea to keep also Internet Explorer up to date. It is still required for some sites (including MS update) and keeping it at IE6 leaves you with certain vulnerabilities that might be exploited when browsing the internet using IE6.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and Defogger (after any CD emulation software is re-enabled).

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :D.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.