
Virus Protector removal - cannot update anti-malware



Hi,

I'm trying to help a friend remove the "Virus Protector" malware fake antivirus program from her laptop.

She is running XP with service pack 3.

Virus Protector appears as soon as she boots up, including booting into Safe Mode or Safe Mode with Networking.

I found various removal instructions which said to use Malwarebytes Anti-Malware, so I downloaded this onto my machine, saved it onto a USB, booted her machine into Safe Mode with Command Prompt and copied it from the USB.

Malwarebytes installed fine and ran, but it could not update (error code 732(12007,0)), so I ran it without updating.

It found various infections. None of them looked like 'Virus Protector', but I went ahead and asked it to fix them anyway.

I have the log - see attached.

It asked me to reboot to be able to finish, but when I rebooted (normally) Virus Protector came up again.

Please help.

Regards,

Susan

mbam_log_2010_03_18__14_09_33_.txt


Forgot to say, I saw on another thread for the same malware some suggestions about running in Safe Mode with Networking and pressing Alt-F4 to get rid of the windows that come up.

I did this and the Safe Mode black screen came up, but nothing else. I tried Esc and Ctrl-Esc, still nothing. I then tried Ctrl-Alt-Del to bring up Task Manager, but got a pop-up message saying that Task Manager has been disabled by your administrator.

So, don't ask me to try that!

Regards,


  • Staff

Hi and welcome to Malwarebytes.

Download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

After you post that log (don't attach it), please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we may continue cleaning the system.

-screen317


My friend's PC is not connected to the internet, as it can only boot in Safe Mode with Command Prompt, so I have to download everything to my own PC first.

I ran dds.scr; the DDS.txt log is below. I haven't run ComboFix, because that laptop is not connected to the internet, so I won't be able to install the Windows Recovery Console as shown in the ComboFix instructions.

Regards,

Here is DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL

Run by Sharon Moldaver at 13:36:26.43 on 18/03/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1787 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uWindow Title = Windows Internet Explorer provided by Yahoo!

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8

mStart Page = hxxp://home.ez-tracks.com/?fromOMB=1

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll

mWinlogon: Shell=c:\windows\system32\aymlf4525.exe

mWinlogon: System=lsass.exec:\windows\system32\svch?st.exe,

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\SearchSettings.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File

TB: {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {2DBEDDA0-6B3A-4F7E-93C4-3C0EE28775C0} - No File

uRun: [spyware Cleaner] "c:\program files\spyware cleaner\SpywareCleaner.Exe" /boot

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [Miro] c:\program files\participatory culture foundation\miro\Miro.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [ares ultra] "c:\program files\ares ultra\Ares Ultra.exe" -h

uRun: [JFSW2Launch] c:\documents and settings\sharon moldaver\application data\transcend\jfsw2\JFSW2Launch.exe

uRun: [software Informer] "c:\program files\software informer\softinfo.exe" -autorun

uRun: [fsm]

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; yie8)" -"http://games.king.com/play.jsp?tournamentId=6947"

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [c:\windows\system32\kdoac.exe] c:\windows\system32\kdoac.exe

mRun: [PC Pitstop Optimize Reminder] c:\program files\pcpitstop\optimize2\Reminder.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [searchSettings] c:\program files\search settings\SearchSettings.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunOnce: [*Restore] c:\windows\system32\restore\rstrui.exe -i

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\philip~1.lnk - c:\program files\philips photo manager\funcam\Philips FunCam Monitor.exe

uPolicies-system: DisableTaskMgr = 1 (0x1)

uPolicies-system: DisableRegistryTools = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll/search.htm

IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk142YYFR

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000

IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - f:\partycasino\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1224616646159&h=9ebadb03cb23837a50faa7c94e147a3c/&filename=jinstall-6u7-windows-i586-jc.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: aVppgqeEl.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-4-12 162640]

S1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2005-12-28 4064]

S2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2009-12-16 375296]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-12 19024]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 40384]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 40384]

S3 idrmkl;idrmkl;c:\docume~1\sharon~1\locals~1\temp\idrmkl.sys [2004-9-3 29696]

S3 SNDM360;Philips FunCam;c:\windows\system32\drivers\sndm360.sys [2006-1-14 229760]

=============== Created Last 30 ================

2010-03-18 13:07:55 1678336 ----a-w- c:\windows\system32\aVppgqeEl.dll

2010-03-18 13:07:41 1678336 ----a-w- c:\windows\system32\aymlf4525.exe

2010-03-18 13:04:20 0 d-----w- c:\program files\Trend Micro

2010-03-18 13:03:52 812344 -c--a-w- C:\HJTInstall.exe

2010-03-18 12:54:58 0 d-----w- c:\program files\Safer Networking

2010-03-18 12:47:13 0 d-----w- c:\program files\SpybotSD

2010-03-18 12:42:26 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-03-18 12:42:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-03-18 12:41:08 0 dc----w- C:\spybot

2010-03-18 12:35:39 525824 -c--a-w- C:\dds.scr

2010-03-18 12:33:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-18 12:33:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-18 12:33:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-18 12:33:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-02 10:52:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Macrium

2010-02-28 16:43:46 0 d-----w- c:\program files\Babylon

2010-02-26 16:52:28 0 d-----w- c:\program files\Tirgumit

2010-02-24 16:33:58 0 d-----w- c:\docume~1\sharon~1\applic~1\FreeBurner

==================== Find3M ====================

2010-03-14 22:21:03 20 -c-h--w- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT

2010-03-13 07:35:49 43520 -c--a-w- c:\windows\system32\CmdLineExt03.dll

2010-01-05 18:37:28 103040 -c--a-w- c:\docume~1\sharon~1\applic~1\GDIPFONTCACHEV1.DAT

2006-01-09 11:02:16 774144 -c--a-w- c:\program files\RngInterstitial.dll

2006-01-08 10:30:39 278528 -c--a-w- c:\program files\common files\FDEUnInstaller.exe

2006-05-15 12:30:11 56 -csh--r- c:\windows\system32\2DC5AD80CC.sys

2006-05-15 12:30:11 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys

2008-08-18 13:12:20 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 13:49:42.07 ===============

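An added example, not part of this thread and not code from DDS, ComboFix or Malwarebytes: a short Python triage script that applies, mechanically, the checks a helper makes by eye on the "Pseudo HJT Report" section of the DDS log above. The entries that matter for a fake AV of this kind are the replaced Winlogon Shell (c:\windows\system32\aymlf4525.exe starts instead of Explorer, which is why Virus Protector appears in normal boot and in Safe Mode and Safe Mode with Networking, all of which start the shell named in that value, but not in Safe Mode with Command Prompt, which starts cmd.exe from the SafeBoot AlternateShell value), the extra executable appended to the Winlogon System value, the AppInit_DLLs entry (aVppgqeEl.dll, created in the same minute and with the same size as aymlf4525.exe), the user policies DisableTaskMgr and DisableRegistryTools (the "Task Manager has been disabled by your administrator" message), and the Run value whose name is its own path (c:\windows\system32\kdoac.exe). The sample lines are copied in form from the posted log; the system32 allow-list, the severity labels and the regular expressions are this example's own assumptions. The script also emits a REGEDIT4 fragment that restores the XP defaults for the flagged keys whose default is unambiguous; the Winlogon System value is flagged but deliberately left for manual review.

```python
# Added triage example for the DDS "Pseudo HJT Report" lines posted in this thread.
# Not part of DDS, ComboFix or Malwarebytes. SYSTEM32_ALLOW, the severity labels
# and the regex shapes are this example's own assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input: lines copied in form from the DDS log above.
SAMPLE_LOG = r"""
mWinlogon: Shell=c:\windows\system32\aymlf4525.exe
mWinlogon: System=lsass.exec:\windows\system32\svch?st.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [c:\windows\system32\kdoac.exe] c:\windows\system32\kdoac.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: aVppgqeEl.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
"""

# Binaries that legitimately start from system32 via Run/Winlogon (assumed allow-list).
SYSTEM32_ALLOW = {"ctfmon.exe", "explorer.exe", "lsass.exe", "userinit.exe", "rundll32.exe"}

# Registry locations behind the DDS prefixes: u = HKCU, m = HKLM.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS_NT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
POLICY = {
    "u": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    "m": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
}

# uRun/mRun/dRun/RunOnce: "[name] target args", target quoted or bare.
RUN_RE = re.compile(r'^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\](?: (?:"(?P<q>[^"]+)"|(?P<u>.+)))?')


@dataclass
class Finding:
    severity: str                           # "high", "medium" or "low"
    line: str
    reason: str
    fix: Optional[Tuple[str, str]] = None   # (registry key, REGEDIT4 value line) when the default is known


def _basename(path: str) -> str:
    return path.rstrip(",").rsplit("\\", 1)[-1].lower()


def triage(log: str) -> list[Finding]:
    """Flag the persistence entries a fake AV of this kind typically abuses."""
    findings: list[Finding] = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        m = re.match(r"mWinlogon: (Shell|System)=(.*)", line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "Shell" and _basename(val) != "explorer.exe":
                findings.append(Finding("high", line, "Winlogon Shell replaced: runs instead of Explorer "
                                        "in normal boot and in Safe Mode", (WINLOGON, '"Shell"="Explorer.exe"')))
            elif key == "System" and val.lower() not in ("", "lsass.exe"):
                findings.append(Finding("high", line, "extra executable in Winlogon System value (review by hand)"))
            continue
        m = re.match(r"AppInit_DLLs: (.+)", line)
        if m:
            findings.append(Finding("high", line, f"AppInit_DLLs loads {m.group(1)} into every process "
                                    "that uses user32.dll", (WINDOWS_NT, '"AppInit_DLLs"=""')))
            continue
        m = re.match(r"([um])Policies-system: (DisableTaskMgr|DisableRegistryTools) = 1", line)
        if m:
            scope, name = m.groups()
            findings.append(Finding("high", line, f"{name} policy locks the user out",
                                    (POLICY[scope], f'"{name}"=-')))   # "=-" deletes the value on import
            continue
        m = RUN_RE.match(line)
        if m:
            # Bare targets may carry switches (" /nogui", " -start"); keep only the path part.
            target = m.group("q") or re.split(r" (?=[-/])", m.group("u") or "")[0]
            base = _basename(target)
            if "\\" in m.group("name"):
                findings.append(Finding("high", line, "Run value named after its own path"))
            elif "\\system32\\" in target.lower() and base not in SYSTEM32_ALLOW:
                findings.append(Finding("medium", line, f"unrecognised {base} started from system32"))
            continue
        if line.endswith("- No File"):
            findings.append(Finding("low", line, "orphaned BHO/toolbar entry"))
    return findings


def repair_reg(findings: list[Finding]) -> str:
    """REGEDIT4 fragment restoring XP defaults for flagged keys whose default is unambiguous."""
    by_key: dict[str, list[str]] = {}
    for f in findings:
        if f.fix:
            by_key.setdefault(f.fix[0], []).append(f.fix[1])
    if not by_key:
        return ""
    out = ["REGEDIT4", ""]
    for key, values in by_key.items():
        out += [f"[{key}]", *values, ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(repair_reg(found))
```

Save the fragment to a file and import it with `reg import` from Safe Mode with Command Prompt (the DisableRegistryTools policy restricts regedit.exe, not the command-line reg.exe), and only after the files in system32 have been removed or renamed; applied the other way round, the malicious shell is likely to write the values back at the next boot. The same checks apply to the "Reg Loading Points" section of the ComboFix log later in the thread, where the AppInit_DLLs line shows up as a plain REGEDIT4 value.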

Forgot to say - you'll notice that the date shown in the log is 18/3/2010. This is because she also has a problem with the system clock and has to update it every time she turns the PC on, and this hasn't been done since then. In fact, she's got loads of problems (I think these viruses etc. have got onto her machine probably because she uses LimeWire etc. to download music).


In the end I ran ComboFix without the Windows Recovery Console. It also said Avast Antivirus was running, despite the fact that I had checked (by running services.msc from the command prompt) that it wasn't.

At the end it told me I was running Safe Mode and gave me the option of continuing to run in Safe Mode or doing a system restore. I opted to continue in Safe Mode.

Here is the log file:

ComboFix 10-03-19.07 - Sharon Moldaver 20/03/2010 14:15:10.1.1 - x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1786 [GMT 1:00]

Running from: C:\ComboFix.exe

Command switches used :: combofix

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\LOG.TXT

c:\program files\Internet Explorer\SET2D.tmp

c:\program files\Internet Explorer\SET2E.tmp

c:\program files\Internet Explorer\SET2F.tmp

c:\program files\Internet Explorer\SET30.tmp

c:\program files\Internet Explorer\SET85.tmp

c:\program files\Internet Explorer\SET86.tmp

c:\program files\Internet Explorer\SET87.tmp

c:\program files\Internet Explorer\SET88.tmp

c:\program files\Internet Explorer\SETDD.tmp

c:\program files\Internet Explorer\SETDE.tmp

c:\program files\Internet Explorer\SETDF.tmp

c:\program files\Internet Explorer\SETE0.tmp

c:\program files\Search Settings

c:\program files\Search Settings\SeARchsettings.dll

c:\program files\Search Settings\SearchSettings.exe

c:\program files\Search Settings\SearchSettingsRes409.dll

c:\windows\AUTOLNCH.REG

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf

c:\windows\system32\ntSVc.ocx

c:\windows\system32\SHELLLNK.TLB

c:\windows\system32\VB6KO.DLL

.

((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))

.

2010-03-18 13:26 . 2010-03-20 10:41 3895562 -c--a-r- C:\ComboFix.exe

2010-03-18 13:07 . 2010-03-18 13:07 1678336 ----a-w- c:\windows\system32\aVppgqeEl.dll

2010-03-18 13:07 . 2010-03-18 13:07 1678336 ----a-w- c:\windows\system32\aymlf4525.exe

2010-03-18 13:04 . 2010-03-18 13:04 -------- d-----w- c:\program files\Trend Micro

2010-03-18 13:03 . 2010-03-19 11:21 812344 -c--a-w- C:\HJTInstall.exe

2010-03-18 12:56 . 2010-03-18 12:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Safer Networking

2010-03-18 12:54 . 2010-03-18 12:54 -------- d-----w- c:\program files\Safer Networking

2010-03-18 12:47 . 2010-03-18 12:41 -------- d-----w- c:\program files\SpybotSD

2010-03-18 12:42 . 2010-03-18 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-18 12:42 . 2010-03-18 12:41 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-18 12:41 . 2010-03-18 12:41 -------- dc----w- C:\spybot

2010-03-18 12:39 . 2010-03-18 12:39 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-03-18 12:35 . 2010-03-20 10:32 525824 -c--a-w- C:\dds.scr

2010-03-18 12:34 . 2010-03-18 12:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-18 12:33 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-18 12:33 . 2010-03-18 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-18 12:33 . 2010-03-18 12:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-03-18 12:33 . 2010-03-18 12:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-18 12:33 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-18 12:32 . 2010-03-18 17:43 5115824 ----a-w- c:\documents and settings\Administrator\mbam-setup.exe

2010-03-17 12:29 . 2010-03-17 15:44 -------- d-----w- c:\documents and settings\Sharon Moldaver\Local Settings\Application Data\Yahoo

2010-03-02 10:52 . 2010-03-02 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium

2010-03-01 09:47 . 2010-03-01 09:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\myBabylon_English

2010-02-28 16:43 . 2010-02-28 16:43 -------- d-----w- c:\program files\Babylon

2010-02-26 16:52 . 2010-02-26 16:56 -------- d-----w- c:\program files\Tirgumit

2010-02-24 16:33 . 2010-03-04 10:15 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\FreeBurner

2010-02-23 09:41 . 2010-02-23 09:41 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\dvdcss

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-18 12:42 . 2008-10-19 12:52 -------- d-----w- c:\program files\Yahoo!

2010-03-18 12:41 . 2009-03-28 11:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2010-03-17 16:28 . 2008-01-30 20:04 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\skypePM

2010-03-17 15:57 . 2006-01-03 08:03 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\Skype

2010-03-17 15:44 . 2008-10-28 11:06 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\Yahoo!

2010-03-17 12:29 . 2009-03-28 11:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2010-03-16 22:08 . 2009-04-26 12:16 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\FrostWire

2010-03-14 22:21 . 2006-08-02 20:26 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT

2010-03-13 07:47 . 2005-12-22 22:15 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-13 07:35 . 2007-11-17 14:06 43520 -c--a-w- c:\windows\system32\CmdLineExt03.dll

2010-03-10 23:34 . 2008-10-19 12:52 -------- d-----w- c:\program files\CCleaner

2010-03-09 11:24 . 2009-04-12 10:33 153184 ----a-w- c:\windows\system32\aswBoot.exe

2010-03-09 11:12 . 2009-04-12 10:33 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-03-09 11:12 . 2009-04-12 10:33 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-03-09 11:09 . 2009-04-12 10:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-03-09 11:08 . 2009-04-12 10:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-03-09 11:08 . 2009-04-12 10:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-03-09 11:08 . 2009-04-12 10:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-03-09 11:08 . 2009-04-12 10:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-03-01 20:41 . 2009-03-20 12:36 -------- d-----w- c:\program files\Dl_cats

2010-02-28 16:25 . 2005-12-28 20:26 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-24 17:14 . 2009-04-26 12:16 -------- d-----w- c:\program files\FrostWire

2010-02-24 16:35 . 2010-01-26 13:37 -------- d-----w- c:\program files\Application Updater

2010-02-24 16:35 . 2009-11-15 13:59 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\Search Settings

2010-02-24 16:34 . 2009-11-15 13:58 -------- d-----w- c:\program files\Free Easy Burner

2010-02-11 18:53 . 2009-04-12 10:33 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-01-26 13:37 . 2010-01-26 13:37 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater

2010-01-22 22:28 . 2010-01-22 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-01-22 22:15 . 2008-11-07 13:20 -------- d-----w- c:\program files\Alwil Software

2006-01-09 11:02 . 2006-01-09 11:02 774144 -c--a-w- c:\program files\RngInterstitial.dll

2006-01-08 10:30 . 2006-01-06 19:28 278528 -c--a-w- c:\program files\Common Files\FDEUnInstaller.exe

2006-05-15 12:30 . 2006-05-15 12:30 56 -csh--r- c:\windows\system32\2DC5AD80CC.sys

2006-05-15 12:30 . 2006-05-15 12:23 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[-] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys

[-] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

"JFSW2Launch"="c:\documents and settings\Sharon Moldaver\Application Data\Transcend\JFSW2\JFSW2Launch.exe" [2008-09-29 172032]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-10 413696]

"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"DLCCCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2009-01-19 181624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-22 24576]

Philips FunCam Monitor.lnk - c:\program files\Philips Photo Manager\FunCam\Philips FunCam Monitor.exe [2006-1-14 192512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\aVppgqeEl.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk

backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk

backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sharon Moldaver^Start Menu^Programs^Startup^360Share On Startup.lnk]

path=c:\documents and settings\Sharon Moldaver\Start Menu\Programs\Startup\360Share On Startup.lnk

backup=c:\windows\pss\360Share On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]

c:\windows\system32\WLTRAY [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-18 07:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2006-04-06 08:51 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpppta]

2000-12-05 11:02 86016 -c--a-w- c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPPPTA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2005-07-19 10:06 77824 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2005-07-19 10:10 114688 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2005-07-19 10:09 94208 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-08-11 14:30 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-02-10 14:28 413696 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2005-09-09 23:19 393216 -c--a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2009-10-09 12:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]

2007-06-30 14:59 339968 -c--a-w- c:\windows\system32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"usnjsvc"=3 (0x3)

"ose"=3 (0x3)

"NMSAccessU"=2 (0x2)

"NICCONFIGSVC"=2 (0x2)

"iPod Service"=3 (0x3)

"IDriverT"=3 (0x3)

"gusvc"=3 (0x3)

"dlcc_device"=3 (0x3)

"Bonjour Service"=2 (0x2)

"AresChatServer"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc\Svc]

"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc\Svc\Svc]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc\Svc\Svc\Svc]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc\Svc\Svc\Svc\Svc]

"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Graboid\\GraboidVideo\\1.4.0.0\\DLManager\\GraboidDLManager.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/04/2009 11:33 AM 162640]

S1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [28/12/2005 9:55 PM 4064]

S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [16/12/2009 5:38 PM 375296]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/04/2009 11:33 AM 19024]

S3 idrmkl;idrmkl;\??\c:\docume~1\SHARON~1\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\SHARON~1\LOCALS~1\Temp\idrmkl.sys [?]

S3 SNDM360;Philips FunCam;c:\windows\system32\drivers\sndm360.sys [14/01/2006 9:36 AM 229760]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 03:32 128512 -c--a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]

2010-03-20 c:\windows\Tasks\NSSstub.job

- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-01-19 09:05]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://home.ez-tracks.com/?fromOMB=1

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - f:\partycasino\RunApp.exe

DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)

WebBrowser-{2DBEDDA0-6B3A-4F7E-93C4-3C0EE28775C0} - (no file)

HKCU-Run-Spyware Cleaner - c:\program files\Spyware Cleaner\SpywareCleaner.Exe

HKCU-Run-Miro - c:\program files\Participatory Culture Foundation\Miro\Miro.exe

HKCU-Run-ares ultra - c:\program files\Ares Ultra\Ares Ultra.exe

HKCU-Run-Software Informer - c:\program files\Software Informer\softinfo.exe

HKCU-Run-fsm - (no file)

HKLM-Run-c:\windows\system32\kdoac.exe - c:\windows\system32\kdoac.exe

HKLM-Run-PC Pitstop Optimize Reminder - c:\program files\PCPitstop\Optimize2\Reminder.exe

HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe

MSConfigStartUp-ares ultra - c:\program files\Ares Ultra\Ares Ultra.exe

MSConfigStartUp-DeskSpace - f:\autodesk inventor isi\DeskSpace\deskspace.exe

MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe

MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\3.bin\m3SrchMn.exe

MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

MSConfigStartUp-Shareaza - c:\program files\K-litePro\K-litePro.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe

MSConfigStartUp-WOOKIT - c:\progra~1\Wanadoo\Shell.exe

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-20 14:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCCCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1405879576-1362235470-2905362358-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DFE9343E-32C8-E468-E2F7-DC8B3C950297}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"pamnjjnncneimfnikokmjmlfjpcafaka"=hex:6a,61,61,68,6b,65,67,67,70,67,67,64,6e,

6d,62,6c,68,69,70,63,00,80

"oaceplnaagddafdpgnikoljcdldekd"=hex:6a,61,61,68,6b,65,67,67,70,67,67,64,6e,6d,

62,6c,68,69,70,63,00,80

"pamnjjnncneimfnikokmjmlfjpcacafa"=hex:6a,61,6e,67,61,66,67,63,6e,64,61,67,70,

67,61,67,68,6b,65,66,00,ba

"oaceplnaagddafdpgnikoljcdleefb"=hex:6a,61,6e,67,61,66,67,63,6e,64,61,67,70,67,

61,67,68,6b,65,66,00,ba

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="REMOVED"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)

c:\windows\System32\BCMLogon.dll

.

Completion time: 2010-03-20 14:32:58

ComboFix-quarantined-files.txt 2010-03-20 13:32

Pre-Run: 44,969,615,360 bytes free

Post-Run: 45,090,603,008 bytes free

- - End Of File - - BB484B2197552737AD97A7623D858758


  • Staff

Hi,

Please zip these files and attach them to your reply:

c:\windows\system32\advpack.dll

c:\windows\system32\aymlf4525.exe

c:\windows\system32\aVppgqeEl.dll

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::

idrmkl

KILLALL::

File::

c:\windows\system32\aymlf4525.exe

c:\windows\system32\aVppgqeEl.dll

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=-

"AppInit_DLLs"=""

FCOPY::

c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new DDS log.

-screen317

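The CFScript above acts on things that are visible in the ComboFix log: a driver (idrmkl) whose image sits under a Temp directory, the AppInit_DLLs value, and two files in system32, while the log also shows every Security Center override and notification flag set to 1 and TCP 3389 globally open in the firewall. As an added example (not part of this thread, and not ComboFix's or Malwarebytes' own code), the Python script below parses ComboFix-style registry and service lines and flags those indicators so a responder can pull them out of a long log before deciding what a fix script should target. The sample input is a constructed excerpt modelled on the log above; the AppInit_DLLs path in it is a placeholder, not a value the page reports.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the ComboFix output in this thread.
# The AppInit_DLLs line is a placeholder added for the example only.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc\Svc\Svc\Svc]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="c:\windows\system32\placeholder_hook.dll"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
S3 idrmkl;idrmkl;\??\c:\docume~1\SHARON~1\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\SHARON~1\LOCALS~1\Temp\idrmkl.sys [?]
S3 SNDM360;Philips FunCam;c:\windows\system32\drivers\sndm360.sys [14/01/2006 9:36 AM 229760]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/04/2009 11:33 AM 162640]
"""

# Security Center values that, when set to 1, silence the warnings a user
# would otherwise get about missing AV, firewall or updates.
SECURITY_CENTER_FLAGS = {
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify",
}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# ComboFix service/driver lines: "<start type> <name>;<display name>;<image path> [...]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def dword_value(data: str) -> Optional[int]:
    """Decode a REGEDIT4-style 'dword:00000001' value; None if not a dword."""
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return None


def parse_service_line(line: str) -> Optional[Dict[str, str]]:
    """Split a ComboFix service/driver line into name, start type and image path."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    # Drop the '--> resolved path' tail and the trailing '[date size]' block.
    path = m.group("rest").split(" --> ", 1)[0]
    path = re.sub(r"\s+\[[^\]]*\]$", "", path).strip()
    return {"start": m.group("start"), "name": m.group("name").strip(), "path": path}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return a list of {'kind', 'detail'} findings for the indicators above."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm:
            name, data = vm.group("name"), vm.group("data").strip()
            key_lc = current_key.lower()
            if name in SECURITY_CENTER_FLAGS and "security center" in key_lc and dword_value(data) == 1:
                findings.append({"kind": "security-center-suppression",
                                 "detail": f"{name} under [{current_key}]"})
            elif "globallyopenports" in key_lc:
                findings.append({"kind": "firewall-open-port", "detail": name})
            elif name.lower() == "appinit_dlls" and data.strip('"') != "":
                findings.append({"kind": "appinit-dll", "detail": data.strip('"')})
            continue
        svc = parse_service_line(line)
        if svc and TEMP_RE.search(svc["path"]):
            # A kernel driver whose image lives in a user's Temp folder is a
            # strong sign of a dropper; this is the idrmkl case in the log.
            findings.append({"kind": "driver-in-temp",
                             "detail": f"{svc['name']} ({svc['start']}) -> {svc['path']}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:30} {f['detail']}")
```

Run it against a real ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`; the point of the parser is to surface the handful of lines that decide what a fix script needs to touch, not to replace reading the log.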

I'm sorry, but you were taking so long to reply (it would be better if someone in my timezone was working on this) and my friend was getting desperate, so I decided to take matters into my own hands and rebooted anyway. I know we're not supposed to do this, sorry. You also didn't seem to tailor your reply to what I said in my original post, i.e. that the affected machine was running in Safe Mode with Command Prompt and couldn't get to the internet.

Anyway, it rebooted fine, so I ran Malwarebytes Anti-Malware again and this time it updated fine. I also ran Spybot Search & Destroy, which found a few other things, including the fact that the task bar had been disabled.

Things SEEM OK now, but I've attached the files you wanted, so if there are still things to do, let me know.

ForSupportForum.zip


I've run ComboFix again with the CFScript. Here is ComboFix.txt.

ComboFix 10-03-20.01 - Sharon Moldaver 21/03/2010 1:52.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1454 [GMT 1:00]

Running from: c:\documents and settings\Sharon Moldaver\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Sharon Moldaver\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::

"c:\windows\system32\aVppgqeEl.dll"

"c:\windows\system32\aymlf4525.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\aVppgqeEl.dll

c:\windows\system32\aymlf4525.exe

.

--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IDRMKL

-------\Service_idrmkl

((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))

.

2010-03-21 00:24 . 2010-03-21 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2010-03-21 00:23 . 2010-03-21 00:23 -------- d-----w- c:\documents and settings\Sharon Moldaver\Local Settings\Application Data\PCHealth

2010-03-20 17:38 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-03-20 17:23 . 2010-03-20 17:45 -------- d-----w- c:\windows\ie8updates

2010-03-20 17:18 . 2010-03-20 17:18 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-03-20 17:18 . 2010-03-20 17:18 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-03-20 17:17 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll

2010-03-20 17:17 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-03-20 17:17 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll

2010-03-20 17:17 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe

2010-03-20 17:17 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe

2010-03-20 17:16 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll

2010-03-20 17:16 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll

2010-03-20 17:05 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-03-20 17:03 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-03-20 17:03 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-03-20 16:56 . 2010-03-20 16:57 -------- d-----w- c:\program files\Norton Security Scan

2010-03-20 16:51 . 2010-03-20 16:51 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\Malwarebytes

2010-03-18 13:04 . 2010-03-18 13:04 -------- d-----w- c:\program files\Trend Micro

2010-03-18 12:56 . 2010-03-18 12:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Safer Networking

2010-03-18 12:54 . 2010-03-18 12:54 -------- d-----w- c:\program files\Safer Networking

2010-03-18 12:47 . 2010-03-20 17:12 -------- d-----w- c:\program files\SpybotSD

2010-03-18 12:42 . 2010-03-20 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-18 12:42 . 2010-03-18 12:41 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-18 12:41 . 2010-03-18 12:41 -------- dc----w- C:\spybot

2010-03-18 12:39 . 2010-03-18 12:39 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-03-18 12:34 . 2010-03-18 12:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-18 12:33 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-18 12:33 . 2010-03-18 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-18 12:33 . 2010-03-18 12:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-03-18 12:33 . 2010-03-18 12:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-18 12:33 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-18 12:32 . 2010-03-18 17:43 5115824 ----a-w- c:\documents and settings\Administrator\mbam-setup.exe

2010-03-17 12:29 . 2010-03-17 15:44 -------- d-----w- c:\documents and settings\Sharon Moldaver\Local Settings\Application Data\Yahoo

2010-03-02 10:52 . 2010-03-02 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium

2010-03-01 09:47 . 2010-03-01 09:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\myBabylon_English

2010-02-28 16:43 . 2010-02-28 16:43 -------- d-----w- c:\program files\Babylon

2010-02-26 16:52 . 2010-02-26 16:56 -------- d-----w- c:\program files\Tirgumit

2010-02-24 16:33 . 2010-03-04 10:15 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\FreeBurner

2010-02-23 09:41 . 2010-02-23 09:41 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\dvdcss

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-20 17:29 . 2006-11-05 13:49 -------- d-----w- c:\program files\RegRecall

2010-03-20 16:57 . 2005-12-22 22:22 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-18 12:42 . 2008-10-19 12:52 -------- d-----w- c:\program files\Yahoo!

2010-03-18 12:41 . 2009-03-28 11:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2010-03-17 16:28 . 2008-01-30 20:04 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\skypePM

2010-03-17 15:57 . 2006-01-03 08:03 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\Skype

2010-03-17 15:44 . 2008-10-28 11:06 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\Yahoo!

2010-03-17 12:29 . 2009-03-28 11:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2010-03-16 22:08 . 2009-04-26 12:16 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\FrostWire

2010-03-14 22:21 . 2006-08-02 20:26 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT

2010-03-13 07:47 . 2005-12-22 22:15 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-13 07:35 . 2007-11-17 14:06 43520 -c--a-w- c:\windows\system32\CmdLineExt03.dll

2010-03-10 23:34 . 2008-10-19 12:52 -------- d-----w- c:\program files\CCleaner

2010-03-09 11:24 . 2009-04-12 10:33 153184 ----a-w- c:\windows\system32\aswBoot.exe

2010-03-09 11:12 . 2009-04-12 10:33 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-03-09 11:12 . 2009-04-12 10:33 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-03-09 11:09 . 2009-04-12 10:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-03-09 11:08 . 2009-04-12 10:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-03-09 11:08 . 2009-04-12 10:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-03-09 11:08 . 2009-04-12 10:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-03-09 11:08 . 2009-04-12 10:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-03-01 20:41 . 2009-03-20 12:36 -------- d-----w- c:\program files\Dl_cats

2010-02-28 16:25 . 2005-12-28 20:26 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-24 17:14 . 2009-04-26 12:16 -------- d-----w- c:\program files\FrostWire

2010-02-24 16:35 . 2010-01-26 13:37 -------- d-----w- c:\program files\Application Updater

2010-02-24 16:35 . 2009-11-15 13:59 -------- d-----w- c:\documents and settings\Sharon Moldaver\Application Data\Search Settings

2010-02-24 16:34 . 2009-11-15 13:58 -------- d-----w- c:\program files\Free Easy Burner

2010-02-11 18:53 . 2009-04-12 10:33 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-01-26 13:37 . 2010-01-26 13:37 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater

2010-01-22 22:28 . 2010-01-22 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-01-22 22:15 . 2008-11-07 13:20 -------- d-----w- c:\program files\Alwil Software

2009-12-31 16:50 . 2005-12-22 21:52 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-08-10 12:51 916480 ----a-w- c:\windows\system32\wininet.dll

2006-01-09 11:02 . 2006-01-09 11:02 774144 -c--a-w- c:\program files\RngInterstitial.dll

2006-01-08 10:30 . 2006-01-06 19:28 278528 -c--a-w- c:\program files\Common Files\FDEUnInstaller.exe

2006-05-15 12:30 . 2006-05-15 12:30 56 -csh--r- c:\windows\system32\2DC5AD80CC.sys

2006-05-15 12:30 . 2006-05-15 12:23 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

"JFSW2Launch"="c:\documents and settings\Sharon Moldaver\Application Data\Transcend\JFSW2\JFSW2Launch.exe" [2008-09-29 172032]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-10 413696]

"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-4 495432]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk

backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips FunCam Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Philips FunCam Monitor.lnk

backup=c:\windows\pss\Philips FunCam Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk

backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sharon Moldaver^Start Menu^Programs^Startup^360Share On Startup.lnk]

path=c:\documents and settings\Sharon Moldaver\Start Menu\Programs\Startup\360Share On Startup.lnk

backup=c:\windows\pss\360Share On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]

c:\windows\system32\WLTRAY [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-12-18 07:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2006-04-06 08:51 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpppta]

2000-12-05 11:02 86016 -c--a-w- c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPPPTA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

2005-07-19 10:06 77824 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

2005-07-19 10:10 114688 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

2005-07-19 10:09 94208 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-08-11 14:30 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-02-10 14:28 413696 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]

2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2005-09-09 23:19 393216 -c--a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2009-10-09 12:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 02:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]

2007-06-30 14:59 339968 -c--a-w- c:\windows\system32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=2 (0x2)

"WLSetupSvc"=3 (0x3)

"usnjsvc"=3 (0x3)

"ose"=3 (0x3)

"NMSAccessU"=2 (0x2)

"NICCONFIGSVC"=2 (0x2)

"iPod Service"=3 (0x3)

"IDriverT"=3 (0x3)

"gusvc"=3 (0x3)

"dlcc_device"=3 (0x3)

"Bonjour Service"=2 (0x2)

"AresChatServer"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"YahooAUService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc\Svc]

"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc\Svc\Svc]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc\Svc\Svc\Svc]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\Svc\Svc\Svc\Svc\Svc]

"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Graboid\\GraboidVideo\\1.4.0.0\\DLManager\\GraboidDLManager.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/04/2009 11:33 AM 162640]

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [28/12/2005 9:55 PM 4064]

R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [16/12/2009 5:38 PM 375296]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/04/2009 11:33 AM 19024]

S3 SNDM360;Philips FunCam;c:\windows\system32\drivers\sndm360.sys [14/01/2006 9:36 AM 229760]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 03:32 128512 -c--a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]

2010-03-20 c:\windows\Tasks\Norton Security Scan for Sharon Moldaver.job

- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 04:53]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://home.ez-tracks.com/?fromOMB=1

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - f:\partycasino\RunApp.exe

DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab

FF - ProfilePath - c:\documents and settings\Sharon Moldaver\Application Data\Mozilla\Firefox\Profiles\fsst1f62.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-21 01:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1405879576-1362235470-2905362358-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DFE9343E-32C8-E468-E2F7-DC8B3C950297}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"pamnjjnncneimfnikokmjmlfjpcafaka"=hex:6a,61,61,68,6b,65,67,67,70,67,67,64,6e,

6d,62,6c,68,69,70,63,00,80

"oaceplnaagddafdpgnikoljcdldekd"=hex:6a,61,61,68,6b,65,67,67,70,67,67,64,6e,6d,

62,6c,68,69,70,63,00,80

"pamnjjnncneimfnikokmjmlfjpcacafa"=hex:6a,61,6e,67,61,66,67,63,6e,64,61,67,70,

67,61,67,68,6b,65,66,00,ba

"oaceplnaagddafdpgnikoljcdleefb"=hex:6a,61,6e,67,61,66,67,63,6e,64,61,67,70,67,

61,67,68,6b,65,66,00,ba

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="REMOVED"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2340)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

.

**************************************************************************

.

Completion time: 2010-03-21 01:32:10 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-21 00:32

Pre-Run: 41,842,429,952 bytes free

Post-Run: 41,802,293,248 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 6CAE41E42B58B0AB1E64883191806450

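The hex: values under LOCKED REGISTRY KEYS are REG_BINARY data that ComboFix dumps raw and wraps over several lines, so it is hard to see what was actually stored. The following is an added example (this editor's code, not part of the original post and not a ComboFix feature) that parses that block, rejoins the wrapped lines, renders each value as text, and reports which value names share an identical payload. The sample input is the block exactly as posted above; the "nibble alphabet" check (names and text using only the letters a through p) is this editor's heuristic for spotting a 4-bit encoding and says nothing about what the keys are, which the log alone does not establish.

```python
import re

# Constructed sample input: the LOCKED REGISTRY KEYS block as it appears in
# the ComboFix log above. The forum put blank lines between the wrapped
# halves of each hex value, so the parser has to tolerate them.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1405879576-1362235470-2905362358-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DFE9343E-32C8-E468-E2F7-DC8B3C950297}*]

@Allowed: (Read) (RestrictedCode)

"pamnjjnncneimfnikokmjmlfjpcafaka"=hex:6a,61,61,68,6b,65,67,67,70,67,67,64,6e,

6d,62,6c,68,69,70,63,00,80

"oaceplnaagddafdpgnikoljcdldekd"=hex:6a,61,61,68,6b,65,67,67,70,67,67,64,6e,6d,

62,6c,68,69,70,63,00,80

"pamnjjnncneimfnikokmjmlfjpcacafa"=hex:6a,61,6e,67,61,66,67,63,6e,64,61,67,70,

67,61,67,68,6b,65,66,00,ba

"oaceplnaagddafdpgnikoljcdleefb"=hex:6a,61,6e,67,61,66,67,63,6e,64,61,67,70,67,

61,67,68,6b,65,66,00,ba

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="REMOVED"
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(hex:)?(.*)$')
NIBBLE_ALPHABET = set("abcdefghijklmnop")   # 16 letters, one per 4-bit value


def parse_locked_keys(text):
    """Return (key, value_name, data) for each value in a ComboFix LOCKED
    REGISTRY KEYS dump: bytes for hex: data, str for quoted strings. A hex
    line ending in a comma continues on the next non-blank line."""
    entries, key = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:        # "@Allowed: ..." ACL lines etc.
            continue
        name, is_hex, rest = m.groups()
        if not is_hex:
            entries.append((key, name, rest.strip('"')))
            continue
        hex_text = rest
        while hex_text.endswith(",") and i < len(lines):
            nxt = lines[i]
            i += 1
            if nxt:                     # skip the blank spacer lines
                hex_text += nxt
        data = bytes(int(tok, 16) for tok in hex_text.split(",") if tok)
        entries.append((key, name, data))
    return entries


def render(data):
    """ASCII view of the bytes; non-printable bytes become \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in data)


def leading_text(data):
    """The bytes before the first NUL, i.e. the C-string part of the blob."""
    return data.split(b"\x00", 1)[0].decode("ascii", "replace")


def triage(text):
    """One row per value with its decoded form, its C-string part, and the
    editor's nibble-alphabet heuristic (name and text both within a..p)."""
    rows = []
    for key, name, value in parse_locked_keys(text):
        if isinstance(value, bytes):
            body = leading_text(value)
            nib = bool(body) and set(name) <= NIBBLE_ALPHABET and set(body) <= NIBBLE_ALPHABET
            rows.append({"key": key, "name": name, "decoded": render(value),
                         "text": body, "nibble_alphabet": nib})
        else:
            rows.append({"key": key, "name": name, "decoded": value,
                         "text": value, "nibble_alphabet": False})
    return rows


def duplicate_payloads(rows):
    """Map each decoded payload stored under more than one value name to
    the list of those names (same data under different names is worth a look)."""
    by_payload = {}
    for r in rows:
        by_payload.setdefault(r["decoded"], []).append(r["name"])
    return {p: names for p, names in by_payload.items() if len(names) > 1}


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print("%-34s %-28s nibble-alphabet=%s" % (r["name"], r["decoded"], r["nibble_alphabet"]))
    for payload, names in duplicate_payloads(rows).items():
        print("same payload %r under: %s" % (payload, ", ".join(names)))
```

On the posted block this shows that the four binary values are two distinct 20-character strings, each stored twice under different names, with a NUL and one trailing byte after the text. That is an observation about the data, not an identification; the log does not say who wrote those keys.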

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Sharon Moldaver at 1:50:43.01 on 21/03/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1600 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Application Updater\ApplicationUpdater.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Documents and Settings\Sharon Moldaver\Application Data\Transcend\JFSW2\JFSW2Launch.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Sharon Moldaver\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://home.ez-tracks.com/?fromOMB=1

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [JFSW2Launch] c:\documents and settings\sharon moldaver\application data\transcend\jfsw2\JFSW2Launch.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; yie8)" -"http://games.king.com/play.jsp?tournamentId=6947"

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000

IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - f:\partycasino\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1224616646159&h=9ebadb03cb23837a50faa7c94e147a3c/&filename=jinstall-6u7-windows-i586-jc.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sharon~1\applic~1\mozilla\firefox\profiles\fsst1f62.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-4-12 162640]

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2005-12-28 4064]

R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2009-12-16 375296]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-12 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 40384]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 40384]

S3 SNDM360;Philips FunCam;c:\windows\system32\drivers\sndm360.sys [2006-1-14 229760]

=============== Created Last 30 ================

2010-03-21 00:50:23 0 dcsha-r- C:\cmdcons

2010-03-20 17:38:43 293376 ------w- c:\windows\system32\browserchoice.exe

2010-03-20 17:23:52 0 d-----w- c:\windows\ie8updates

2010-03-20 17:18:04 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2010-03-20 17:18:00 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2010-03-20 17:17:00 473600 ------w- c:\windows\system32\dllcache\fastprox.dll

2010-03-20 17:17:00 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-03-20 17:17:00 401408 ------w- c:\windows\system32\dllcache\rpcss.dll

2010-03-20 17:17:00 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe

2010-03-20 17:17:00 110592 ------w- c:\windows\system32\dllcache\services.exe

2010-03-20 17:16:59 714752 ------w- c:\windows\system32\dllcache\ntdll.dll

2010-03-20 17:16:59 617472 ------w- c:\windows\system32\dllcache\advapi32.dll

2010-03-20 17:05:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-03-20 17:03:03 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-03-20 17:03:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-03-20 16:56:59 0 d-----w- c:\program files\Norton Security Scan

2010-03-20 16:51:34 0 d-----w- c:\docume~1\sharon~1\applic~1\Malwarebytes

2010-03-20 13:13:06 98816 ----a-w- c:\windows\sed.exe

2010-03-20 13:13:06 77312 ----a-w- c:\windows\MBR.exe

2010-03-20 13:13:06 261632 ----a-w- c:\windows\PEV.exe

2010-03-20 13:13:06 161792 ----a-w- c:\windows\SWREG.exe

2010-03-18 13:04:20 0 d-----w- c:\program files\Trend Micro

2010-03-18 12:54:58 0 d-----w- c:\program files\Safer Networking

2010-03-18 12:47:13 0 d-----w- c:\program files\SpybotSD

2010-03-18 12:42:26 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-03-18 12:42:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-03-18 12:41:08 0 dc----w- C:\spybot

2010-03-18 12:33:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-18 12:33:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-18 12:33:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-18 12:33:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-02 10:52:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Macrium

2010-02-28 16:43:46 0 d-----w- c:\program files\Babylon

2010-02-26 16:52:28 0 d-----w- c:\program files\Tirgumit

2010-02-24 16:33:58 0 d-----w- c:\docume~1\sharon~1\applic~1\FreeBurner

==================== Find3M ====================

2010-03-14 22:21:03 20 -c-h--w- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT

2010-03-13 07:35:49 43520 -c--a-w- c:\windows\system32\CmdLineExt03.dll

2010-01-05 18:37:28 103040 -c--a-w- c:\docume~1\sharon~1\applic~1\GDIPFONTCACHEV1.DAT

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\dllcache\srv.sys

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll

2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll

2009-12-21 19:14:05 1208832 ----a-w- c:\windows\system32\dllcache\urlmon.dll

2009-12-21 19:14:04 5942784 ----a-w- c:\windows\system32\dllcache\mshtml.dll

2009-12-21 19:14:04 206848 ----a-w- c:\windows\system32\dllcache\occache.dll

2009-12-21 19:14:03 594432 ----a-w- c:\windows\system32\dllcache\msfeeds.dll

2009-12-21 19:14:03 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-12-21 19:14:03 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll

2009-12-21 19:14:03 1985536 ----a-w- c:\windows\system32\dllcache\iertutil.dll

2009-12-21 19:14:03 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll

2009-12-21 19:14:02 11070464 ----a-w- c:\windows\system32\dllcache\ieframe.dll

2009-12-21 19:14:01 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll

2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe

2006-01-09 11:02:16 774144 -c--a-w- c:\program files\RngInterstitial.dll

2006-01-08 10:30:39 278528 -c--a-w- c:\program files\common files\FDEUnInstaller.exe

2006-05-15 12:30:11 56 -csh--r- c:\windows\system32\2DC5AD80CC.sys

2006-05-15 12:30:11 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys

2008-08-18 13:12:20 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 1:51:00.06 ===============

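A DDS "Pseudo HJT Report" like the one above lists every browser helper, toolbar, IE menu extension, ActiveX download and Run entry on the machine; the first thing a helper does with it is separate the ordinary vendor entries from the ones that need a second look. The following is an added example (this editor's code, not part of the original post and not a DDS feature) that parses those lines and applies a few triage heuristics: a CLSID whose file is gone ("No File"), a Run entry that launches from a user-writable profile path, a target that lives on a volume other than the system drive, and a Run entry that is really a DLL hosted by rundll32. The sample is a subset of the lines from the log above; the heuristics, the assumption that the system drive is c: (which the boot.ini and paths above support), and the file extensions recognised are this editor's choices, and a flag means "verify", not "malicious".

```python
import re

# Constructed sample input: a subset of the Pseudo HJT Report lines from the
# DDS log above (hxxp is DDS's own defanging of http).
SAMPLE_DDS = r"""
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [JFSW2Launch] c:\documents and settings\sharon moldaver\application data\transcend\jfsw2\JFSW2Launch.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - f:\partycasino\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
"""

RUN_RE = re.compile(r"^([um]Run(?:Once)?|dRun): \[([^\]]+)\] (.*)$")
ENTRY_RE = re.compile(r"^(BHO|TB|IE|DPF|SSODL|SEH|Handler|Notify): (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
# a quoted path, or an unquoted one (spaces allowed) ending in a known extension
PATH_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|dll|scr|cpl|ocx))(?=[\s,]|$)', re.IGNORECASE)
# profile locations a standard user can write to (editor's list, lower-case)
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\desktop\\")


def launch_path(command):
    """Return (path, hosted_by_rundll32) for a Run command line."""
    cmd = command.strip()
    hosted = cmd.lower().startswith("rundll32 ")
    if hosted:
        cmd = cmd[len("rundll32 "):]
    m = PATH_RE.search(cmd)
    return ((m.group(1) or m.group(2)) if m else cmd), hosted


def parse_hjt(text):
    """Turn report lines into dicts: kind, name, clsid, target, rundll32."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            kind, name, command = m.groups()
            path, hosted = launch_path(command)
            entries.append({"kind": kind, "name": name, "clsid": None,
                            "target": path, "rundll32": hosted})
            continue
        m = ENTRY_RE.match(line)
        if m:
            kind, rest = m.groups()
            target = rest.rsplit(" - ", 1)[-1] if " - " in rest else rest
            guids = GUID_RE.findall(rest)
            name = re.split(r"\s*[:-]?\s*\{", rest, 1)[0].strip() if guids else rest.split(" - ", 1)[0]
            entries.append({"kind": kind, "name": name or None,
                            "clsid": guids[0] if guids else None,
                            "target": target, "rundll32": False})
    return entries


def flags_for(entry, system_drive="c:"):
    """Editor's triage heuristics; each flag means 'verify', not 'malicious'."""
    t = entry["target"].lower()
    flags = []
    if t == "no file":
        flags.append("orphan CLSID (No File)")
    if any(marker in t for marker in USER_WRITABLE):
        flags.append("runs from a user-writable profile path")
    if re.match(r"^[a-z]:\\", t) and not t.startswith(system_drive):
        flags.append("lives on a non-system volume (%s)" % t[:2])
    if entry["rundll32"]:
        flags.append("DLL hosted by rundll32; verify the DLL, not rundll32")
    return flags


def triage(text, system_drive="c:"):
    """Only the entries that picked up at least one flag."""
    out = []
    for e in parse_hjt(text):
        f = flags_for(e, system_drive)
        if f:
            out.append({**e, "flags": f})
    return out


if __name__ == "__main__":
    for e in triage(SAMPLE_DDS):
        print("%-8s %-14s %s" % (e["kind"], e["name"] or e["clsid"], e["target"]))
        for f in e["flags"]:
            print("         - " + f)
```

Run against the sample it leaves the vendor BHOs, toolbars and Run entries alone and surfaces the three orphaned CLSIDs, the Run entry under Application Data, the IE extension on f:, and the rundll32-hosted printer DLL, which is the same entry catchme listed under hidden autostart entries in the ComboFix log above. Orphaned "No File" entries are harmless leftovers that can be removed; the others need to be checked by hand against what the owner actually installed.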

  • Staff
I'm sorry; you were taking so long to reply (it would be better if someone in my timezone was working on this) and my friend was getting desperate, so I decided to take matters into my own hands and rebooted anyway. I know we're not supposed to do this, sorry. You also didn't seem to tailor your reply to what I said in my original post - i.e. that the affected machine was running in Safe Mode with command prompt and couldn't get to the internet.
I reply to posts in the order I receive them. Mind you, I'm helping you without it costing you money here. I also am not working 24/7...

I did tailor my reply to what you said. I assumed you would bring ComboFix over from another computer with access to the Internet.

Please update MBAM, run a Quick Scan, and post its log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


I reply to posts in the order I receive them. Mind you, I'm helping you without it costing you money here. I also am not working 24/7...

I did tailor my reply to what you said. I assumed you would bring ComboFix over from another computer with access to the Internet.

No, I know, sorry, just that she desperately needs her computer back - I have to give it back today, but I really don't want her to have it if it's not clean and hasn't got all the necessary stuff installed according to your recommendations. I do appreciate what you're doing.

It was the ComboFix instructions that were a problem - not being able to download the Windows recovery console - although the instructions tell you where to get it, if you can't get to the internet from the affected machine, they don't say how to start ComboFix with it if you don't have a desktop, just the command prompt.

Anyway, doing the scans you requested now.

MBAM log below (date still wrong):

Malwarebytes' Anti-Malware 1.44

Database version: 3888

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

21/03/2010 12:11:48 PM

mbam-log-2010-03-21 (12-11-48).txt

Scan type: Quick Scan

Objects scanned: 129554

Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff
No, I know, sorry, just that she desperately needs her computer back - I have to give it back today, but I really don't want her to have it if it's not clean and hasn't got all the necessary stuff installed according to your recommendations. I do appreciate what you're doing.

It was the ComboFix instructions that were a problem - not being able to download the Windows recovery console - although the instructions tell you where to get it, if you can't get to the internet from the affected machine, they don't say how to start ComboFix with it if you don't have a desktop, just the command prompt.

Okay thanks for letting me know.

Results:

F-Secure scan

Scanning Report

Sunday, March 21, 2010 12:16:26 - 12:41:34

Computer name: SHARON

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

9 malware found

TrackingCookie.Adinterax (spyware)

* System (Disinfected)

TrackingCookie.2o7 (spyware)

* System (Disinfected)

TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Adtech (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Xiti (spyware)

* System (Disinfected)

TrackingCookie.Mediaplex (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

Statistics

Scanned:

* Files: 86683

* System: 4202

* Not scanned: 31

Actions:

* Disinfected: 9

* Renamed: 0

* Deleted: 0

* Not cleaned: 0

* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS

* C:\HIBERFIL.SYS

* C:\WINDOWS\TEMP\_AVAST5_\WEBSHLOCK.TXT

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG

* C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG

* C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB

* C:\DOCUMENTS AND SETTINGS\SHARON MOLDAVER\NTUSER.DAT

* C:\DOCUMENTS AND SETTINGS\SHARON MOLDAVER\NTUSER.DAT.LOG

* C:\DOCUMENTS AND SETTINGS\SHARON MOLDAVER\LOCAL SETTINGS\TEMP\~DF11EF.TMP

* C:\DOCUMENTS AND SETTINGS\SHARON MOLDAVER\LOCAL SETTINGS\TEMP\~DFDB73.TMP

* C:\DOCUMENTS AND SETTINGS\SHARON MOLDAVER\LOCAL SETTINGS\TEMP\~DFFC28.TMP

* C:\DOCUMENTS AND SETTINGS\SHARON MOLDAVER\LOCAL SETTINGS\TEMP\HSPERFDATA_SHARON MOLDAVER\3944

* C:\DOCUMENTS AND SETTINGS\SHARON MOLDAVER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT

* C:\DOCUMENTS AND SETTINGS\SHARON MOLDAVER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG

* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT.LOG

* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT

* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG

* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT

* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT.LOG

* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT

* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG

* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT

Your Security Check

Results of screen317's Security Check version 0.99.2

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

avast! Free Antivirus

OneCare Advisor (Windows Live Toolbar)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

CCleaner

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.2.1

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

SHARON~1 LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe

SHARON~1 LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe

SHARON~1 LOCALS~1 Temp fsonlinescanner.exe

Alwil Software Avast5 AvastSvc.exe

````````````````````````````````

DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````

Link to post
Share on other sites

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


Hi Chris,

I've had to hand the computer back to my friend as I have to go away for a while and she needs the machine - she is really pleased to have a working computer back - she had had other problems before this attack, e.g. clicking on links in the results brought up by her search engine didn't work, and now that works.

Anyway, I've pointed her in the direction of this forum and topic, so she can read what you've written here - I will also be in email contact from Thursday night so can follow anything.

If she registers and I tell you her nickname, may she reply to this post about what she's done in response to your post?

Anyway, thanks so much for your help - she's thanking me when you're the one she should be thanking.


Great, thanks.

Her name is araknid. I don't know if she's done what you said - she's a bit wary of doing anything. However, I've a feeling I deleted everything that had been put on the desktop already, so I'm not sure it will be possible to do the ComboFix uninstall - is that a problem?

Regards


  • 3 weeks later...
This topic is now closed to further replies.