
MBAM and DDS/GMER


mmv

Hello- I'm not able to remove Malware.Trace. Once I scan, two infected objects are found (Malware.Trace); when clicking to remove and restart, I get this error message:

Run Error! program C;\programfiles\malwarebytes\mban.exe the application has requested the runtime to terminate it is an unusual way- please contact application team for more support.

Thank you-

MBAM LOG

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3948

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

4/3/2010 8:23:22 AM

mbam-log-2010-04-03 (08-23-22).txt

Scan type: Quick scan

Objects scanned: 88060

Time elapsed: 7 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Delete on reboot.

Files Infected:

C:\Documents and Settings\All Users\AVP 2009\1.dat (Malware.Trace) -> Delete on reboot.

DEFOGGER LOG

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 22:28 on 04/04/2010 (Cucha)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS TXT

DDS (Ver_10-03-17.01) - NTFSx86

Run by Cucha at 22:32:04.75 on Sun 04/04/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.313 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Tall Emu\Online Armor\OAcat.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Tall Emu\Online Armor\OAhlp.exe

C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Documents and Settings\Cucha\Desktop\Defogger.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Cucha\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File

TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: intuit.com\ttlc

Trusted Zone: microsoft.com\office

DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167172611361

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167172599533

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5378/mcfscan.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-7 11608]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-10-10 200784]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-10-10 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-10-10 29776]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-7 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-7 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-7 56816]

R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-10-10 1244360]

R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-10-10 3184328]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 USB-100;USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\USBER100.SYS [2006-12-26 23938]

S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]

S2 BDVEDISK;BDVEDISK;\??\c:\program files\bitdefender\bitdefender 2009\bdvedisk.sys --> c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-2-7 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-2-7 166384]

S3 iscFlash;iscFlash;\??\c:\windows\system32\drivers\iscflash.sys --> c:\windows\system32\drivers\iscflash.sys [?]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-2-7 1112560]

=============== Created Last 30 ================

2010-04-05 02:28:14 0 ----a-w- c:\documents and settings\cucha\defogger_reenable

2010-04-03 02:43:46 0 d-----w- c:\documents and settings\all users\AVP 2009

==================== Find3M ====================

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll

2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2009-10-07 21:53:54 32768 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat

2008-07-12 16:43:22 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071220080713\index.dat

============= FINISH: 22:34:24.81 ===============

ark.zip

Attach.zip
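As an added triage example (not part of the original post, and not code from Malwarebytes, DDS or ComboFix), a small Python parser for the two log layouts above: it lists MBAM detections that were left for "Delete on reboot" (the cleanup that the opening post says failed with a runtime error) and flags DDS/ComboFix service lines whose image file could not be found (the `[?]` entries). The sample log lines are constructed from this thread, and the line layouts are assumed from MBAM 1.45 and the DDS build shown here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (excerpted from this thread's MBAM log, same layout).
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.45
Database version: 3948
Scan type: Quick scan
Folders Infected: 1
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\All Users\AVP 2009\1.dat (Malware.Trace) -> Delete on reboot.
"""

# Constructed sample input (service/driver lines in the DDS / ComboFix layout).
DDS_SERVICES = r"""
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-7 11608]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S3 iscFlash;iscFlash;\??\c:\windows\system32\drivers\iscflash.sys --> c:\windows\system32\drivers\iscflash.sys [?]
"""


@dataclass
class Detection:
    section: str   # MBAM section, e.g. "Files Infected"
    path: str      # object path as logged
    name: str      # detection name, e.g. Malware.Trace
    action: str    # action MBAM took or scheduled, e.g. "Delete on reboot"


# Section header: "Files Infected:" with nothing after the colon (the summary
# lines "Files Infected: 1" at the top of the log deliberately do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Item line: <path> (<detection name>) -> <action>.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per item listed under the per-category sections."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        item = ITEM_RE.match(line)
        if item:
            detections.append(Detection(section, item.group("path"),
                                        item.group("name"), item.group("action")))
    return detections


def pending_reboot_items(detections: List[Detection]) -> List[Detection]:
    """Items MBAM could not remove immediately; if the reboot cleanup failed
    (as the opening post describes), these are still on disk."""
    return [d for d in detections if d.action.lower().startswith("delete on reboot")]


@dataclass
class Service:
    state: str          # DDS prefix: R = running, S = stopped, digit = start type
    name: str
    display: str
    path: str           # on-disk path DDS resolved the image to
    file_missing: bool  # True when DDS printed "[?]" instead of date and size


SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[(?P<info>[^\]]*)\]$"
)


def parse_dds_services(text: str) -> List[Service]:
    services: List[Service] = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        # "\??\<registry image path> --> <resolved path>": keep the resolved form.
        if " --> " in path:
            path = path.split(" --> ", 1)[1]
        services.append(Service(m.group("state"), m.group("name"), m.group("display"),
                                path, m.group("info") == "?"))
    return services


def orphaned_services(services: List[Service]) -> List[Service]:
    """Registered drivers/services whose image file DDS could not find: leftovers
    of uninstalled security software in this thread, but worth a look in any log,
    since a missing image can also mean a hidden or deleted file."""
    return [s for s in services if s.file_missing]


if __name__ == "__main__":
    for d in pending_reboot_items(parse_mbam_log(MBAM_LOG)):
        print(f"pending reboot cleanup: {d.path} ({d.name})")
    for s in orphaned_services(parse_dds_services(DDS_SERVICES)):
        print(f"service {s.name} ({s.state}) points at missing file {s.path}")
```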


  • Root Admin

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Hi Ron-

This is the result of the combo log:

ComboFix 10-04-08.06 - Cucha 04/09/2010 18:44:59.6.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.456 [GMT -4:00]

Running from: c:\documents and settings\Cucha\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

.

((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))

.

2010-04-05 03:17 . 2010-04-05 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2010-04-03 02:43 . 2010-04-03 02:44 -------- d-----w- c:\documents and settings\All Users\AVP 2009

2010-03-19 20:27 . 2010-03-19 20:27 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-03-19 20:26 . 2010-04-01 00:15 -------- d-----w- c:\documents and settings\Cucha\Application Data\Skype

2010-03-15 02:17 . 2010-04-03 11:01 439816 ----a-w- c:\documents and settings\Cucha\Application Data\Real\Update\setup3.10\setup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-04 02:01 . 2008-09-07 23:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-04 01:59 . 2009-10-10 13:42 -------- d-----w- c:\program files\SpywareBlaster

2010-04-03 02:49 . 2009-07-22 18:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-03 02:39 . 2009-08-11 00:06 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-03 02:18 . 2007-11-20 08:23 -------- d-----w- c:\documents and settings\Cucha\Application Data\Teleca

2010-04-03 02:18 . 2007-11-20 08:19 -------- d-----w- c:\program files\Common Files\Teleca Shared

2010-04-03 02:18 . 2007-11-20 08:19 -------- d-----w- c:\program files\Common Files\Sony Ericsson Shared

2010-04-03 02:13 . 2008-04-13 16:28 -------- d-----w- c:\program files\Common Files\Skype

2010-04-03 02:12 . 2008-04-13 16:28 -------- d-----r- c:\program files\Skype

2010-03-31 23:43 . 2008-04-13 16:32 -------- d-----w- c:\documents and settings\Cucha\Application Data\skypePM

2010-03-30 04:46 . 2009-07-22 18:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2009-07-22 18:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-29 03:12 . 2010-02-28 04:53 871592 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-03-19 20:22 . 2008-04-13 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-03-11 12:38 . 2004-01-08 20:23 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2001-08-30 10:30 17408 ----a-w- c:\windows\system32\corpol.dll

2010-02-27 20:27 . 2010-02-27 20:27 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0

2010-02-27 19:53 . 2007-01-30 23:13 -------- d-----w- c:\program files\Common Files\Intuit

2010-02-27 19:52 . 2007-01-30 23:12 -------- d-----w- c:\program files\TurboTax

2010-02-24 14:16 . 2009-10-02 21:39 181632 ------w- c:\windows\system32\MpSigStub.exe

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-07 20:55 . 2007-09-07 20:55 267064 c:\itunes\bak\iTunesHelper.exe

2008-11-20 18:20 . 2007-09-07 20:55 267064 c:\itunes\iTunesHelper.exe

2006-12-27 07:31 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2009-04-04 17:41 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

2007-06-29 10:24 . 2007-06-29 10:24 286720 c:\program files\QuickTime\bak\QTTask.exe

2008-11-04 15:30 . 2007-06-29 10:24 286720 c:\program files\QuickTime\QTTask.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-09-18 6503624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-27 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-09-18 852680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk

backup=c:\windows\pss\Printkey2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]

2009-01-08 11:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

c:\progra~1\AIM\aim.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]

c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2006-02-19 06:41 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2007-09-07 20:55 267064 ----a-w- c:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]

c:\progra~1\McAfee\MHN\McENUI.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2008-02-07 16:07 244208 -c--a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]

c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

2007-06-13 13:16 528384 -c--a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-12-27 07:31 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2009-04-08 10:38 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4175:TCP"= 4175:TCP:slsk

"3389:TCP"= 3389:TCP:Remote Desktop

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/10/2009 9:52 AM 200784]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/10/2009 9:52 AM 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/10/2009 9:52 AM 29776]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/7/2009 8:34 PM 108289]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/10/2009 9:52 AM 1244360]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 6:38 AM 92008]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 USB-100;USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\USBER100.SYS [12/26/2006 6:34 PM 23938]

S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S2 BDVEDISK;BDVEDISK;\??\c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys --> c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2/7/2008 12:07 PM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2/7/2008 12:07 PM 166384]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/10/2009 9:52 AM 3184328]

S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2/7/2008 12:06 PM 1112560]

.

Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-09 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://m.www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: intuit.com\ttlc

Trusted Zone: microsoft.com\office

DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1504)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-04-09 19:00:01

ComboFix-quarantined-files.txt 2010-04-09 22:59

Pre-Run: 786,935,808 bytes free

Post-Run: 5,985,841,152 bytes free

- - End Of File - - DA4603C2A5BF74A8C0CDE6829154A688

Thank you-


  • Root Admin

Please download and run the following fix from Microsoft: How do I restore security settings to the default settings?

When completed please reboot your computer.

Then run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


Hi Ron-

Kaspersky log

KASPERSKY ONLINE SCANNER 7.0: scan report

Wednesday, April 14, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, April 13, 2010 19:47:08

Records in database: 3939804

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

J:\

Scan statistics:

Objects scanned: 145020

Threats found: 1

Infected objects found: 1

Suspicious objects found: 0

Scan duration: 04:05:17

File name / Threat / Threats count

C:\System Volume Information\_restore{219AE245-E3A2-47C0-9AC5-CF886E051F26}\RP246\A0034634.exe Infected: not-a-virus:FraudTool.Win32.AntiVirusPro.tr 1

Selected area has been scanned.

Thank you-


  • Root Admin

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".

  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK.

  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".

  • Give the new Restore Point a name, then click "Create".

  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use Disk Cleanup to remove all but the most recently created Restore Point.

  • Go to Start > Run and type: Cleanmgr.exe

  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.

  • Click the "More Options" tab, then click the "Clean up" button under System Restore.

  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"

  • Click Yes, then click Ok.

  • Click Yes again when prompted with "Are you sure you want to perform these actions?"

  • Disk Cleanup will remove the files and close automatically.

  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.

  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log.


Hi Ron-

The same results-

Malwarebytes Logs

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3988

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

4/14/2010 9:29:53 PM

mbam-log-2010-04-14 (21-29-53).txt

Scan type: Quick scan

Objects scanned: 89823

Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Delete on reboot.

Files Infected:

C:\Documents and Settings\All Users\AVP 2009\1.dat (Malware.Trace) -> Delete on reboot.


  • Root Admin

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Folder::
C:\Documents and Settings\All Users\AVP 2009

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.


Hi Ron- I followed all the instructions. Before it started scanning it said "There's a new version of Combofix, do you want to update YES or NO". I selected yes.

Combofix log

ComboFix 10-04-14.04 - Cucha 04/15/2010 22:01:05.7.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.374 [GMT -4:00]

Running from: c:\documents and settings\Cucha\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Cucha\Desktop\CFscript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\AVP 2009

c:\documents and settings\All Users\AVP 2009\1.dat

.

((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))

.

2010-04-13 20:34 . 2010-04-15 23:01 -------- d-----w- c:\windows\system32\NtmsData

2010-04-05 03:17 . 2010-04-05 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

2010-03-19 20:27 . 2010-03-19 20:27 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-03-19 20:26 . 2010-04-01 00:15 -------- d-----w- c:\documents and settings\Cucha\Application Data\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-13 20:34 . 2006-12-27 00:02 85928 ----a-w- c:\documents and settings\Cucha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-13 20:32 . 2010-02-28 04:53 1365416 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-13 12:06 . 2010-03-15 02:17 439816 ----a-w- c:\documents and settings\Cucha\Application Data\Real\Update\setup3.10\setup.exe

2010-04-04 02:01 . 2008-09-07 23:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-04 01:59 . 2009-10-10 13:42 -------- d-----w- c:\program files\SpywareBlaster

2010-04-03 02:49 . 2009-07-22 18:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-03 02:39 . 2009-08-11 00:06 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-03 02:18 . 2007-11-20 08:23 -------- d-----w- c:\documents and settings\Cucha\Application Data\Teleca

2010-04-03 02:18 . 2007-11-20 08:19 -------- d-----w- c:\program files\Common Files\Teleca Shared

2010-04-03 02:18 . 2007-11-20 08:19 -------- d-----w- c:\program files\Common Files\Sony Ericsson Shared

2010-04-03 02:13 . 2008-04-13 16:28 -------- d-----w- c:\program files\Common Files\Skype

2010-04-03 02:12 . 2008-04-13 16:28 -------- d-----r- c:\program files\Skype

2010-03-31 23:43 . 2008-04-13 16:32 -------- d-----w- c:\documents and settings\Cucha\Application Data\skypePM

2010-03-30 04:46 . 2009-07-22 18:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2009-07-22 18:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-19 20:22 . 2008-04-13 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-03-11 12:38 . 2004-01-08 20:23 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2001-08-30 10:30 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2001-08-30 10:30 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-27 20:27 . 2010-02-27 20:27 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0

2010-02-27 19:53 . 2007-01-30 23:13 -------- d-----w- c:\program files\Common Files\Intuit

2010-02-27 19:52 . 2007-01-30 23:12 -------- d-----w- c:\program files\TurboTax

2010-02-24 14:16 . 2009-10-02 21:39 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 13:11 . 2001-08-30 10:30 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-17 13:10 . 2001-08-30 10:30 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2001-08-17 13:48 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2001-08-30 10:30 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2001-08-30 10:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-04-09_22.55.47 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-04-15 21:47 . 2010-04-15 21:47 16384 c:\windows\Temp\Perflib_Perfdata_420.dat

+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 c:\windows\system32\dllcache\cabview.dll

+ 2001-08-30 10:30 . 2010-01-13 14:01 86016 c:\windows\system32\cabview.dll

+ 2010-04-13 15:30 . 2010-04-13 15:30 27136 c:\windows\Installer\bc96b6.msi

+ 2010-01-18 13:10 . 2010-04-13 21:28 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

- 2010-01-18 13:10 . 2010-03-10 10:43 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 90112 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe

+ 2006-12-27 00:47 . 2010-04-13 21:23 90112 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 45056 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe

+ 2006-12-27 00:47 . 2010-04-13 21:23 45056 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 22528 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe

+ 2006-12-27 00:47 . 2010-04-13 21:23 22528 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe

+ 2006-12-27 00:47 . 2010-04-13 21:23 30720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 30720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 16384 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe

+ 2006-12-27 00:47 . 2010-04-13 21:23 16384 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 34304 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe

+ 2006-12-27 00:47 . 2010-04-13 21:23 34304 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe

+ 2006-12-27 00:47 . 2010-04-13 21:23 3584 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 3584 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe

+ 2006-12-27 00:47 . 2010-04-13 21:23 8192 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 8192 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe

+ 2006-12-27 00:47 . 2010-04-13 21:23 2560 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 2560 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe

+ 2001-08-30 10:30 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll

+ 2006-12-25 19:28 . 2010-04-13 20:34 308400 c:\windows\system32\FNTCACHE.DAT

- 2006-12-25 19:28 . 2009-11-11 01:08 308400 c:\windows\system32\FNTCACHE.DAT

+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll

+ 2008-05-09 10:53 . 2010-03-09 11:09 430080 c:\windows\system32\dllcache\vbscript.dll

- 2008-05-09 10:53 . 2008-05-09 10:53 430080 c:\windows\system32\dllcache\vbscript.dll

+ 2008-06-20 11:08 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys

+ 2008-11-12 19:01 . 2010-02-24 13:11 455680 c:\windows\system32\dllcache\mrxsmb.sys

+ 2010-02-12 04:33 . 2010-02-12 04:33 100864 c:\windows\system32\dllcache\6to4svc.dll

+ 2010-04-04 01:31 . 2010-04-04 01:31 267264 c:\windows\Installer\236821.msp

+ 2006-12-27 00:47 . 2010-04-13 21:23 114688 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 114688 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe

- 2006-12-27 00:47 . 2010-03-10 10:44 167936 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe

+ 2006-12-27 00:47 . 2010-04-13 21:23 167936 c:\windows\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe

+ 2008-11-12 19:01 . 2010-02-24 13:11 455680 c:\windows\Driver Cache\i386\mrxsmb.sys

+ 2008-10-14 23:13 . 2010-02-17 13:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe

+ 2008-10-14 23:13 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe

+ 2008-10-14 23:13 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe

+ 2008-10-14 23:13 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe

+ 2010-02-26 10:09 . 2010-02-26 10:09 8300544 c:\windows\Installer\2da456.msp

+ 2008-10-14 23:13 . 2010-02-17 13:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe

+ 2008-10-14 23:13 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe

+ 2008-10-14 23:13 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe

+ 2008-10-14 23:13 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe

+ 2006-12-26 23:28 . 2010-04-06 17:52 31971272 c:\windows\system32\MRT.exe

+ 2010-03-22 20:03 . 2010-03-22 20:03 11732992 c:\windows\Installer\2da461.msp

+ 2009-08-17 21:40 . 2009-08-17 21:40 17309040 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6514\MSO.DLL

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-07 20:55 . 2007-09-07 20:55 267064 c:\itunes\bak\iTunesHelper.exe

2008-11-20 18:20 . 2007-09-07 20:55 267064 c:\itunes\iTunesHelper.exe

2006-12-27 07:31 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2009-04-04 17:41 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

2007-06-29 10:24 . 2007-06-29 10:24 286720 c:\program files\QuickTime\bak\QTTask.exe

2008-11-04 15:30 . 2007-06-29 10:24 286720 c:\program files\QuickTime\QTTask.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-09-18 6503624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-27 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-09-18 852680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk

backup=c:\windows\pss\Printkey2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]

2009-01-08 11:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

c:\progra~1\AIM\aim.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]

c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2006-02-19 06:41 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2007-09-07 20:55 267064 ----a-w- c:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]

c:\progra~1\McAfee\MHN\McENUI.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2008-02-07 16:07 244208 -c--a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]

c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

2007-06-13 13:16 528384 -c--a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-12-27 07:31 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2009-04-08 10:38 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4175:TCP"= 4175:TCP:slsk

"3389:TCP"= 3389:TCP:Remote Desktop

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/10/2009 9:52 AM 200784]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/10/2009 9:52 AM 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/10/2009 9:52 AM 29776]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/7/2009 8:34 PM 108289]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/10/2009 9:52 AM 1244360]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 6:38 AM 92008]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 USB-100;USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\USBER100.SYS [12/26/2006 6:34 PM 23938]

S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S2 BDVEDISK;BDVEDISK;\??\c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys --> c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2/7/2008 12:07 PM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2/7/2008 12:07 PM 166384]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/10/2009 9:52 AM 3184328]

S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2/7/2008 12:06 PM 1112560]

.

Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-15 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://m.www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: intuit.com\ttlc

Trusted Zone: microsoft.com\office

DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

Completion time: 2010-04-15 22:14:59

ComboFix-quarantined-files.txt 2010-04-16 02:14

ComboFix2.txt 2010-04-09 23:00

Pre-Run: 6,097,698,816 bytes free

Post-Run: 6,629,146,624 bytes free

- - End Of File - - 80B2B968332F635FB593925F8F902B1D

Thank you-


  • Root Admin

Are you using or do you still have BitDefender AV installed? There is still a live driver for it loading that we should remove if you're not using it.

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

Then after the reboot please run a new Quick Scan with MBAM and post back the log.

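The BitDefender driver was spotted in the ComboFix log because its service entry still exists while the file it points at does not (the "--> ... [?]" form), and the msconfig\startupreg items marked "[N/A]" are the same kind of leftover. As an added example, not code from this thread or from ComboFix, here is a small Python triage helper that parses lines in that shape and flags the orphaned autostart entries; the sample lines are constructed to match this log's format, and the reading of the R/S prefix and start-type digit is an assumption about ComboFix's notation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (assumption): lines in the shape of the ComboFix
# "Reg Loading Points" tail seen in this thread: msconfig\startupreg entries
# followed by service/driver lines. "[N/A]" and "--> ... [?]" both mean
# ComboFix could not find the binary the registry still points at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
c:\progra~1\AIM\aim.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-07 20:55 267064 ----a-w- c:\itunes\iTunesHelper.exe
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/10/2009 9:52 AM 200784]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S2 BDVEDISK;BDVEDISK;\??\c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys --> c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [?]
S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]
"""

# Assumed notation: "R"/"S" = running/stopped, digit = Windows service start
# type (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled), then
# name;display name;image path [date time size] or "--> path [?]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
STARTUPREG_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig"
    r"\\startupreg\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)


@dataclass
class AutostartEntry:
    kind: str                  # "service" or "startupreg"
    name: str
    path: str                  # image path as the registry records it
    start_type: Optional[int]  # service start type; None for startupreg items
    binary_present: bool

    @property
    def loads_automatically(self) -> bool:
        # Start types 0-2 load at boot with no user action. msconfig\startupreg
        # items are entries disabled through msconfig, so they do not run.
        return self.start_type is not None and self.start_type <= 2


def _image_path(rest: str) -> Tuple[str, bool]:
    """Split the tail of a service line into (path, binary_present)."""
    present = not rest.endswith("[?]")
    path = rest.split(" --> ", 1)[1] if " --> " in rest else rest
    # Drop the trailing "[date time size]" or "[?]" bracket.
    path = re.sub(r"\s*\[[^\]]*\]$", "", path)
    return path, present


def parse_loading_points(text: str) -> List[AutostartEntry]:
    """Collect service/driver and msconfig startupreg entries from log text."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    entries: List[AutostartEntry] = []
    i = 0
    while i < len(lines):
        m = SERVICE_RE.match(lines[i])
        if m:
            path, present = _image_path(m.group("rest"))
            entries.append(AutostartEntry("service", m.group("name"), path,
                                          int(m.group("start")), present))
            i += 1
            continue
        m = STARTUPREG_RE.match(lines[i])
        if m and i + 1 < len(lines):
            value = lines[i + 1]  # the line after the key holds the target
            present = not value.endswith("[N/A]")
            if present:
                # Present form: "<date> <time> <size> <attrs> <path>".
                parts = value.split(" ", 4)
                path = parts[4] if len(parts) == 5 else value
            else:
                path = re.sub(r"\s*\[N/A\]$", "", value)
            entries.append(AutostartEntry("startupreg", m.group("name"), path,
                                          None, present))
            i += 2
            continue
        i += 1
    return entries


def orphaned_entries(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Registry autostart entries whose binary ComboFix could not find."""
    return [e for e in entries if not e.binary_present]


if __name__ == "__main__":
    # Orphans that still load at boot (like BDVEDISK here) are the ones worth
    # removing first; the rest are stale but inert references.
    for e in orphaned_entries(parse_loading_points(SAMPLE_LOG)):
        flag = "LOADS AT BOOT" if e.loads_automatically else "inactive"
        print(f"{e.kind:10} {e.name:12} {flag:14} {e.path}")
```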

Hello-

MBAM Log

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3999

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

4/16/2010 11:22:22 PM

mbam-log-2010-04-16 (23-22-22).txt

Scan type: Quick scan

Objects scanned: 89296

Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Please download a new version of Combofix and overwrite the current one on your desktop and run the following.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Driver::
BDVEDISK
File::
c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys
Folder::
c:\program files\BitDefender

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.


Hello-

Combo Log

ComboFix 10-04-19.08 - Cucha 04/20/2010 20:43:59.9.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.440 [GMT -4:00]

Running from: c:\documents and settings\Cucha\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Cucha\Desktop\CFscript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FILE ::

"c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_BDVEDISK

-------\Service_BDVEDISK

((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))

.

2010-04-13 20:34 . 2010-04-16 02:24 -------- d-----w- c:\windows\system32\NtmsData

2010-04-05 03:17 . 2010-04-05 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-19 16:23 . 2007-01-06 16:33 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-13 20:34 . 2006-12-27 00:02 85928 ----a-w- c:\documents and settings\Cucha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-13 20:32 . 2010-02-28 04:53 1365416 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-13 12:06 . 2010-03-15 02:17 439816 ----a-w- c:\documents and settings\Cucha\Application Data\Real\Update\setup3.10\setup.exe

2010-04-04 02:01 . 2008-09-07 23:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-04 01:59 . 2009-10-10 13:42 -------- d-----w- c:\program files\SpywareBlaster

2010-04-03 02:49 . 2009-07-22 18:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-03 02:39 . 2009-08-11 00:06 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-03 02:18 . 2007-11-20 08:23 -------- d-----w- c:\documents and settings\Cucha\Application Data\Teleca

2010-04-03 02:18 . 2007-11-20 08:19 -------- d-----w- c:\program files\Common Files\Teleca Shared

2010-04-03 02:18 . 2007-11-20 08:19 -------- d-----w- c:\program files\Common Files\Sony Ericsson Shared

2010-04-03 02:13 . 2008-04-13 16:28 -------- d-----w- c:\program files\Common Files\Skype

2010-04-03 02:12 . 2008-04-13 16:28 -------- d-----r- c:\program files\Skype

2010-04-01 00:15 . 2010-03-19 20:26 -------- d-----w- c:\documents and settings\Cucha\Application Data\Skype

2010-03-31 23:43 . 2008-04-13 16:32 -------- d-----w- c:\documents and settings\Cucha\Application Data\skypePM

2010-03-30 04:46 . 2009-07-22 18:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2009-07-22 18:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-19 20:27 . 2010-03-19 20:27 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-03-19 20:22 . 2008-04-13 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-03-11 12:38 . 2004-01-08 20:23 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2001-08-30 10:30 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2001-08-30 10:30 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-27 20:27 . 2010-02-27 20:27 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0

2010-02-27 19:53 . 2007-01-30 23:13 -------- d-----w- c:\program files\Common Files\Intuit

2010-02-27 19:52 . 2007-01-30 23:12 -------- d-----w- c:\program files\TurboTax

2010-02-24 14:16 . 2009-10-02 21:39 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 13:11 . 2001-08-30 10:30 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-17 13:10 . 2001-08-30 10:30 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2001-08-17 13:48 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2001-08-30 10:30 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2001-08-30 10:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((( SnapShot_2010-04-16_02.10.56 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-04-21 00:32 . 2010-04-21 00:32 16384 c:\windows\Temp\Perflib_Perfdata_5c4.dat

+ 2010-04-19 16:24 . 2010-04-19 16:24 3940352 c:\windows\Installer\1902ec5.msi

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-07 20:55 . 2007-09-07 20:55 267064 c:\itunes\bak\iTunesHelper.exe

2008-11-20 18:20 . 2007-09-07 20:55 267064 c:\itunes\iTunesHelper.exe

2006-12-27 07:31 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2009-04-04 17:41 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

2007-06-29 10:24 . 2007-06-29 10:24 286720 c:\program files\QuickTime\bak\QTTask.exe

2008-11-04 15:30 . 2007-06-29 10:24 286720 c:\program files\QuickTime\QTTask.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-09-18 6503624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-27 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-09-18 852680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk

backup=c:\windows\pss\Printkey2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]

2009-01-08 11:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

c:\progra~1\AIM\aim.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]

c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2006-02-19 06:41 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2007-09-07 20:55 267064 ----a-w- c:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]

c:\progra~1\McAfee\MHN\McENUI.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2008-02-07 16:07 244208 -c--a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]

c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

2007-06-13 13:16 528384 -c--a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-12-27 07:31 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2009-04-08 10:38 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4175:TCP"= 4175:TCP:slsk

"3389:TCP"= 3389:TCP:Remote Desktop

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/10/2009 9:52 AM 200784]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/10/2009 9:52 AM 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/10/2009 9:52 AM 29776]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/7/2009 8:34 PM 108289]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/10/2009 9:52 AM 1244360]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 6:38 AM 92008]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 USB-100;USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\USBER100.SYS [12/26/2006 6:34 PM 23938]

S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2/7/2008 12:07 PM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2/7/2008 12:07 PM 166384]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/10/2009 9:52 AM 3184328]

S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2/7/2008 12:06 PM 1112560]

.

Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-21 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://m.www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: intuit.com\ttlc

Trusted Zone: microsoft.com\office

DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(432)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-04-20 20:58:33

ComboFix-quarantined-files.txt 2010-04-21 00:58

ComboFix2.txt 2010-04-16 02:15

ComboFix3.txt 2010-04-09 23:00

Pre-Run: 6,362,669,056 bytes free

Post-Run: 6,325,071,872 bytes free

- - End Of File - - 5F7EB1A88200A3C4DCF8FAFD485B46AB

Thank you-


  • Root Admin

Hi there. Just about done

STEP 01

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

AWF::
c:\itunes\bak\iTunesHelper.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\QuickTime\bak\QTTask.exe

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 20 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 20 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

STEP 03

Update MBAM and do another Quick Scan and post back the log please.

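The AWF:: block in STEP 01 is built by hand from the "AWF" section of the ComboFix log: each entry under a "bak" folder is an original program file that was moved aside, and the sibling path without "bak" is whatever now sits in its place. The script below is an added example, not part of this thread and not ComboFix's own code. It parses a constructed excerpt in the same layout as the log posted above, pairs each bak file with its live counterpart, and prints the AWF:: script lines exactly as the helper wrote them. The function names (section_lines, pair_awf, build_cfscript) are my own, and the CFScript format is assumed to be the "AWF::" header followed by one bak path per line, as shown in STEP 01.

```python
"""Draft a ComboFix AWF:: CFScript from the AWF section of a ComboFix log.

Added example (not from the forum thread or from ComboFix). Assumes the log
layout seen in the thread: a banner line of parentheses around a section name,
then entries "<mtime> . <ctime> <size> <path>", where a path whose parent
folder is "bak" is the original binary that was moved aside.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Constructed excerpt copying the layout of the AWF section posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 20:55 . 2007-09-07 20:55 267064 c:\itunes\bak\iTunesHelper.exe
2008-11-20 18:20 . 2007-09-07 20:55 267064 c:\itunes\iTunesHelper.exe
2006-12-27 07:31 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
2009-04-04 17:41 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
2007-06-29 10:24 . 2007-06-29 10:24 286720 c:\program files\QuickTime\bak\QTTask.exe
2008-11-04 15:30 . 2007-06-29 10:24 286720 c:\program files\QuickTime\QTTask.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

BANNER = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}\s*$")
ENTRY = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    mtime: str
    ctime: str
    size: int
    path: str


@dataclass
class AwfPair:
    backup: Entry            # original binary that was moved into a "bak" folder
    live: Optional[Entry]    # file now at the original location, if the log lists it


def section_lines(log: str, name: str) -> list:
    """Return the lines between the named ComboFix banner and the next banner."""
    out, inside = [], False
    for line in log.splitlines():
        m = BANNER.match(line)
        if m:
            inside = m.group(1) == name
            continue
        if inside:
            out.append(line)
    return out


def parse_entries(lines) -> list:
    """Turn "<mtime> . <ctime> <size> <path>" lines into Entry objects; skip filler."""
    entries = []
    for line in lines:
        m = ENTRY.match(line)
        if m:
            entries.append(Entry(m["mtime"], m["ctime"], int(m["size"]), m["path"]))
    return entries


def pair_awf(entries) -> list:
    """Match each ...\\bak\\<name> entry with the ...\\<name> entry at its original location."""
    by_path = {e.path.lower(): e for e in entries}
    pairs = []
    for e in entries:
        p = PureWindowsPath(e.path)
        if p.parent.name.lower() != "bak":
            continue
        live_path = str(p.parent.parent / p.name)   # drop the "bak" folder
        pairs.append(AwfPair(e, by_path.get(live_path.lower())))
    return pairs


def build_cfscript(pairs) -> str:
    """Emit the AWF:: block for CFScript.txt: header, then one bak path per line."""
    return "AWF::\n" + "\n".join(p.backup.path for p in pairs) + "\n"


def describe(pair: AwfPair) -> str:
    """One-line review note: was the live file listed, and does its size match the original?"""
    if pair.live is None:
        return f"{pair.backup.path}: no live counterpart listed"
    same = "same size" if pair.live.size == pair.backup.size else "size differs"
    return f"{pair.backup.path} -> {pair.live.path} ({same}, live mtime {pair.live.mtime})"


if __name__ == "__main__":
    found = pair_awf(parse_entries(section_lines(SAMPLE_LOG, "AWF")))
    for pr in found:
        print(describe(pr))
    print(build_cfscript(found), end="")
```

Running it prints the three bak/live pairs (all three live files are listed, with the same sizes as the originals) and then the AWF:: block, which matches the Code box in STEP 01 line for line. The review note from describe() is the check worth reading before saving the script: a bak entry with no live counterpart, or a live file whose size differs from the original, is the case to look at by hand rather than restore blindly.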

Hi Ron- How often should I update the Java? I did notice that IE is slower. Any suggestions would be greatly appreciated.

Thank you-

Combo Log

ComboFix 10-04-21.01 - Cucha 04/21/2010 17:38:32.11.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.436 [GMT -4:00]

Running from: c:\documents and settings\Cucha\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

.

((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))

.

2010-04-13 20:34 . 2010-04-16 02:24 -------- d-----w- c:\windows\system32\NtmsData

2010-04-05 03:17 . 2010-04-05 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-21 18:24 . 2010-03-15 02:17 439816 ----a-w- c:\documents and settings\Cucha\Application Data\Real\Update\setup3.10\setup.exe

2010-04-19 16:23 . 2007-01-06 16:33 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-13 20:34 . 2006-12-27 00:02 85928 ----a-w- c:\documents and settings\Cucha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-13 20:32 . 2010-02-28 04:53 1365416 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-04 02:01 . 2008-09-07 23:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-04 01:59 . 2009-10-10 13:42 -------- d-----w- c:\program files\SpywareBlaster

2010-04-03 02:49 . 2009-07-22 18:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-03 02:39 . 2009-08-11 00:06 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-03 02:18 . 2007-11-20 08:23 -------- d-----w- c:\documents and settings\Cucha\Application Data\Teleca

2010-04-03 02:18 . 2007-11-20 08:19 -------- d-----w- c:\program files\Common Files\Teleca Shared

2010-04-03 02:18 . 2007-11-20 08:19 -------- d-----w- c:\program files\Common Files\Sony Ericsson Shared

2010-04-03 02:13 . 2008-04-13 16:28 -------- d-----w- c:\program files\Common Files\Skype

2010-04-03 02:12 . 2008-04-13 16:28 -------- d-----r- c:\program files\Skype

2010-04-01 00:15 . 2010-03-19 20:26 -------- d-----w- c:\documents and settings\Cucha\Application Data\Skype

2010-03-31 23:43 . 2008-04-13 16:32 -------- d-----w- c:\documents and settings\Cucha\Application Data\skypePM

2010-03-30 04:46 . 2009-07-22 18:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2009-07-22 18:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-19 20:27 . 2010-03-19 20:27 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-03-19 20:22 . 2008-04-13 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-03-11 12:38 . 2004-01-08 20:23 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2001-08-30 10:30 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2001-08-30 10:30 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-27 20:27 . 2010-02-27 20:27 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0

2010-02-27 19:53 . 2007-01-30 23:13 -------- d-----w- c:\program files\Common Files\Intuit

2010-02-27 19:52 . 2007-01-30 23:12 -------- d-----w- c:\program files\TurboTax

2010-02-24 14:16 . 2009-10-02 21:39 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 13:11 . 2001-08-30 10:30 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-17 13:10 . 2001-08-30 10:30 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2001-08-17 13:48 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2001-08-30 10:30 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2001-08-30 10:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((( SnapShot_2010-04-16_02.10.56 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-04-21 21:25 . 2010-04-21 21:25 16384 c:\windows\Temp\Perflib_Perfdata_768.dat

+ 2010-04-19 16:24 . 2010-04-19 16:24 3940352 c:\windows\Installer\1902ec5.msi

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-07 20:55 . 2007-09-07 20:55 267064 c:\itunes\bak\iTunesHelper.exe

2008-11-20 18:20 . 2007-09-07 20:55 267064 c:\itunes\iTunesHelper.exe

2006-12-27 07:31 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2009-04-04 17:41 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

2007-06-29 10:24 . 2007-06-29 10:24 286720 c:\program files\QuickTime\bak\QTTask.exe

2008-11-04 15:30 . 2007-06-29 10:24 286720 c:\program files\QuickTime\QTTask.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-09-18 6503624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-27 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-09-18 852680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk

backup=c:\windows\pss\Printkey2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]

2009-01-08 11:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

c:\progra~1\AIM\aim.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]

c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2006-02-19 06:41 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2007-09-07 20:55 267064 ----a-w- c:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]

c:\progra~1\McAfee\MHN\McENUI.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2008-02-07 16:07 244208 -c--a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]

c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

2007-06-13 13:16 528384 -c--a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-12-27 07:31 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2009-04-08 10:38 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4175:TCP"= 4175:TCP:slsk

"3389:TCP"= 3389:TCP:Remote Desktop

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/10/2009 9:52 AM 200784]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/10/2009 9:52 AM 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/10/2009 9:52 AM 29776]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/7/2009 8:34 PM 108289]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/10/2009 9:52 AM 1244360]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 6:38 AM 92008]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 USB-100;USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\USBER100.SYS [12/26/2006 6:34 PM 23938]

S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2/7/2008 12:07 PM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2/7/2008 12:07 PM 166384]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/10/2009 9:52 AM 3184328]

S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2/7/2008 12:06 PM 1112560]

.

Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-21 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://m.www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3264)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-04-21 17:51:39

ComboFix-quarantined-files.txt 2010-04-21 21:51

ComboFix2.txt 2010-04-21 00:58

ComboFix3.txt 2010-04-16 02:15

ComboFix4.txt 2010-04-09 23:00

Pre-Run: 6,286,700,544 bytes free

Post-Run: 6,246,793,216 bytes free

- - End Of File - - B91071AE7E27F8CE3AA2A09B83AD20EA

MBAM Log

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4019

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

4/21/2010 8:48:09 PM

mbam-log-2010-04-21 (20-48-09).txt

Scan type: Quick scan

Objects scanned: 128622

Time elapsed: 14 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Hi there. If at all possible it would be best not to use Java at all, but otherwise just leave the auto-updater enabled; when a new version is available it should alert you.

The log indicates that you did not create the CFSCRIPT.TXT file and drop it onto ComboFix.

Please re-read and follow the directions from the last post, make that file as shown, and drop it onto CF.

Thanks.


Hello, I followed the directions. Once it completes the scan it reboots; I don't see the long report on the screen. So when the PC restarts I look for the file C:\combofix.txt. Is that the correct log? It only shows this:

ComboFix 10-04-21.01 - Cucha 04/23/2010 2:51:42.13.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.437 [GMT -4:00]

Running from: C:\Documents and Settings\Cucha\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Cucha\Desktop\CFscript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

.

Is this correct?

Thank you-


  • Root Admin

It shows that it was trying to use that script. Perhaps you were doing something that blocked it or stopped it from completing.

Please download a fresh copy of CF and overwrite your current copy. Then run it again, but do not use a CFSCRIPT.TXT file this time. Delete the current c:\combofix.txt file if it is still there, then run the new copy; it should provide you with a full log when it's done running. Please be patient and allow it time to gather and write the log.

Thanks.


Hi, hope this is OK now.

Thank you-

ComboFix 10-04-21.01 - Cucha 04/23/2010 17:32:17.14.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.440 [GMT -4:00]

Running from: c:\documents and settings\Cucha\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

.

((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))

.

2010-04-22 00:27 . 2010-04-22 00:27 503808 ----a-w- c:\documents and settings\Cucha\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10eb716a-n\msvcp71.dll

2010-04-22 00:27 . 2010-04-22 00:27 499712 ----a-w- c:\documents and settings\Cucha\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10eb716a-n\jmc.dll

2010-04-22 00:27 . 2010-04-22 00:27 348160 ----a-w- c:\documents and settings\Cucha\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10eb716a-n\msvcr71.dll

2010-04-22 00:27 . 2010-04-22 00:27 61440 ----a-w- c:\documents and settings\Cucha\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4ffb25bb-n\decora-sse.dll

2010-04-22 00:27 . 2010-04-22 00:27 12800 ----a-w- c:\documents and settings\Cucha\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4ffb25bb-n\decora-d3d.dll

2010-04-22 00:27 . 2010-04-22 00:27 -------- d-----w- c:\program files\Common Files\Java

2010-04-22 00:26 . 2010-04-22 00:26 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-22 00:26 . 2010-04-22 00:26 -------- d-----w- c:\program files\Java

2010-04-13 20:34 . 2010-04-16 02:24 -------- d-----w- c:\windows\system32\NtmsData

2010-04-05 03:17 . 2010-04-05 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-21 18:24 . 2010-03-15 02:17 439816 ----a-w- c:\documents and settings\Cucha\Application Data\Real\Update\setup3.10\setup.exe

2010-04-19 16:23 . 2007-01-06 16:33 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-13 20:34 . 2006-12-27 00:02 85928 ----a-w- c:\documents and settings\Cucha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-13 20:32 . 2010-02-28 04:53 1365416 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-04 02:01 . 2008-09-07 23:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-04 01:59 . 2009-10-10 13:42 -------- d-----w- c:\program files\SpywareBlaster

2010-04-03 02:49 . 2009-07-22 18:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-03 02:39 . 2009-08-11 00:06 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-03 02:18 . 2007-11-20 08:23 -------- d-----w- c:\documents and settings\Cucha\Application Data\Teleca

2010-04-03 02:18 . 2007-11-20 08:19 -------- d-----w- c:\program files\Common Files\Teleca Shared

2010-04-03 02:18 . 2007-11-20 08:19 -------- d-----w- c:\program files\Common Files\Sony Ericsson Shared

2010-04-03 02:13 . 2008-04-13 16:28 -------- d-----w- c:\program files\Common Files\Skype

2010-04-03 02:12 . 2008-04-13 16:28 -------- d-----r- c:\program files\Skype

2010-04-01 00:15 . 2010-03-19 20:26 -------- d-----w- c:\documents and settings\Cucha\Application Data\Skype

2010-03-31 23:43 . 2008-04-13 16:32 -------- d-----w- c:\documents and settings\Cucha\Application Data\skypePM

2010-03-30 04:46 . 2009-07-22 18:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2009-07-22 18:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-19 20:27 . 2010-03-19 20:27 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2010-03-19 20:22 . 2008-04-13 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-03-11 12:38 . 2004-01-08 20:23 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2001-08-30 10:30 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2001-08-30 10:30 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-27 20:27 . 2010-02-27 20:27 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0

2010-02-27 19:53 . 2007-01-30 23:13 -------- d-----w- c:\program files\Common Files\Intuit

2010-02-27 19:52 . 2007-01-30 23:12 -------- d-----w- c:\program files\TurboTax

2010-02-24 14:16 . 2009-10-02 21:39 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 13:11 . 2001-08-30 10:30 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-17 13:10 . 2001-08-30 10:30 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2001-08-17 13:48 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2001-08-30 10:30 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2001-08-30 10:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((( SnapShot_2010-04-16_02.10.56 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-04-22 00:26 . 2010-04-22 00:26 153376 c:\windows\system32\javaws.exe

+ 2010-04-22 00:26 . 2010-04-22 00:26 145184 c:\windows\system32\javaw.exe

- 2009-12-19 13:40 . 2009-10-11 09:17 145184 c:\windows\system32\javaw.exe

+ 2010-04-22 00:26 . 2010-04-22 00:26 145184 c:\windows\system32\java.exe

- 2009-12-19 13:40 . 2009-10-11 09:17 145184 c:\windows\system32\java.exe

+ 2010-04-22 00:27 . 2010-04-22 00:27 180224 c:\windows\Installer\876ba.msi

+ 2010-04-22 00:26 . 2010-04-22 00:26 577536 c:\windows\Installer\876b2.msi

+ 2010-04-19 16:24 . 2010-04-19 16:24 3940352 c:\windows\Installer\1902ec5.msi

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-07 20:55 . 2007-09-07 20:55 267064 c:\itunes\bak\iTunesHelper.exe

2008-11-20 18:20 . 2007-09-07 20:55 267064 c:\itunes\iTunesHelper.exe

2006-12-27 07:31 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2009-04-04 17:41 . 2006-12-27 07:31 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

2007-06-29 10:24 . 2007-06-29 10:24 286720 c:\program files\QuickTime\bak\QTTask.exe

2008-11-04 15:30 . 2007-06-29 10:24 286720 c:\program files\QuickTime\QTTask.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-09-18 6503624]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-27 185896]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-09-18 852680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk

backup=c:\windows\pss\Printkey2000.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]

2009-01-08 11:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

c:\progra~1\AIM\aim.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]

c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2006-02-19 06:41 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2007-09-07 20:55 267064 ----a-w- c:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McENUI]

c:\progra~1\McAfee\MHN\McENUI.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2008-02-07 16:07 244208 -c--a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]

c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

2007-06-13 13:16 528384 -c--a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

c:\program files\Java\jre6\bin\jusched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2006-12-27 07:31 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2009-04-08 10:38 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"4175:TCP"= 4175:TCP:slsk

"3389:TCP"= 3389:TCP:Remote Desktop

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [10/10/2009 9:52 AM 200784]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [10/10/2009 9:52 AM 24656]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/10/2009 9:52 AM 29776]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/7/2009 8:34 PM 108289]

R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [10/10/2009 9:52 AM 1244360]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 6:38 AM 92008]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 USB-100;USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\USBER100.SYS [12/26/2006 6:34 PM 23938]

S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2/7/2008 12:07 PM 309744]

S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2/7/2008 12:07 PM 166384]

S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [10/10/2009 9:52 AM 3184328]

S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2/7/2008 12:06 PM 1112560]

.

Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-23 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://m.www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB

.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2404)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-04-23 17:46:03

ComboFix-quarantined-files.txt 2010-04-23 21:45

ComboFix2.txt 2010-04-21 21:51

ComboFix3.txt 2010-04-21 00:58

ComboFix4.txt 2010-04-16 02:15

ComboFix5.txt 2010-04-23 06:10

Pre-Run: 6,064,590,848 bytes free

Post-Run: 6,074,015,744 bytes free

- - End Of File - - B07B1C960C383684EDE24CB745DDAE41


  • Root Admin

Yes that's fine.

As long as these other applications from the CFScript are working, we can leave them as they are, since the anti-virus and malware scanners are not flagging them as infected.

This item here looks to be Soulseek file-sharing software, which can easily bypass and infect your system. Basically your firewall is open to allow it to share files (illegal in many countries and unsafe in general regardless of legality). It's up to you, but sharing files is probably going to keep you coming back here or to similar places needing to get your system cleaned.

"4175:TCP"= 4175:TCP:slsk

How is the computer running otherwise? Are there still any signs of infection?

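The firewall-policy lines, the R*/S* service lines and the Security Center override values quoted in the ComboFix log above are the entries a triager reads first, and the open 4175/TCP exception is exactly the kind of thing the reply above picks out. As an added example (not code from this thread, from ComboFix or from Malwarebytes), the Python script below parses those three line formats from a constructed sample in the same layout and turns them into a findings list. The sample text, the SENSITIVE_PORTS table and the severity labels are assumptions made for illustration; the regexes only cover the line shapes that appear in this thread's logs.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).

Pulls out the Windows Firewall exceptions, the service/driver lines and the
Security Center overrides discussed above and turns them into a findings list."""
import re
from dataclasses import dataclass

# Constructed sample in the log format seen in this thread; not the full log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4175:TCP"= 4175:TCP:slsk
"3389:TCP"= 3389:TCP:Remote Desktop
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [10/10/2009 9:52 AM 29776]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$')
APP_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')

# Assumed list of ports that should not be open on a home PC unless deliberately set up.
SENSITIVE_PORTS = {3389: "Remote Desktop", 445: "SMB", 139: "NetBIOS"}


@dataclass
class Finding:
    severity: str  # "info", "warn" or "high"
    message: str


def _sections(text):
    """Yield (lower-cased registry key of the current [section], stripped line)."""
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        yield key, line


def open_ports(text):
    """GloballyOpenPorts entries as (port, protocol, name) tuples."""
    out = []
    for key, line in _sections(text):
        m = PORT_RE.match(line) if "globallyopenports" in key else None
        if m:
            out.append((int(m.group("port")), m.group("proto"), m.group("name").strip()))
    return out


def authorized_apps(text):
    """AuthorizedApplications entries with the registry-export doubled backslashes collapsed."""
    out = []
    for key, line in _sections(text):
        m = APP_RE.match(line) if "authorizedapplications" in key else None
        if m:
            out.append(m.group("path").replace("\\\\", "\\"))
    return out


def services(text):
    """R*/S* service and driver lines; missing=True when ComboFix printed [?] (file not found)."""
    out = []
    for _, line in _sections(text):
        m = SERVICE_RE.match(line)
        if m:
            out.append({"start": m.group("start"), "name": m.group("name"),
                        "display": m.group("display"),
                        "missing": m.group("rest").endswith("[?]")})
    return out


def security_center_overrides(text):
    """Non-zero dword values under the Security Center keys as (subkey, value name)."""
    out = []
    for key, line in _sections(text):
        m = DWORD_RE.match(line) if "security center" in key else None
        if m and int(m.group("value"), 16):
            out.append((key.rsplit("\\", 1)[-1], m.group("name")))
    return out


def triage(text):
    """Findings in the order a reviewer reads the log: open ports, services, overrides."""
    findings = []
    for port, proto, name in open_ports(text):
        sev = "high" if port in SENSITIVE_PORTS else "warn"
        findings.append(Finding(sev, f"firewall opens {port}/{proto} globally for '{name}'"))
    for svc in services(text):
        if svc["missing"]:
            findings.append(Finding("info", f"{svc['start']} {svc['name']}: file not on disk"))
    for subkey, name in security_center_overrides(text):
        findings.append(Finding("warn", f"Security Center monitoring suppressed: {subkey}\\{name}"))
    return findings


if __name__ == "__main__":
    print("firewall exceptions:", authorized_apps(SAMPLE_LOG))
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.message}")
```

Run it as-is to see the findings for the constructed sample, or replace SAMPLE_LOG with the text of a real ComboFix log. Missing-file drivers ([?]) are reported as info rather than warn because, as in this thread, they are usually leftovers of an uninstalled product (here SUPERAntiSpyware) rather than malware, and the Security Center overrides are flagged because both a third-party suite and malware set them; the finding tells you to check which one did.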
