
Antimalware doctor fixed browser hijack not



Hi, I had that Antimalware Doctor on my computer. Malwarebytes seems to have fixed that problem. Now, when I do a search on Google or Bing, the links take me to wonderful other search engines and not where I need to go.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Eric Abramson at 17:03:42.65 on Sat 04/24/2010

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.356 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Brownie\Brnipmon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Eric Abramson\Desktop\Fiz\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.fatwallet.com/

uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz

uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html

uWindow Title = Microsoft Internet Explorer provided by Verizon Online

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uInternet Settings,ProxyOverride = 127.0.0.1

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: {A057A204-BACC-4D26-CEC4-75A487FD6484} - No File

TB: {2787EA8E-8D87-48AF-88AD-B30246C917AB} - No File

TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [sFP] c:\program files\common files\verizon online\sfp\vzSFPWin.EXE /s

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [brStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun

mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

mRun: [NPSStartup]

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [dfdilxwy] c:\documents and settings\networkservice\local settings\application data\dpfhynuyx\igfhpbwtssd.exe

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {32A32D38-B8ED-4b3f-AFD0-EF23B697B5C1} - c:\program files\travelaxe\Travelaxe.exe

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: arise.com

Trusted Zone: arise.com\portal

Trusted Zone: arise.com\support

Trusted Zone: epathcampus.com\www

Trusted Zone: fursthire.com\www

Trusted Zone: go.com\disneyshopping

Trusted Zone: servicecheckreport.com\www

Trusted Zone: willowcsn.com\cybercentral

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-3-17 15328]

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2005-11-4 6097]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-5-11 214664]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-2-27 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-5-11 144704]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-3-17 220128]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-5-11 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-5-11 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-5-11 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-5-11 40552]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-4-16 36608]

S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]

S3 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-2-16 3316080]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-5-11 34248]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-4-12 42112]

S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2010-3-17 44512]

S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]

S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2005-11-4 299923]

S3 suscom;Susteen Serial port driver;c:\windows\system32\drivers\suscom.sys --> c:\windows\system32\drivers\suscom.sys [?]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-4-16 238952]

=============== Created Last 30 ================

2010-04-24 20:55:27 0 ----a-w- c:\documents and settings\eric abramson\defogger_reenable

2010-04-22 19:15:02 0 d-----w- c:\program files\Verizon Wireless

2010-04-22 01:09:18 0 d-----w- c:\docume~1\ericab~1\applic~1\Malwarebytes

2010-04-22 01:09:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-22 01:09:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-04-22 01:09:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-22 01:09:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-21 15:30:03 0 d-sh--w- C:\found.000

2010-04-21 03:17:54 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-04-21 03:17:54 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

2010-04-21 03:14:23 0 d-----w- c:\docume~1\alluse~1\applic~1\avG

2010-04-21 03:13:47 30000 ----a-w- c:\windows\system32\k30ehoj0s.dll

2010-04-21 03:13:08 0 d-----w- C:\spoolerlogs

2010-04-21 03:12:55 0 d-----w- c:\docume~1\ericab~1\applic~1\AF2D276D8C7AD6452364F4C7939AF99C

2010-04-17 03:18:23 0 d-----w- c:\program files\QPST

2010-04-17 02:27:43 98560 ----a-w- c:\windows\system32\drivers\sscdbus.sys

2010-04-17 02:27:43 14848 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys

2010-04-17 02:27:43 12416 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys

2010-04-17 02:27:43 12416 ----a-w- c:\windows\system32\drivers\sscdcm.sys

2010-04-17 02:27:43 123648 ----a-w- c:\windows\system32\drivers\sscdmdm.sys

2010-04-17 02:27:43 12288 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys

2010-04-17 02:27:43 12288 ----a-w- c:\windows\system32\drivers\sscdwh.sys

2010-04-17 02:27:43 100352 ----a-w- c:\windows\system32\drivers\sscdserd.sys

2010-04-17 02:25:34 238952 ----a-w- c:\windows\system32\FsUsbExService.Exe

2010-04-17 02:25:33 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys

2010-04-17 02:25:32 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll

2010-04-17 02:24:22 0 d-----w- c:\docume~1\ericab~1\applic~1\Samsung

2010-04-17 02:21:30 0 d-----w- c:\program files\MarkAny

2010-04-17 01:04:43 0 d-----w- c:\program files\SAMSUNG

2010-04-17 01:04:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Samsung

2010-04-14 16:35:12 0 d-----w- c:\windows\system32\wbem\Repository

2010-04-14 00:34:12 0 d-----w- c:\program files\BitPim

2010-04-11 16:05:45 0 d-----w- c:\docume~1\ericab~1\applic~1\E-centives

2010-04-09 01:14:12 230824 ----a-r- c:\windows\cpnprt2.cid

2010-04-09 01:14:12 230824 ------w- c:\windows\system32\cpnprt2.cid

2010-04-02 20:06:53 0 d-----w- c:\windows\system32\Dell

2010-04-02 20:06:53 0 d-----w- c:\program files\Dell

2010-03-30 03:17:07 215920 ----a-w- c:\windows\system32\muweb.dll

2010-03-30 03:17:06 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-03-30 03:17:06 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-03-26 11:36:45 0 d-----w- c:\program files\Seagate

2010-03-26 11:36:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate

2010-03-26 11:35:17 0 d-----w- C:\Seagate temp

==================== Find3M ====================

2010-03-17 09:51:48 15328 ----a-w- c:\windows\system32\drivers\pssnap.sys

2010-03-17 09:51:39 44512 ----a-w- c:\windows\system32\drivers\psmounter.sys

2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll

2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-23 05:20:02 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe

2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll

2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys

2010-02-06 21:20:28 34424 ----a-w- c:\docume~1\ericab~1\applic~1\GDIPFONTCACHEV1.DAT

2008-09-19 03:33:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091820080919\index.dat

============= FINISH: 17:05:57.18 ===============

Attach.txt

mbam_log_2010_04_22__07_14_02_.txt

ark.txt

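As an added example that is not part of this thread or of the DDS tool, the Python below applies, to lines copied from the DDS log above, the kind of checks a helper does by eye on the Pseudo HJT Report and services sections: an autostart entry that executes from a service-account profile (the dRun entry under networkservice above), browser add-ons registered with "No File", and a service whose binary is missing from disk. The rule names and severity labels are my own assumptions, not DDS output.

```python
"""Triage checks over DDS log lines (added example; not part of the thread or of DDS)."""
import re
from typing import List, Tuple

# Sample lines copied from the DDS log posted above, so the checks run offline.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [dfdilxwy] c:\documents and settings\networkservice\local settings\application data\dpfhynuyx\igfhpbwtssd.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-5-11 214664]
"""

# Profile directories of the built-in service accounts. Legitimate software
# does not normally register an autostart that executes from inside them.
SERVICE_PROFILE_DIRS = ("\\networkservice\\", "\\localservice\\")

# DDS prefixes: uRun = current-user hive, mRun = machine hive, dRun = default-user
# hive. The bracketed value name is followed by the command line.
RUN_RE = re.compile(r"^([umd])Run:\s*\[([^\]]*)\]\s*(.*)$")
SERVICE_RE = re.compile(r"^[RS][0-4]\s+")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|com))"?(?:\s|$)', re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, rule, offending line)


def exe_path(command: str) -> str:
    """Return the lower-cased image path of a Run command, without quotes or
    trailing arguments. Unquoted paths containing spaces are kept whole by
    cutting at the first executable extension instead of at the first space."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) if m else command.strip()).lower()


def triage(log_text: str) -> List[Finding]:
    """Apply three heuristics to DDS report lines and return findings in log
    order. Severities are this example's own labels (assumption), not DDS output."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            hive, _name, command = m.groups()
            path = exe_path(command)
            if any(d in path for d in SERVICE_PROFILE_DIRS):
                findings.append(("high", "autostart executes from a service-account profile", line))
            elif hive == "d":
                findings.append(("info", "default-user autostart, verify the vendor", line))
            continue
        if line.startswith(("BHO:", "TB:", "EB:")):
            # Orphaned registration: the add-on is registered but its DLL is gone.
            if line.rsplit(" - ", 1)[-1].strip().lower() == "no file":
                findings.append(("low", "browser add-on registered but file missing", line))
            continue
        if SERVICE_RE.match(line) and line.endswith("[?]"):
            findings.append(("low", "service or driver binary not found on disk", line))
    return findings


if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_DDS):
        print(f"[{severity:4}] {rule}\n        {line}")
```

Run against the sample, the only "high" finding is the dRun entry under the NetworkService profile, which is the line a helper would single out first.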

Hi mny0690mny, and welcome to Malwarebytes!

Your PC has a rootkit that has replaced your IDE driver file with malware. That's why you're being redirected to the sites they want you to go to and spend money.

Hey, some people do. Sad. OK, ready:

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

DeFogger

Download DeFogger by jpshortstuff from here & save it to your desktop.

  • Right-click DeFogger, then choose Run as Administrator, or double-click to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    [screenshot: cfRC_screen_1.png]
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    [screenshot: cfRC_screen_2.png]
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


OK, it crashed in regular mode but ran with no problem in Safe Mode. Here is the log:

ComboFix 10-04-21.01 - Administrator 04/26/2010 12:30:05.1.2 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.606 [GMT -4:00]

Running from: c:\documents and settings\Eric Abramson\Desktop\Fiz\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Eric Abramson\Application Data\AF2D276D8C7AD6452364F4C7939AF99C

c:\documents and settings\Eric Abramson\Application Data\AF2D276D8C7AD6452364F4C7939AF99C\enemies-names.txt

c:\documents and settings\Eric Abramson\Application Data\AF2D276D8C7AD6452364F4C7939AF99C\newupdate1142C.exe

c:\windows\desktop

c:\windows\system32\BSTIEPrintCtl1.dll

c:\windows\system32\Data

c:\windows\system32\k30ehoj0s.dll

c:\windows\system32\reboot.txt

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_PRAGMAxewmdxwmco

-------\Service_PRAGMAxewmdxwmco

((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))

.

2010-04-23 19:37 . 2010-04-23 19:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinPatrol

2010-04-23 02:51 . 2010-04-23 02:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-04-22 20:01 . 2010-04-22 20:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-04-22 19:15 . 2010-04-22 19:15 -------- d-----w- c:\program files\Verizon Wireless

2010-04-22 01:09 . 2010-04-22 01:09 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\Malwarebytes

2010-04-22 01:09 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-22 01:09 . 2010-04-22 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-22 01:09 . 2010-04-22 11:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-22 01:09 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-21 15:30 . 2010-04-21 15:30 -------- d-----w- C:\found.000

2010-04-21 11:18 . 2010-04-21 15:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\dpfhynuyx

2010-04-21 11:17 . 2010-04-21 11:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-04-21 03:29 . 2010-04-21 03:29 34424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-21 03:20 . 2005-02-16 15:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Creative

2010-04-21 03:20 . 2005-02-16 15:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Jasc Software Inc

2010-04-21 03:20 . 2005-02-16 15:11 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Gtek

2010-04-21 03:17 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-04-21 03:17 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

2010-04-21 03:14 . 2010-04-22 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-21 03:14 . 2010-04-22 19:56 -------- d-----w- c:\documents and settings\Eric Abramson\Local Settings\Application Data\avG

2010-04-21 03:13 . 2010-04-21 03:13 -------- d-----w- C:\spoolerlogs

2010-04-17 03:18 . 2010-04-17 03:18 -------- d-----w- c:\program files\QPST

2010-04-17 02:27 . 2009-10-15 05:28 98560 ----a-w- c:\windows\system32\drivers\sscdbus.sys

2010-04-17 02:27 . 2009-10-15 05:28 14848 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys

2010-04-17 02:27 . 2009-10-15 05:28 12416 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys

2010-04-17 02:27 . 2009-10-15 05:28 12416 ----a-w- c:\windows\system32\drivers\sscdcm.sys

2010-04-17 02:27 . 2009-10-15 05:28 123648 ----a-w- c:\windows\system32\drivers\sscdmdm.sys

2010-04-17 02:27 . 2009-10-15 05:28 12288 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys

2010-04-17 02:27 . 2009-10-15 05:28 12288 ----a-w- c:\windows\system32\drivers\sscdwh.sys

2010-04-17 02:27 . 2009-10-15 05:28 100352 ----a-w- c:\windows\system32\drivers\sscdserd.sys

2010-04-17 02:25 . 2009-12-25 18:26 238952 ----a-w- c:\windows\system32\FsUsbExService.Exe

2010-04-17 02:25 . 2009-12-07 14:04 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys

2010-04-17 02:25 . 2009-12-07 14:04 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll

2010-04-17 02:24 . 2010-04-17 02:24 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\Samsung

2010-04-17 02:21 . 2010-04-17 02:21 -------- d-----w- c:\program files\MarkAny

2010-04-17 02:14 . 2010-04-17 02:14 -------- d-----w- c:\documents and settings\Eric Abramson\Local Settings\Application Data\Downloaded Installations

2010-04-17 01:04 . 2010-04-17 02:19 -------- d-----w- c:\program files\SAMSUNG

2010-04-17 01:04 . 2010-04-17 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Samsung

2010-04-14 16:35 . 2010-04-14 16:35 -------- d-----w- c:\windows\system32\wbem\Repository

2010-04-14 00:34 . 2010-04-14 00:34 -------- d-----w- c:\program files\BitPim

2010-04-11 16:05 . 2010-04-11 16:05 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\E-centives

2010-04-02 20:06 . 2010-04-02 20:06 -------- d-----w- c:\windows\system32\Dell

2010-04-02 20:06 . 2010-04-02 20:06 -------- d-----w- c:\program files\Dell

2010-03-30 03:17 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-03-30 03:17 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-26 16:26 . 2004-08-10 18:51 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys

2010-04-22 14:56 . 2007-05-11 16:07 -------- d-----w- c:\program files\McAfee

2010-04-17 03:18 . 2005-02-16 15:07 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-15 13:45 . 2005-03-14 04:58 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\MSN6

2010-04-14 17:07 . 2009-11-08 13:31 79488 ----a-w- c:\documents and settings\Eric Abramson\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-04-14 16:34 . 2005-08-17 01:41 -------- d-----w- c:\program files\Susteen

2010-04-13 06:24 . 2010-02-24 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall

2010-04-11 16:05 . 2010-04-11 16:05 423464 ----a-w- c:\documents and settings\Eric Abramson\Application Data\E-centives\BSTIEPrintCtl1.dll

2010-04-09 01:14 . 2010-01-20 16:16 -------- d-----w- c:\program files\Coupons

2010-03-31 07:19 . 2010-02-24 22:10 -------- d-----w- c:\program files\Microsoft Silverlight

2010-03-26 11:36 . 2010-03-26 11:36 -------- d-----w- c:\program files\Seagate

2010-03-26 11:36 . 2010-03-26 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate

2010-03-22 14:03 . 2010-02-24 22:08 -------- d-----w- c:\program files\MediaMall

2010-03-21 15:37 . 2010-03-21 04:17 -------- d-----w- c:\program files\Glide

2010-03-21 05:05 . 2010-03-21 04:20 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\TransMedia

2010-03-21 03:55 . 2010-03-21 03:55 -------- d-----w- c:\program files\Windows Live SkyDrive

2010-03-17 09:51 . 2010-03-17 10:14 15328 ----a-w- c:\windows\system32\drivers\pssnap.sys

2010-03-17 09:51 . 2010-03-17 10:14 44512 ----a-w- c:\windows\system32\drivers\psmounter.sys

2010-03-17 01:20 . 2010-03-17 01:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{04573380-C04E-4C13-A8A2-EC012D38220A}

2010-03-17 01:20 . 2010-03-17 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ExamForce

2010-03-11 13:00 . 2009-10-03 19:00 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\Arcsoft

2010-03-11 13:00 . 2009-10-03 18:59 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-03-11 13:00 . 2009-10-03 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft

2010-03-11 12:58 . 2010-03-11 12:58 -------- d-----w- c:\program files\NOS

2010-03-11 12:58 . 2010-03-11 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-03-11 12:38 . 2004-08-10 18:51 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-10 18:50 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2004-08-10 18:51 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-06 20:59 . 2009-10-03 18:59 -------- d-----w- c:\program files\ArcSoft

2010-03-01 18:00 . 2005-04-14 16:06 -------- d-----w- c:\program files\Travelaxe

2010-02-24 22:11 . 2010-02-24 22:11 34424 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-24 22:09 . 2010-02-24 22:09 4927864 ----a-w- c:\documents and settings\All Users\Application Data\MediaMall\isl.exe

2010-02-24 13:11 . 2004-08-10 18:51 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-21 05:02 . 2010-02-21 05:02 43646 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_E66204B17C935A3FF02727.exe

2010-02-21 05:02 . 2010-02-21 05:02 43646 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_D707CE1C009F1381803C2C.exe

2010-02-21 05:02 . 2010-02-21 05:02 43646 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_783F41B03DEFB198D13F8F.exe

2010-02-21 05:02 . 2010-02-21 05:02 43646 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_21F3885A18D238E15AAE81.exe

2010-02-21 05:02 . 2010-02-21 05:02 29926 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_2ED31C7E60F2138CD4C3A1.exe

2010-02-21 05:02 . 2010-02-21 05:02 109534 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_6FEFF9B68218417F98F549.exe

2010-02-16 14:08 . 2004-08-10 18:51 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-13 21:21 . 2005-03-15 02:27 34424 ----a-w- c:\documents and settings\Eric Abramson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-12 04:33 . 2004-08-10 18:50 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2004-08-10 18:51 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2010-01-04 16:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2010-01-04 16:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"P17Helper"="P17.dll" [2004-06-10 60928]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

"c:\\Program Files\\SAMSUNG\\Samsung New PC Studio\\npsasvr.exe"=

"c:\\Program Files\\SAMSUNG\\Samsung New PC Studio\\npsvsvr.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:TCP Port 135

"5000:TCP"= 5000:TCP:TCP Port 5000

"5001:TCP"= 5001:TCP:TCP Port 5001

"5002:TCP"= 5002:TCP:TCP Port 5002

"5003:TCP"= 5003:TCP:TCP Port 5003

"5004:TCP"= 5004:TCP:TCP Port 5004

"5005:TCP"= 5005:TCP:TCP Port 5005

"5006:TCP"= 5006:TCP:TCP Port 5006

"5007:TCP"= 5007:TCP:TCP Port 5007

"5008:TCP"= 5008:TCP:TCP Port 5008

"5009:TCP"= 5009:TCP:TCP Port 5009

"5010:TCP"= 5010:TCP:TCP Port 5010

"5011:TCP"= 5011:TCP:TCP Port 5011

"5012:TCP"= 5012:TCP:TCP Port 5012

"5013:TCP"= 5013:TCP:TCP Port 5013

"5014:TCP"= 5014:TCP:TCP Port 5014

"5015:TCP"= 5015:TCP:TCP Port 5015

"5016:TCP"= 5016:TCP:TCP Port 5016

"5017:TCP"= 5017:TCP:TCP Port 5017

"5018:TCP"= 5018:TCP:TCP Port 5018

"5019:TCP"= 5019:TCP:TCP Port 5019

"5020:TCP"= 5020:TCP:TCP Port 5020

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [3/17/2010 6:14 AM 15328]

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [11/4/2005 12:42 AM 6097]

R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [3/17/2010 6:14 AM 220128]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [4/16/2010 10:25 PM 36608]

S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [9/27/2006 5:12 PM 10664]

S3 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2/16/2010 1:18 AM 3316080]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [4/12/2009 9:10 AM 42112]

S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [3/17/2010 6:14 AM 44512]

S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]

S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [11/4/2005 12:42 AM 299923]

S3 suscom;Susteen Serial port driver;c:\windows\system32\DRIVERS\suscom.sys --> c:\windows\system32\DRIVERS\suscom.sys [?]

S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [4/16/2010 10:25 PM 238952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23fe0d63-0abd-11df-b772-001111ce8a58}]

\Shell\AutoRun\command - E:\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8949f59-e115-11de-b760-001111ce8a58}]

\Shell\AutoRun\command - G:\DPF_V211.exe

.

Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]

2010-04-12 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-11 16:22]

2010-04-12 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-11 16:22]

2010-04-23 c:\windows\Tasks\My Backup xml.job

- c:\program files\Macrium\Reflect\reflect.exe [2010-03-17 09:45]

2010-04-26 c:\windows\Tasks\User_Feed_Synchronization-{CF7406DE-F153-48E6-A0D1-12808938D079}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.fatwallet.com/

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

uInternet Settings,ProxyOverride = 127.0.0.1

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: arise.com

Trusted Zone: arise.com\portal

Trusted Zone: arise.com\support

Trusted Zone: epathcampus.com\www

Trusted Zone: fursthire.com\www

Trusted Zone: go.com\disneyshopping

Trusted Zone: servicecheckreport.com\www

Trusted Zone: willowcsn.com\cybercentral

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)

WebBrowser-{5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)

HKCU-Run-SFP - c:\program files\Common Files\Verizon Online\SFP\vzSFPWin.EXE

HKLM-Run-NPSStartup - (no file)

AddRemove-FPFarm - D:\setup.exe

AddRemove-Toddler - D:\setup.exe

AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe

AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe

AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe

AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe

AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe

AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe

AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe

AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe

AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe

AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe

AddRemove-12_Symbian_USB_Download_Driver - c:\program files\SAMSUNG\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe

AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\SAMSUNG\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe

AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe

AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe

AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe

AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe

AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-26 12:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x825A6AC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf764cf28

\Driver\ACPI -> ACPI.sys @ 0xf75bfcb8

\Driver\atapi -> atapi.sys @ 0xf7577852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7470bb0

PacketIndicateHandler -> NDIS.sys @ 0xf747da21

SendHandler -> NDIS.sys @ 0xf745b87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(956)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2156)

c:\windows\system32\WININET.dll

c:\program files\MozyHome\mozyshell.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\CTsvcCDA.EXE

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\MozyHome\mozybackup.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\System32\snmp.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\Rundll32.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2010-04-26 12:57:19 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-26 16:57

Pre-Run: 34,611,068,928 bytes free

Post-Run: 34,208,624,640 bytes free

- - End Of File - - CFAA1B955A394B78BD02707E2A997E5A


Hi mny0690mny

I bet your PC is running better now... :)

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::

DDS::
Trusted Zone: arise.com
Trusted Zone: arise.com\portal
Trusted Zone: arise.com\support
Trusted Zone: epathcampus.com\www
Trusted Zone: fursthire.com\www
Trusted Zone: go.com\disneyshopping
Trusted Zone: servicecheckreport.com\www
Trusted Zone: willowcsn.com\cybercentral


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"=-
"5000:TCP"=-
"5001:TCP"=-
"5002:TCP"=-
"5003:TCP"=-
"5004:TCP"=-
"5005:TCP"=-
"5006:TCP"=-
"5007:TCP"=-
"5008:TCP"=-
"5009:TCP"=-
"5010:TCP"=-
"5011:TCP"=-
"5012:TCP"=-
"5013:TCP"=-
"5014:TCP"=-
"5015:TCP"=-
"5016:TCP"=-
"5017:TCP"=-
"5018:TCP"=-
"5019:TCP"=-
"5020:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23fe0d63-0abd-11df-b772-001111ce8a58}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8949f59-e115-11de-b760-001111ce8a58}]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: sfxdaw.jpg]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new Malwarebytes log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Next

Update and Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
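The CFScript above does three things to the settings ComboFix reported: it resets the two Security Center DisableMonitoring flags to 0, deletes every GloballyOpenPorts entry (the "=-" syntax removes a value), and deletes the two cached mountpoints2 AutoRun keys (a leading "-" on the key removes the whole key). As an added example that is not part of this thread and not ComboFix's own code, the Python script below parses a constructed excerpt in the shape of the log's "Reg Loading Points" section, flags the settings a helper would review, and builds the matching Registry:: section. The sample excerpt, the function names and the Finding class are my own; the key paths and values inside the sample are copied from the posted log. EnableFirewall=0 is reported but not scripted, because the log shows a third-party firewall (McAfee) is the active one.

```python
import re
from dataclasses import dataclass

# Constructed excerpt (not the full log) in the shape of the "Reg Loading Points"
# section ComboFix printed above; key paths and values mirror the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23fe0d63-0abd-11df-b772-001111ce8a58}]
\Shell\AutoRun\command - E:\WDSetup.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name"= value
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")


@dataclass
class Finding:            # hypothetical record type for one flagged entry
    key: str
    name: str
    value: str
    reason: str


def parse_reg_section(text):
    """Return (key, name, value) triples; AutoRun lines get the name 'AutoRun'."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # a new [key] header
            current = m.group(1)
            continue
        if current is None:         # values before any key header are ignored
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((current, m.group(1), m.group(2).strip()))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append((current, "AutoRun", m.group(1).strip()))
    return entries


def dword_value(value):
    """'dword:00000001' -> 1 and '0 (0x0)' -> 0, the two spellings ComboFix uses."""
    if value.lower().startswith("dword:"):
        return int(value[len("dword:"):], 16)
    return int(value.split()[0])


def audit(entries):
    """Flag the entries that weaken the host's defences or persist from removable media."""
    findings = []
    for key, name, value in entries:
        k = key.lower()
        if "security center\\monitoring" in k and name == "DisableMonitoring":
            if dword_value(value) == 1:
                findings.append(Finding(key, name, value,
                    "Security Center will not warn if this product stops"))
        elif name == "EnableFirewall" and dword_value(value) == 0:
            findings.append(Finding(key, name, value,
                "Windows Firewall off for this profile (review only; normal with a third-party firewall)"))
        elif k.endswith("globallyopenports\\list"):
            findings.append(Finding(key, name, value, "port opened to all hosts"))
        elif "mountpoints2" in k and name == "AutoRun":
            findings.append(Finding(key, name, value,
                "cached AutoRun command for a removable drive"))
    return findings


def build_cfscript(findings):
    """Emit a Registry:: section in the CFScript syntax used in the post above."""
    out, last_key = ["Registry::"], None
    for f in findings:
        if f.name == "DisableMonitoring":
            header, value_line = f"[{f.key}]", '"DisableMonitoring"=dword:00000000'
        elif f.key.lower().endswith("globallyopenports\\list"):
            header, value_line = f"[{f.key}]", f'"{f.name}"=-'   # "=-" deletes the value
        elif f.name == "AutoRun":
            out.append(f"[-{f.key}]")                            # leading "-" deletes the key
            last_key = None
            continue
        else:
            continue                                             # EnableFirewall: reported, not changed
        if header != last_key:
            out.append(header)
            last_key = header
        out.append(value_line)
    return "\n".join(out)


if __name__ == "__main__":
    found = audit(parse_reg_section(SAMPLE_LOG))
    for f in found:
        print(f"{f.reason}: {f.name} = {f.value}")
    print()
    print(build_cfscript(found))
```

Running the script on the constructed excerpt prints five findings and a Registry:: section whose lines match the ones in the CFScript above for the same keys; on a real log, paste only the "Reg Loading Points" section and read every finding before acting on it, since the script cannot tell a legitimate port opening from a malicious one.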


I edited my fix mny0690mny

Ok so here are the logs from Combofix and MBAM

COMBOFIX

ComboFix 10-04-26.02 - Administrator 04/26/2010 19:04:12.2.2 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.605 [GMT -4:00]

Running from: c:\documents and settings\Eric Abramson\Desktop\Fiz\ComboFix.exe

Command switches used :: c:\documents and settings\Eric Abramson\Desktop\Fiz\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))

.

2010-04-23 19:37 . 2010-04-23 19:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinPatrol

2010-04-23 02:51 . 2010-04-23 02:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-04-22 20:01 . 2010-04-22 20:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-04-22 19:15 . 2010-04-22 19:15 -------- d-----w- c:\program files\Verizon Wireless

2010-04-22 01:09 . 2010-04-22 01:09 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\Malwarebytes

2010-04-22 01:09 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-22 01:09 . 2010-04-22 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-22 01:09 . 2010-04-22 11:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-22 01:09 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-21 15:30 . 2010-04-21 15:30 -------- d-----w- C:\found.000

2010-04-21 11:18 . 2010-04-21 15:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\dpfhynuyx

2010-04-21 11:17 . 2010-04-21 11:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-04-21 03:29 . 2010-04-21 03:29 34424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-21 03:20 . 2005-02-16 15:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Creative

2010-04-21 03:20 . 2005-02-16 15:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Jasc Software Inc

2010-04-21 03:20 . 2005-02-16 15:11 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Gtek

2010-04-21 03:17 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-04-21 03:17 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

2010-04-21 03:14 . 2010-04-22 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-21 03:14 . 2010-04-22 19:56 -------- d-----w- c:\documents and settings\Eric Abramson\Local Settings\Application Data\avG

2010-04-21 03:13 . 2010-04-21 03:13 -------- d-----w- C:\spoolerlogs

2010-04-17 03:18 . 2010-04-17 03:18 -------- d-----w- c:\program files\QPST

2010-04-17 02:27 . 2009-10-15 05:28 98560 ----a-w- c:\windows\system32\drivers\sscdbus.sys

2010-04-17 02:27 . 2009-10-15 05:28 14848 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys

2010-04-17 02:27 . 2009-10-15 05:28 12416 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys

2010-04-17 02:27 . 2009-10-15 05:28 12416 ----a-w- c:\windows\system32\drivers\sscdcm.sys

2010-04-17 02:27 . 2009-10-15 05:28 123648 ----a-w- c:\windows\system32\drivers\sscdmdm.sys

2010-04-17 02:27 . 2009-10-15 05:28 12288 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys

2010-04-17 02:27 . 2009-10-15 05:28 12288 ----a-w- c:\windows\system32\drivers\sscdwh.sys

2010-04-17 02:27 . 2009-10-15 05:28 100352 ----a-w- c:\windows\system32\drivers\sscdserd.sys

2010-04-17 02:25 . 2009-12-25 18:26 238952 ----a-w- c:\windows\system32\FsUsbExService.Exe

2010-04-17 02:25 . 2009-12-07 14:04 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys

2010-04-17 02:25 . 2009-12-07 14:04 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll

2010-04-17 02:24 . 2010-04-17 02:24 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\Samsung

2010-04-17 02:21 . 2010-04-17 02:21 -------- d-----w- c:\program files\MarkAny

2010-04-17 02:14 . 2010-04-17 02:14 -------- d-----w- c:\documents and settings\Eric Abramson\Local Settings\Application Data\Downloaded Installations

2010-04-17 01:04 . 2010-04-17 02:19 -------- d-----w- c:\program files\SAMSUNG

2010-04-17 01:04 . 2010-04-17 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Samsung

2010-04-14 16:35 . 2010-04-14 16:35 -------- d-----w- c:\windows\system32\wbem\Repository

2010-04-14 00:34 . 2010-04-14 00:34 -------- d-----w- c:\program files\BitPim

2010-04-11 16:05 . 2010-04-11 16:05 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\E-centives

2010-04-02 20:06 . 2010-04-02 20:06 -------- d-----w- c:\windows\system32\Dell

2010-04-02 20:06 . 2010-04-02 20:06 -------- d-----w- c:\program files\Dell

2010-03-30 03:17 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-03-30 03:17 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-26 22:59 . 2004-08-10 18:51 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys

2010-04-22 14:56 . 2007-05-11 16:07 -------- d-----w- c:\program files\McAfee

2010-04-17 03:18 . 2005-02-16 15:07 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-15 13:45 . 2005-03-14 04:58 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\MSN6

2010-04-14 17:07 . 2009-11-08 13:31 79488 ----a-w- c:\documents and settings\Eric Abramson\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-04-14 16:34 . 2005-08-17 01:41 -------- d-----w- c:\program files\Susteen

2010-04-13 06:24 . 2010-02-24 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall

2010-04-11 16:05 . 2010-04-11 16:05 423464 ----a-w- c:\documents and settings\Eric Abramson\Application Data\E-centives\BSTIEPrintCtl1.dll

2010-04-09 01:14 . 2010-01-20 16:16 -------- d-----w- c:\program files\Coupons

2010-03-31 07:19 . 2010-02-24 22:10 -------- d-----w- c:\program files\Microsoft Silverlight

2010-03-26 11:36 . 2010-03-26 11:36 -------- d-----w- c:\program files\Seagate

2010-03-26 11:36 . 2010-03-26 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate

2010-03-22 14:03 . 2010-02-24 22:08 -------- d-----w- c:\program files\MediaMall

2010-03-21 15:37 . 2010-03-21 04:17 -------- d-----w- c:\program files\Glide

2010-03-21 05:05 . 2010-03-21 04:20 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\TransMedia

2010-03-21 03:55 . 2010-03-21 03:55 -------- d-----w- c:\program files\Windows Live SkyDrive

2010-03-17 09:51 . 2010-03-17 10:14 15328 ----a-w- c:\windows\system32\drivers\pssnap.sys

2010-03-17 09:51 . 2010-03-17 10:14 44512 ----a-w- c:\windows\system32\drivers\psmounter.sys

2010-03-17 01:20 . 2010-03-17 01:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{04573380-C04E-4C13-A8A2-EC012D38220A}

2010-03-17 01:20 . 2010-03-17 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ExamForce

2010-03-11 13:00 . 2009-10-03 19:00 -------- d-----w- c:\documents and settings\Eric Abramson\Application Data\Arcsoft

2010-03-11 13:00 . 2009-10-03 18:59 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-03-11 13:00 . 2009-10-03 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft

2010-03-11 12:58 . 2010-03-11 12:58 -------- d-----w- c:\program files\NOS

2010-03-11 12:58 . 2010-03-11 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-03-11 12:38 . 2004-08-10 18:51 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-10 18:50 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2004-08-10 18:51 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-06 20:59 . 2009-10-03 18:59 -------- d-----w- c:\program files\ArcSoft

2010-03-01 18:00 . 2005-04-14 16:06 -------- d-----w- c:\program files\Travelaxe

2010-02-24 22:11 . 2010-02-24 22:11 34424 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-24 22:09 . 2010-02-24 22:09 4927864 ----a-w- c:\documents and settings\All Users\Application Data\MediaMall\isl.exe

2010-02-24 13:11 . 2004-08-10 18:51 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-21 05:02 . 2010-02-21 05:02 43646 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_E66204B17C935A3FF02727.exe

2010-02-21 05:02 . 2010-02-21 05:02 43646 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_D707CE1C009F1381803C2C.exe

2010-02-21 05:02 . 2010-02-21 05:02 43646 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_783F41B03DEFB198D13F8F.exe

2010-02-21 05:02 . 2010-02-21 05:02 43646 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_21F3885A18D238E15AAE81.exe

2010-02-21 05:02 . 2010-02-21 05:02 29926 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_2ED31C7E60F2138CD4C3A1.exe

2010-02-21 05:02 . 2010-02-21 05:02 109534 ----a-r- c:\documents and settings\Eric Abramson\Application Data\Microsoft\Installer\{AE3F60A0-11F7-4DE7-AD9D-3831096E14B5}\_6FEFF9B68218417F98F549.exe

2010-02-16 14:08 . 2004-08-10 18:51 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-13 21:21 . 2005-03-15 02:27 34424 ----a-w- c:\documents and settings\Eric Abramson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-12 04:33 . 2004-08-10 18:50 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2004-08-10 18:51 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2010-01-04 16:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2010-01-04 16:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"P17Helper"="P17.dll" [2004-06-10 60928]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\MediaMall\\MediaMallServer.exe"=

"c:\\Program Files\\SAMSUNG\\Samsung New PC Studio\\npsasvr.exe"=

"c:\\Program Files\\SAMSUNG\\Samsung New PC Studio\\npsvsvr.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [3/17/2010 6:14 AM 15328]

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [11/4/2005 12:42 AM 6097]

S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [3/17/2010 6:14 AM 220128]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [4/16/2010 10:25 PM 36608]

S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [9/27/2006 5:12 PM 10664]

S3 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2/16/2010 1:18 AM 3316080]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [4/12/2009 9:10 AM 42112]

S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [3/17/2010 6:14 AM 44512]

S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]

S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [11/4/2005 12:42 AM 299923]

S3 suscom;Susteen Serial port driver;c:\windows\system32\DRIVERS\suscom.sys --> c:\windows\system32\DRIVERS\suscom.sys [?]

S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [4/16/2010 10:25 PM 238952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]

2010-04-12 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-11 16:22]

2010-04-12 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-11 16:22]

2010-04-23 c:\windows\Tasks\My Backup xml.job

- c:\program files\Macrium\Reflect\reflect.exe [2010-03-17 09:45]

2010-04-26 c:\windows\Tasks\User_Feed_Synchronization-{CF7406DE-F153-48E6-A0D1-12808938D079}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://verizon.yahoo.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-26 19:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82B80AC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf761bf28

\Driver\ACPI -> ACPI.sys @ 0xf758ecb8

\Driver\atapi -> atapi.sys @ 0xf7546852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf743fbb0

PacketIndicateHandler -> NDIS.sys @ 0xf744ca21

SendHandler -> NDIS.sys @ 0xf742a87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(868)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1552)

c:\windows\system32\WININET.dll

c:\program files\MozyHome\mozyshell.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

.

**************************************************************************

.

Completion time: 2010-04-26 19:27:09 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-26 23:27

ComboFix2.txt 2010-04-26 16:57

Pre-Run: 35,018,579,968 bytes free

Post-Run: 34,986,881,024 bytes free

- - End Of File - - A780F9645BAB298D5E779ACB2DADBB63

MBAM

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4040

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.11

4/26/2010 8:23:51 PM

mbam-log-2010-04-26 (20-23-51).txt

Scan type: Full scan (C:\|)

Objects scanned: 216941

Time elapsed: 50 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\k30ehoj0s.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0002163.dll (Trojan.Agent) -> Quarantined and deleted successfully.



Check a file/files

Use your browser to go here at Virustotal website

Click the Browse button and then navigate to

c:\windows\system32\scsichk.sys

then click the Submit button.

The various virus scanners will identify the file, and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results and post them back here in a reply.

Next

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use the Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Next

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here, then click on: [button image]
  • Select the option YES, I accept the Terms of Use, then click on: [button image]
  • When prompted, allow the Add-On/ActiveX control to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: [button image]
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

In your next reply, please include these log(s):

virustotal Report

EsetOnlineScanner\log.txt

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

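The ComboFix service list posted above contains two entries written as "path --> path [?]" (scsichk and suscom). That is how ComboFix reports a service whose registry entry exists but whose driver file it could not find on disk, and the instruction above asks for a VirusTotal check of exactly one of those. The script below is an added example (my code, not ComboFix's, Malwarebytes' or VirusTotal's) that parses those service lines, flags the orphaned ones, and for a binary that does exist computes the MD5, SHA-1 and SHA-256 that VirusTotal indexes and builds a lookup URL. The sample lines are copied from the log above; the VirusTotal URL form is the current web UI one and is an assumption; the hasher parameter exists only so the lookup path can be exercised without the real driver present.

```python
"""Flag orphaned service entries in a ComboFix log and hash the ones that exist.

Added example for this thread; not ComboFix, Malwarebytes or VirusTotal code.
The service lines in SAMPLE_LOG are copied from the ComboFix output posted
above. The VirusTotal URL form is the current web UI one (assumed).
"""
import hashlib
import os
import re

# Constructed sample: four service/driver lines from the ComboFix log above.
SAMPLE_LOG = r"""
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [3/17/2010 6:14 AM 15328]
S3 scsichk;scsichk;\??\c:\windows\system32\scsichk.sys --> c:\windows\system32\scsichk.sys [?]
S3 suscom;Susteen Serial port driver;c:\windows\system32\DRIVERS\suscom.sys --> c:\windows\system32\DRIVERS\suscom.sys [?]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [4/16/2010 10:25 PM 238952]
"""

# ComboFix prints: <start type> <service name>;<display name>;<image path> [<date size>]
# and, for a service whose binary it cannot find, "<ImagePath> --> <resolved path> [?]".
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


def parse_service_line(line):
    """Return a dict for a ComboFix service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest").strip()
    missing = "-->" in rest and rest.endswith("[?]")
    if missing:
        # Registry entry exists, file does not: an orphaned service, which is
        # why searching the disk for it (hidden files shown or not) finds nothing.
        path = rest.split("-->", 1)[1].rsplit("[", 1)[0].strip()
    else:
        path = rest.rsplit(" [", 1)[0].strip()
    return {"start": m.group("start"), "name": m.group("name"),
            "display": m.group("display"), "path": path, "missing": missing}


def parse_combofix_services(text):
    return [rec for rec in map(parse_service_line, text.splitlines()) if rec]


def hash_bytes(data):
    """MD5, SHA-1 and SHA-256 of a byte string, the hashes VirusTotal indexes."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path):
    """Hashes for a file on disk, or None when it is not there (hidden or not)."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def virustotal_url(sha256):
    # Assumed current VirusTotal web UI form; upload the file itself if the lookup is empty.
    return "https://www.virustotal.com/gui/file/" + sha256.lower()


def triage(log_text, hasher=hash_file):
    """One (service name, verdict) pair per ComboFix service line."""
    out = []
    for svc in parse_combofix_services(log_text):
        if svc["missing"]:
            out.append((svc["name"], "orphaned: registry entry present, %s not on disk" % svc["path"]))
            continue
        info = hasher(svc["path"])
        if info is None:
            out.append((svc["name"], "not found locally: " + svc["path"]))
        else:
            out.append((svc["name"], "sha256=%s %s" % (info["sha256"], virustotal_url(info["sha256"]))))
    return out


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG):
        print("%-16s %s" % (name, verdict))
```

Run on the affected machine, the two "orphaned" verdicts explain the search result that follows in this thread: there is nothing on disk to browse to or upload, only the leftover entry under HKLM\SYSTEM\CurrentControlSet\Services\<name>. For a driver that does exist, paste the SHA-256 into the URL (or upload the file) instead of relying on the filename.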


That file is not in the directory... I did a search for scsichk.sys

and that did not show up either... Do I have to be in Safe Mode under Administrator, or is something else going on?


Things overall are running faster, except that when booting up it takes a bit after the desktop shows up before I am able to use the Start menu...

When I tried to run combofix in normal mode I received an error of:

Bad_Pool_Caller

Stop : 0x000000CD4( 0x000000007, 0x00000CD4, 0x15fff44D, 0x804DC605

When I ran it in Safe mode no problem at all.


One other thing I just noticed: when McAfee is running, update says "unable to install due to error. Please reinstall program."


No need to run ComboFix. When does McAfee expire, i.e. when do you have to pay for it? We need to enable hidden files, then "click the Browse button and navigate to

c:\windows\system32\scsichk.sys"

You will need to enable hidden files and folders by doing the following:

Windows XP

* Click Start.

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View Tab.

* Under the Hidden files and folders heading select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK.

Also, please do everything in Normal mode...... :)

OK, I did what you said and it is still not there. I did a search for SCSI and nothing came up under that, like scsichk.

I get McAfee free from my ISP.

OK... Move on to ATF Cleaner and ESET Online Scanner..... :)

OK, ATF did not give me a log. I ran it a second time and it said 8800 KB.

The ESET scan said:

C:\Documents and Settings\Eric Abramson\Application Data\Sun\Java\Deployment\cache\6.0\3\3b3487c3-274ce311 Java/TrojanDownloader.Agent.NAM trojan

C:\Program Files\Z-Firm LLC\ShipRush v4\ShipRush4.exe probably unknown NewHeur_PE virus

C:\Qoobox\Quarantine\C\Documents and Settings\Eric Abramson\Application Data\AF2D276D8C7AD6452364F4C7939AF99C\newupdate1142C.exe.vir a variant of Win32/Kryptik.DWR trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\rasacd.sys.vir Win32/Olmarik.XG trojan

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0002123.sys Win32/Olmarik.XG trojan

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0002161.exe a variant of Win32/Kryptik.DWR trojan

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0003371.sys Win32/Olmarik.XG trojan

By the way, thanks for all your help on this.

Nice Job mny0690mny.... :)

Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these folders:
C:\Documents and Settings\Eric Abramson\Application Data\Sun\Java

C:\Program Files\Z-Firm LLC\ShipRush v4

You should talk to your ISP about the update problem with McAfee. They had some major problems with XP Service Pack 3, see:

http://www.pcmag.com/article2/0,2817,2363091,00.asp

And they will help you.

There are some older versions of Java on your computer. These can be a source of infection.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 20.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u120-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (it looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache. Leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the downloaded applications and applets from the cache.
    • Click OK to leave the Temporary Files window.
    • Click OK to leave the Java Control Panel.

To test your Java runtime, you may go to this page: http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_20 from Sun Microsystems Inc.

Let me know how this goes and I'll give you some additional links for you to check out to help you with your computer security.


Everything went well. I got:

Version: Java 6 Update 20

Now I just have to look into the McAfee problem.....

Your Computer is Clean

Some final items:

Follow these steps to uninstall ComboFix and the tools used in the removal of malware:

  • Please press the Windows key and R on your keyboard. This will bring up the Run... command.
  • Now type Combofix /Uninstall in the Run box and click OK. (Notice the space between the x and the /.)
  • Please follow the prompts to uninstall ComboFix.
  • You will then receive a message saying ComboFix was uninstalled successfully once it's done uninstalling itself.

This will uninstall ComboFix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it. There are other free alternatives, FIREFOX and OPERA; both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you and ask whether you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - this can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change Download signed ActiveX controls to Prompt.
  • Change Download unsigned ActiveX controls to Disable.
  • Change Initialize and script ActiveX controls not marked as safe to Disable.
  • Change Installation of desktop items to Prompt.
  • Change Launching programs and files in an IFRAME to Prompt.
  • Change Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update site frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

WinPatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you mny0690mny

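As an added example (not code from the thread or from any of the tools it names), here is a read-only PowerShell audit of the six Internet zone settings the post above asks the user to change, so the result can be verified without clicking through the dialog. It assumes the settings are stored under the current user's Internet zone registry key, which is where the Internet Options dialog writes them, and that the numeric value names are Microsoft's documented URL action identifiers.

```powershell
# Added example, not from the original thread or any vendor: a read-only
# audit of the Internet zone settings the post above asks the user to change.
# Zone 3 is the Internet zone; the numeric value names are Microsoft's
# documented URL action identifiers for these settings.
# Data: 0 = Enable, 1 = Prompt, 3 = Disable (higher is stricter).
# Written for PowerShell 2.0 (New-Object instead of [pscustomobject]) so it
# also runs on an XP-era system.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The six settings and target values from the post, keyed by value name.
$recommended = @{
    '1001' = @{ Setting = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Setting = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Setting = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Setting = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Setting = 'Navigate sub-frames across different domains';              Want = 1 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneHardening {
    # Emits one object per setting; Compliant is true when the current value
    # is at least as strict as the post recommends. A missing value is
    # reported as 'not set' and treated as non-compliant so it gets reviewed.
    if (-not (Test-Path $zonePath)) { throw "Zone key not found: $zonePath" }
    $props = Get-ItemProperty -Path $zonePath
    foreach ($id in ($recommended.Keys | Sort-Object)) {
        $r = $recommended[$id]
        $current = $props.$id
        if ($null -eq $current) {
            $currentText = 'not set'; $ok = $false
        } else {
            $currentText = $label[[int]$current]
            if ($null -eq $currentText) { $currentText = "raw $current" }
            $ok = ([int]$current -ge $r.Want)
        }
        New-Object PSObject -Property @{
            ValueName   = $id
            Setting     = $r.Setting
            Current     = $currentText
            Recommended = $label[$r.Want]
            Compliant   = $ok
        }
    }
}

$results = Test-InternetZoneHardening
$results | Format-Table ValueName, Setting, Current, Recommended, Compliant -AutoSize
$bad = @($results | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) setting(s) looser than recommended." }
```

A setting already stricter than the post asks for (for example Disable where Prompt is recommended) is reported as compliant, since the comparison is "at least as strict".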
