
My HP desktop has been infected with Antimalware Doctor. I'm following your procedures as outlined in the sticky: I'm infected - What do I do now?

Computer is HP Intel Pentium 4 CPU 3.00GHz, 512 MB Ram running Windows XP professional v2002, SP 3.

Ran Malwarebytes after uploading latest updates. 2 files were quarantined and deleted in that pass (see attached log). It did not ask me to reboot, but I rebooted anyway. The bug was back instantly with the gotnewupdate000.exe file, the drwtsn32.exe files and the drwin files which I ended the processes on.

Downloaded the DeFogger, DDS and GMER files from another computer onto a flashdrive.

Ran DeFogger on the infected computer from that flashdrive (not the desktop). After the "finished" message, the OK appeared, I clicked that, but did NOT get a message asking me to reboot the machine. I don't have an error message either. What I have on my desktop now is the little Defogger window that gives me the option to Disable or Re-enable. I've attached the defogger_disable log for you (it's on the flashdrive, not the desktop). I won't do anything else until I hear back from you guys.

Thanks for the assist.

Ellen

mbam_log_2010_05_11__22_09_31_.txt


Hello yymellen

Welcome to Malwarebytes.

=====================

  • Please download OTH.scr to your desktop.
  • Download OTL to your desktop.
  • Double click the OTH file and select Kill All Processes; your desktop will go blank.
    Then select Start OTL and OTL will now run.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the below (in bold)


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new randomly named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher, go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED


  • IAT/EAT

  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)

  • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.


I keep getting a connection error when I try to send the extras.txt info. Using my iTouch to send this reply while I rescan my desktop with malwarebytes. I do have Internet connectivity from the modem to other computers.

OTL Extras logfile created on: 5/13/2010 10:37:44 PM - Run 1

OTL by OldTimer - Version 3.2.4.1


Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    DRV - (usrvrn) -- C:\WINDOWS\system32\drivers\usrvrn.sys ()
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    [2010/05/07 10:04:48 | 000,000,000 | ---D | M] (z) -- C:\Program Files\Mozilla Firefox\extensions\{1c22200b-3cee-5885-8326-2d596ddae153}
    O4 - HKCU..\Run: [gotnewupdate000.exe] C:\Documents and Settings\Dan\Application Data\1BF4A59C73DC722884ECEDB2AC7AABC0\gotnewupdate000.exe (MS)
    O4 - HKCU..\Run: [owxoisynt] C:\Documents and Settings\Dan\owxoisynt.exe ()
    O32 - AutoRun File - [2002/09/11 03:02:32 | 000,000,045 | -HS- | M] () - H:\Autorun.inf -- [ FAT32 ]
    O33 - MountPoints2\{2f6fec14-dfba-11de-b0a5-000c6eba18e5}\Shell\AutoRun\command - "" = D:\Setup_FlipShare.exe -- File not found
    O33 - MountPoints2\{2f6fec14-dfba-11de-b0a5-000c6eba18e5}\Shell\Setup FlipShare\command - "" = D:\Setup_FlipShare.exe -- File not found
    O33 - MountPoints2\{f9493833-7a90-11dd-b83c-806d6172696f}\Shell\AutoRun\command - "" = H:\Info.exe -- [2002/09/10 21:54:58 | 000,040,960 | -HS- | M] (XSS)
    [2010/05/09 23:49:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Local Settings\Application Data\rkogceybs
    [2010/05/13 22:26:28 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\cprt.sys
    [2010/05/10 05:37:45 | 000,606,015 | ---- | M] () -- C:\WINDOWS\System32\ifarmed.html
    [2010/05/09 23:50:29 | 000,000,038 | ---- | M] () -- C:\WINDOWS\System32\online_{c7a06a9e-f685-458d-aa00-01ab6888121b}
    [2010/05/09 23:50:23 | 000,000,038 | ---- | M] () -- C:\WINDOWS\System32\{c7a06a9e-f685-458d-aa00-01ab6888121b}
    [2010/05/09 23:48:54 | 000,056,766 | ---- | M] () -- C:\WINDOWS\System32\owxoisynt.exe
    [2010/05/09 23:48:51 | 000,050,990 | ---- | M] () -- C:\WINDOWS\System32\flqmiaxsdj.exe
    [2010/04/12 18:59:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avG

    :Files
    C:\WINDOWS\Tasks\At*.job
    C:\Documents and Settings\Dan\Application Data\1BF4A59C73DC722884ECEDB2AC7AABC0

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

================

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
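The fix above is built from what the helper picked out of the OTL log by eye: a proxy forced onto the local machine, Run-key autoruns with no publisher or living in the user profile, a 32-hex-character folder name, and an Autorun.inf on a removable drive. The script below is an added example, not part of this thread or of OTL/ComboFix; it applies the same checks mechanically to constructed sample lines modelled on the entries quoted above, and also flags the " .exe" (space before the extension) names and the AntiVirusOverride flag that show up later in the ComboFix log. The regexes are assumptions about the log formats.

```python
"""Triage of OTL / ComboFix style log lines (added example, not part of the
thread or of the OTL / ComboFix tools). The regexes below are assumptions
about the log formats, modelled on lines quoted in the thread."""
import re

# Constructed sample, modelled on entries quoted in the thread (not a real capture).
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O4 - HKCU..\Run: [gotnewupdate000.exe] C:\Documents and Settings\Dan\Application Data\1BF4A59C73DC722884ECEDB2AC7AABC0\gotnewupdate000.exe (MS)
O4 - HKCU..\Run: [owxoisynt] C:\Documents and Settings\Dan\owxoisynt.exe ()
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O32 - AutoRun File - [2002/09/11 03:02:32 | 000,000,045 | -HS- | M] () - H:\Autorun.inf -- [ FAT32 ]
c:\windows\system32\rundll32 .exe
c:\windows\system32\ctfmon .exe
"AntiVirusOverride"=dword:00000001
"""

# Proxy pointed at the local machine: browser traffic is being relayed through malware.
PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(?:http=)?127\.0\.0\.1:\d+', re.I)
# OTL O4 line: hive, [name], path, then (publisher) at the end.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<publisher>[^)]*)\)\s*$')
# A folder named by 32 hex characters, as in the thread.
HEXDIR_RE = re.compile(r'\\[0-9A-F]{32}\\', re.I)
# An .exe sitting directly in the root of a user profile.
PROFILE_ROOT_RE = re.compile(r'\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$', re.I)
# "rundll32 .exe": a space before the extension mimics a system binary's name.
SPACED_EXT_RE = re.compile(r'\S \.(?:exe|dll|sys|scr)\s*$', re.I)
# ComboFix REGEDIT4 dump: Security Center told to ignore the missing/disabled AV.
AV_OVERRIDE_RE = re.compile(r'"AntiVirusOverride"\s*=\s*dword:0*1\s*$', re.I)
# OTL O32 line: Autorun.inf found on a (removable) drive.
AUTORUN_RE = re.compile(r'^O32 - AutoRun File .*\\Autorun\.inf', re.I)


def check_line(line):
    """Return the list of reasons one log line is worth a second look (empty if none)."""
    reasons = []
    if PROXY_RE.search(line):
        reasons.append("loopback proxy")
    m = O4_RE.match(line)
    if m:
        if not m.group("publisher").strip():
            reasons.append("autorun without publisher")
        if HEXDIR_RE.search(m.group("path")):
            reasons.append("autorun in hex-named folder")
        if PROFILE_ROOT_RE.search(m.group("path")):
            reasons.append("autorun exe in profile root")
    if SPACED_EXT_RE.search(line):
        reasons.append("space before extension")
    if AV_OVERRIDE_RE.search(line):
        reasons.append("AntiVirusOverride set")
    if AUTORUN_RE.match(line):
        reasons.append("autorun.inf on removable drive")
    return reasons


def triage(log_text):
    """Run check_line over every non-empty line; return (reason, line) pairs in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for reason in check_line(line):
            findings.append((reason, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Entries that match none of the heuristics (the ProxyEnable line, the iTunesHelper autorun) produce no finding, which is the point: the script narrows a long log to the lines a helper would actually inspect, it does not decide what to delete.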


Here's the log from the OTL. Please note that upon reboot the dwwin files popped right back up in my task manager. I ended those processes. And while I typed up this reply a new tab opened up in Mozilla directing me to Walgreens. :)

All processes killed

========== OTL ==========

Service usrvrn stopped successfully!

Service usrvrn deleted successfully!

C:\WINDOWS\system32\drivers\usrvrn.sys moved successfully.

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

C:\Program Files\Mozilla Firefox\extensions\{1c22200b-3cee-5885-8326-2d596ddae153}\components folder moved successfully.

C:\Program Files\Mozilla Firefox\extensions\{1c22200b-3cee-5885-8326-2d596ddae153}\chrome folder moved successfully.

C:\Program Files\Mozilla Firefox\extensions\{1c22200b-3cee-5885-8326-2d596ddae153} folder moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\gotnewupdate000.exe deleted successfully.

C:\Documents and Settings\Dan\Application Data\1BF4A59C73DC722884ECEDB2AC7AABC0\gotnewupdate000.exe moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\owxoisynt deleted successfully.

C:\Documents and Settings\Dan\owxoisynt.exe moved successfully.

H:\Autorun.inf moved successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f6fec14-dfba-11de-b0a5-000c6eba18e5}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2f6fec14-dfba-11de-b0a5-000c6eba18e5}\ not found.

File D:\Setup_FlipShare.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f6fec14-dfba-11de-b0a5-000c6eba18e5}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2f6fec14-dfba-11de-b0a5-000c6eba18e5}\ not found.

File D:\Setup_FlipShare.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f9493833-7a90-11dd-b83c-806d6172696f}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f9493833-7a90-11dd-b83c-806d6172696f}\ not found.

H:\Info.exe moved successfully.

C:\Documents and Settings\Dan\Local Settings\Application Data\rkogceybs folder moved successfully.

File C:\WINDOWS\System32\drivers\cprt.sys not found.

C:\WINDOWS\system32\ifarmed.html moved successfully.

C:\WINDOWS\system32\online_{c7a06a9e-f685-458d-aa00-01ab6888121b} moved successfully.

C:\WINDOWS\system32\{c7a06a9e-f685-458d-aa00-01ab6888121b} moved successfully.

C:\WINDOWS\system32\owxoisynt.exe moved successfully.

C:\WINDOWS\system32\flqmiaxsdj.exe moved successfully.

C:\Documents and Settings\All Users\Application Data\avG folder moved successfully.

========== FILES ==========

C:\WINDOWS\Tasks\At1.job moved successfully.

C:\WINDOWS\Tasks\At10.job moved successfully.

C:\WINDOWS\Tasks\At11.job moved successfully.

C:\WINDOWS\Tasks\At12.job moved successfully.

C:\WINDOWS\Tasks\At13.job moved successfully.

C:\WINDOWS\Tasks\At14.job moved successfully.

C:\WINDOWS\Tasks\At15.job moved successfully.

C:\WINDOWS\Tasks\At16.job moved successfully.

C:\WINDOWS\Tasks\At17.job moved successfully.

C:\WINDOWS\Tasks\At18.job moved successfully.

C:\WINDOWS\Tasks\At19.job moved successfully.

C:\WINDOWS\Tasks\At2.job moved successfully.

C:\WINDOWS\Tasks\At20.job moved successfully.

C:\WINDOWS\Tasks\At21.job moved successfully.

C:\WINDOWS\Tasks\At22.job moved successfully.

C:\WINDOWS\Tasks\At23.job moved successfully.

C:\WINDOWS\Tasks\At24.job moved successfully.

C:\WINDOWS\Tasks\At3.job moved successfully.

C:\WINDOWS\Tasks\At4.job moved successfully.

C:\WINDOWS\Tasks\At5.job moved successfully.

C:\WINDOWS\Tasks\At6.job moved successfully.

C:\WINDOWS\Tasks\At7.job moved successfully.

C:\WINDOWS\Tasks\At8.job moved successfully.

C:\WINDOWS\Tasks\At9.job moved successfully.

C:\Documents and Settings\Dan\Application Data\1BF4A59C73DC722884ECEDB2AC7AABC0 folder moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dan

->Temp folder emptied: 158065307 bytes

->Temporary Internet Files folder emptied: 6826426 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 36956894 bytes

->Apple Safari cache emptied: 4838542 bytes

->Flash cache emptied: 920 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 11361099 bytes

->Flash cache emptied: 1369 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 5498938 bytes

->Java cache emptied: 301858 bytes

->Flash cache emptied: 22489 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2162283 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 56126306 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10951420 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 324494 bytes

RecycleBin emptied: 2937 bytes

Total Files Cleaned = 280.00 mb

OTL by OldTimer - Version 3.2.4.1 log created on 05142010_201721

Files\Folders moved on Reboot...

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NL4MCAS5\ads[1].htm moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NL4MCAS5\kronomy_com[1].htm moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NL4MCAS5\statstracker[1].htm moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EER003Q9\ads[1].htm moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EER003Q9\ads[2].htm moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\24MVCJ26\new-eclipse-trailer-unleashed-oprah-352902[1].htm moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0COC54YD\landing_bottom[1].htm moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0COC54YD\new[1].htm moved successfully.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0COC54YD\right_bar[1].htm moved successfully.

Registry entries deleted on Reboot...


The McAfee icon does not load in my system tray anymore (since the bug), so I don't know how to disable it.

I have Malwarebytes on my desktop as well as IOBit Security 360.

When I right-click on those icons I get the same options (no disable):

Open

Scan with IOBit360

Run as...

Scan for Threats (with an icon that looks like a blue McAfee shield)

Scan with Malwarebytes' Antimalware

Send to ...

Cut

Copy

Create Shortcut

Delete

Rename

Properties

I won't run that ComboFix until you let me know if I can skip the disable step.

Also, I haven't run the GMER program yet either (from your first post) since I wasn't successful with the OTH step.

By the way, you're a big help. Thanks for being there!


You are welcome.

I am going to temporarily disable all of those services from running.

We will reenable them when we are past the combofix part.

Please go to Start>Run type in Notepad.

Copy what is in the code box below into the open Notepad window.

Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.

@Echo off

sc config McShield start=disabled
sc config McTaskManager start=disabled
sc config McAfeeFramework start=disabled
sc config mfehidk start=disabled
sc config mfeavfk start=disabled
sc config mfeapfk start=disabled
sc config mfetdik start=disabled
sc config mfebopk start=disabled
sc config mferkdk start=disabled
sc config IS360service start=disabled

Then please double click on fixthis.bat; a window will open and close quickly. This is normal.

After that runs, please try ComboFix again. If it still tells you about the protection, you can safely proceed.


Ran fixthis.bat, then started ComboFix.

Got this message:

ComboFix has detected the following real time scanner to be active:

antivirus: McAfee VirusScan Enterprise...

please disable these scanners before clicking ok.

Now what?


Please reboot the machine and see if it still says that.

If it does please temporarily uninstall those programs.

Posting ComboFixLog here and as an attachment

ComboFix 10-05-16.01 - Dan 05/16/2010 14:40:12.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.306 [GMT -5:00]

Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Dan\Start Menu\Programs\Antimalware Doctor

c:\documents and settings\Dan\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk

c:\documents and settings\Dan\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

c:\program files\Common Files\Adobe\ARM\1.0\adobearm.exe

c:\program files\QuickTime\QTTask.exe

c:\windows\system32\ctfmon .exe

c:\windows\system32\kzorpglk.dll

c:\windows\system32\nwiz .exe

c:\windows\system32\regsvr32 .exe

c:\windows\system32\rundll32 .exe

c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe --> c:\program files\Common Files\Adobe\ARM\1.0\adobearm.exe
c:\program files\QuickTime\qttask .exe --> c:\program files\QuickTime\qttask.exe
c:\program files\QuickTime\qttask .exe --> c:\program files\QuickTime\qttask.exe

.

Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_USBXBOX

((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))

.

2010-05-15 01:17 . 2010-05-15 01:17 -------- d-----w- C:\_OTL

2010-05-10 05:13 . 2010-05-10 05:13 -------- d-----w- C:\spoolerlogs

2010-05-10 04:50 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys

2010-05-10 04:50 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-05-10 02:31 . 2010-05-10 02:31 296448 ----a-w- c:\windows\system32\barfgizb.dll

2010-05-07 15:04 . 2010-05-07 15:04 96704 ----a-w- c:\windows\system32\fa443773.exe

2010-05-04 02:58 . 2010-05-04 02:58 -------- d-----w- c:\program files\iPod

2010-05-04 02:49 . 2010-05-04 02:49 -------- d-----w- c:\program files\Bonjour

2010-04-29 22:26 . 2010-04-29 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-04-29 22:26 . 2010-04-29 22:26 -------- d-----w- c:\program files\IObit

2010-04-29 07:19 . 2010-04-29 07:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2010-04-26 11:52 . 2010-04-29 07:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-04-20 06:10 . 2010-04-20 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-18 05:26 . 2010-04-18 05:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-16 19:49 . 2010-02-07 16:28 -------- d-----w- c:\program files\QuickTime

2010-05-16 19:29 . 2008-09-17 19:17 -------- d-----w- c:\program files\McAfee

2010-05-16 19:29 . 2008-09-17 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-15 04:34 . 2004-08-04 12:00 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys

2010-05-10 12:58 . 2008-09-17 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-10 04:48 . 2004-08-04 12:00 182656 -c--a-w- c:\windows\system32\drivers\ndis.sys

2010-05-09 17:17 . 2010-04-12 01:02 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-04 03:00 . 2010-02-07 16:35 -------- d-----w- c:\program files\iTunes

2010-05-04 02:58 . 2008-11-09 14:43 -------- d-----w- c:\program files\Common Files\Apple

2010-05-04 02:51 . 2010-04-16 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-05-04 02:43 . 2010-05-04 02:43 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-01 05:15 . 2010-04-12 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 23:36 . 2009-06-20 16:28 -------- d-----w- c:\documents and settings\Dan\Application Data\Amazon

2010-04-29 23:36 . 2009-06-20 16:25 -------- d-----w- c:\program files\Amazon

2010-04-29 20:39 . 2010-04-12 22:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39 . 2010-04-12 22:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-21 17:08 . 2010-05-02 16:34 52224 ----a-w- c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll

2010-04-21 17:08 . 2010-05-02 16:34 101376 ----a-w- c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll

2010-04-16 12:20 . 2008-09-17 21:02 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-16 12:16 . 2010-04-16 12:16 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-04-12 22:29 . 2010-04-12 22:29 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes

2010-04-12 22:29 . 2010-04-12 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-12 22:10 . 2008-10-05 16:27 86472 -c--a-w- c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-10 20:52 . 2008-11-11 05:32 -------- d-----w- c:\program files\Free Offers from Freeze.com

2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-07 03:31 . 2010-03-03 00:48 439816 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\setup.exe

2010-04-04 15:23 . 2008-11-11 05:35 -------- d-----w- c:\documents and settings\Dan\Application Data\dvdcss

2010-03-26 07:48 . 2010-03-26 07:48 20846064 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-03-18 20:41 . 2009-12-18 20:13 79488 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-03 08:48 . 2010-03-03 08:48 8405312 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2010-03-03 08:48 . 2010-03-03 08:48 149000 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe

2010-03-03 08:48 . 2010-03-03 08:48 10309448 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-03-03 08:48 . 2010-03-03 08:48 283280 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe

2010-03-03 08:48 . 2010-03-03 08:48 181768 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe

2010-03-03 08:48 . 2010-03-03 08:48 79368 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\vista.exe

2010-03-03 08:48 . 2010-03-03 08:48 64000 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll

2010-03-03 08:48 . 2010-03-03 08:48 52288 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll

2010-03-03 08:48 . 2010-03-03 08:48 50688 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll

2010-03-03 08:48 . 2010-03-03 08:48 49152 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll

2010-03-03 08:48 . 2010-03-03 08:48 118784 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll

2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-11-24 19:14 . 2009-11-24 19:14 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll

2009-11-28 18:10 . 2009-11-28 18:10 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

.

c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Sonic\Update Manager\sgtray .exe
c:\program files\IObit\IObit Security 360\is360tray .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-23 3026944]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk

backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^Adobe Media Player.lnk]

path=c:\documents and settings\Dan\Start Menu\Programs\Startup\Adobe Media Player.lnk

backup=c:\windows\pss\Adobe Media Player.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 1:03 PM 169312]

S0 gcusv;gcusv; [x]

S3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;c:\windows\system32\drivers\vnetusbl.sys [3/9/2004 7:48 PM 108032]

.

Contents of the 'Scheduled Tasks' folder

2010-05-16 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\

FF - component: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll

FF - plugin: c:\documents and settings\Dan\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Dan\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\Musicnotes\npmusicn.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-16 14:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1784)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\windows\system32\nvsvc32.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-05-16 14:54:30 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-16 19:54

Pre-Run: 103,859,597,312 bytes free

Post-Run: 103,841,226,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 445439F7C42A8DB424C7BB7322C35DCD

ComboFixLog.txt


1. Open notepad and copy/paste the text in the codebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=50105

Collect::
c:\windows\system32\barfgizb.dll
c:\windows\system32\fa443773.exe

DirLook::
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

RenV::
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Sonic\Update Manager\sgtray .exe
c:\program files\IObit\IObit Security 360\is360tray .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe

Save this as CFScript.txt

Drag CFScript.txt into ComboFix.exe

2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

4. During this run Combofix will collect and automatically upload some sample files.

You will see it say Combofix needs to upload some samples.

If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

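The RenV:: list above names executables whose file names carry a space before the .exe extension (`acrotray .exe`, `jusched .exe`, and so on). The script below is an added example, not part of this thread and not ComboFix's own code: it walks a list of paths, reports every name matching that pattern, and says whether a normally named copy already exists beside it (a rename back to the normal name would collide with that copy). The sample path list is constructed for the example; its spaced names are taken from the RenV:: list, the normally named ones are made up, and the set of extensions checked is an assumption (the list above only shows .exe).

```python
"""Find executables whose names carry whitespace before the extension (e.g. "acrotray .exe")."""
import os
import re
from pathlib import PureWindowsPath

# Matches "name .exe" style file names: non-space stem, one or more spaces, then the extension.
# The extension set is an assumption for the example; the RenV:: list above only shows .exe.
SPACED_EXT = re.compile(r"^(?P<stem>.*\S)\s+\.(?P<ext>exe|dll|scr|com)$", re.IGNORECASE)


def find_spaced_names(paths):
    """Report every path whose file name matches SPACED_EXT.

    Returns a list of dicts, in input order:
      spaced          - the path as found
      expected        - the same path with the stray whitespace removed
      sibling_present - True if `expected` is itself in `paths` (a rename would collide)
    Comparison is case-insensitive, as Windows file names are.
    """
    normalized = {str(PureWindowsPath(p)).lower() for p in paths}
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        m = SPACED_EXT.match(wp.name)
        if not m:
            continue
        expected = str(wp.with_name(f"{m['stem']}.{m['ext']}"))
        findings.append({
            "spaced": p,
            "expected": expected,
            "sibling_present": expected.lower() in normalized,
        })
    return findings


def scan_tree(root):
    """Collect full paths under `root` as input to find_spaced_names (for running on the machine itself)."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return paths


# Constructed sample input: the spaced names come from the RenV:: list above,
# the normally named entries are made up for the example.
SAMPLE_PATHS = [
    r"c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe",
    r"c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe",
    r"c:\program files\Java\jre6\bin\jusched .exe",
    r"c:\program files\Java\jre6\bin\java.exe",
    r"c:\program files\Messenger\msmsgs .exe",
    r"c:\program files\McAfee\Common Framework\udaterui.exe",
]

if __name__ == "__main__":
    for f in find_spaced_names(SAMPLE_PATHS):
        state = "collides with existing file" if f["sibling_present"] else "no sibling"
        print(f'{f["spaced"]}  ->  {f["expected"]}  [{state}]')
```

On a live machine, feed `scan_tree(r"C:\Program Files")` into `find_spaced_names` instead of the sample list; the collision flag is the thing to check before any renaming, because two files cannot share the final name.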

4. It wasn't able to automatically upload the files.

It did not ask me to reboot.

I found the submit zip folder.

When I click on the "here" link to upload the zip file I get:

Unable to connect

Firefox can't establish a connection to the server at www.bleepingcomputer.com.

And yet I'm able to post this message, so the internet connection is good. Just can't get into bleepingcomputer, I guess.

Do you want me to post the LOG that was generated after that CFScript/ComboFix run?


Yes please post the log.

FYI, overnight Windows installed a security update and rebooted my computer.

None of those dwwin files popped up, so that's a start.

Here's the log from last night:

ComboFix 10-05-16.01 - Dan 05/16/2010 21:38:42.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.310 [GMT -5:00]

Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt

file zipped: c:\windows\system32\barfgizb.dll

file zipped: c:\windows\system32\fa443773.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\barfgizb.dll

c:\windows\system32\fa443773.exe

.

((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))

.

2010-05-16 19:51 . 2010-05-16 19:51 -------- d-----w- c:\windows\LastGood

2010-05-15 01:17 . 2010-05-15 01:17 -------- d-----w- C:\_OTL

2010-05-10 05:13 . 2010-05-10 05:13 -------- d-----w- C:\spoolerlogs

2010-05-10 04:50 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys

2010-05-10 04:50 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-05-04 02:58 . 2010-05-04 02:58 -------- d-----w- c:\program files\iPod

2010-05-04 02:49 . 2010-05-04 02:49 -------- d-----w- c:\program files\Bonjour

2010-05-04 02:43 . 2010-05-04 02:43 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-02 16:34 . 2010-04-21 17:08 52224 ----a-w- c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll

2010-05-02 16:34 . 2010-04-21 17:08 101376 ----a-w- c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll

2010-04-29 22:26 . 2010-04-29 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2010-04-29 22:26 . 2010-04-29 22:26 -------- d-----w- c:\program files\IObit

2010-04-29 07:19 . 2010-04-29 07:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2010-04-26 11:52 . 2010-04-29 07:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-04-20 06:10 . 2010-04-20 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-04-18 05:26 . 2010-04-18 05:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-17 02:38 . 2010-02-07 16:35 -------- d-----w- c:\program files\iTunes

2010-05-16 19:49 . 2010-02-07 16:28 -------- d-----w- c:\program files\QuickTime

2010-05-16 19:29 . 2008-09-17 19:17 -------- d-----w- c:\program files\McAfee

2010-05-16 19:29 . 2008-09-17 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-15 04:34 . 2004-08-04 12:00 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys

2010-05-10 12:58 . 2008-09-17 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-10 04:48 . 2004-08-04 12:00 182656 -c--a-w- c:\windows\system32\drivers\ndis.sys

2010-05-09 17:17 . 2010-04-12 01:02 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-04 02:58 . 2008-11-09 14:43 -------- d-----w- c:\program files\Common Files\Apple

2010-05-04 02:51 . 2010-04-16 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-05-01 05:15 . 2010-04-12 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 23:36 . 2009-06-20 16:28 -------- d-----w- c:\documents and settings\Dan\Application Data\Amazon

2010-04-29 23:36 . 2009-06-20 16:25 -------- d-----w- c:\program files\Amazon

2010-04-29 20:39 . 2010-04-12 22:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39 . 2010-04-12 22:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-16 12:20 . 2008-09-17 21:02 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-16 12:16 . 2010-04-16 12:16 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-04-12 22:29 . 2010-04-12 22:29 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes

2010-04-12 22:29 . 2010-04-12 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-12 22:10 . 2008-10-05 16:27 86472 -c--a-w- c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-10 20:52 . 2008-11-11 05:32 -------- d-----w- c:\program files\Free Offers from Freeze.com

2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-04-07 03:31 . 2010-03-03 00:48 439816 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\setup.exe

2010-04-04 15:23 . 2008-11-11 05:35 -------- d-----w- c:\documents and settings\Dan\Application Data\dvdcss

2010-03-26 07:48 . 2010-03-26 07:48 20846064 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-03-18 20:41 . 2009-12-18 20:13 79488 ----a-w- c:\documents and settings\Dan\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-03 08:48 . 2010-03-03 08:48 8405312 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2010-03-03 08:48 . 2010-03-03 08:48 149000 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe

2010-03-03 08:48 . 2010-03-03 08:48 10309448 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-03-03 08:48 . 2010-03-03 08:48 283280 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe

2010-03-03 08:48 . 2010-03-03 08:48 181768 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe

2010-03-03 08:48 . 2010-03-03 08:48 79368 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\vista.exe

2010-03-03 08:48 . 2010-03-03 08:48 64000 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll

2010-03-03 08:48 . 2010-03-03 08:48 52288 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll

2010-03-03 08:48 . 2010-03-03 08:48 50688 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll

2010-03-03 08:48 . 2010-03-03 08:48 49152 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll

2010-03-03 08:48 . 2010-03-03 08:48 118784 ----a-w- c:\documents and settings\Dan\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll

2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-11-24 19:14 . 2009-11-24 19:14 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll

2009-11-28 18:10 . 2009-11-28 18:10 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} ----

2010-04-20 06:11 . 2010-05-04 03:00 2094 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DIFxInstallLog.txt

2009-06-03 14:32 . 2009-06-03 14:32 7994 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\gearaspiwdmx86.cat

2009-05-18 18:48 . 2009-05-18 18:48 2763 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\GEARAspiWDM.inf

2009-05-18 18:17 . 2009-05-18 18:17 26600 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86\GEARAspiWDM.sys

2009-02-04 18:56 . 2009-02-04 18:56 75112 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DifXInstall32.exe

2008-04-17 17:12 . 2008-04-17 17:12 107368 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86\GEARAspi.dll

2006-11-02 11:21 . 2006-11-02 11:21 319456 ----a-w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DIFxAPI.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-23 3026944]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk

backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^Adobe Media Player.lnk]

path=c:\documents and settings\Dan\Start Menu\Programs\Startup\Adobe Media Player.lnk

backup=c:\windows\pss\Adobe Media Player.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2008-09-17 20:13 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 1:03 PM 169312]

S0 gcusv;gcusv; [x]

S3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;c:\windows\system32\drivers\vnetusbl.sys [3/9/2004 7:48 PM 108032]

.

Contents of the 'Scheduled Tasks' folder

2010-05-16 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\

FF - component: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll

FF - plugin: c:\documents and settings\Dan\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Dan\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\Musicnotes\npmusicn.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

AddRemove-fa443773 - c:\windows\system32\fa443773.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-16 21:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-05-16 21:45:26

ComboFix-quarantined-files.txt 2010-05-17 02:45

ComboFix2.txt 2010-05-16 19:54

Pre-Run: 103,825,862,656 bytes free

Post-Run: 103,783,342,080 bytes free

- - End Of File - - CB10BA1982EC50B2879835B6C27F9FDB

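The "Files Created" and "Find3M Report" blocks in the ComboFix log above share one line format: creation stamp, a dot, modification stamp, size (or dashes for a directory), an eight-character attribute string, and the path. The parser below is an added example, not part of this thread and not ComboFix's own code. It turns those lines into records and applies two first-pass filters: files that landed under a watched root (c:\windows by default, an assumption for the example), and files whose modification time predates their creation time, which is what a file copied into place with its original timestamp looks like. Legitimate updates produce that pattern too (both changer.sys copies above do), so it is a prompt for a look, not a verdict. The sample lines are copied verbatim from the log above.

```python
"""Parse ComboFix "Files Created" / "Find3M Report" entries and pull out the ones worth a closer look."""
import re
from datetime import datetime

# One entry per line:  <created> . <modified> <size|--------> <attrs> <path>
# e.g. "2010-05-10 04:50 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys"
ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
STAMP = "%Y-%m-%d %H:%M"


def parse_entries(text):
    """Return one dict per entry line; section banners, '.' separators and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        attrs = m["attrs"]
        entries.append({
            "created": datetime.strptime(m["created"], STAMP),
            "modified": datetime.strptime(m["modified"], STAMP),
            "size": int(m["size"]) if m["size"].isdigit() else None,  # None for directories
            "attrs": attrs,
            "is_dir": attrs[0] == "d",
            "path": m["path"],
        })
    return entries


def triage(entries, watch_roots=(r"c:\windows",)):
    """Two first-pass filters over parsed entries.

    in_watched         - files (not directories) that landed under one of watch_roots
    older_than_created - files whose modification time predates their creation time, i.e. the
                         file was copied into place keeping its original mtime rather than written
                         fresh; legitimate updates do this too, so treat it as a prompt, not a verdict
    """
    roots = tuple(r.lower() for r in watch_roots)
    files = [e for e in entries if not e["is_dir"]]
    return {
        "in_watched": [e for e in files if e["path"].lower().startswith(roots)],
        "older_than_created": [e for e in files if e["modified"] < e["created"]],
    }


# Sample input copied verbatim from the log above (the banner and "." lines show what gets skipped).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.
2010-05-16 19:51 . 2010-05-16 19:51 -------- d-----w- c:\windows\LastGood
2010-05-15 01:17 . 2010-05-15 01:17 -------- d-----w- C:\_OTL
2010-05-10 04:50 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-10 04:50 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-04 02:43 . 2010-05-04 02:43 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
"""

if __name__ == "__main__":
    result = triage(parse_entries(SAMPLE_LOG))
    for bucket, hits in result.items():
        print(bucket)
        for e in hits:
            print(f"  {e['created']:%Y-%m-%d %H:%M}  {e['size']:>8}  {e['path']}")
```

To run it over a full log, read ComboFix.txt into `parse_entries`; the section banners fall through the regex, so the whole file can be passed in at once.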

Hi, see if you can access the upload link I gave you earlier to submit the zip file after doing the scans below.

Also, the dwwin files are legitimate; they are Dr. Watson debugger files.

Update/Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the Update tab, then click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check the options Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Oh. I thought the dwwin and drwatson exe's were part of the antimalwaredoctor stuff.

I updated the Malwarebytes data files and ran the quick scan. REPORT:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4119

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

5/20/2010 12:09:41 AM

mbam-log-2010-05-20 (00-09-41).txt

Scan type: Quick scan

Objects scanned: 118540

Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


RE: Step 2, running ESET and posting the LOG file.

Ran the program. It found 7 files; I clicked on the boxes to remove/quarantine the files,

but that replaced that window with one that said they recommend I install ESET Smart Security or ESET NOD32 Antivirus, with two options: Purchase or 30-day trial.

I chose 30 day trial hoping it would at least finish this round, but it now has me at the screen that wants me to choose which program to try. *sigh*

I looked for that log file on my hard drive and it isn't there, just the ocx file and uninstaller files.


Please remove the 30 day trial.

The scan automatically removes the threat if you hit remove threats.

Were you able to upload the zip file to Bleeping Computer?

How are things running?

  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open one Notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


Didn't install the 30-day trial; I just stopped at that point until I heard back from you.

I was able to upload that zip file to Bleeping Computer :)

Things are running pretty well, no more random pages being called up on the internet.

No more warnings about infected files.

But there's one red icon in my system tray, bottom right corner I don't recognize that says:

Update is ready to install. When I right click the icon it says it's an Adobe Reader update.

I'm so leery now of these things because they look legit, yet end up being bogus.

Earlier I had to deal with the Windows Security Center bug and it amazes me how they get away with looking like the real deal.

I'm not updating anything until you let me know it's safe to do so. For now, here's the OTL log:

OTL logfile created on: 5/20/2010 9:02:33 PM - Run 2

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Dan\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 266.00 Mb Available Physical Memory | 52.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 83.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 143.84 Gb Total Space | 96.53 Gb Free Space | 67.11% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

Drive H: | 5.19 Gb Total Space | 0.94 Gb Free Space | 18.13% Space Free | Partition Type: FAT32

I: Drive not present or media not loaded

Computer Name: DAN-ADA5D825B1F

Current User Name: Dan

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Dan\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe (Adobe Systems Incorporated)

PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Dan\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)

SRV - (AdobeActiveFileMonitor7.0) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe (Adobe Systems Incorporated)

SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)

========== Driver Services (SafeList) ==========

DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)

DRV - (Changer) -- C:\WINDOWS\system32\drivers\changer.sys (Microsoft Corporation)

DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )

DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)

DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (LT)

DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)

DRV - (CX23880) -- C:\WINDOWS\system32\drivers\cx88vid.sys (Conexant Systems, Inc.)

DRV - (CXTUNE) -- C:\WINDOWS\system32\drivers\cx88tune.sys (Conexant Systems, Inc.)

DRV - (CX88ENC) -- C:\WINDOWS\system32\drivers\cx88enc.sys (Conexant Systems, Inc.)

DRV - (CXAVXBAR) -- C:\WINDOWS\system32\drivers\cxavxbar.sys (Conexant Systems, Inc.)

DRV - (LinksysFVNETusbl(AR)®) Linksys FVNETusbl(AR)® -- C:\WINDOWS\system32\drivers\vnetusbl.sys (Cisco-Linksys LLC)

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (CA561) ICatch (VI) -- C:\WINDOWS\system32\drivers\spca561.sys (SP)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - prefs.js..extensions.enabledItems: {aac4043a-8832-4abe-9963-35377f30b8e6}:2.6.0.15

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.3

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/09/17 15:13:42 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/01 23:32:08 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/02/08 01:19:18 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/01 21:56:53 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/03 21:50:54 | 000,000,000 | ---D | M]

[2010/05/01 21:57:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Mozilla\Extensions

[2010/05/01 21:57:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2010/05/20 00:09:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions

[2010/05/02 13:27:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/05/02 11:34:07 | 000,000,000 | ---D | M] (Castle Age Toolbar) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\geif10ke.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}

[2008/11/14 18:15:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Mozilla\Sunbird\Profiles\gdyjnbd8.default\extensions

[2010/05/20 00:09:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/05/01 21:56:13 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2009/02/08 01:19:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

[2009/07/17 19:33:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

[2010/04/01 12:58:18 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll

[2010/04/01 12:58:19 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll

[2009/05/21 11:33:58 | 000,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll

[2010/04/01 12:58:20 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll

[2006/10/26 20:12:16 | 000,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL

[2009/12/21 18:34:06 | 000,103,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll

[2008/09/17 15:13:37 | 000,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll

[2010/04/20 01:06:00 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

[2010/04/20 01:06:00 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

[2010/04/20 01:06:00 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

[2010/04/20 01:06:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

[2010/04/20 01:06:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

[2010/04/20 01:06:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

[2010/04/20 01:06:01 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

[2008/09/17 15:13:46 | 000,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll

[2008/09/17 15:13:26 | 000,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll

[2009/11/28 13:10:16 | 008,467,184 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSibelius.dll

[2009/11/24 14:14:50 | 010,437,264 | ---- | M] (PDFTron Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\PDFNetC.dll

[2009/11/28 13:10:18 | 000,107,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ScorchPDFWrapper.dll

[2010/04/01 10:56:18 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml

[2010/04/01 10:56:18 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml

[2010/04/01 10:56:18 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml

[2010/04/01 10:56:18 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml

[2010/04/01 10:56:18 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml

[2010/04/01 10:56:18 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

[2010/04/01 10:56:18 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/05/16 14:49:16 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1221684262687 (MUWebControl Class)

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\WINDOWS\Prairie Wind.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Prairie Wind.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/09/04 16:36:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - H:\AUTOEXEC.BAT -- [ FAT32 ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/16 21:36:28 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/05/16 14:35:26 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/05/16 14:31:06 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/05/16 14:31:06 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/05/16 14:31:06 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/05/16 14:23:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

[2010/05/16 12:25:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/05/15 22:11:44 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/05/14 20:17:21 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/05/14 20:13:43 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\OTH.scr

[2010/05/13 22:36:03 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\OTL.exe

[2010/05/10 07:47:25 | 000,000,000 | ---D | C] -- C:\Config.Msi

[2010/05/10 00:13:08 | 000,000,000 | ---D | C] -- C:\spoolerlogs

[2010/05/09 23:50:43 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys

[2010/05/09 23:50:43 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys

[2010/05/03 21:58:39 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2010/05/03 21:49:17 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

[2010/04/29 17:26:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit

[2010/04/29 17:26:23 | 000,000,000 | ---D | C] -- C:\Program Files\IObit

[2010/04/29 06:23:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real

[2010/04/29 02:19:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer

[2010/04/26 06:52:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer

========== Files - Modified Within 30 Days ==========

[2010/05/20 20:05:20 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job

[2010/05/20 20:05:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/05/20 20:04:47 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/05/20 20:04:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/05/20 20:04:44 | 536,203,264 | -HS- | M] () -- C:\hiberfil.sys

[2010/05/20 15:11:42 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\Dan\NTUSER.DAT

[2010/05/20 15:11:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Dan\ntuser.ini

[2010/05/18 01:28:43 | 000,122,210 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\battlecry.jpg

[2010/05/16 21:43:04 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/05/16 21:38:37 | 000,001,221 | ---- | M] () -- C:\CF-Submit.htm

[2010/05/16 14:49:16 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/05/16 14:35:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010/05/16 14:30:01 | 003,689,722 | R--- | M] () -- C:\Documents and Settings\Dan\Desktop\ComboFix.exe

[2010/05/15 22:10:38 | 000,000,371 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\fixthis.bat

[2010/05/14 23:34:12 | 000,036,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\intelppm.sys

[2010/05/14 09:59:26 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\OTH.scr

[2010/05/13 22:36:00 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\OTL.exe

[2010/05/12 15:07:28 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/05/11 22:15:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Dan\defogger_reenable

[2010/05/11 20:07:06 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\16eu51i5.exe

[2010/05/10 07:56:30 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/05/09 23:48:29 | 000,182,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys

[2010/05/09 16:17:21 | 346,388,594 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\kvideo.MOV

[2010/05/09 12:17:58 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/05/01 21:56:25 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe

========== Files Created - No Company Name ==========

[2010/05/18 01:28:47 | 000,122,210 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\battlecry.jpg

[2010/05/16 21:38:37 | 000,001,221 | ---- | C] () -- C:\CF-Submit.htm

[2010/05/16 14:35:33 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/05/16 14:35:27 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/05/16 14:31:06 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/05/16 14:31:06 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/05/16 14:31:06 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/05/16 14:31:06 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/05/16 14:31:06 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/05/15 22:10:38 | 000,000,371 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\fixthis.bat

[2010/05/14 20:14:12 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\16eu51i5.exe

[2010/05/14 20:13:55 | 003,689,722 | R--- | C] () -- C:\Documents and Settings\Dan\Desktop\ComboFix.exe

[2010/05/11 22:15:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Dan\defogger_reenable

[2010/05/09 14:21:38 | 346,388,594 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\kvideo.MOV

[2010/05/03 22:00:23 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/05/01 21:56:24 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2008/11/21 21:52:57 | 000,000,037 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2008/11/08 23:39:41 | 000,014,385 | ---- | C] () -- C:\WINDOWS\Tw561a.ini

[2008/11/08 23:39:41 | 000,000,081 | ---- | C] () -- C:\WINDOWS\Setup8a.ini

[2008/09/17 14:30:38 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll

[2008/09/17 14:17:28 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig

[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2004/09/13 16:35:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

< End of report >

Link to post
Share on other sites
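The log above is the kind of OTL "Files Created/Modified" listing a helper reads by eye. As an added example (not part of this thread and not OTL's own code), the Python below parses those bracketed lines and applies a few cheap triage heuristics: written recently, sitting directly in a system directory, an executable with no company string, or hidden/system attributes. The allow-list of ComboFix/OTL helper binaries, the assumed capture time `SAMPLE_NOW`, and the constructed hidden executable `zz9plzq.exe` are assumptions; the other sample lines are copied from the log above.

```python
"""Triage the "Files Created/Modified" section of an OTL log.

Added example, not part of the forum thread and not OTL's own code.
The allow-list and the last sample line are assumptions/constructed.
"""
import re
from datetime import datetime, timedelta

# One OTL file line looks like:
# [2010/05/16 14:31:06 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
#  timestamp            size          attrs  C/M  (company)    path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Directories where a fresh, unsigned executable deserves a look
# (exact parent match, lower-cased, trailing backslash kept).
SENSITIVE_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\",
    "c:\\",
)
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".bat")

# Assumption: helper binaries that ComboFix/OTL drop during a cleanup.
# A name is only a hint; verify by hash before trusting the file.
KNOWN_TOOL_FILES = {"pev.exe", "sed.exe", "grep.exe", "mbr.exe", "zip.exe",
                    "combofix.exe", "otl.exe", "oth.scr", "cmldr"}

# Sample input: the first five lines are copied from the log above, the
# header line shows a non-file line being skipped, and the hidden exe in
# System32 is constructed to show what a dropper artefact looks like.
SAMPLE_LOG = r"""
[2010/05/16 14:35:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/16 14:31:06 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/14 23:34:12 | 000,036,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\intelppm.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2004/09/13 16:35:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
========== Files Created - No Company Name ==========
[2010/05/16 13:02:11 | 000,102,400 | -H-- | C] () -- C:\WINDOWS\System32\zz9plzq.exe
"""
SAMPLE_NOW = datetime(2010, 5, 18)   # assumed time the log was taken


def parse_line(line):
    """Return a dict for one OTL file line, or None if it is not one."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "size": int(m.group("size").replace(",", "")),
        "attrs": m.group("attrs"),
        "kind": m.group("kind"),          # C = created, M = modified
        "company": m.group("company"),
        "path": m.group("path"),
    }


def score_entry(entry, now, recent_days=7):
    """Return the list of heuristic reasons that make an entry interesting."""
    path = entry["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    parent = path[: len(path) - len(name)]
    reasons = []
    if now - entry["ts"] <= timedelta(days=recent_days):
        reasons.append("recent")
    if parent in SENSITIVE_DIRS:
        reasons.append("system-dir")
    if name.endswith(EXECUTABLE_EXTS) and not entry["company"]:
        reasons.append("no-company")
    if "H" in entry["attrs"] or "S" in entry["attrs"]:
        reasons.append("hidden/system-attr")
    if name in KNOWN_TOOL_FILES:
        reasons.append("known-tool")
    return reasons


def triage(lines, now, min_reasons=3):
    """Parse all lines; return (path, reasons) for entries worth a look."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = score_entry(entry, now)
        if "known-tool" in reasons:
            continue                      # cleanup-tool artefact, verify by hash
        if len(reasons) >= min_reasons:
            hits.append((entry["path"], reasons))
    return hits


def run_sample():
    """Triage the embedded sample with the assumed capture time."""
    return triage(SAMPLE_LOG.splitlines(), SAMPLE_NOW)


if __name__ == "__main__":
    for path, reasons in run_sample():
        print(f"{path}: {', '.join(reasons)}")
```

A flagged entry is a lead, not a verdict. boot.ini is reported because it was rewritten, with hidden/system attributes, in the same minute the log shows Boot.bak and cmldr appearing, which is what a Recovery Console install does; the constructed hidden, unsigned executable in System32 is the pattern actually worth chasing. PEV.exe is dropped because its name is on the allow-list; hash anything on that list rather than trusting the name.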

Great, yes, that Adobe update is needed; go ahead and do that one.

You can actually uninstall the version of Adobe Reader that you have and download and install the newest one from Here.

The following will re-enable the security software; a restart will be needed to complete the actions.

Please go to Start>Run type in Notepad.

Copy what is in the code box below into the open Notepad window.

Change the "Save As Type" to "All Files". Save it as fix.bat on your Desktop.

@Echo off
rem sc.exe needs a space after "start=" and only accepts boot, system, auto,
rem demand, disabled or delayed-auto; "start=enabled" is not valid and fails.
rem The start types below are the usual defaults for these McAfee/IObit
rem components (an assumption); confirm the original with: sc qc <name>

sc config McShield start= auto
sc config McTaskManager start= auto
sc config McAfeeFramework start= auto
sc config mfehidk start= system
sc config mfeavfk start= system
sc config mfeapfk start= system
sc config mfetdik start= system
sc config mfebopk start= system
sc config mferkdk start= system
sc config IS360service start= auto

rem remove the earlier fix script and the renamed scanner copy
del /q /f "C:\Documents and Settings\Dan\Desktop\fixthis.bat"
del /q /f "C:\Documents and Settings\Dan\Desktop\16eu51i5.exe"

rem the batch file deletes itself
del %0

Then please double click on fix.bat; a window will open and close quickly. This is normal.

========================

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the /uninstall; it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" and click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is left over.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people for preventing malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more about how you got infected in the first place, and for some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.

Link to post
Share on other sites


Ok. Got the Adobe. Got the Java.

The system restore thing showed the box already unchecked, so I didn't do anything there.

All the files we worked with are gone. Ran the windows update and it said there weren't any updates I'm missing, so I think we're good to go.

Regarding security, however. When I couldn't disable McAfee I just uninstalled it. I also uninstalled that IOBit one as well. I kept Malwarebytes, of course, but that's not a comprehensive virus protection program, is it?

Should I reinstall the McAfee or go with a different program, since that didn't seem to help protect me the last time around?

Thank you so much for your assistance. It was most appreciated.

Link to post
Share on other sites

Hi, that is up to you, but there are free antivirus programs out there as well. Nothing will be 100%; infections dupe antivirus/antispyware products all of the time.

One that is very good is Microsoft Security Essentials

Secondly I would recommend Antivir

You will need an antivirus program as well as MBAM to have adequate protection.

You are welcome.

Link to post
Share on other sites
