patk

HJT log - help request

I have used Malwarebytes before, but I'm new to the forum. Thanks for being here.

My kids' computer has been acting strange. It's running XP Home with SP2.

I've been able to clean (I think) many problems with Spybot S&D and the MS malware removal tool. Those run, along with HJT, but Malwarebytes will not: it appears to install but crashes looking for vbalsgrid6.ocx, which is in fact where it's supposed to be. I've tried registering the files with the batch command I found in another question.

I have an old version of McAfee installed that apparently isn't working, and can't uninstall it even with the removal tool.

Also, in some cases I get "you can't do that because you're not an administrator" messages even when I'm logged on with an admin account. IE7 won't launch at all, but there are no problems with Firefox. Flash won't install.

Here's the HJT log. I'm ready to throw this computer out the window; I'll try anything. Thanks in advance for any suggestions.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:31:13 AM, on 5/31/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - Startup: ChkDisk.lnk = ?

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1273971104687

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...983/mcfscan.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

--

End of file - 5086 bytes


Hi,

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

---

Download GMER here by clicking the download exe button and then saving it to your desktop:

  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab, uncheck the Files option and then click Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is finished, click Copy.
  • This copies the log to the clipboard.
  • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.


Thanks for your help Blade81. Here are the DDS files (DDS told me to zip the attach.txt file - I hope this is OK):

DDS (Ver_10-03-17.01) - NTFSx86

Run by pat at 9:01:30.66 on Tue 06/01/2010

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.608 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\pat\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

TB: {C4F5EC43-D494-47E4-8E35-440B49E25FD5} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1273971104687

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37692.8155092593

DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab

DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5983/mcfscan.cab

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - Eudora's Shell Extension

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pat\applic~1\mozilla\firefox\profiles\buititz0.default\

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?linkid=677

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\pat\application data\mozilla\firefox\profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\pat\application data\mozilla\firefox\profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 385536]

R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [2002-9-21 10016]

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [2003-4-23 26752]

R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2003-4-23 40704]

S1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\dcxxmjpg.sys --> c:\windows\system32\drivers\DCxxMJPG.sys [?]

S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\drivers\lstone2k.sys --> c:\windows\system32\drivers\lstone2k.sys [?]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-24 34248]

S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2008-3-29 131776]

=============== Created Last 30 ================

2010-05-31 05:41:48 0 d-----w- c:\program files\Trend Micro

2010-05-31 05:39:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-31 03:19:22 0 d-----w- c:\program files\McAfee UnInstaller 6.5 Demo English

2010-05-16 01:40:15 0 d-sh--w- c:\documents and settings\pat\IETldCache

2010-05-16 01:19:23 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-16 01:19:23 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2010-05-16 01:19:23 0 dc-h--w- c:\windows\ie8

2010-05-16 00:50:35 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-16 00:32:29 0 d-----w- c:\windows\McAfee.com

2010-05-16 00:12:41 0 d-----w- c:\program files\ESET

2010-05-16 00:08:31 0 d-----w- c:\docume~1\pat\applic~1\QuickScan

2010-05-15 20:45:20 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-05-15 20:45:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-05-15 20:03:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-05-15 19:49:31 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-05-30 20:32:59 5438253 ----a-w- c:\windows\PUZZLES.DAT

2008-07-07 18:27:52 0 ----a-w- c:\program files\temp01

2004-06-26 02:45:23 0 --sh--r- c:\program files\q330994.exe

2004-01-25 03:15:07 102 ----a-w- c:\program files\cache.log

2002-09-18 19:47:22 1735350 ----a-r- c:\program files\Online Manual.pdf

2004-06-26 02:45:24 0 -csh--r- c:\windows\msxmidi.exe

2004-06-26 02:45:24 0 -csh--r- c:\windows\seksdialer.exe

2004-06-26 02:45:24 0 -csh--r- c:\windows\system\system.exe

2004-06-26 02:45:24 0 -csh--r- c:\windows\system\wmscrop.exe

2004-06-26 02:45:24 0 -csh--r- c:\windows\system32\d2kpax.dll

2004-06-26 02:45:24 0 -csh--r- c:\windows\system32\d2kpax.exe

2004-06-26 02:45:23 0 -csh--r- c:\windows\system32\jac.dll

2004-06-26 02:45:23 0 -csh--r- c:\windows\system32\msxslab.dll

============= FINISH: 9:02:14.30 ===============

And the GMER file

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-01 09:27:23

Windows 5.1.2600 Service Pack 2

Running: cqkkudrb.exe; Driver: C:\DOCUME~1\pat\LOCALS~1\Temp\pxtdqpoc.sys

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3844] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
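As an added example for both the HijackThis log in the first post and the DDS file listings in this one (it is not part of the thread, nor of HijackThis, DDS or Malwarebytes), here is a small Python triage script that parses the two formats and marks the entries a reviewer would look at first. The KNOWN_HOSTS allow-list is an assumption, and the last R0 line in the sample is constructed; the remaining sample lines are taken from the logs posted above.

```python
"""Triage helpers for the HijackThis and DDS log formats shown in this thread.

Illustrative code written for this page; not part of HijackThis, DDS or
Malwarebytes. Every flag means "a human should review this", never "malware".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# --- HijackThis: "<section> - <body>" -------------------------------------
HJT_LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumption: hosts an IE start/search page is expected to point at on a stock box.
KNOWN_HOSTS = ("microsoft.com", "msn.com", "live.com", "google.com")


@dataclass
class HjtEntry:
    section: str
    body: str
    clsid: Optional[str] = None
    target: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    m = HJT_LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    e = HjtEntry(section, body)
    c = CLSID_RE.search(body)
    e.clsid = c.group(0) if c else None
    if section in ("O2", "O9", "O16", "O23") and " - " in body:
        e.target = body.rsplit(" - ", 1)[1].strip()   # path, URL or "(no file)"
    elif section == "O4" and "] " in body:
        e.target = body.split("] ", 1)[1].strip()      # "[name] path"
    elif " = " in body:                                # R0/R1 and "Startup: x.lnk = ?"
        e.target = body.split(" = ", 1)[1].strip()
    return e


def triage_hjt(e: HjtEntry) -> HjtEntry:
    t = (e.target or "").lower()
    if t in ("(no file)", "?"):
        e.flags.append("unresolved-target")           # orphaned CLSID or shortcut
    if e.section == "O23" and "unknown owner" in e.body.lower():
        e.flags.append("service-owner-unknown")
    if e.section == "O16" and t.endswith(".exe"):
        e.flags.append("dpf-downloads-exe")           # DPF objects are normally .cab
    if e.section[0] == "R" and t.startswith("http"):
        host = urlparse(t).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in KNOWN_HOSTS):
            e.flags.append("start-or-search-url-unrecognised")
    return e


def triage_hjt_log(text: str) -> List[HjtEntry]:
    return [triage_hjt(e) for e in map(parse_hjt_line, text.splitlines()) if e]


# --- DDS "Created Last 30" / "Find3M": "<date> <time> <size> <attrs> <path>" --
DDS_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class DdsFile:
    size: int
    attrs: str
    path: str
    flags: List[str] = field(default_factory=list)


def parse_dds_file_line(line: str) -> Optional[DdsFile]:
    m = DDS_FILE_RE.match(line.strip())
    if not m:
        return None
    f = DdsFile(int(m["size"]), m["attrs"], m["path"])
    hidden_file = "h" in f.attrs and "d" not in f.attrs   # hidden bit, not a directory
    if hidden_file and f.size == 0 and f.path.lower().endswith(EXEC_EXT):
        # Zero-byte hidden executables under the Windows tree are typical leftovers
        # of an earlier infection or cleanup and are worth a second look.
        f.flags.append("zero-byte-hidden-executable")
    return f


def triage_dds_files(text: str) -> List[DdsFile]:
    return [f for f in map(parse_dds_file_line, text.splitlines()) if f]


def flagged(items):
    return [i for i in items if i.flags]


# Sample lines from the logs in this thread; the final R0 line is constructed.
SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - Startup: ChkDisk.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.hijack-example.test/
"""
SAMPLE_DDS = r"""
2010-05-31 05:41:48 0 d-----w- c:\program files\Trend Micro
2010-05-16 01:19:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2008-07-07 18:27:52 0 ----a-w- c:\program files\temp01
2004-06-26 02:45:23 0 --sh--r- c:\program files\q330994.exe
2004-06-26 02:45:24 0 -csh--r- c:\windows\seksdialer.exe
2004-06-26 02:45:23 0 -csh--r- c:\windows\system32\jac.dll
"""

if __name__ == "__main__":
    for e in flagged(triage_hjt_log(SAMPLE_HJT)):
        print(e.section, e.flags, e.target)
    for f in flagged(triage_dds_files(SAMPLE_DDS)):
        print(f.attrs, f.flags, f.path)
```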


Hi again,

If you want to try to uninstall McAfee, you may try Revo Uninstaller.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Thanks for the tip on Revo. I think I got McAfee removed.

New DDS log (attach.txt is zipped and attached):

DDS (Ver_10-03-17.01) - NTFSx86

Run by pat at 22:56:54.55 on Wed 06/02/2010

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.666 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\explorer.exe

C:\Documents and Settings\pat\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1273971104687

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37692.8155092593

DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab

DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5983/mcfscan.cab

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pat\applic~1\mozilla\firefox\profiles\buititz0.default\

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?linkid=677

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\pat\application data\mozilla\firefox\profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\pat\application data\mozilla\firefox\profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 385536]

R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [2002-9-21 10016]

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [2003-4-23 26752]

R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2003-4-23 40704]

S1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\dcxxmjpg.sys --> c:\windows\system32\drivers\DCxxMJPG.sys [?]

S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\drivers\lstone2k.sys --> c:\windows\system32\drivers\lstone2k.sys [?]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-24 34248]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-6-2 27064]

S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2008-3-29 131776]

=============== Created Last 30 ================

2010-06-03 02:44:09 0 d-sha-r- C:\cmdcons

2010-06-03 02:40:28 98816 ----a-w- c:\windows\sed.exe

2010-06-03 02:40:28 77312 ----a-w- c:\windows\MBR.exe

2010-06-03 02:40:28 256512 ----a-w- c:\windows\PEV.exe

2010-06-03 02:40:28 161792 ----a-w- c:\windows\SWREG.exe

2010-06-03 01:56:30 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-06-03 01:56:28 0 d-----w- c:\program files\VS Revo Group

2010-05-31 05:41:48 0 d-----w- c:\program files\Trend Micro

2010-05-16 01:40:15 0 d-sh--w- c:\documents and settings\pat\IETldCache

2010-05-16 01:19:23 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-16 01:19:23 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2010-05-16 01:19:23 0 dc-h--w- c:\windows\ie8

2010-05-16 00:50:35 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-16 00:32:29 0 d-----w- c:\windows\McAfee.com

2010-05-16 00:12:41 0 d-----w- c:\program files\ESET

2010-05-16 00:08:31 0 d-----w- c:\docume~1\pat\applic~1\QuickScan

2010-05-15 20:45:20 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-05-15 20:45:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-05-15 20:03:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-05-15 19:49:31 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-05-30 20:32:59 5438253 ----a-w- c:\windows\PUZZLES.DAT

2008-07-07 18:27:52 0 ----a-w- c:\program files\temp01

2004-06-26 02:45:23 0 --sh--r- c:\program files\q330994.exe

2004-01-25 03:15:07 102 ----a-w- c:\program files\cache.log

2002-09-18 19:47:22 1735350 ----a-r- c:\program files\Online Manual.pdf

2004-06-26 02:45:24 0 -csh--r- c:\windows\msxmidi.exe

2004-06-26 02:45:24 0 -csh--r- c:\windows\seksdialer.exe

2004-06-26 02:45:24 0 -csh--r- c:\windows\system\wmscrop.exe

2004-06-26 02:45:24 0 -csh--r- c:\windows\system32\d2kpax.dll

2004-06-26 02:45:24 0 -csh--r- c:\windows\system32\d2kpax.exe

2004-06-26 02:45:23 0 -csh--r- c:\windows\system32\jac.dll

2004-06-26 02:45:23 0 -csh--r- c:\windows\system32\msxslab.dll

============= FINISH: 22:57:04.35 ===============

Combofix log

ComboFix 10-06-02.02 - pat 06/02/2010 22:44:50.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.716 [GMT -4:00]

Running from: c:\documents and settings\pat\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Kids\Start Menu\Programs\Startup\ChkDisk.lnk

C:\m.exe

C:\P.EXE

C:\q.exe

c:\windows\desktop

c:\windows\patch.exe

c:\windows\system\system.exe

c:\windows\system32\42KJE738.ocx

c:\windows\system32\fonts

c:\windows\system32\fonts\ACADEMY_.PFB

c:\windows\system32\fonts\ACADEMY_.PFM

c:\windows\system32\fonts\ACADEMY_.TTF

.

((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))

.

2010-06-03 01:58 . 2010-06-03 01:58 -------- d-----w- c:\documents and settings\pat\Local Settings\Application Data\VS Revo Group

2010-06-03 01:56 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-06-03 01:56 . 2010-06-03 01:56 -------- d-----w- c:\program files\VS Revo Group

2010-05-31 05:41 . 2010-05-31 05:41 -------- d-----w- c:\program files\Trend Micro

2010-05-30 23:53 . 2010-05-18 21:21 702120 ----a-w- c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

2010-05-30 23:53 . 2010-05-18 21:21 868456 ----a-w- c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

2010-05-30 22:54 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

2010-05-30 22:47 . 2010-05-31 01:31 -------- d-----w- c:\program files\Windows Live Safety Center

2010-05-30 22:45 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Kids\Application Data\Mozilla\Firefox\Profiles\91si3sjs.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

2010-05-30 22:41 . 2010-05-30 22:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-05-16 20:48 . 2010-05-16 20:48 -------- d-sh--w- c:\documents and settings\Kids\IETldCache

2010-05-16 01:40 . 2010-05-16 01:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-16 01:40 . 2010-05-16 01:40 -------- d-sh--w- c:\documents and settings\pat\IETldCache

2010-05-16 01:19 . 2010-05-16 01:21 -------- dc-h--w- c:\windows\ie8

2010-05-16 01:19 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-16 01:19 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2010-05-16 00:50 . 2010-05-16 00:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-16 00:32 . 2010-05-16 00:32 -------- d-----w- c:\windows\McAfee.com

2010-05-16 00:12 . 2010-05-16 00:12 -------- d-----w- c:\program files\ESET

2010-05-16 00:08 . 2010-05-31 00:47 -------- d-----w- c:\documents and settings\pat\Application Data\QuickScan

2010-05-15 20:45 . 2010-05-31 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-15 20:45 . 2010-05-15 20:50 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-15 20:03 . 2010-05-30 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-15 19:49 . 2010-05-15 19:49 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-03 02:31 . 2002-09-26 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime

2010-05-31 13:51 . 2009-05-30 22:57 -------- d-----w- c:\program files\CCleaner

2010-05-31 05:36 . 2009-04-25 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\pilopume

2010-05-31 05:36 . 2009-04-26 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\rajadeda

2010-05-31 05:36 . 2009-04-27 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\royukise

2010-05-31 05:36 . 2009-04-22 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\rukabipe

2010-05-31 05:36 . 2009-04-17 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\sowulafo

2010-05-31 05:36 . 2009-04-26 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\viwamofe

2010-05-31 05:36 . 2009-04-26 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\wemekuro

2010-05-31 05:36 . 2009-04-23 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\wivawira

2010-05-31 05:36 . 2009-04-17 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\wohajulo

2010-05-31 05:36 . 2009-04-27 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\yenifobo

2010-05-31 05:36 . 2009-04-22 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\zizavamu

2010-05-30 20:32 . 2009-05-29 22:00 5438253 ----a-w- c:\windows\PUZZLES.DAT

2010-05-15 20:03 . 2009-04-18 03:29 -------- d-----w- c:\program files\Alwil Software

2010-05-15 19:48 . 2010-04-29 14:04 -------- d-----w- c:\program files\MyLifeStory_at

2010-05-15 19:48 . 2010-04-29 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Fashion Solitaire 1.2

2010-05-01 16:45 . 2010-05-01 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache

2010-04-29 23:54 . 2010-04-29 23:54 -------- d-----w- c:\documents and settings\Kids\Application Data\RenPy

2010-04-29 20:16 . 2007-08-17 20:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2008-07-07 18:27 . 2008-07-07 18:27 0 ----a-w- c:\program files\temp01

2004-06-26 02:45 . 2004-06-26 02:45 0 --sh--r- c:\program files\q330994.exe

2004-01-25 03:15 . 2003-08-18 23:14 102 ----a-w- c:\program files\cache.log

2002-09-18 19:47 . 2003-08-18 23:08 1735350 ----a-r- c:\program files\Online Manual.pdf

2004-06-26 02:45 . 2004-06-26 02:45 0 -csh--r- c:\windows\msxmidi.exe

2004-06-26 02:45 . 2004-06-26 02:45 0 -csh--r- c:\windows\seksdialer.exe

2004-06-26 02:45 . 2004-06-26 02:45 0 -csh--r- c:\windows\system\wmscrop.exe

2004-06-26 02:45 . 2004-06-26 02:45 0 -csh--r- c:\windows\system32\d2kpax.dll

2004-06-26 02:45 . 2004-06-26 02:45 0 -csh--r- c:\windows\system32\d2kpax.exe

2004-06-26 02:45 . 2004-06-26 02:45 0 -csh--r- c:\windows\system32\jac.dll

2004-06-26 02:45 . 2004-06-26 02:45 0 -csh--r- c:\windows\system32\msxslab.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-01 315392]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk

backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [9/21/2002 2:44 PM 10016]

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [4/23/2003 10:25 PM 26752]

R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [4/23/2003 10:25 PM 40704]

S1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\DCxxMJPG.sys --> c:\windows\system32\drivers\DCxxMJPG.sys [?]

S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\DRIVERS\lstone2k.sys --> c:\windows\system32\DRIVERS\lstone2k.sys [?]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [6/2/2010 9:56 PM 27064]

S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [3/29/2008 3:40 PM 131776]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?linkid=677

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{C4F5EC43-D494-47E4-8E35-440B49E25FD5} - (no file)

ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)

SafeBoot-MCODS

MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe

AddRemove-Scooby-Doo, Showdown in Ghost Town - c:\program files\The Learning Company\Scooby-Doo

AddRemove-USB 2.0 Setup program - c:\program files\VIA Technologies

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-02 22:49

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(476)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-06-02 22:51:04

ComboFix-quarantined-files.txt 2010-06-03 02:51

Pre-Run: 36,946,108,416 bytes free

Post-Run: 37,007,777,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - C5A86CDAEF7EF621BC7B1E618511A3BA

I really appreciate your time on this.

attach.zip


Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=52339
Collect::
c:\program files\q330994.exe
c:\windows\msxmidi.exe
c:\windows\seksdialer.exe
c:\windows\system\wmscrop.exe
c:\windows\system32\d2kpax.dll
c:\windows\system32\d2kpax.exe
c:\windows\system32\jac.dll
c:\windows\system32\msxslab.dll
Driver::
mfehidk
mcmscsvc
mferkdk
DDS::
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Trusted Zone: internet
Folder::
c:\documents and settings\All Users\Application Data\pilopume
c:\documents and settings\All Users\Application Data\rajadeda
c:\documents and settings\All Users\Application Data\royukise
c:\documents and settings\All Users\Application Data\rukabipe
c:\documents and settings\All Users\Application Data\sowulafo
c:\documents and settings\All Users\Application Data\viwamofe
c:\documents and settings\All Users\Application Data\wemekuro
c:\documents and settings\All Users\Application Data\wivawira
c:\documents and settings\All Users\Application Data\wohajulo
c:\documents and settings\All Users\Application Data\yenifobo
c:\documents and settings\All Users\Application Data\zizavamu
c:\windows\McAfee.com

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

Uninstall old Adobe Reader versions and get the latest one (both 9.3 and update 9.3.2) here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck the Carbonite online backup trial if it's offered there.

Download ATF (Atribune Temp File) Cleaner


I ran the combofix with the script as you directed. The log is below.

I keep getting the message "the windows installer could not be accessed" when trying to install Java. I uninstalled the old versions but now cannot get the current version installed. It looks like without Java, Kaspersky won't run. Did I mess up?

combofix log

ComboFix 10-06-02.04 - pat 06/03/2010 15:17:52.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.746 [GMT -4:00]

Running from: c:\documents and settings\pat\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\pat\Desktop\cfscript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\All Users\Application Data\pilopume

c:\documents and settings\All Users\Application Data\rajadeda

c:\documents and settings\All Users\Application Data\rajadeda\adedajar.ini

c:\documents and settings\All Users\Application Data\royukise

c:\documents and settings\All Users\Application Data\rukabipe

c:\documents and settings\All Users\Application Data\sowulafo

c:\documents and settings\All Users\Application Data\viwamofe

c:\documents and settings\All Users\Application Data\wemekuro

c:\documents and settings\All Users\Application Data\wivawira

c:\documents and settings\All Users\Application Data\wohajulo

c:\documents and settings\All Users\Application Data\yenifobo

c:\documents and settings\All Users\Application Data\yenifobo\obofiney.ini

c:\documents and settings\All Users\Application Data\zizavamu

c:\program files\q330994.exe

c:\windows\McAfee.com

c:\windows\McAfee.com\FreeScan\avvclean.dat

c:\windows\McAfee.com\FreeScan\avvnames.dat

c:\windows\McAfee.com\FreeScan\avvscan.dat

c:\windows\McAfee.com\FreeScan\config.dat

c:\windows\McAfee.com\FreeScan\mcfscan.dll

c:\windows\McAfee.com\FreeScan\mcscan32.dll

c:\windows\McAfee.com\FreeScan\signlic.txt

c:\windows\msxmidi.exe

c:\windows\seksdialer.exe

c:\windows\system\wmscrop.exe

c:\windows\system32\d2kpax.dll

c:\windows\system32\d2kpax.exe

c:\windows\system32\jac.dll

c:\windows\system32\msxslab.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MCMSCSVC

-------\Legacy_MFEHIDK

-------\Legacy_MFERKDK

-------\Service_mcmscsvc

-------\Service_mfehidk

-------\Service_mferkdk

((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))

.

2010-06-03 01:58 . 2010-06-03 01:58 -------- d-----w- c:\documents and settings\pat\Local Settings\Application Data\VS Revo Group

2010-06-03 01:56 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-06-03 01:56 . 2010-06-03 01:56 -------- d-----w- c:\program files\VS Revo Group

2010-05-31 05:41 . 2010-05-31 05:41 -------- d-----w- c:\program files\Trend Micro

2010-05-30 23:53 . 2010-05-18 21:21 702120 ----a-w- c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

2010-05-30 23:53 . 2010-05-18 21:21 868456 ----a-w- c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

2010-05-30 22:54 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

2010-05-30 22:47 . 2010-05-31 01:31 -------- d-----w- c:\program files\Windows Live Safety Center

2010-05-30 22:45 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Kids\Application Data\Mozilla\Firefox\Profiles\91si3sjs.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

2010-05-30 22:41 . 2010-05-30 22:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-05-16 20:48 . 2010-05-16 20:48 -------- d-sh--w- c:\documents and settings\Kids\IETldCache

2010-05-16 01:40 . 2010-05-16 01:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-16 01:40 . 2010-05-16 01:40 -------- d-sh--w- c:\documents and settings\pat\IETldCache

2010-05-16 01:19 . 2010-05-16 01:21 -------- dc-h--w- c:\windows\ie8

2010-05-16 01:19 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-16 01:19 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2010-05-16 00:50 . 2010-05-16 00:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-16 00:12 . 2010-05-16 00:12 -------- d-----w- c:\program files\ESET

2010-05-16 00:08 . 2010-05-31 00:47 -------- d-----w- c:\documents and settings\pat\Application Data\QuickScan

2010-05-15 20:45 . 2010-05-31 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-15 20:45 . 2010-05-15 20:50 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-15 20:03 . 2010-05-30 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-15 19:49 . 2010-05-15 19:49 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-03 02:31 . 2002-09-26 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime

2010-05-31 13:51 . 2009-05-30 22:57 -------- d-----w- c:\program files\CCleaner

2010-05-30 20:32 . 2009-05-29 22:00 5438253 ----a-w- c:\windows\PUZZLES.DAT

2010-05-15 20:03 . 2009-04-18 03:29 -------- d-----w- c:\program files\Alwil Software

2010-05-15 19:48 . 2010-04-29 14:04 -------- d-----w- c:\program files\MyLifeStory_at

2010-05-15 19:48 . 2010-04-29 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Fashion Solitaire 1.2

2010-05-01 16:45 . 2010-05-01 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache

2010-04-29 23:54 . 2010-04-29 23:54 -------- d-----w- c:\documents and settings\Kids\Application Data\RenPy

2010-04-29 20:16 . 2007-08-17 20:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2008-07-07 18:27 . 2008-07-07 18:27 0 ----a-w- c:\program files\temp01

2004-01-25 03:15 . 2003-08-18 23:14 102 ----a-w- c:\program files\cache.log

2002-09-18 19:47 . 2003-08-18 23:08 1735350 ----a-r- c:\program files\Online Manual.pdf

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-01 315392]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk

backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [9/21/2002 2:44 PM 10016]

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [4/23/2003 10:25 PM 26752]

R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [4/23/2003 10:25 PM 40704]

S1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\DCxxMJPG.sys --> c:\windows\system32\drivers\DCxxMJPG.sys [?]

S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\DRIVERS\lstone2k.sys --> c:\windows\system32\DRIVERS\lstone2k.sys [?]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [6/2/2010 9:56 PM 27064]

S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [3/29/2008 3:40 PM 131776]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?linkid=677

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-03 15:24

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1052)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-03 15:26:15

ComboFix-quarantined-files.txt 2010-06-03 19:26

ComboFix2.txt 2010-06-03 02:51

Pre-Run: 36,940,943,360 bytes free

Post-Run: 36,906,799,104 bytes free

- - End Of File - - 9B40DF739EF41E58649249E17E296E27


I should have also said that I stopped because I was trying to do everything in the sequence you offered. Kaspersky didn't run so I didn't re-run DDS.


Hi,

Please look for a [4]-Submit zip file in the c:\qoobox\quarantine folder. Upload it to this website if found. Kindly include a link to this topic.

Did you try to run Kaspersky after the reboot? If not, please see if the Windows Installer issue still shows up after that.


The reboot didn't help with the installer issue. So, no java, no Kaspersky.

I uploaded the file as directed to the bleepingcomputer page.

Thanks for your patience with me.


Hi,

1. Download the Dial-a-Fix archive file here.

2. Extract the contents to a suitable place (e.g. your desktop) and navigate to that location.

3. Double-click the Dial-a-Fix.exe file to run the program.

4. Check the Fix Windows Installer checkbox. It's possible that the program checks some other options automatically after that. Leave those untouched and click the GO button.

When the tool has finished, reboot and see if the installer works any better.


It looks like that fixed my installer issues. I have the most recent Java environment installed. Unfortunately, Kaspersky keeps giving me errors for having an interrupted internet connection. I'm running wired to the router and other computers aren't having any problems.


Glad to hear the installer issue got resolved. Let's replace the Kaspersky scan with the ESET solution.

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Copy and paste the report as a reply to this topic, along with a new dds log & a description of any remaining problems


Thank you so much for all of this - when we started, IE wouldn't launch at all and I had lost install privileges from my admin account. Now, both of those problems are solved and I can see light at the end of the tunnel.

Here's the ESET log.

C:\Documents and Settings\All Users\Application Data\dawutiyu\uyituwad.ini Win32/Adware.Virtumonde.NEO application

C:\Documents and Settings\All Users\Application Data\delobevu\uveboled.ini Win32/Adware.Virtumonde.NEO application

C:\Documents and Settings\All Users\Application Data\fefofari\irafofef.ini Win32/Adware.Virtumonde.NEO application

C:\Documents and Settings\All Users\Application Data\foyanuhi\ihunayof.ini Win32/Adware.Virtumonde.NEO application

C:\Documents and Settings\All Users\Application Data\jijuwimu\umiwujij.ini Win32/Adware.Virtumonde.NEO application

C:\Documents and Settings\All Users\Application Data\lizasaja\ajasazil.ini Win32/Adware.Virtumonde.NEO application

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn12.zip Win32/Bagle.gen.zip worm

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn19.zip Win32/Bagle.gen.zip worm

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn7.zip Win32/Bagle.gen.zip worm

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn8.zip Win32/Bagle.gen.zip worm

C:\Documents and Settings\All Users\Application Data\tulokowi\iwokolut.ini Win32/Adware.Virtumonde.NEO application

C:\Program Files\MSN Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\rajadeda\adedajar.ini.vir Win32/Adware.Virtumonde.NEO application

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\yenifobo\obofiney.ini.vir Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{2D0C8399-2C55-4287-8994-1C69C27C28EF}\RP2277\A0249036.exe a variant of Win32/Kryptik.EJQ trojan

C:\System Volume Information\_restore{2D0C8399-2C55-4287-8994-1C69C27C28EF}\RP2279\A0249403.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{2D0C8399-2C55-4287-8994-1C69C27C28EF}\RP2279\A0249410.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{2D0C8399-2C55-4287-8994-1C69C27C28EF}\RP2289\A0250119.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{2D0C8399-2C55-4287-8994-1C69C27C28EF}\RP2304\A0252907.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{2D0C8399-2C55-4287-8994-1C69C27C28EF}\RP2304\A0252908.ini Win32/Adware.Virtumonde.NEO application


Hi,

Please use the t_reply.gif button when you reply, so as not to quote the whole previous post :)

Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn19.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn8.zip
C:\Program Files\MSN Messenger\msimg32.dll
Folder::
C:\Documents and Settings\All Users\Application Data\tulokowi
C:\Documents and Settings\All Users\Application Data\dawutiyu
C:\Documents and Settings\All Users\Application Data\delobevu
C:\Documents and Settings\All Users\Application Data\fefofari
C:\Documents and Settings\All Users\Application Data\foyanuhi
C:\Documents and Settings\All Users\Application Data\jijuwimu
C:\Documents and Settings\All Users\Application Data\lizasaja

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript onto ComboFix.exe.

Then post the resulting log plus a fresh dds.txt log and a description of any remaining problems.

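The helper's post above turns the ESET report into a CFScript by hand: detections under ComboFix's own quarantine (C:\Qoobox) and inside System Restore snapshots (System Volume Information) are left out, files that belong to real programs go under File::, and the randomly named adware directories go under Folder:: so the whole directory is removed. The Python below is an added example, not code from this thread, from ComboFix or from ESET, that performs the same triage on a report. The File:: and Folder:: directives are the ones the post uses; the rule that a file whose parent is an eight-lowercase-letter directory directly under Application Data marks an adware-created folder is my assumption, chosen to match the Virtumonde folders seen here. The sample report is a subset of the ESET lines posted above.

```python
"""Turn an ESET Online Scanner report into a ComboFix CFScript.

Added example, not code from the forum thread, ComboFix or ESET. It mirrors
the manual triage in the helper's post: drop quarantined and restore-point
entries, put single files under File:: and adware-created directories under
Folder::. The "eight lowercase letters under Application Data" rule is an
assumption that fits this thread's Virtumonde folders, not an ESET/ComboFix rule.
"""
import re
from pathlib import PureWindowsPath

# One ESET report line: <path> [a variant of ]<Platform/Name> <category>.
# Windows paths never contain '/', so the first "Foo/Bar" token after
# whitespace reliably marks where the threat name starts.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>(?:a variant of )?[A-Za-z0-9]+/\S+)\s+(?P<category>\w+)$"
)

# Locations a CFScript should not be pointed at: ComboFix's own quarantine
# and System Restore snapshots (those are dealt with after the cleanup).
SKIP_MARKERS = ("\\qoobox\\quarantine\\", "\\system volume information\\")

# Assumption: parent directory named with eight lowercase letters, sitting
# directly under ...\Application Data, was created by the adware itself.
RANDOM_DIR_RE = re.compile(r"^[a-z]{8}$")

# Constructed sample: a subset of the ESET report lines from this thread.
SAMPLE_REPORT = [
    r"C:\Documents and Settings\All Users\Application Data\dawutiyu\uyituwad.ini Win32/Adware.Virtumonde.NEO application",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn12.zip Win32/Bagle.gen.zip worm",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn7.zip Win32/Bagle.gen.zip worm",
    r"C:\Documents and Settings\All Users\Application Data\tulokowi\iwokolut.ini Win32/Adware.Virtumonde.NEO application",
    r"C:\Program Files\MSN Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application",
    r"C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\rajadeda\adedajar.ini.vir Win32/Adware.Virtumonde.NEO application",
    r"C:\System Volume Information\_restore{2D0C8399-2C55-4287-8994-1C69C27C28EF}\RP2277\A0249036.exe a variant of Win32/Kryptik.EJQ trojan",
    r"C:\System Volume Information\_restore{2D0C8399-2C55-4287-8994-1C69C27C28EF}\RP2279\A0249403.ini Win32/Adware.Virtumonde.NEO application",
]


def parse_eset_line(line):
    """Return (path, threat, category), or None if the line is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("threat"), m.group("category")


def classify(path):
    """Return ('skip', None), ('folder', parent_dir) or ('file', path)."""
    lowered = path.lower()
    if any(marker in lowered for marker in SKIP_MARKERS):
        return "skip", None
    parent = PureWindowsPath(path).parent
    if RANDOM_DIR_RE.match(parent.name) and parent.parent.name.lower() == "application data":
        return "folder", str(parent)
    return "file", path


def build_cfscript(report_lines):
    """Build the File::/Folder:: script text. Returns (script_text, skipped_paths)."""
    files, folders, skipped = [], [], []
    for line in report_lines:
        parsed = parse_eset_line(line)
        if parsed is None:
            continue  # blank line, header, or anything that is not a detection
        path, _threat, _category = parsed
        kind, target = classify(path)
        if kind == "skip":
            skipped.append(path)
        elif kind == "folder":
            if target not in folders:  # one Folder:: line per directory
                folders.append(target)
        else:
            files.append(path)
    out = []
    if files:
        out.append("File::")
        out.extend(files)
    if folders:
        out.append("Folder::")
        out.extend(folders)
    return "\n".join(out) + "\n", skipped


if __name__ == "__main__":
    script, skipped = build_cfscript(SAMPLE_REPORT)
    print(script)
    print("# not scripted (quarantine / restore points):")
    for p in skipped:
        print("#   " + p)
```

Running the file prints the script for the sample; Folder:: entries come out in order of first appearance in the report rather than the order the helper chose, and the skipped quarantine and restore-point paths are returned separately so they are reviewed rather than silently dropped.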

Sorry 'bout the quoting - I hope you weren't pulling your hair out every time I did that! :)

Here's the combofix log

ComboFix 10-06-07.03 - pat 06/07/2010 16:54:47.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.559 [GMT -4:00]

Running from: c:\documents and settings\pat\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\pat\Desktop\cfscript.txt

FILE ::

"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn12.zip"

"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn19.zip"

"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn7.zip"

"c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn8.zip"

"c:\program files\MSN Messenger\msimg32.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\dawutiyu

c:\documents and settings\All Users\Application Data\dawutiyu\uyituwad.ini

c:\documents and settings\All Users\Application Data\delobevu

c:\documents and settings\All Users\Application Data\delobevu\uveboled.ini

c:\documents and settings\All Users\Application Data\fefofari

c:\documents and settings\All Users\Application Data\fefofari\irafofef.ini

c:\documents and settings\All Users\Application Data\foyanuhi

c:\documents and settings\All Users\Application Data\foyanuhi\ihunayof.ini

c:\documents and settings\All Users\Application Data\jijuwimu

c:\documents and settings\All Users\Application Data\jijuwimu\umiwujij.ini

c:\documents and settings\All Users\Application Data\lizasaja

c:\documents and settings\All Users\Application Data\lizasaja\ajasazil.ini

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn12.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn19.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn7.zip

c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn8.zip

c:\documents and settings\All Users\Application Data\tulokowi

c:\documents and settings\All Users\Application Data\tulokowi\iwokolut.ini

c:\program files\MSN Messenger\msimg32.dll

.

((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))

.

2010-06-06 17:25 . 2010-06-06 17:25 503808 ----a-w- c:\documents and settings\pat\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-39d56ae9-n\msvcp71.dll

2010-06-06 17:25 . 2010-06-06 17:25 499712 ----a-w- c:\documents and settings\pat\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-39d56ae9-n\jmc.dll

2010-06-06 17:25 . 2010-06-06 17:25 348160 ----a-w- c:\documents and settings\pat\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-39d56ae9-n\msvcr71.dll

2010-06-06 17:25 . 2010-06-06 17:25 61440 ----a-w- c:\documents and settings\pat\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-603426ce-n\decora-sse.dll

2010-06-06 17:25 . 2010-06-06 17:25 12800 ----a-w- c:\documents and settings\pat\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-603426ce-n\decora-d3d.dll

2010-06-06 17:25 . 2010-06-06 17:25 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-06 17:24 . 2010-06-07 20:54 -------- d-----w- c:\windows\system32\CatRoot2

2010-06-06 17:11 . 2010-06-07 03:35 -------- d-----w- c:\windows\system32\NtmsData

2010-06-04 17:26 . 2010-06-04 17:26 -------- d-----w- c:\documents and settings\Kids\Local Settings\Application Data\VS Revo Group

2010-06-03 01:58 . 2010-06-03 01:58 -------- d-----w- c:\documents and settings\pat\Local Settings\Application Data\VS Revo Group

2010-06-03 01:56 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-06-03 01:56 . 2010-06-03 01:56 -------- d-----w- c:\program files\VS Revo Group

2010-05-31 05:41 . 2010-05-31 05:41 -------- d-----w- c:\program files\Trend Micro

2010-05-30 23:53 . 2010-05-18 21:21 702120 ----a-w- c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

2010-05-30 23:53 . 2010-05-18 21:21 868456 ----a-w- c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

2010-05-30 22:54 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

2010-05-30 22:47 . 2010-05-31 01:31 -------- d-----w- c:\program files\Windows Live Safety Center

2010-05-30 22:45 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Kids\Application Data\Mozilla\Firefox\Profiles\91si3sjs.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll

2010-05-30 22:41 . 2010-05-30 22:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-05-16 20:48 . 2010-05-16 20:48 -------- d-sh--w- c:\documents and settings\Kids\IETldCache

2010-05-16 01:40 . 2010-05-16 01:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-16 01:40 . 2010-05-16 01:40 -------- d-sh--w- c:\documents and settings\pat\IETldCache

2010-05-16 01:19 . 2010-05-16 01:21 -------- dc-h--w- c:\windows\ie8

2010-05-16 01:19 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-16 01:19 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2010-05-16 00:50 . 2010-05-16 00:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-16 00:12 . 2010-05-16 00:12 -------- d-----w- c:\program files\ESET

2010-05-16 00:08 . 2010-06-06 18:03 -------- d-----w- c:\documents and settings\pat\Application Data\QuickScan

2010-05-15 20:45 . 2010-05-31 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-15 20:45 . 2010-05-15 20:50 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-15 20:03 . 2010-05-30 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-15 19:49 . 2010-05-15 19:49 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-07 20:58 . 2007-09-01 15:41 -------- d-----w- c:\program files\MSN Messenger

2010-06-06 17:25 . 2006-03-19 03:58 -------- d-----w- c:\program files\Common Files\Java

2010-06-06 17:25 . 2006-03-19 03:59 -------- d-----w- c:\program files\Java

2010-06-03 02:31 . 2002-09-26 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime

2010-05-31 13:51 . 2009-05-30 22:57 -------- d-----w- c:\program files\CCleaner

2010-05-30 20:32 . 2009-05-29 22:00 5438253 ----a-w- c:\windows\PUZZLES.DAT

2010-05-15 20:03 . 2009-04-18 03:29 -------- d-----w- c:\program files\Alwil Software

2010-05-15 19:48 . 2010-04-29 14:04 -------- d-----w- c:\program files\MyLifeStory_at

2010-05-15 19:48 . 2010-04-29 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Fashion Solitaire 1.2

2010-05-01 16:45 . 2010-05-01 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache

2010-04-29 23:54 . 2010-04-29 23:54 -------- d-----w- c:\documents and settings\Kids\Application Data\RenPy

2010-04-29 20:16 . 2007-08-17 20:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2008-07-07 18:27 . 2008-07-07 18:27 0 ----a-w- c:\program files\temp01

2004-01-25 03:15 . 2003-08-18 23:14 102 ----a-w- c:\program files\cache.log

2002-09-18 19:47 . 2003-08-18 23:08 1735350 ----a-r- c:\program files\Online Manual.pdf

.

((((((((((((((((((((((((((((( SnapShot@2010-06-03_02.49.02 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-07 04:24 . 2010-06-07 04:24 16384 c:\windows\temp\Perflib_Perfdata_510.dat

+ 2010-06-07 13:45 . 2010-06-07 13:45 85019 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe

+ 2010-01-27 00:58 . 2010-01-27 00:58 256280 c:\windows\system32\Macromed\Flash\FlashUtil10e.exe

+ 2010-06-06 17:25 . 2010-06-06 17:25 153376 c:\windows\system32\javaws.exe

+ 2010-06-06 17:25 . 2010-06-06 17:25 145184 c:\windows\system32\javaw.exe

+ 2010-06-06 17:25 . 2010-06-06 17:25 145184 c:\windows\system32\java.exe

- 2002-09-04 12:00 . 2009-04-16 07:06 118152 c:\windows\system32\FNTCACHE.DAT

+ 2002-09-04 12:00 . 2010-06-06 17:11 118152 c:\windows\system32\FNTCACHE.DAT

+ 2010-06-06 17:25 . 2010-06-06 17:25 180224 c:\windows\Installer\cb849.msi

+ 2010-06-06 17:25 . 2010-06-06 17:25 577536 c:\windows\Installer\cb844.msi

+ 2010-01-26 20:59 . 2010-01-26 20:59 1955384 c:\windows\Downloaded Program Files\CONFLICT.5\FP_AX_CAB_INSTALLER.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-01 315392]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk

backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [9/21/2002 2:44 PM 10016]

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [4/23/2003 10:25 PM 26752]

R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [4/23/2003 10:25 PM 40704]

S1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\DCxxMJPG.sys --> c:\windows\system32\drivers\DCxxMJPG.sys [?]

S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\DRIVERS\lstone2k.sys --> c:\windows\system32\DRIVERS\lstone2k.sys [?]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [6/2/2010 9:56 PM 27064]

S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [3/29/2008 3:40 PM 131776]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?linkid=677

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\pat\Application Data\Mozilla\Firefox\Profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-07 16:59

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-06-07 17:01:09

ComboFix-quarantined-files.txt 2010-06-07 21:00

ComboFix2.txt 2010-06-03 19:26

ComboFix3.txt 2010-06-03 02:51

Pre-Run: 37,233,332,224 bytes free

Post-Run: 37,194,686,464 bytes free

- - End Of File - - AB34B30E5E8B1DAA99571CD58BF5A599

and the dds log

DDS (Ver_10-03-17.01) - NTFSx86

Run by pat at 17:14:42.90 on Mon 06/07/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.689 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\System32\svchost.exe -k NetworkService

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\pat\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1273971104687

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37692.8155092593

DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab

DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5983/mcfscan.cab

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pat\applic~1\mozilla\firefox\profiles\buititz0.default\

FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?linkid=677

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\pat\application data\mozilla\firefox\profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\documents and settings\pat\application data\mozilla\firefox\profiles\buititz0.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [2002-9-21 10016]

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\drivers\ousbehci.sys [2003-4-23 26752]

R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2003-4-23 40704]

S1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;c:\windows\system32\drivers\dcxxmjpg.sys --> c:\windows\system32\drivers\DCxxMJPG.sys [?]

S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\system32\drivers\lstone2k.sys --> c:\windows\system32\drivers\lstone2k.sys [?]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-6-2 27064]

S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2008-3-29 131776]

=============== Created Last 30 ================

2010-06-06 17:25:25 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-06 17:24:03 0 d-----w- c:\windows\system32\CatRoot2

2010-06-06 17:11:36 0 d-----w- c:\windows\system32\NtmsData

2010-06-06 16:52:31 10493952 ----a-w- c:\windows\sectest.db

2010-06-03 02:44:09 0 d-sha-r- C:\cmdcons

2010-06-03 02:40:28 98816 ----a-w- c:\windows\sed.exe

2010-06-03 02:40:28 77312 ----a-w- c:\windows\MBR.exe

2010-06-03 02:40:28 256512 ----a-w- c:\windows\PEV.exe

2010-06-03 02:40:28 161792 ----a-w- c:\windows\SWREG.exe

2010-06-03 01:56:30 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-06-03 01:56:28 0 d-----w- c:\program files\VS Revo Group

2010-05-31 05:41:48 0 d-----w- c:\program files\Trend Micro

2010-05-16 01:40:15 0 d-sh--w- c:\documents and settings\pat\IETldCache

2010-05-16 01:19:23 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-16 01:19:23 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2010-05-16 01:19:23 0 dc-h--w- c:\windows\ie8

2010-05-16 00:50:35 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-05-16 00:12:41 0 d-----w- c:\program files\ESET

2010-05-16 00:08:31 0 d-----w- c:\docume~1\pat\applic~1\QuickScan

2010-05-15 20:45:20 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-05-15 20:45:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-05-15 20:03:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-05-15 19:49:31 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-05-30 20:32:59 5438253 ----a-w- c:\windows\PUZZLES.DAT

2008-07-07 18:27:52 0 ----a-w- c:\program files\temp01

2004-01-25 03:15:07 102 ----a-w- c:\program files\cache.log

2002-09-18 19:47:22 1735350 ----a-r- c:\program files\Online Manual.pdf

============= FINISH: 17:15:08.63 ===============

The attach.txt file is zipped and attached.

The computer seems to be working normally.

attach.zip

Sorry 'bout the quoting - I hope you weren't pulling your hair out every time I did that!
Wasn't that big a problem :)

Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

NOTE: only do this ONCE, NOT on a regular basis

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK

Please download OTC and save it to desktop.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!

    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here.

    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. Hit enter, then locate DNS Client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click OK

  • Run Secunia vulnerability check here and fix its findings.

  • Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:

    Antivir

    Avast!

    Good commercial ones are from:

    Kaspersky and

    ESET

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.

    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: during installation uncheck "Install Comodo HopSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and install the firewall ONLY!). Both providers have support forums that help with configuration related questions.

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,

Blade :)

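The six Internet-zone settings Blade walks through by hand above can also be audited (and, with -Apply, set) from the registry. This is an added example, not part of the original post or of any tool mentioned in it; it assumes the standard Internet Explorer zone layout (the Internet zone is Zones\3 under HKCU, the numeric value names are IE's URL action IDs, and 0/1/3 mean Enable/Prompt/Disable).

```powershell
# Added example (not from the forum post): report which of the recommended
# Internet-zone settings differ from the values given in the steps above,
# and apply them only when -Apply is passed. Run as the user whose IE
# settings you want to check; the zone lives under HKCU.
param([switch]$Apply)

# Zone 3 = Internet zone (assumed standard IE layout)
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting name as shown in the Custom Level dialog, its URL action ID,
# and the value recommended in the post (0 = Enable, 1 = Prompt, 3 = Disable)
$Recommended = @(
    @{ Name = 'Download signed ActiveX controls';                          Key = '1001'; Want = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Key = '1004'; Want = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Key = '1201'; Want = 3 },
    @{ Name = 'Installation of desktop items';                             Key = '1800'; Want = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Key = '1804'; Want = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Key = '1607'; Want = 1 }
)

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting([string]$Key) {
    # Returns the current DWORD, or $null when the value is absent
    # (IE then falls back to the zone template default, so treat it as "not set")
    $item = Get-ItemProperty -Path $ZonePath -Name $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Key
}

foreach ($s in $Recommended) {
    $current = Get-ZoneSetting $s.Key
    $currentLabel = if ($null -eq $current) { 'not set' } else { $Labels[$current] }
    $ok = ($current -eq $s.Want)
    $status = if ($ok) { 'OK ' } else { 'FIX' }
    Write-Output ('{0} {1,-62} current={2,-8} recommended={3}' -f $status, $s.Name, $currentLabel, $Labels[$s.Want])
    if (-not $ok -and $Apply) {
        # Write the recommended value; IE picks it up on its next start
        Set-ItemProperty -Path $ZonePath -Name $s.Key -Value $s.Want -Type DWord
    }
}
```

Without -Apply the script only reports, which is the useful mode for confirming that the Custom Level changes actually took effect (or were not silently reverted) after the cleanup.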