AV Security Suite infection...Mb does not completely remove



Hi,

As with others here I am infected with that STUPID AV Security Suite. Despite the assurance in the instructions elsewhere in this forum that Malwarebytes will completely remove this threat, I find that I am still infected. Malwarebytes in complete scan found 4 registry infections but no program files to delete.

After doing research on the Internet I was able to figure out how to access the Internet again and I believe that I located at least one file that was responsible for the threat. I renamed the file and shredded it. Now AV Security Suite no longer comes up but I know I am still infected because I can't run Windows Update. Also my Norton keeps popping up with blocked attacks that I never saw before all this started two days ago. I think it must be registry infections.

I am afraid to do anything that requires me to type a password because I am afraid it will be stolen.

Looking at other posts in this forum I saw the direction to download DDS and run it and post the results so I did the same. I also downloaded ComboFix but have not run it yet because it says not to unless directed to. Here are my DDS results.

Thanks,

Harold

----------------------------------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by Harold Cogle at 23:04:58.06 on Thu 06/17/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1339 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\LG DVD Writer\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files\LG DVD Writer\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Cyberlink\Shared files\RichVideo.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Harold Cogle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/index.html

uInternet Settings,ProxyServer = http=127.0.0.1:1062

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden

uRun: [ahuaieouxrl] c:\documents and settings\harold cogle\local settings\application data\lrcgnabtu\wumafmy.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe

mRun: [seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"

mRun: [CTHelper] CTHELPER.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"

mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r

mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [updateLBPShortCut] "c:\program files\lg dvd writer\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\lg dvd writer\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [CLMLServer] "c:\program files\lg dvd writer\cyberlink\power2go\CLMLSvc.exe"

mRun: [updateP2GoShortCut] "c:\program files\lg dvd writer\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\lg dvd writer\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [RemoteControl8] "c:\program files\lg dvd writer\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\lg dvd writer\cyberlink\powerdvd8\language\Language.exe"

mRun: [updatePPShortCut] "c:\program files\lg dvd writer\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\lg dvd writer\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"

mRun: [uCam_Menu] "c:\program files\lg dvd writer\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\lg dvd writer\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"

mRun: [LGODDFU] "c:\program files\lg dvd writer\cyberlink\lg_fwupdate\fwupdate.exe" blrun

mRun: [updatePSTShortCut] "c:\program files\lg dvd writer\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\lg dvd writer\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [ahuaieouxrl] c:\documents and settings\harold cogle\local settings\application data\lrcgnabtu\wumafmy.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\gogear vibe device manager\GoGear_Vibe_DeviceManager.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267314445390

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267314432093

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 relog_ap

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\harold~1\applic~1\mozilla\firefox\profiles\5qdv0tms.default\

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\arcsoft\media converter for philips\internet video downloader\plugin_firefox\components\nsURLRecordEx.dll

FF - plugin: c:\documents and settings\harold cogle\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-1-27 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-1-27 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-1-27 482432]

R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [2009-8-23 6144]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100617.001\IDSXpx86.sys [2010-6-17 331640]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-1-27 117640]

R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100617.003\NAVENG.SYS [2010-6-17 85552]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100617.003\NAVEX15.SYS [2010-6-17 1347504]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-8-16 1527900]

S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2009-8-16 544768]

=============== Created Last 30 ================

2010-06-06 22:19:14 0 d-----w- C:\Temp

2010-06-06 22:18:35 361 ----a-w- c:\windows\lgfwup.ini

2010-06-06 22:18:31 59904 ----a-w- c:\windows\system32\wbemdisp.tlb

2010-06-06 22:18:31 115016 ----a-w- c:\windows\system32\MSINET.OCX

2010-06-06 22:18:31 102160 ----a-w- c:\windows\system32\VB6KO.DLL

2010-06-06 22:18:30 16384 ----a-w- c:\windows\system32\lgfwunis.exe

2010-06-06 22:01:12 0 d-----w- c:\program files\common files\CyberLink

2010-06-06 21:50:33 0 d-----w- c:\program files\LG DVD Writer

2010-05-30 05:54:02 15876 ----a-w- c:\documents and settings\harold cogle\.recently-used.xbel

2010-05-29 16:14:47 0 d-----w- c:\program files\hugin Version 0.6.0

2010-05-25 03:57:24 73216 ----a-w- c:\windows\ST6UNST.EXE

==================== Find3M ====================

2010-05-25 04:05:06 249856 ------w- c:\windows\Setup1.exe

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 23:06:52.29 ===============


Here is my Combofix report:

ComboFix 10-06-17.02 - Harold Cogle 06/18/2010 1:03.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1638 [GMT -4:00]

Running from: c:\documents and settings\Harold Cogle\Desktop\ComboFix.exe

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\HAROLD~1\LOCALS~1\Temp\tmp2.tmp

c:\windows\system32\_004739_.tmp.dll

c:\windows\system32\win.com

Infected copy of c:\windows\system32\drivers\snapman.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))

.

2010-06-18 00:41 . 2010-06-18 00:41 0 ----a-w- c:\windows\nsreg.dat

2010-06-18 00:41 . 2010-06-18 00:41 -------- d-----w- c:\documents and settings\Harold Cogle\Local Settings\Application Data\Mozilla

2010-06-16 23:11 . 2010-06-16 23:11 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-06-07 03:37 . 2010-06-07 03:37 -------- d-----w- c:\documents and settings\Harold Cogle\Local Settings\Application Data\Power2Go

2010-06-06 22:19 . 2010-06-06 22:19 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe

2010-06-06 22:19 . 2010-06-06 22:19 -------- d-----w- C:\Temp

2010-06-06 22:18 . 1998-07-22 04:00 102160 ----a-w- c:\windows\system32\VB6KO.DLL

2010-06-06 22:18 . 2010-06-06 22:19 16384 ----a-w- c:\windows\system32\lgfwunis.exe

2010-06-06 22:07 . 2010-06-06 22:07 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe

2010-06-06 22:02 . 2010-06-06 22:02 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe

2010-06-06 22:01 . 2010-06-06 22:01 -------- d-----w- c:\program files\Common Files\CyberLink

2010-06-06 21:59 . 2010-06-06 21:59 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe

2010-06-06 21:59 . 2010-06-10 21:00 -------- d-----w- c:\documents and settings\Harold Cogle\Application Data\CyberLink

2010-06-06 21:56 . 2010-06-06 21:56 -------- d-----w- c:\program files\Cyberlink

2010-06-06 21:54 . 2010-06-06 21:54 36864 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe

2010-06-06 21:53 . 2010-06-06 21:53 -------- d-----w- c:\program files\Common Files\LightScribe

2010-06-06 21:52 . 2010-06-06 21:52 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe

2010-06-06 21:50 . 2010-06-10 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2010-06-06 21:50 . 2010-06-06 21:50 -------- d-----w- c:\program files\LG DVD Writer

2010-06-06 21:45 . 2010-06-17 03:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp

2010-06-06 21:45 . 2010-06-06 21:45 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe

2010-05-29 16:14 . 2010-05-29 16:20 -------- d-----w- c:\program files\hugin Version 0.6.0

2010-05-25 03:57 . 2010-05-25 04:05 73216 ----a-w- c:\windows\ST6UNST.EXE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-18 04:11 . 2009-08-15 01:13 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-18 01:17 . 2010-03-09 01:00 -------- d-----w- c:\documents and settings\Harold Cogle\Application Data\Facebook

2010-06-16 23:49 . 2009-09-01 01:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-16 03:45 . 2009-08-04 04:50 -------- d-----w- c:\documents and settings\Harold Cogle\Application Data\Smart Recorder

2010-06-07 03:37 . 2009-08-08 02:00 106280 ----a-w- c:\documents and settings\Harold Cogle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-06 22:20 . 2009-08-03 05:46 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-06 04:26 . 2010-01-29 03:56 -------- d-----w- c:\documents and settings\Harold Cogle\Application Data\vlc

2010-05-30 05:54 . 2009-09-18 11:08 -------- d-----w- c:\documents and settings\Harold Cogle\Application Data\gtk-2.0

2010-05-25 04:05 . 2010-03-31 03:00 249856 ------w- c:\windows\Setup1.exe

2010-04-29 19:39 . 2009-09-01 01:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-09-01 01:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 21:52 . 2010-04-28 21:52 -------- d-----w- c:\documents and settings\Jennifer Cogle\Application Data\ArcSoft

2010-04-04 20:29 . 2010-04-04 20:29 287 ----a-w- c:\windows\EReg072.dat

2010-03-21 19:55 . 2009-08-11 22:23 250 ----a-w- c:\windows\PowerReg.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-08-20 2363392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-24 1325848]

"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]

"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-24 136472]

"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]

"EPSON Stylus CX7800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-07 98304]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-15 202256]

"UpdateLBPShortCut"="c:\program files\LG DVD Writer\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"CLMLServer"="c:\program files\LG DVD Writer\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"UpdateP2GoShortCut"="c:\program files\LG DVD Writer\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"RemoteControl8"="c:\program files\LG DVD Writer\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]

"PDVD8LanguageShortcut"="c:\program files\LG DVD Writer\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]

"UpdatePPShortCut"="c:\program files\LG DVD Writer\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"UCam_Menu"="c:\program files\LG DVD Writer\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]

"LGODDFU"="c:\program files\LG DVD Writer\CyberLink\lg_fwupdate\fwupdate.exe" [2010-06-06 557056]

"UpdatePSTShortCut"="c:\program files\LG DVD Writer\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-25 210216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Philips GoGear VIBE Device Manager.lnk - c:\program files\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe [2010-2-18 1701224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]

2006-12-12 14:46 20480 ----a-w- c:\windows\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]

2009-06-03 18:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SideWinderTrayV4]

2000-06-02 23:07 24650 ----a-w- c:\progra~1\GAMECO~1\Common\SWTrayV4.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-08-08 11:36 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-03-15 03:22 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 05:00 90112 ------w- c:\windows\Updreg.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\LG DVD Writer\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [1/27/2010 11:10 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [1/27/2010 11:10 PM 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [1/27/2010 11:10 PM 482432]

R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [8/23/2009 1:04 AM 6144]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100617.001\IDSXpx86.sys [6/17/2010 2:42 PM 331640]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [1/27/2010 11:10 PM 117640]

R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2010 2:56 PM 102448]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 7:14 PM 135664]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [8/16/2009 2:12 AM 1527900]

S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [8/16/2009 2:14 AM 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-08-20 17:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:14]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 23:14]

2010-06-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2052111302-162531612-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-06-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2052111302-162531612-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-06-18 c:\windows\Tasks\User_Feed_Synchronization-{3BC5B024-6002-4EB4-A269-BF5E26F69063}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.foxnews.com/index.html

uInternet Settings,ProxyServer = http=127.0.0.1:1062

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\Harold Cogle\Application Data\Mozilla\Firefox\Profiles\5qdv0tms.default\

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\ArcSoft\Media Converter for Philips\Internet Video Downloader\Plugin_FireFox\components\nsURLRecordEx.dll

FF - plugin: c:\documents and settings\Harold Cogle\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKCU-Run-ahuaieouxrl - c:\documents and settings\harold cogle\local settings\application data\lrcgnabtu\wumafmy.exe

HKLM-Run-ahuaieouxrl - c:\documents and settings\harold cogle\local settings\application data\lrcgnabtu\wumafmy.exe

AddRemove-MLT Cascades Crossing Installed rolling stock - c:\games\Microsoft Train Simulator\TRAINS\TRAINSET\Uninstal.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-18 01:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1120)

c:\windows\system32\relog_ap.dll

.

Completion time: 2010-06-18 01:15:13

ComboFix-quarantined-files.txt 2010-06-18 05:15

Pre-Run: 741,243,731,968 bytes free

Post-Run: 744,637,394,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 353343CEFFD6EE6E2C127F86B2BBEF00


Something good happened because I was able to download and install Windows updates. 30 of them to be exact. I know... I should have been keeping up with that.

Here is my new DDS log:

------------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by Harold Cogle at 2:02:27.79 on Fri 06/18/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1471 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\LG DVD Writer\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files\LG DVD Writer\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Cyberlink\Shared files\RichVideo.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\eHome\ehmsas.exe

c:\program files\real\realplayer\RealPlay.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe

C:\Program Files\Dell Support Center\gs_agent\dsc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\Harold Cogle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/index.html

uInternet Settings,ProxyServer = http=127.0.0.1:1062

BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe

mRun: [seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"

mRun: [CTHelper] CTHELPER.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"

mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r

mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [EPSON Stylus CX7800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [updateLBPShortCut] "c:\program files\lg dvd writer\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\lg dvd writer\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [CLMLServer] "c:\program files\lg dvd writer\cyberlink\power2go\CLMLSvc.exe"

mRun: [updateP2GoShortCut] "c:\program files\lg dvd writer\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\lg dvd writer\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [RemoteControl8] "c:\program files\lg dvd writer\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\lg dvd writer\cyberlink\powerdvd8\language\Language.exe"

mRun: [updatePPShortCut] "c:\program files\lg dvd writer\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\lg dvd writer\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"

mRun: [uCam_Menu] "c:\program files\lg dvd writer\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\lg dvd writer\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"

mRun: [LGODDFU] "c:\program files\lg dvd writer\cyberlink\lg_fwupdate\fwupdate.exe" blrun

mRun: [updatePSTShortCut] "c:\program files\lg dvd writer\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\lg dvd writer\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\gogear vibe device manager\GoGear_Vibe_DeviceManager.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267314445390

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267314432093

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 relog_ap

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\harold~1\applic~1\mozilla\firefox\profiles\5qdv0tms.default\

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\arcsoft\media converter for philips\internet video downloader\plugin_firefox\components\nsURLRecordEx.dll

FF - plugin: c:\documents and settings\harold cogle\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-1-27 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-1-27 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-1-27 482432]

R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [2009-8-23 6144]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100617.001\IDSXpx86.sys [2010-6-17 331640]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]

R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-1-27 117640]

R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100617.018\NAVENG.SYS [2010-6-17 85552]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100617.018\NAVEX15.SYS [2010-6-17 1347504]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-8-16 1527900]

S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2009-8-16 544768]

=============== Created Last 30 ================

2010-06-18 05:30:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-18 05:26:07 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-06-18 04:52:30 0 d-sha-r- C:\cmdcons

2010-06-18 04:49:35 98816 ----a-w- c:\windows\sed.exe

2010-06-18 04:49:35 77312 ----a-w- c:\windows\MBR.exe

2010-06-18 04:49:35 256512 ----a-w- c:\windows\PEV.exe

2010-06-18 04:49:35 161792 ----a-w- c:\windows\SWREG.exe

2010-06-06 22:19:14 0 d-----w- C:\Temp

2010-06-06 22:18:35 361 ----a-w- c:\windows\lgfwup.ini

2010-06-06 22:18:31 59904 ----a-w- c:\windows\system32\wbemdisp.tlb

2010-06-06 22:18:31 115016 ----a-w- c:\windows\system32\MSINET.OCX

2010-06-06 22:18:31 102160 ----a-w- c:\windows\system32\VB6KO.DLL

2010-06-06 22:18:30 16384 ----a-w- c:\windows\system32\lgfwunis.exe

2010-06-06 22:01:12 0 d-----w- c:\program files\common files\CyberLink

2010-06-06 21:50:33 0 d-----w- c:\program files\LG DVD Writer

2010-05-30 05:54:02 15876 ----a-w- c:\documents and settings\harold cogle\.recently-used.xbel

2010-05-29 16:14:47 0 d-----w- c:\program files\hugin Version 0.6.0

2010-05-25 03:57:24 73216 ----a-w- c:\windows\ST6UNST.EXE

==================== Find3M ====================

2010-05-25 04:05:06 249856 ------w- c:\windows\Setup1.exe

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 2:03:18.03 ===============


  • Staff

Hi Harold,

Things are looking good, but we're not done yet. Let's continue.

Please go to VirusTotal, and upload the following files for analysis:

c:\windows\system32\lgfwunis.exe

c:\windows\Setup1.exe

Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now.

-screen317


Results of c:\windows\system32\lgfwunis.exe

Antivirus Version Last Update Result

a-squared 5.0.0.26 2010.06.18 -

AhnLab-V3 2010.06.19.00 2010.06.19 -

AntiVir 8.2.2.6 2010.06.18 -

Antiy-AVL 2.0.3.7 2010.06.18 -

Authentium 5.2.0.5 2010.06.18 -

Avast 4.8.1351.0 2010.06.18 -

Avast5 5.0.332.0 2010.06.18 -

AVG 9.0.0.787 2010.06.18 -

BitDefender 7.2 2010.06.19 -

CAT-QuickHeal 10.00 2010.06.18 -

ClamAV 0.96.0.3-git 2010.06.19 -

Comodo 5148 2010.06.19 -

DrWeb 5.0.2.03300 2010.06.19 -

eSafe 7.0.17.0 2010.06.17 -

eTrust-Vet 36.1.7650 2010.06.19 -

F-Prot 4.6.1.107 2010.06.18 -

F-Secure 9.0.15370.0 2010.06.19 -

Fortinet 4.1.133.0 2010.06.18 -

GData 21 2010.06.19 -

Ikarus T3.1.1.84.0 2010.06.18 -

Jiangmin 13.0.900 2010.06.15 -

Kaspersky 7.0.0.125 2010.06.19 -

McAfee 5.400.0.1158 2010.06.19 -

McAfee-GW-Edition 2010.1 2010.06.18 -

Microsoft 1.5902 2010.06.18 -

NOD32 5208 2010.06.18 -

Norman 6.05.06 2010.06.18 -

nProtect 2010-06-19.01 2010.06.19 -

Panda 10.0.2.7 2010.06.18 -

PCTools 7.0.3.5 2010.06.19 -

Prevx 3.0 2010.06.19 -

Rising 22.52.05.00 2010.06.19 -

Sophos 4.54.0 2010.06.19 -

Sunbelt 6470 2010.06.19 -

Symantec 20101.1.0.89 2010.06.18 -

TheHacker 6.5.2.0.300 2010.06.18 -

TrendMicro 9.120.0.1004 2010.06.19 -

TrendMicro-HouseCall 9.120.0.1004 2010.06.19 -

VBA32 3.12.12.5 2010.06.18 -

ViRobot 2010.6.19.3894 2010.06.19 -

VirusBuster 5.0.27.0 2010.06.18 -

Additional information

File size: 16384 bytes

MD5...: ab8bfc0bb0724e1833b8c422abd90331

SHA1..: 11dd46e53f76b0472c774791dd0efc8000cd6a33

SHA256: 5f426b4aab8923b066c1f740b810b361a6c523f400c44e47b5191cdb33211919

ssdeep: 192:pC9gLI3EwdzmSBpd3Grs2FlaAdKyqC4Ao4pd3Grs2:EO2zmSGjla8KyPQ4G

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x10b0

timedatestamp.....: 0x4a83dbf7 (Thu Aug 13 09:25:11 2009)

machinetype.......: 0x14c (I386)

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x1cd0 0x2000 4.46 bfd0cedfcd7e0a8b3d53b4bbf41f5801

.data 0x3000 0xb88 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

.rsrc 0x4000 0xbf0 0x1000 3.54 680ff0d6257fae6a496d4d702bf38cad

( 1 imports )

> MSVBVM60.DLL: -, -, -, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, ProcCallEngine, -, -, -, -, -, -

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: BitLeader

copyright....: n/a

product......: LG Firmware Autoupdate

description..: n/a

original name: lgfwunis.exe

internal name: lgfwunis

file version.: 1.00.0012

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned


Results of c:\windows\Setup1.exe

Antivirus Version Last Update Result

a-squared 5.0.0.26 2010.06.18 -

AhnLab-V3 2010.06.19.00 2010.06.19 -

AntiVir 8.2.2.6 2010.06.18 -

Antiy-AVL 2.0.3.7 2010.06.18 -

Authentium 5.2.0.5 2010.06.18 -

Avast 4.8.1351.0 2010.06.18 -

Avast5 5.0.332.0 2010.06.18 -

AVG 9.0.0.787 2010.06.18 -

BitDefender 7.2 2010.06.19 -

CAT-QuickHeal 10.00 2010.06.18 -

ClamAV 0.96.0.3-git 2010.06.19 -

Comodo 5148 2010.06.19 -

DrWeb 5.0.2.03300 2010.06.19 -

eTrust-Vet 36.1.7650 2010.06.19 -

F-Prot 4.6.1.107 2010.06.18 -

F-Secure 9.0.15370.0 2010.06.19 -

Fortinet 4.1.133.0 2010.06.18 -

GData 21 2010.06.19 -

Ikarus T3.1.1.84.0 2010.06.18 -

Jiangmin 13.0.900 2010.06.15 -

Kaspersky 7.0.0.125 2010.06.19 -

McAfee 5.400.0.1158 2010.06.19 -

McAfee-GW-Edition 2010.1 2010.06.18 -

Microsoft 1.5902 2010.06.18 -

NOD32 5208 2010.06.18 -

Norman 6.05.06 2010.06.18 -

nProtect 2010-06-19.01 2010.06.19 -

Panda 10.0.2.7 2010.06.18 -

PCTools 7.0.3.5 2010.06.19 -

Prevx 3.0 2010.06.19 -

Rising 22.52.05.00 2010.06.19 -

Sophos 4.54.0 2010.06.19 -

Sunbelt 6470 2010.06.19 -

Symantec 20101.1.0.89 2010.06.18 -

TheHacker 6.5.2.0.300 2010.06.18 -

TrendMicro 9.120.0.1004 2010.06.19 -

TrendMicro-HouseCall 9.120.0.1004 2010.06.19 -

ViRobot 2010.6.19.3894 2010.06.19 -

VirusBuster 5.0.27.0 2010.06.18 -

Additional information

File size: 249856 bytes

MD5...: b9917fc4c836776765e311fff84dd534

SHA1..: 63cf6b3992f2058f6a5995293e1017627569f8b5

SHA256: 4c7ea1f0b856125a1316e7dd19a2702de959a048fc9f2556ec3de351067422b7

ssdeep: 6144:AnIKlBmT0LNn3moSAj0UTp1bDQwZefWnwJsY:Anrdj0UTp1Xth

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x37e0

timedatestamp.....: 0x38ce7cd9 (Tue Mar 14 17:54:33 2000)

machinetype.......: 0x14c (I386)

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x350ec 0x36000 6.00 8d2f26c5a4fad502f9b2528300bacf8e

.data 0x37000 0x5390 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110

.rsrc 0x3d000 0x4edc 0x5000 3.56 b69c45010c4bdce013e31e3f092fc9c6

( 1 imports )

> MSVBVM60.DLL: __vbaVarTstGt, __vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaVarVargNofree, __vbaFreeVar, __vbaLineInputStr, __vbaLenBstr, -, __vbaStrVarMove, -, -, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, -, -, _adj_fprem1, __vbaRecAnsiToUni, -, __vbaCopyBytes, __vbaResume, __vbaStrCat, __vbaRecDestruct, __vbaSetSystemError, __vbaNameFile, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaLateMemSt, -, __vbaForEachCollObj, __vbaBoolStr, __vbaExitProc, __vbaFileCloseAll, -, __vbaCyAdd, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, -, __vbaBoolVar, __vbaForEachCollVar, -, __vbaBoolVarNull, _CIsin, -, -, __vbaErase, __vbaLateMemStAd, __vbaNextEachCollObj, -, __vbaVarZero, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, -, __vbaGenerateBoundsError, -, __vbaCyI2, __vbaStrCmp, __vbaVarTstEq, __vbaCyI4, __vbaNextEachCollVar, __vbaPrintObj, __vbaI2I4, DllFunctionCall, __vbaVarOr, __vbaVarLateMemSt, __vbaLbound, __vbaRedimPreserve, _adj_fpatan, __vbaR4Var, __vbaLateIdCallLd, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, -, _CIsqrt, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaFpCmpCy, __vbaVarMul, __vbaExceptHandler, -, __vbaPrintFile, __vbaStrToUnicode, -, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaVarDiv, -, __vbaFPException, __vbaInStrVar, -, -, __vbaUbound, __vbaStrVarVal, __vbaVarCat, -, __vbaDateVar, -, __vbaI2Var, -, -, -, _CIlog, -, __vbaErrorOverflow, __vbaFileOpen, -, __vbaInStr, __vbaNew2, -, __vbaCyMulI2, _adj_fdiv_m32i, -, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, -, __vbaDerefAry1, _adj_fdivr_m32, __vbaPowerR8, -, _adj_fdiv_r, -, -, -, -, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI2, __vbaFpI4, __vbaVarCopy, -, __vbaVarLateMemCallLd, __vbaR8IntI2, __vbaLateMemCallLd, _CIatan, -, __vbaStrMove, __vbaCastObj, __vbaStrVarCopy, -, _allmul, __vbaLenVarB, __vbaLateIdSt, _CItan, -, __vbaAryUnlock, _CIexp, __vbaMidStmtBstr, -, __vbaFreeStr, __vbaFreeObj, -

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Microsoft Visual Basic 6 (71.5%)

Win32 Executable MS Visual C++ (generic) (21.3%)

Win32 Executable Generic (4.8%)

Generic Win/DOS Executable (1.1%)

DOS Executable Generic (1.1%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: Copyright © 1987-1999 Microsoft Corporation

product......: Visual Basic

description..: Visual Basic 6.0 Setup Toolkit

original name: setup1.exe

internal name: setup1

file version.: 6.00.8804

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned


Here is my F-secure report:

Saturday, June 19, 2010 00:43:47 - 01:51:03

Computer name: KEATONZOE1824

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

No malware found

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 74183

System: 4529

Not scanned: 15

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

C:\DOCUMENTS AND SETTINGS\HAROLD COGLE\LOCAL SETTINGS\TEMP\HSPERFDATA_HAROLD COGLE\5368

C:\DOCUMENTS AND SETTINGS\HAROLD COGLE\LOCAL SETTINGS\TEMP\HSPERFDATA_HAROLD COGLE\5184

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_NPC.TRAY.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_UI.HOST.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright


Here is my Security check report:

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Norton Internet Security

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 15

Java 2 Runtime Environment, SE v1.4.2_03

Out of date Java installed!

Adobe Flash Player

Adobe Reader 9.3.2

Mozilla Firefox (3.6.3)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

````````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

``````````End of Log````````````


I see that Windows Firewall is off, but Norton tells me to do that in favor of its firewall.

Also, before your last post I did a full system scan with Norton and it tells me I am infected with "Backdoor.Tidserv!inf" and that it will have to be removed manually. I looked up this virus, and the Manual Removal Instructions I found say I need to disable and delete two DLL files (tutatezu.dii & rujamika.dll), both located in WINDOWS\system32\. Well, I looked for these files and they are not there. I see no sign of it.

Things seem to be running fine.

Thanks,

Harold


Installed latest Java and ran Security check again:

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Norton Internet Security

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 20

Java 2 Runtime Environment, SE v1.4.2_03

Adobe Flash Player

Adobe Reader 9.3.2

Mozilla Firefox (3.6.3)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

````````````````````````````````

DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````


Here is the file Norton says is infected with Tidserv!inf:

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\imapi.sys.vir

It looks like it is quarantined. Did Combofix do that and if so what will happen to it when I uninstall Combofix? In other words how do I get rid of the quarantined file?

This appears to be my only remaining issue.

Thanks,

Harold


  • Staff

Hi Harold,

Yes, that is ComboFix's quarantine folder, and it will be purged automatically when ComboFix is uninstalled.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java 2 Runtime Environment, SE v1.4.2_03

Restart your computer.

Let me know what issues remain.


Everything seems to be operating normally.

The only problem I still have (and this happened before the problem you helped me with) is that one day I could not go to "www.drwhoguide.com/who.htm" on this computer. When I try, Microsoft Explorer hangs up and I have to force it to close. I can go there on every other computer I try... just not this one. It's strange.

Thank you very much for all your help. I greatly appreciate it.

Harold


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
