
Malware Re-appearing



I have been trying to clean some adware/malware off of my system for about two weeks. I run Malwarebytes every day, and it seems that it will clean the system only for it to spring up again in about two days. I use FF to browse and am pretty careful about where I go and what I download. It seems every time that it detects something, it will reside as a .dll, and when I restart it throws an error that it cannot find that .dll after Malwarebytes deletes it. However, in about 24-48 hours another variant of the whole thing seems to spring up and pop-ups begin once more. Below is the log. Can anyone assist, as I want to find the root cause. Thanks!!

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4175

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/21/2010 5:14:42 PM

mbam-log-2010-06-21 (17-14-42).txt

Scan type: Quick scan

Objects scanned: 136030

Time elapsed: 15 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 13

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\gazuv.dll (Adware.EZlife) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{fab60ebf-2b47-463e-8676-dd55faf44af0} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{fab60ebf-2b47-463e-8676-dd55faf44af0} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fab60ebf-2b47-463e-8676-dd55faf44af0} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fab60ebf-2b47-463e-8676-dd55faf44af0} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\gazuv.dll (Adware.EZlife) -> Delete on reboot.


Hello Craddock_13! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed of any changes.

Step 1

Your database version of Malwarebytes' Anti-Malware is 4175, but the latest version is 4224, so please:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

Please follow these instructions:

http://forums.malwarebytes.org/index.php?showtopic=9573

In your next reply, please post a logfile of GMER and DDS.


See below for MBAM scan results and DDS. Also see attached. Thanks in advance for your help!!!

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4225

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/22/2010 1:00:27 PM

mbam-log-2010-06-22 (13-00-27).txt

Scan type: Quick scan

Objects scanned: 128777

Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 28

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 6

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{07e692da-6b36-4656-a88f-d15b148e7e68} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07e692da-6b36-4656-a88f-d15b148e7e68} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07e692da-6b36-4656-a88f-d15b148e7e68} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e692da-6b36-4656-a88f-d15b148e7e68} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{67113b3e-1fcf-42ee-b049-fc2110fa13ba} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{67113b3e-1fcf-42ee-b049-fc2110fa13ba} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{67113b3e-1fcf-42ee-b049-fc2110fa13ba} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67113b3e-1fcf-42ee-b049-fc2110fa13ba} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{7f2940c4-acb9-4fae-a4e6-92c475529282} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7f2940c4-acb9-4fae-a4e6-92c475529282} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7f2940c4-acb9-4fae-a4e6-92c475529282} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallWTF1012$ (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\V71IQL7HI7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mchk (Adware.Adshot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skb (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\$NtUninstallWTF1012$ (Adware.EZLife) -> Quarantined and deleted successfully.

C:\Documents and Settings\Craddock\Application Data\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\Documents and Settings\Craddock\Application Data\Sky-Banners\skb (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\Documents and Settings\Craddock\Application Data\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\Documents and Settings\Craddock\Application Data\Street-Ads\sta (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\WINDOWS\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\tazuv.exe (Adware.Adshot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gazuv.dll (Adware.EZlife) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cazuv.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tjyeh.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vqpisrzj.exe (Adware.Lifze) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kjyeh.exe (Adware.Adshot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sqbybalwwjra.exe (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\Program Files\$NtUninstallWTF1012$\elUninstall.exe (Adware.EZLife) -> Quarantined and deleted successfully.

C:\Documents and Settings\Craddock\Application Data\Sky-Banners\skb\log.xml (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Craddock at 13:12:40.40 on Tue 06/22/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1968.1047 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

svchost.exe

C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe

C:\Program Files\Intel\ASF Agent\ASFAgent.exe

C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\STacSV.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe

C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\igfxpers.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\iprntctl.exe

C:\WINDOWS\sttray.exe

C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\iprntlgn.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Pidgin\pidgin.exe

C:\WINDOWS\System32\igfxsrvc.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\Network Associates\Common Framework\McTray.exe

C:\WINDOWS\System32\wbem\unsecapp.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Craddock\Desktop\Defogger(2).exe

C:\Documents and Settings\Craddock\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [Pidgin] c:\program files\pidgin\pidgin.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"

mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"

mRun: [<NO NAME>]

mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON

mRun: [iDTSysTrayApp] sttray.exe

mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe

mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxp://66.133.171.94/rcm/webcontrols/vmrc/VMRCActiveXClient.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://acs-inc.webex.com/client/wbs27-vzbprodcn/webex/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\craddock\applic~1\mozilla\firefox\profiles\dasypmbl.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101021100&s=

FF - plugin: c:\documents and settings\craddock\application data\mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npnipp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101021100&s=

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-17 64288]

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-8-20 34671]

R1 NvtSp50;Novatel Wireless NDIS 5 Single-Packet Read Protocol Driver;c:\windows\system32\drivers\NvtSp50.sys [2008-6-10 22016]

R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-6-3 386328]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-7-31 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-7-31 21352]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2009-9-3 104000]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2008-9-9 69632]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2009-8-18 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-8-18 244368]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-9-3 72264]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-9-3 34152]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-9-3 168776]

S0 aamzl;aamzl; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-10 133104]

S3 dialmgr;dialmgr;c:\windows\system32\dialmgr.sys [2010-6-14 2304]

S3 PhidgetWebservice21;Phidget Webservice 21;c:\program files\phidgets\PhidgetWindowsService21.exe [2009-12-14 24576]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

=============== Created Last 30 ================

2010-06-22 18:11:17 0 ----a-w- c:\documents and settings\craddock\defogger_reenable

2010-06-21 21:20:47 0 d-----w- c:\docume~1\craddock\applic~1\Songbird2

2010-06-21 21:20:26 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-06-21 21:20:26 109360 ----a-w- c:\windows\system32\GEARAspi.dll

2010-06-21 21:19:52 0 d-----w- c:\program files\Songbird

2010-06-18 19:46:47 0 d-----w- c:\windows\system32\appmgmt

2010-06-18 19:46:47 0 d-----w- c:\windows\SxsCaPendDel

2010-06-18 19:44:42 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cb0f1eb27a08ee.mof

2010-06-17 21:06:54 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-17 20:01:00 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-17 20:00:57 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-17 19:59:24 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-17 19:59:13 0 d-----w- c:\program files\Lavasoft

2010-06-14 17:07:56 2304 ----a-w- c:\windows\system32\dialmgr.sys

2010-06-11 15:23:34 0 d-----w- c:\windows\Cache

2010-06-11 01:33:55 0 d-----w- c:\docume~1\craddock\applic~1\Canneverbe Limited

2010-06-11 01:33:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Canneverbe Limited

2010-06-11 01:33:33 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2010-06-09 21:58:14 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2010-06-09 13:31:05 218 ----a-w- c:\documents and settings\craddock\.recently-used.xbel

2010-06-07 14:48:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Update

2010-06-07 14:46:55 0 d-----w- c:\docume~1\craddock\applic~1\A65E05259D485BCC50F9C4AD75FBE752

2010-06-07 14:42:05 0 d-----w- c:\docume~1\craddock\applic~1\Malwarebytes

2010-06-07 14:41:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 14:41:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-07 14:41:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 14:41:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-05 06:07:45 0 d-----w- c:\program files\uTorrent

==================== Find3M ====================

2010-06-09 21:58:13 578560 ----a-w- c:\windows\system32\user32.DLL

2010-04-30 08:01:51 3100814229 ----a-w- c:\documents and settings\craddock\VLR_Matt.zip

2010-04-28 13:52:07 32024683 ----a-w- c:\documents and settings\craddock\wireless-switch.zip

2003-08-16 12:30:36 150519 ----a-w- c:\program files\H5614H01.CAB

2003-08-16 12:27:38 840686 ----a-w- c:\program files\D5614A01.CAB

2003-08-16 12:27:34 272467 ----a-w- c:\program files\C5614B01.CAB

2003-08-16 12:27:30 253358 ----a-w- c:\program files\C5614A01.CAB

2003-08-16 12:27:28 117844 ----a-w- c:\program files\B5614F01.CAB

2003-08-16 12:27:26 117461 ----a-w- c:\program files\B5614E01.CAB

2003-08-16 12:27:24 481873 ----a-w- c:\program files\B5614B01.CAB

2003-08-16 12:27:22 470042 ----a-w- c:\program files\B5614A01.CAB

2003-08-16 12:27:18 606451 ----a-w- c:\program files\A5614301.CAB

2003-08-16 12:27:12 668664 ----a-w- c:\program files\A5614201.CAB

2003-08-16 12:26:58 8251862 ----a-w- c:\program files\A5614101.CAB

2003-08-16 12:25:08 184 -c--a-w- c:\program files\AUTORUN.INF

============= FINISH: 13:14:18.95 ===============

Attach.zip

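As an added illustration for this thread (not code from Malwarebytes or from anyone posting here), the script below parses the MBAM 1.x log format shown above and compares two scans. LOG_JUN21 and LOG_JUN22 are constructed excerpts shaped on the 6/21 and 6/22 logs; the functions report what was only scheduled for "Delete on reboot", what was reported by both scans, and which registry keys share a single BHO GUID.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and compare two scans.

Added example for this thread, not Malwarebytes' code. LOG_JUN21 and LOG_JUN22
are constructed excerpts shaped on the 6/21 and 6/22 logs posted above.
"""
import re
from collections import defaultdict

# Detailed-section headers exactly as MBAM 1.x writes them. The summary lines near
# the top carry a count ("Files Infected: 1"), so they never match and are skipped.
SECTIONS = {
    "Memory Processes Infected:", "Memory Modules Infected:",
    "Registry Keys Infected:", "Registry Values Infected:",
    "Registry Data Items Infected:", "Folders Infected:", "Files Infected:",
}
# One detection line:  <item> (<family>) -> <action>.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)


def parse_mbam_log(text):
    """Return {section: [(item, family, action), ...]} for one scan log."""
    results = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line.rstrip(":")
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ENTRY_RE.match(line)
        if m:
            results[section].append((m["item"], m["family"], m["action"]))
    return dict(results)


def all_items(parsed):
    """Flatten a parsed log to {item lower-cased: (item, family, action)}."""
    return {item.lower(): (item, family, action)
            for entries in parsed.values() for item, family, action in entries}


def pending_reboot(text):
    """Items MBAM could not remove live (a loaded DLL, say) and deferred to reboot."""
    return sorted(item for item, _, action in all_items(parse_mbam_log(text)).values()
                  if action.lower().startswith("delete on reboot"))


def recurring(text_a, text_b):
    """Items reported by both scans: what survived, or was re-dropped after, cleanup."""
    a, b = all_items(parse_mbam_log(text_a)), all_items(parse_mbam_log(text_b))
    return sorted(a[k][0] for k in a.keys() & b.keys())


def bho_registrations(text):
    """Registry keys grouped by GUID. A BHO normally registers a CLSID plus
    Ext\\Settings, Ext\\Stats and Browser Helper Objects keys under one GUID."""
    groups = defaultdict(list)
    for item, _, _ in parse_mbam_log(text).get("Registry Keys Infected", []):
        m = GUID_RE.search(item)
        if m:
            groups[m.group(0).lower()].append(item)
    return {guid: keys for guid, keys in groups.items() if len(keys) > 1}


# Constructed excerpt shaped on the 6/21 log above.
LOG_JUN21 = r"""
Files Infected: 1

Memory Modules Infected:
C:\WINDOWS\system32\gazuv.dll (Adware.EZlife) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fab60ebf-2b47-463e-8676-dd55faf44af0} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fab60ebf-2b47-463e-8676-dd55faf44af0} (Adware.EZlife) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gazuv.dll (Adware.EZlife) -> Delete on reboot.
"""

# Constructed excerpt shaped on the 6/22 log above.
LOG_JUN22 = r"""
Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{07e692da-6b36-4656-a88f-d15b148e7e68} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07e692da-6b36-4656-a88f-d15b148e7e68} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07e692da-6b36-4656-a88f-d15b148e7e68} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tazuv.exe (Adware.Adshot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gazuv.dll (Adware.EZlife) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    print("Deferred to reboot on 6/21:", pending_reboot(LOG_JUN21))
    print("Seen in both scans:", recurring(LOG_JUN21, LOG_JUN22))
    for guid, keys in bho_registrations(LOG_JUN22).items():
        print(f"BHO {guid} left {len(keys)} registry keys")
```

Feeding it the full logs from the thread (saved as text files) works the same way, since the parser only keys off the section headers and the "(family) -> action" line shape.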

Step 1

Please uninstall the following applications:

  1. Ad-Aware

You can read how to do this here:

Step 2

Please go to www.virustotal.com and upload the files below:

c:\program files\A5614101.CAB

c:\program files\AUTORUN.INF

Post the results in your next reply.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I have included the requested items as well as some on-access McAfee scan logs that popped up. Ad-Aware has also been uninstalled.

File A5614101.CAB received on 2010.01.25 12:06:45 (UTC)

Current status: finished

Result: 1/41 (2.44%)


Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.01.25 -

AhnLab-V3 5.0.0.2 2010.01.23 -

AntiVir 7.9.1.150 2010.01.25 -

Antiy-AVL 2.0.3.7 2010.01.22 -

Authentium 5.2.0.5 2010.01.24 -

Avast 4.8.1351.0 2010.01.25 -

AVG 9.0.0.730 2010.01.25 -

BitDefender 7.2 2010.01.25 -

CAT-QuickHeal 10.00 2010.01.25 -

ClamAV 0.94.1 2010.01.25 -

Comodo 3704 2010.01.25 -

DrWeb 5.0.1.12222 2010.01.25 -

eSafe 7.0.17.0 2010.01.24 -

eTrust-Vet 35.2.7258 2010.01.25 -

F-Prot 4.5.1.85 2010.01.24 -

F-Secure 9.0.15370.0 2010.01.25 -

Fortinet 4.0.14.0 2010.01.25 -

GData 19 2010.01.25 -

Ikarus T3.1.1.80.0 2010.01.25 -

Jiangmin 13.0.900 2010.01.24 -

K7AntiVirus 7.10.952 2010.01.22 -

Kaspersky 7.0.0.125 2010.01.25 -

McAfee 5871 2010.01.24 -

McAfee+Artemis 5871 2010.01.24 -

McAfee-GW-Edition 6.8.5 2010.01.25 -

Microsoft 1.5405 2010.01.25 -

NOD32 4803 2010.01.25 -

Norman 6.04.03 2010.01.25 -

nProtect 2009.1.8.0 2010.01.25 -

Panda 10.0.2.2 2010.01.24 -

PCTools 7.0.3.5 2010.01.25 -

Prevx 3.0 2010.01.25 -

Rising 22.32.00.04 2010.01.25 -

Sophos 4.50.0 2010.01.25 -

Sunbelt 3.2.1858.2 2010.01.24 -

Symantec 20091.2.0.41 2010.01.25 -

TheHacker 6.5.0.9.162 2010.01.25 -

TrendMicro 9.120.0.1004 2010.01.25 -

VBA32 3.12.12.1 2010.01.23 Malware-Cryptor.Win32.083

ViRobot 2010.1.25.2154 2010.01.25 -

VirusBuster 5.0.21.0 2010.01.24 -

Additional information

File size: 8251862 bytes

MD5 : 4bca9765024880afcf58dbbb31dcf07f

SHA1 : 49fcde0d72bd89524a5895d6c01bc924afdf9bdd

SHA256: f7f1d6f7486bb451e823e8618ad5065ffb546a8668fc6ee9e2548b8216012500

TrID : File type identification

Microsoft Cabinet Archive (85.7%)

HSC music composer song (13.5%)

Lumena CEL bitmap (0.6%)

ssdeep: 98304:yevW8lBfV/jthJlqA2XpdJ8WCOpatdpiVsfaIndBCAK1Lg5hOF/oE8u0cEwH:y78XZ4XKWCO4WVsfLUL1mE8uGy

PEiD : -

RDS : NSRL Reference Data Set

( Microsoft )

January 2006 MSDN Library: A5614101.CAB
MSDN Disc 2434.10: A5614101.CAB
MSDN Disc 2434.11: A5614101.CAB
MSDN Disc 2434.13: A5614101.CAB
MSDN Disc 2434.15: A5614101.CAB
MSDN Disc 2434.4: A5614101.CAB
MSDN Disc 2434.5: A5614101.CAB
MSDN disc 2434.6: A5614101.CAB
MSDN Disc 2434.8: A5614101.CAB
MSDN Disc2434.2: A5614101.CAB
MSDN DISC2434.7: A5614101.CAB
MSDN MS Business Solutions Customer relationship Mgmt 1.0, CRM Sales for Outlook - June 2003, Office FrontPage 2003, Office OneNote 2003, Office Pro: A5614101.CAB

File AUTORUN.INF received on 2010.05.19 22:12:49 (UTC)

Current status: finished

Result: 1/41 (2.44%)


Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.05.10 -

AhnLab-V3 2010.05.20.00 2010.05.19 -

AntiVir 8.2.1.242 2010.05.19 -

Antiy-AVL 2.0.3.7 2010.05.19 -

Authentium 5.2.0.5 2010.05.19 -

Avast 4.8.1351.0 2010.05.19 -

Avast5 5.0.332.0 2010.05.19 -

AVG 9.0.0.787 2010.05.19 -

BitDefender 7.2 2010.05.19 -

CAT-QuickHeal 10.00 2010.05.19 -

ClamAV 0.96.0.3-git 2010.05.19 -

Comodo 4888 2010.05.19 -

DrWeb 5.0.2.03300 2010.05.19 -

eSafe 7.0.17.0 2010.05.17 -

eTrust-Vet 35.2.7498 2010.05.19 -

F-Prot 4.5.1.85 2010.05.19 -

F-Secure 9.0.15370.0 2010.05.19 -

Fortinet 4.1.133.0 2010.05.19 -

GData 21 2010.05.19 -

Ikarus T3.1.1.84.0 2010.05.19 -

Jiangmin 13.0.900 2010.05.19 -

Kaspersky 7.0.0.125 2010.05.19 -

McAfee 5.400.0.1158 2010.05.19 Generic!atr.b

McAfee-GW-Edition 2010.1 2010.05.19 -

Microsoft 1.5802 2010.05.19 -

NOD32 5130 2010.05.19 -

Norman 6.04.12 2010.05.19 -

nProtect 2010-05-19.02 2010.05.19 -

Panda 10.0.2.7 2010.05.19 -

PCTools 7.0.3.5 2010.05.19 -

Prevx 3.0 2010.05.20 -

Rising 22.48.02.04 2010.05.19 -

Sophos 4.53.0 2010.05.19 -

Sunbelt 6324 2010.05.19 -

Symantec 20101.1.0.89 2010.05.19 -

TheHacker 6.5.2.0.283 2010.05.19 -

TrendMicro 9.120.0.1004 2010.05.19 -

TrendMicro-HouseCall 9.120.0.1004 2010.05.19 -

VBA32 3.12.12.5 2010.05.19 -

ViRobot 2010.5.19.2324 2010.05.19 -

VirusBuster 5.0.27.0 2010.05.19 -

Additional information

File size: 184 bytes

MD5 : 5380d58457837fe9e5a6097d3950660e

SHA1 : cb8f8768cc4b0310e4e64d413ebeb917f88c9b2f

SHA256: 0e00f75a3d58e633c04fce55fb8db1ce92e0984ebfb80e33f1768b4fa670ca09

TrID : File type identification

Autorun.inf file (91.6%)

Generic INI configuration (8.3%)

ssdeep: 3:It1qQ0gFTsRQgJbNPQDDQNDpXX/yb4QDDQnEiuHPgyyuLVWDsygFIyLV3ILuHPgy:e1qQ0ksaoPQDDQ7XI4QDDQ5uHPdVZWDO

sigcheck: publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEiD : -

RDS : NSRL Reference Data Set

( Microsoft )

Applications Microsoft Office Family: AUTORUN.INF
Beta 2 Kit 2003: AUTORUN.INF
Disc 2435.4: AUTORUN.INF, TAUTORUN.INF
January 2006 MSDN Library: AUTORUN.INF
Microsoft Office One Note 2003: AUTORUN.INF
Microsoft Office Small Business Edition 2003: AUTORUN.INF
Microsoft Windows Rights Management Services Evaluation Kit: AUTORUN.INF
MSDN Disc 2434.10: AUTORUN.INF
MSDN Disc 2434.11: AUTORUN.INF
MSDN Disc 2434.13: AUTORUN.INF
MSDN Disc 2434.15: AUTORUN.INF
MSDN Disc 2434.4: AUTORUN.INF
MSDN Disc 2434.5: AUTORUN.INF
MSDN disc 2434.6: AUTORUN.INF
MSDN Disc 2434.8: AUTORUN.INF
MSDN Disc 2435.1: AUTORUN.INF, TAUTORUN.INF
MSDN Disc 2435.2: AUTORUN.INF, TAUTORUN.INF
MSDN Disc 2435.3: AUTORUN.INF, TAUTORUN.INF
MSDN Disc 2435.5: AUTORUN.INF, TAUTORUN.INF
MSDN Disc 2619: AUTORUN.INF
MSDN Disc 2619.1: AUTORUN.INF
MSDN Disc 3010: AUTORUN.INF
MSDN Disc 3073: AUTORUN.INF
MSDN Disc 3089: AUTORUN.INF, TAUTORUN.INF
MSDN Disc 3089.1: AUTORUN.INF, TAUTORUN.INF
MSDN Disc 3096: AUTORUN.INF
MSDN Disc 3096.01: AUTORUN.INF
MSDN Disc 3617: AUTORUN.INF
MSDN Disc2434.2: AUTORUN.INF
MSDN DISC2434.7: AUTORUN.INF
MSDN MS Business Solutions Customer relationship Mgmt 1.0, CRM Sales for Outlook - June 2003, Office FrontPage 2003, Office OneNote 2003, Office Pro: AUTORUN.INF
MSDN Office Publisher 2003: AUTORUN.INF
Office FrontPage 2003: AUTORUN.INF
Office FrontPage 2003: AUTORUN.INF
Office OneNote 2003: AUTORUN.INF
Office Professional Edition 2003: AUTORUN.INF
Office Professional Enterprise Edition 2003: AUTORUN.INF
PowerPoint 2003: AUTORUN.INF
Visual Studio 2005: AUTORUN.INF
Visual Studio 2005 Team Suite: AUTORUN.INF

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4228

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/23/2010 8:59:02 AM

mbam-log-2010-06-23 (08-59-02).txt

Scan type: Quick scan

Objects scanned: 130995

Time elapsed: 9 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\etagxfnv (Rogue.AntivirusSuite.Gen) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\svchost.exe (Trojan.Agent) -> No action taken.

6/23/2010 5:09:15 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe HKEY_USERS\.DEFAULT\Software\avsoft FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:20 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe Software\avsoft FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:20 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe HKEY_USERS\.DEFAULT\Software\avsuite FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:20 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe Software\avsuite FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:20 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe HKLM\SOFTWARE\avsuite FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:20 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe HKEY_USERS\S-1-5-21-606747145-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Associations FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:20 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe Software\Microsoft\Windows\CurrentVersion\Policies\Associations FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:20 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe HKEY_USERS\S-1-5-21-606747145-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:20 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe Software\Microsoft\Windows\CurrentVersion\Policies\Attachments FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:21 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Script\Settings\ FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:21 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe Software\Microsoft\Windows Script\Settings\ FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:21 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe HKEY_USERS\S-1-5-21-606747145-152049171-839522115-1003\Software\Microsoft\Windows Script\Settings\ FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:21 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe Software\Microsoft\Windows Script\Settings\ FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:21 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe c:\documents and settings\localservice\local settings\application data\mnoqeplyt\jmykcwmtssd.exe FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:21 AM Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe c:\documents and settings\localservice\local settings\application data\mnoqeplyt\jmykcwmtssd.exe FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:21 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MNOQEPLYT\JMYKCWMTSSD.EXE FakeAlert-FakeSpy!env.a (Trojan)

6/23/2010 5:09:21 AM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svchost.exe C:\Documents and Settings\LocalService\Local Settings\Application Data\mnoqeplyt\jmykcwmtssd.exe FakeAlert-FakeSpy!env.a (Trojan)


I apologize; here is the correct MBAM log. I had copied and pasted the previous one before I hit the remove all option:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4228

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/23/2010 9:03:53 AM

mbam-log-2010-06-23 (09-03-53).txt

Scan type: Quick scan

Objects scanned: 130995

Time elapsed: 9 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\etagxfnv (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.


**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do no fixing on your own and do not run scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows (see the screenshots CF_download_FF.gif and CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click combo-fix's window while it's running. That may cause it to stall.**


See below. Symptoms still persist:

ComboFix 10-06-23.05 - Craddock 06/24/2010 11:11:49.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1968.1451 [GMT -5:00]

Running from: c:\documents and settings\Craddock\Desktop\Combo-Fix.exe

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Craddock\Application Data\A65E05259D485BCC50F9C4AD75FBE752

c:\documents and settings\Craddock\Application Data\A65E05259D485BCC50F9C4AD75FBE752\enemies-names.txt

c:\documents and settings\Craddock\Application Data\A65E05259D485BCC50F9C4AD75FBE752\local.ini

c:\documents and settings\Craddock\Application Data\A65E05259D485BCC50F9C4AD75FBE752\lsrslt.ini

c:\documents and settings\Craddock\Application Data\EurekaLog

c:\documents and settings\Craddock\Local Settings\Application Data\Uninstall.exe

c:\documents and settings\Craddock\Local Settings\Application Data\Windows Server

c:\documents and settings\Craddock\Local Settings\Application Data\Windows Server\flags.ini

c:\documents and settings\Craddock\Local Settings\Application Data\Windows Server\uses32.dat

C:\feed.txt

c:\program files\autorun.inf

c:\program files\Mozilla Firefox\searchplugins\google_search.xml

c:\windows\system32\dialmgr.sys

c:\windows\system32\hlp.dat

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_dialmgr

-------\Service_dialmgr

((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))

.

2010-06-23 10:09 . 2010-06-23 10:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\mnoqeplyt

2010-06-23 10:08 . 2010-06-23 10:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-06-21 23:06 . 2010-06-21 23:06 1065 ----a-w- c:\documents and settings\Craddock\Application Data\.purple\certificates\x509\tls_peers\gmail.com

2010-06-21 21:20 . 2010-06-21 21:20 -------- d-----w- c:\documents and settings\Craddock\Local Settings\Application Data\Songbird2

2010-06-21 21:20 . 2010-06-21 21:20 -------- d-----w- c:\documents and settings\Craddock\Application Data\Songbird2

2010-06-21 21:20 . 2010-06-09 00:30 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-06-21 21:20 . 2010-06-09 00:30 109360 ----a-w- c:\windows\system32\GEARAspi.dll

2010-06-21 21:19 . 2010-06-22 00:02 -------- d-----w- c:\program files\Songbird

2010-06-18 19:46 . 2010-06-19 01:35 -------- d-----w- c:\windows\SxsCaPendDel

2010-06-17 20:00 . 2010-06-17 20:00 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-17 19:59 . 2010-06-23 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-06-11 15:23 . 2010-06-11 15:23 -------- d-----w- c:\windows\Cache

2010-06-11 01:33 . 2010-06-11 01:33 -------- d-----w- c:\documents and settings\Craddock\Application Data\Canneverbe Limited

2010-06-11 01:33 . 2010-06-11 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited

2010-06-11 01:33 . 2009-11-12 19:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2010-06-11 01:33 . 2010-06-11 01:33 -------- d-----w- c:\program files\CDBurnerXP

2010-06-10 22:28 . 2010-06-10 22:28 299008 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atlchat.dll

2010-06-09 21:58 . 2008-04-14 00:12 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2010-06-07 18:44 . 2010-06-07 18:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-06-07 14:48 . 2010-06-07 15:15 -------- d-----w- c:\documents and settings\Craddock\Local Settings\Application Data\touuloven

2010-06-07 14:48 . 2010-06-07 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-06-07 14:47 . 2010-06-07 14:47 32256 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\Firefox\Profiles\dasypmbl.default\extensions\{3997989E-8B76-4709-839A-E0D908B8418B}\components\EasyGetFF.dll

2010-06-07 14:47 . 2010-06-07 14:47 -------- d-----w- c:\documents and settings\Craddock\Local Settings\Application Data\EasyGet

2010-06-07 14:47 . 2010-06-07 15:49 -------- d-----w- c:\documents and settings\Craddock\Local Settings\Application Data\AskToolbar

2010-06-07 14:42 . 2010-06-07 14:42 -------- d-----w- c:\documents and settings\Craddock\Application Data\Malwarebytes

2010-06-07 14:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 14:41 . 2010-06-07 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 14:41 . 2010-06-07 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-07 14:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-05 06:07 . 2010-06-05 06:07 -------- d-----w- c:\program files\uTorrent

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-24 18:04 . 2010-01-06 06:04 -------- d-----w- c:\documents and settings\Craddock\Application Data\uTorrent

2010-06-24 18:02 . 2010-03-05 15:07 -------- d-----w- c:\documents and settings\Craddock\Application Data\.purple

2010-06-11 15:36 . 2010-02-26 16:43 324936 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\atcliun.exe

2010-06-11 15:35 . 2010-02-26 16:42 185240 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\atgpcext.dll

2010-06-10 22:28 . 2010-06-10 22:28 221184 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atres_lite.dll

2010-06-10 22:28 . 2010-06-10 22:28 770872 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atsccust.dll

2010-06-10 22:28 . 2010-06-10 22:28 221184 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\scwbxui7.dll

2010-06-10 22:28 . 2010-06-10 22:28 356352 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\sccustres.dll

2010-06-10 22:28 . 2010-06-10 22:28 165176 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\wbxreport.exe

2010-06-10 22:28 . 2010-06-10 22:28 163840 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\uilibres.dll

2010-06-10 22:28 . 2010-06-10 22:28 65536 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\wbxcrypt.dll

2010-06-10 22:28 . 2010-06-10 22:28 5702 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atkbctl.dll

2010-06-10 22:28 . 2010-06-10 22:28 49152 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\wbxtrace.dll

2010-06-10 22:28 . 2010-06-10 22:28 286720 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\attp.dll

2010-06-10 22:28 . 2010-06-10 22:28 24576 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atmemmgr.dll

2010-06-10 22:28 . 2010-06-10 22:28 53248 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atcarmcl.dll

2010-06-10 22:28 . 2010-06-10 22:28 380928 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atarm.dll

2010-06-10 17:07 . 2009-08-20 16:07 -------- d-----w- c:\documents and settings\Craddock\Application Data\webex

2010-06-10 14:25 . 2010-03-05 15:07 -------- d-----w- c:\program files\Pidgin

2010-06-08 22:39 . 2010-06-21 21:23 704512 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\msc@songbirdnest.com\platform\WINNT_x86-msvc\components\sbMSCDevice.dll

2010-06-08 03:25 . 2010-01-20 20:21 -------- d-----w- c:\documents and settings\Craddock\Application Data\gtk-2.0

2010-05-21 08:19 . 2010-02-26 16:42 28488 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\atgpcdec.dll

2010-05-20 22:57 . 2010-05-20 22:57 831488 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\832\mac.dll

2010-05-18 14:10 . 2010-05-18 14:10 -------- d-----w- c:\documents and settings\Craddock\Application Data\enchant

2010-05-09 22:30 . 2010-06-21 21:23 282624 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\windowsmedia@songbirdnest.com\platform\WINNT_x86-msvc\components\sbWindowsMediacore.dll

2010-05-09 22:30 . 2010-06-21 21:23 110592 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\quicktime@songbirdnest.com\platform\WINNT_x86-msvc\components\sbQuickTimeMediacore.dll

2010-05-09 22:30 . 2010-06-21 21:23 872448 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\mtp@songbirdnest.com\platform\WINNT_x86-msvc\components\sbMTPWin32.dll

2010-05-09 22:28 . 2010-06-21 21:23 13312 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\components\sbGracenoteStub.dll

2010-05-09 22:28 . 2010-06-21 21:23 81920 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\sbGracenote.dll

2010-05-09 22:28 . 2010-06-21 21:23 81408 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_musicid_cd.dll

2010-05-09 22:28 . 2010-06-21 21:23 571904 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_sdkmanager.dll

2010-05-09 22:28 . 2010-06-21 21:23 154624 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_search.dll

2010-05-09 22:28 . 2010-06-21 21:23 114688 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_link.dll

2010-05-09 22:28 . 2010-06-21 21:23 13312 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\components\sbGearworksStub.dll

2010-05-09 22:28 . 2010-06-21 21:23 65536 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\sbGearworksCD.dll

2010-05-09 22:28 . 2010-06-21 21:23 394600 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gwrks32.dll

2010-05-09 22:28 . 2010-06-21 21:23 3573096 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gearaw32.dll

2010-05-09 22:28 . 2010-06-21 21:23 238952 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gwlangen.dll

2010-05-08 02:46 . 2009-08-23 23:56 -------- d-----w- c:\program files\Google

2010-04-30 08:01 . 2010-04-29 22:00 3100814229 ----a-w- c:\documents and settings\Craddock\VLR_Matt.zip

2010-04-28 13:52 . 2010-04-28 13:52 32024683 ----a-w- c:\documents and settings\Craddock\wireless-switch.zip

2010-04-22 18:16 . 2010-03-27 01:50 256 ----a-w- c:\windows\system32\pool.bin

2010-04-08 15:47 . 2010-04-08 15:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-05 11:46 . 2010-04-05 11:46 26694 ----a-r- c:\documents and settings\Craddock\Application Data\Microsoft\Installer\{10FD7666-5D97-4677-8181-AFCD08260043}\BlackBerry.exe

2010-03-27 01:49 . 2009-08-18 16:27 62280 -c--a-w- c:\documents and settings\Craddock\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2003-08-16 12:30 . 2009-09-02 16:36 150519 ----a-w- c:\program files\H5614H01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 840686 ----a-w- c:\program files\D5614A01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 272467 ----a-w- c:\program files\C5614B01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 253358 ----a-w- c:\program files\C5614A01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 117844 ----a-w- c:\program files\B5614F01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 117461 ----a-w- c:\program files\B5614E01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 481873 ----a-w- c:\program files\B5614B01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 470042 ----a-w- c:\program files\B5614A01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 606451 ----a-w- c:\program files\A5614301.CAB

2003-08-16 12:27 . 2009-09-02 16:36 668664 ----a-w- c:\program files\A5614201.CAB

2003-08-16 12:26 . 2009-09-02 16:36 8251862 ----a-w- c:\program files\A5614101.CAB

2010-01-26 22:09 . 2008-07-02 10:22 27960 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2010-01-26 22:09 . 2008-07-02 10:22 126344 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2009-11-06 15:47 . 2008-07-02 10:24 46408 -c--a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2009-08-20 16:06 . 2009-08-20 16:06 98712 -c--a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

Infected c:\windows\system32\user32.dll hex repaired

------- Sigcheck -------

[7] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2help.dll

[-] 2008-04-14 . 6388CB57165A1496B75333BB7492CCA9 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll

[7] 2004-08-04 . 9BEACB911CA61E5881102188AB7FB431 . 19968 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2help.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2010-05-31 48106]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-06-05 322352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-01 196608]

"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-05-30 593920]

"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-09-09 1486848]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-11 1351680]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-11 1191936]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2008-07-09 150040]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2008-07-09 170520]

"Persistence"="c:\windows\System32\igfxpers.exe" [2008-07-09 141848]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]

"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]

"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2006-10-18 45056]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-07-13 169264]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-8-18 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]

2009-05-14 03:05 623888 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phidget21Manager]

2009-12-14 21:40 86016 ----a-w- c:\program files\Phidgets\Phidget21Manager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2010-06-05 06:07 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=

"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [8/20/2009 12:09 PM 34671]

R1 NvtSp50;Novatel Wireless NDIS 5 Single-Packet Read Protocol Driver;c:\windows\system32\drivers\NvtSp50.sys [6/10/2008 1:32 PM 22016]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [6/3/2008 3:28 PM 386328]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [7/31/2008 9:41 PM 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [7/31/2008 9:41 PM 21352]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]

R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [9/9/2008 2:21 PM 69632]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [8/18/2009 11:08 AM 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [8/18/2009 11:37 AM 244368]

S0 aamzl;aamzl; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/10/2009 11:25 PM 133104]

S3 PhidgetWebservice21;Phidget Webservice 21;c:\program files\Phidgets\PhidgetWindowsService21.exe [12/14/2009 4:40 PM 24576]

.

Contents of the 'Scheduled Tasks' folder

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-11 04:25]

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-11 04:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Craddock\Application Data\Mozilla\Firefox\Profiles\dasypmbl.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101021100&s=

FF - plugin: c:\documents and settings\Craddock\Application Data\Mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npnipp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101021100&s=

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

Toolbar-Locked - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-24 13:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A1FBEC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9ef3852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Intel® WiFi Link 5100 AGN -> SendCompleteHandler -> NDIS.sys @ 0xb9e11bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9e00a0d

SendHandler -> NDIS.sys @ 0xb9e14b40

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-606747145-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D134596E-FD1B-5236-DF67-9E96B36D99F4}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iafdgahkfejpkaaeca"=hex:6b,61,61,69,67,6e,6e,6e,64,61,6c,62,6b,6f,61,67,68,6b,

6f,66,67,6b,00,00

"haldinokcpibohbg"=hex:6b,61,61,69,67,6e,6e,6e,64,61,6c,62,6b,6f,61,67,68,6b,

6f,66,67,6b,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1512)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1572)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2688)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Maxtor\Sync\SyncServices.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\Network Associates\Common Framework\naPrdMgr.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\windows\system32\STacSV.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Intel\WiFi\bin\WLKeeper.exe

c:\windows\sttray.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\HidFind.exe

c:\windows\System32\igfxsrvc.exe

c:\program files\Network Associates\Common Framework\McTray.exe

c:\windows\System32\wbem\unsecapp.exe

c:\program files\DellTPad\Apntex.exe

.

**************************************************************************

.

Completion time: 2010-06-24 13:08:59 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-24 18:08

Pre-Run: 7,351,906,304 bytes free

Post-Run: 7,926,009,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

C:\wubildr.mbr = "Ubuntu"

- - End Of File - - 17D1DF716042001D95D04ECAEED7FF35


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

Driver::
aamzl

Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\mnoqeplyt

FCopy::
c:\windows\ServicePackFiles\i386\ws2help.dll | c:\windows\system32\ws2help.dll

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101021100&s=

RegLock::
[HKEY_USERS\S-1-5-21-606747145-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D134596E-FD1B-5236-DF67-9E96B36D99F4}*]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

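The CFScript above acts on four things that are visible in the posted log: a boot-start service with no file behind it (S0 aamzl ... [x]), a user proxy forced to 127.0.0.1:5555, Firefox's keyword.URL pointing at search.wish-search.com, and a locked registry key holding hex-encoded strings. As an added example (not from this thread or from the ComboFix project), here is a small Python triage script that pulls those same indicators out of a ComboFix-style log; SAMPLE_LOG is a constructed excerpt modelled on the log above, and KNOWN_SEARCH_HOSTS is an assumed allowlist.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Assumed allowlist: hosts a user-set keyword.URL is expected to point at.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Constructed excerpt modelled on the ComboFix log in this thread (not the full log).
SAMPLE_LOG = r"""
S0 aamzl;aamzl; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/10/2009 11:25 PM 133104]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101021100&s=
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-606747145-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D134596E-FD1B-5236-DF67-9E96B36D99F4}*]
@Allowed: (Read) (RestrictedCode)
"iafdgahkfejpkaaeca"=hex:6b,61,61,69,67,6e,6e,6e,64,61,6c,62,6b,6f,61,67,68,6b,
6f,66,67,6b,00,00
"""


@dataclass
class Finding:
    category: str   # orphan-service | local-proxy | search-hijack | locked-key
    detail: str


SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
KEYWORD_RE = re.compile(r"FF - (?:prefs|user)\.js: keyword\.URL - (\S+)")
HEXVAL_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')
HEXCONT_RE = re.compile(r"^[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*,?$")


def decode_reg_hex(hexlist: str) -> str:
    """Turn a REG_BINARY dump such as '6b,61,...,00,00' into text, dropping trailing NULs."""
    raw = bytes(int(b, 16) for b in hexlist.split(",") if b.strip())
    return raw.rstrip(b"\x00").decode("latin-1")


def triage(log_text: str) -> List[Finding]:
    """Walk a ComboFix-style log and return the suspicious entries a helper would act on."""
    findings: List[Finding] = []
    lines = log_text.splitlines()
    in_locked = False
    current_key = "?"
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        if "LOCKED REGISTRY KEYS" in line:
            in_locked = True
            continue
        if line.startswith("----") or line.startswith("****"):
            in_locked = False          # any other section banner ends the locked-keys block
            continue

        m = SERVICE_RE.match(line)
        if m:
            start_type, name, _desc, path = m.groups()
            if path.strip() == "[x]":  # ComboFix marks a service whose image file is gone with [x]
                findings.append(Finding("orphan-service",
                    f"{start_type} service '{name}' is registered but its image file is missing"))
            continue

        m = PROXY_RE.search(line)
        if m:
            if "127.0.0.1" in m.group(1) or "localhost" in m.group(1):
                findings.append(Finding("local-proxy",
                    f"user proxy routes browser traffic through loopback: {m.group(1)}"))
            continue

        m = KEYWORD_RE.search(line)
        if m:
            url = m.group(1).replace("hxxp", "http", 1)   # undo the log's URL defanging
            host = urlparse(url).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding("search-hijack",
                    f"keyword.URL sends address-bar searches to {host}: {m.group(1)}"))
            continue

        if in_locked:
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
                continue
            m = HEXVAL_RE.match(line)
            if m:
                name, hexdata = m.groups()
                # REG_BINARY values wrap onto continuation lines of bare hex bytes
                while i < len(lines) and HEXCONT_RE.match(lines[i].strip()):
                    hexdata = hexdata.rstrip(",") + "," + lines[i].strip()
                    i += 1
                findings.append(Finding("locked-key",
                    f"{current_key}: {name} = {decode_reg_hex(hexdata)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

Run it against a full ComboFix.txt and the four categories map one-to-one onto the Driver::, DDS:: and RegLock:: sections a CFScript would need.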

Thanks for the continued patience and help. See below for the log:

ComboFix 10-06-23.05 - Craddock 06/24/2010 16:58:24.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1968.1432 [GMT -5:00]

Running from: c:\documents and settings\Craddock\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Craddock\Desktop\CFScript.txt

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\LocalService\Local Settings\Application Data\mnoqeplyt

Infected copy of c:\windows\system32\drivers\isapnp.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\ws2help.dll --> c:\windows\system32\ws2help.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_AAMZL

-------\Service_aamzl

((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))

.

2010-06-24 20:42 . 2010-06-24 20:42 348160 ----a-w- c:\documents and settings\Craddock\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-115c3f70-n\msvcr71.dll

2010-06-24 20:42 . 2010-06-24 20:42 503808 ----a-w- c:\documents and settings\Craddock\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-115c3f70-n\msvcp71.dll

2010-06-24 20:42 . 2010-06-24 20:42 499712 ----a-w- c:\documents and settings\Craddock\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-115c3f70-n\jmc.dll

2010-06-23 10:08 . 2010-06-23 10:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-06-21 23:06 . 2010-06-21 23:06 1065 ----a-w- c:\documents and settings\Craddock\Application Data\.purple\certificates\x509\tls_peers\gmail.com

2010-06-21 21:20 . 2010-06-21 21:20 -------- d-----w- c:\documents and settings\Craddock\Local Settings\Application Data\Songbird2

2010-06-21 21:20 . 2010-06-21 21:20 -------- d-----w- c:\documents and settings\Craddock\Application Data\Songbird2

2010-06-21 21:20 . 2010-06-09 00:30 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-06-21 21:20 . 2010-06-09 00:30 109360 ----a-w- c:\windows\system32\GEARAspi.dll

2010-06-21 21:19 . 2010-06-22 00:02 -------- d-----w- c:\program files\Songbird

2010-06-18 19:46 . 2010-06-19 01:35 -------- d-----w- c:\windows\SxsCaPendDel

2010-06-17 20:00 . 2010-06-17 20:00 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-06-17 19:59 . 2010-06-23 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-06-11 15:23 . 2010-06-11 15:23 -------- d-----w- c:\windows\Cache

2010-06-11 01:33 . 2010-06-11 01:33 -------- d-----w- c:\documents and settings\Craddock\Application Data\Canneverbe Limited

2010-06-11 01:33 . 2010-06-11 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited

2010-06-11 01:33 . 2009-11-12 19:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2010-06-11 01:33 . 2010-06-11 01:33 -------- d-----w- c:\program files\CDBurnerXP

2010-06-10 22:28 . 2010-06-10 22:28 299008 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atlchat.dll

2010-06-09 21:58 . 2008-04-14 00:12 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2010-06-07 18:44 . 2010-06-07 18:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-06-07 14:48 . 2010-06-07 15:15 -------- d-----w- c:\documents and settings\Craddock\Local Settings\Application Data\touuloven

2010-06-07 14:48 . 2010-06-07 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-06-07 14:47 . 2010-06-07 14:47 32256 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\Firefox\Profiles\dasypmbl.default\extensions\{3997989E-8B76-4709-839A-E0D908B8418B}\components\EasyGetFF.dll

2010-06-07 14:47 . 2010-06-07 14:47 -------- d-----w- c:\documents and settings\Craddock\Local Settings\Application Data\EasyGet

2010-06-07 14:47 . 2010-06-07 15:49 -------- d-----w- c:\documents and settings\Craddock\Local Settings\Application Data\AskToolbar

2010-06-07 14:42 . 2010-06-07 14:42 -------- d-----w- c:\documents and settings\Craddock\Application Data\Malwarebytes

2010-06-07 14:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-07 14:41 . 2010-06-07 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 14:41 . 2010-06-07 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-07 14:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-05 06:07 . 2010-06-05 06:07 -------- d-----w- c:\program files\uTorrent

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-24 22:07 . 2010-01-06 06:04 -------- d-----w- c:\documents and settings\Craddock\Application Data\uTorrent

2010-06-24 22:07 . 2010-03-05 15:07 -------- d-----w- c:\documents and settings\Craddock\Application Data\.purple

2010-06-11 15:36 . 2010-02-26 16:43 324936 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\atcliun.exe

2010-06-11 15:35 . 2010-02-26 16:42 185240 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\atgpcext.dll

2010-06-10 22:28 . 2010-06-10 22:28 221184 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atres_lite.dll

2010-06-10 22:28 . 2010-06-10 22:28 770872 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atsccust.dll

2010-06-10 22:28 . 2010-06-10 22:28 221184 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\scwbxui7.dll

2010-06-10 22:28 . 2010-06-10 22:28 356352 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\sccustres.dll

2010-06-10 22:28 . 2010-06-10 22:28 165176 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\wbxreport.exe

2010-06-10 22:28 . 2010-06-10 22:28 163840 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\uilibres.dll

2010-06-10 22:28 . 2010-06-10 22:28 65536 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\wbxcrypt.dll

2010-06-10 22:28 . 2010-06-10 22:28 5702 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atkbctl.dll

2010-06-10 22:28 . 2010-06-10 22:28 49152 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\wbxtrace.dll

2010-06-10 22:28 . 2010-06-10 22:28 286720 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\attp.dll

2010-06-10 22:28 . 2010-06-10 22:28 24576 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atmemmgr.dll

2010-06-10 22:28 . 2010-06-10 22:28 53248 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atcarmcl.dll

2010-06-10 22:28 . 2010-06-10 22:28 380928 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\932\atarm.dll

2010-06-10 17:07 . 2009-08-20 16:07 -------- d-----w- c:\documents and settings\Craddock\Application Data\webex

2010-06-10 14:25 . 2010-03-05 15:07 -------- d-----w- c:\program files\Pidgin

2010-06-08 22:39 . 2010-06-21 21:23 704512 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\msc@songbirdnest.com\platform\WINNT_x86-msvc\components\sbMSCDevice.dll

2010-06-08 03:25 . 2010-01-20 20:21 -------- d-----w- c:\documents and settings\Craddock\Application Data\gtk-2.0

2010-05-21 08:19 . 2010-02-26 16:42 28488 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\atgpcdec.dll

2010-05-20 22:57 . 2010-05-20 22:57 831488 ----a-w- c:\documents and settings\Craddock\Application Data\Mozilla\plugins\WebEx\832\mac.dll

2010-05-18 14:10 . 2010-05-18 14:10 -------- d-----w- c:\documents and settings\Craddock\Application Data\enchant

2010-05-09 22:30 . 2010-06-21 21:23 282624 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\windowsmedia@songbirdnest.com\platform\WINNT_x86-msvc\components\sbWindowsMediacore.dll

2010-05-09 22:30 . 2010-06-21 21:23 110592 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\quicktime@songbirdnest.com\platform\WINNT_x86-msvc\components\sbQuickTimeMediacore.dll

2010-05-09 22:30 . 2010-06-21 21:23 872448 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\mtp@songbirdnest.com\platform\WINNT_x86-msvc\components\sbMTPWin32.dll

2010-05-09 22:28 . 2010-06-21 21:23 13312 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\components\sbGracenoteStub.dll

2010-05-09 22:28 . 2010-06-21 21:23 81920 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\sbGracenote.dll

2010-05-09 22:28 . 2010-06-21 21:23 81408 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_musicid_cd.dll

2010-05-09 22:28 . 2010-06-21 21:23 571904 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_sdkmanager.dll

2010-05-09 22:28 . 2010-06-21 21:23 154624 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_search.dll

2010-05-09 22:28 . 2010-06-21 21:23 114688 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\gracenote@songbirdnest.com\platform\WINNT_x86-msvc\lib\gnsdk_link.dll

2010-05-09 22:28 . 2010-06-21 21:23 13312 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\components\sbGearworksStub.dll

2010-05-09 22:28 . 2010-06-21 21:23 65536 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\sbGearworksCD.dll

2010-05-09 22:28 . 2010-06-21 21:23 394600 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gwrks32.dll

2010-05-09 22:28 . 2010-06-21 21:23 3573096 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gearaw32.dll

2010-05-09 22:28 . 2010-06-21 21:23 238952 ----a-w- c:\documents and settings\Craddock\Application Data\Songbird2\Profiles\vzillvl9.default\extensions\cd-rip@songbirdnest.com\platform\WINNT_x86-msvc\lib\gwlangen.dll

2010-05-08 02:46 . 2009-08-23 23:56 -------- d-----w- c:\program files\Google

2010-04-30 08:01 . 2010-04-29 22:00 3100814229 ----a-w- c:\documents and settings\Craddock\VLR_Matt.zip

2010-04-28 13:52 . 2010-04-28 13:52 32024683 ----a-w- c:\documents and settings\Craddock\wireless-switch.zip

2010-04-22 18:16 . 2010-03-27 01:50 256 ----a-w- c:\windows\system32\pool.bin

2010-04-08 15:47 . 2010-04-08 15:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-05 11:46 . 2010-04-05 11:46 26694 ----a-r- c:\documents and settings\Craddock\Application Data\Microsoft\Installer\{10FD7666-5D97-4677-8181-AFCD08260043}\BlackBerry.exe

2010-03-27 01:49 . 2009-08-18 16:27 62280 -c--a-w- c:\documents and settings\Craddock\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2003-08-16 12:30 . 2009-09-02 16:36 150519 ----a-w- c:\program files\H5614H01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 840686 ----a-w- c:\program files\D5614A01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 272467 ----a-w- c:\program files\C5614B01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 253358 ----a-w- c:\program files\C5614A01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 117844 ----a-w- c:\program files\B5614F01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 117461 ----a-w- c:\program files\B5614E01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 481873 ----a-w- c:\program files\B5614B01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 470042 ----a-w- c:\program files\B5614A01.CAB

2003-08-16 12:27 . 2009-09-02 16:36 606451 ----a-w- c:\program files\A5614301.CAB

2003-08-16 12:27 . 2009-09-02 16:36 668664 ----a-w- c:\program files\A5614201.CAB

2003-08-16 12:26 . 2009-09-02 16:36 8251862 ----a-w- c:\program files\A5614101.CAB

2010-01-26 22:09 . 2008-07-02 10:22 27960 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2010-01-26 22:09 . 2008-07-02 10:22 126344 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2009-11-06 15:47 . 2008-07-02 10:24 46408 -c--a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2009-08-20 16:06 . 2009-08-20 16:06 98712 -c--a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

"Pidgin"="c:\program files\Pidgin\pidgin.exe" [2010-05-31 48106]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-06-05 322352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-01 196608]

"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-05-30 593920]

"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-09-09 1486848]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-11 1351680]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-11 1191936]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2008-07-09 150040]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2008-07-09 170520]

"Persistence"="c:\windows\System32\igfxpers.exe" [2008-07-09 141848]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]

"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2006-10-18 40960]

"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2006-10-18 45056]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-07-13 169264]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-8-18 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]

2009-05-14 03:05 623888 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phidget21Manager]

2009-12-14 21:40 86016 ----a-w- c:\program files\Phidgets\Phidget21Manager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2010-06-05 06:07 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=

"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [8/20/2009 12:09 PM 34671]

R1 NvtSp50;Novatel Wireless NDIS 5 Single-Packet Read Protocol Driver;c:\windows\system32\drivers\NvtSp50.sys [6/10/2008 1:32 PM 22016]

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]

R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [6/3/2008 3:28 PM 386328]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [7/31/2008 9:41 PM 808296]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [7/31/2008 9:41 PM 21352]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]

R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [9/9/2008 2:21 PM 69632]

R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [8/18/2009 11:08 AM 32808]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [8/18/2009 11:37 AM 244368]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/10/2009 11:25 PM 133104]

S3 PhidgetWebservice21;Phidget Webservice 21;c:\program files\Phidgets\PhidgetWindowsService21.exe [12/14/2009 4:40 PM 24576]

.

Contents of the 'Scheduled Tasks' folder

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-11 04:25]

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-11 04:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Craddock\Application Data\Mozilla\Firefox\Profiles\dasypmbl.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101021100&s=

FF - plugin: c:\documents and settings\Craddock\Application Data\Mozilla\plugins\npatgpc.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npnipp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101021100&s=

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-24 17:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-606747145-152049171-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D134596E-FD1B-5236-DF67-9E96B36D99F4}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iafdgahkfejpkaaeca"=hex:6b,61,61,69,67,6e,6e,6e,64,61,6c,62,6b,6f,61,67,68,6b,6f,66,67,6b,00,00

"haldinokcpibohbg"=hex:6b,61,61,69,67,6e,6e,6e,64,61,6c,62,6b,6f,61,67,68,6b,6f,66,67,6b,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3556)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Maxtor\Sync\SyncServices.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\program files\Network Associates\Common Framework\naPrdMgr.exe

c:\windows\system32\STacSV.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Intel\WiFi\bin\WLKeeper.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\HidFind.exe

c:\program files\DellTPad\Apntex.exe

c:\windows\sttray.exe

c:\windows\System32\igfxsrvc.exe

c:\program files\Network Associates\Common Framework\McTray.exe

c:\windows\System32\wbem\unsecapp.exe

c:\program files\McAfee\VirusScan Enterprise\MCUPDATE.EXE

c:\program files\Network Associates\Common Framework\McScript_InUse.exe

.

**************************************************************************

.

Completion time: 2010-06-24 17:09:40 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-24 22:09

ComboFix2.txt 2010-06-24 18:09

Pre-Run: 7,831,633,920 bytes free

Post-Run: 7,638,900,736 bytes free

- - End Of File - - 617F7333532F5507DA738393AFF64F34


Most variations of malware. The most serious was the TDSS rootkit.

http://www.kernelmode.info/forum/viewtopic...=19&start=0

Last steps:

Step 1

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete DDS and Defogger.

Step 4

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! ;)
