
Help Confirm/Ensure Computer is now Clean



Was having problems with Google Redirect virus and took the following actions:

MalwareBytes

HitMan Pro

MSFT Malicious Software Scan

MSFT Essentials

Reset Router

Surprisingly, resetting the router is what solved the redirect virus, but in doing the other scans, found lots of other malicious items (rootkits, password stealers, trojans, etc.)... scary stuff.

I now appear to be clean, but would like to know for certain (or at least as certain as one can be) so need the help of the experts here.

Here is the latest MalwareBytes log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4265

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

7/2/2010 3:20:19 AM

mbam-log-2010-07-02 (03-20-19).txt

Scan type: Quick scan

Objects scanned: 137578

Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

When running the DeFogger it seemed to work but I was NOT asked to reboot the machine. Not sure if this is an error or not, so here is the defogger_disable log:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 02:40 on 02/07/2010 (Steve)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Here is the DDS.txt log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Steve at 2:41:48.52 on Fri 07/02/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2261 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

svchost.exe

E:\xampp\apache\bin\apache.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

E:\xampp\apache\bin\apache.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Steve\Desktop\MalwareLogStuff\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://mail.yahoo.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [Alcmtr] ALCMTR.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\xpm49sa7.default\

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]

R2 Apache2.2;Apache2.2;e:\xampp\apache\bin\apache.exe [2008-6-12 24635]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-5-5 304464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-5-5 20952]

=============== Created Last 30 ================

2010-07-02 06:40:29 0 ----a-w- c:\documents and settings\steve\defogger_reenable

2010-06-11 16:31:34 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-11 16:28:43 0 d-----w- c:\program files\Microsoft Security Essentials

2010-06-11 16:28:19 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-06-11 16:28:19 215920 ----a-w- c:\windows\system32\muweb.dll

2010-06-11 16:28:19 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-06-11 16:22:38 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-11 15:51:32 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-11 15:51:26 0 d-----w- c:\program files\Hitman Pro 3.5

2010-06-11 15:51:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-06-11 03:18:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-06-11 00:46:32 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2010-04-16 11:43:25 634656 ----a-w- c:\windows\system32\dllcache\iexplore.exe

2010-04-16 11:43:23 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

2010-04-03 07:33:56 2365288 ----a-w- c:\windows\system32\dllcache\WMVCore.dll

============= FINISH: 2:42:30.96 ===============

Other Files attached.

Thank you in advance for helping.

Attach.zip

ark.zip

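The triage a helper does by eye on the "Pseudo HJT Report" above is to read each uRun:/mRun: autostart line, work out which file on disk it actually launches, and look for entries that cannot be tied to a known vendor path. The following is an added example (not part of this thread or of the DDS tool) that parses those lines and applies two review heuristics: a bare file name with no directory, and a binary living under a user profile or temp folder. The sample lines are constructed from the DDS log in this thread, plus one hypothetical "Updater" line added only to exercise the second heuristic.

```python
"""Review helper for uRun:/mRun: lines from a DDS 'Pseudo HJT Report'.

Added example, not code from the thread or from DDS. Lines look like:
    mRun: [Name] "c:\\path\\to\\binary.exe" -args
Two heuristics a log reviewer applies by hand are automated here:
  * 'unqualified-path': the value names only a file (e.g. RTHDCPL.EXE), so
    the log alone cannot say which file on disk is launched;
  * 'user-profile-location': the binary sits under a user profile / temp
    directory, unusual for a vendor autostart and worth a closer look.
"""
import re
from dataclasses import dataclass, field

# scope: 'u' = HKCU (per-user) Run key, 'm' = HKLM (machine-wide) Run key
RUN_RE = re.compile(r'^(?P<scope>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')

USER_PROFILE_MARKERS = (
    '\\documents and settings\\',
    '\\local settings\\',
    '\\application data\\',
    '\\temp\\',
)


@dataclass
class AutostartEntry:
    scope: str
    name: str
    command: str
    path: str                      # the file the entry actually launches/loads
    flags: list = field(default_factory=list)


def extract_binary(cmd: str) -> str:
    """Return the binary (or, for rundll32 entries, the DLL) from a Run value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ''
    # RUNDLL32.EXE c:\path\x.dll,Entry -> the interesting file is the DLL
    if tokens[0].lower() == 'rundll32.exe' and len(tokens) > 1:
        return tokens[1].split(',', 1)[0]
    return tokens[0]


def review_path(path: str) -> list:
    """Apply the two heuristics to one launched path."""
    flags = []
    if '\\' not in path:
        flags.append('unqualified-path')
    low = path.lower()
    if any(marker in low for marker in USER_PROFILE_MARKERS):
        flags.append('user-profile-location')
    return flags


def parse_run_entries(log_text: str) -> list:
    """Parse every uRun:/mRun: line of a DDS log into AutostartEntry records."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue                    # BHO:, TB:, DPF: etc. are not Run values
        cmd = m.group('cmd').strip()
        path = extract_binary(cmd)
        entries.append(AutostartEntry(m.group('scope'), m.group('name'),
                                      cmd, path, review_path(path)))
    return entries


def flagged(entries: list) -> dict:
    """Map entry name -> flags for entries that need a second look."""
    return {e.name: e.flags for e in entries if e.flags}


# Constructed sample: real lines from the DDS log in this thread, plus one
# hypothetical 'Updater' line (NOT from the thread) to exercise the profile check.
SAMPLE_DDS_LINES = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
uRun: [Updater] "c:\documents and settings\steve\local settings\temp\update.exe" /s
"""

if __name__ == '__main__':
    for entry in parse_run_entries(SAMPLE_DDS_LINES):
        mark = ' <-- ' + ', '.join(entry.flags) if entry.flags else ''
        print(f"{entry.scope}Run {entry.name:12s} {entry.path}{mark}")
```

Entries that come back unflagged are not thereby proven clean; the heuristics only order the list for the reviewer, who still checks each path against the vendor and file date columns elsewhere in the log.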

Please download ComboFix from this link, save it on your desktop, turn off your anti-virus software, and run the ComboFix download that you had saved on your desktop.

Combofix will ask you a few questions (such as whether or not you want to install the Windows Recovery Console), give you some general warnings about not using it without supervision, and it will give you some general information about the tool. Please note that the Windows Recovery Console is not required to run ComboFix, and that you do not need it if you have a Windows XP disk.

ComboFix usually takes about 10 minutes to run, unless your computer is heavily infected. It will run through about 50 different stages (listing them all on the blue window that popped up while it was running), and if it does not advance to the next stage after about 10 minutes then that is usually a sign that your anti-virus software is interfering with it.

Once ComboFix is done, it will remove anything that it knows is malicious, and restart your computer. If it didn't find anything malicious, then it will skip that step. The final step takes a few minutes, and when it is done it will open a log in Notepad. Please either copy and paste this log into a reply, or save it on your desktop as a Text Document and attach it to a reply. Please do not take screenshots of the log, or save it as a Word Document.


Thanks for the reply/help. Here is the info from the log.txt file:

ComboFix 10-07-01.02 - Steve 07/02/2010 20:14:42.1.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2309 [GMT -4:00]

Running from: c:\documents and settings\Steve\Desktop\MalwareLogStuff\ComboFix.exe

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Steve\g2mdlhlpx.exe

c:\windows\xpsp1hfm.log

.

((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))

.

2010-06-30 07:00 . 2010-06-30 07:00 36688 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-22 08:01 . 2010-06-22 08:01 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-06-20 21:30 . 2010-07-01 13:32 27630760 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUPDATER\msgup1000_1270_us_u1.exe

2010-06-16 05:27 . 2010-06-15 00:23 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUPDATER\yupdater.exe

2010-06-11 16:31 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-11 16:28 . 2010-06-30 07:00 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-06-11 16:28 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-06-11 16:28 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-06-11 16:22 . 2010-06-11 16:22 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-11 15:51 . 2010-07-02 20:18 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-11 15:51 . 2010-06-11 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-11 15:51 . 2010-06-11 15:51 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-06-11 00:46 . 2010-06-11 00:46 503808 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2e3afd79-n\msvcp71.dll

2010-06-11 00:46 . 2010-06-11 00:46 499712 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2e3afd79-n\jmc.dll

2010-06-11 00:46 . 2010-06-11 00:46 348160 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2e3afd79-n\msvcr71.dll

2010-06-11 00:46 . 2010-06-11 00:46 61440 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c62618b-n\decora-sse.dll

2010-06-11 00:46 . 2010-06-11 00:46 12800 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c62618b-n\decora-d3d.dll

2010-06-11 00:46 . 2010-06-11 03:18 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\24011\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\24011\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\24011\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\24011\AcrobatUpdater.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-03 00:20 . 2009-05-04 21:47 -------- d-----w- c:\documents and settings\Steve\Application Data\Skype

2010-07-03 00:20 . 2009-05-04 21:49 -------- d-----w- c:\documents and settings\Steve\Application Data\skypePM

2010-06-28 15:55 . 2008-10-24 02:11 -------- d-----w- c:\documents and settings\Steve\Application Data\FileZilla

2010-06-22 12:35 . 2009-10-29 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-06-16 05:27 . 2008-05-05 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2010-06-12 00:19 . 2008-04-19 13:07 -------- d-----w- c:\program files\Microsoft Works

2010-06-11 23:54 . 2008-04-23 01:54 -------- d-----w- c:\program files\Symantec

2010-06-11 23:53 . 2008-04-23 01:54 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-06-11 03:18 . 2008-04-19 13:00 -------- d-----w- c:\program files\Common Files\Java

2010-06-11 03:18 . 2008-04-19 13:00 -------- d-----w- c:\program files\Java

2010-06-08 14:00 . 2009-05-06 00:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-21 17:21 . 2008-08-26 18:59 -------- d-----w- c:\documents and settings\Steve\Application Data\AdobeUM

2010-05-04 17:20 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:56 . 2004-08-10 17:51 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-05-06 00:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-05-06 00:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:51 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-17 142104]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-17 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-17 138008]

"RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]

"nwiz"="nwiz.exe" [2009-05-01 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-26 6110528]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk

backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]

2008-02-28 18:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2008-04-19 13:06 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-09-10 21:40 289576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\WINDOWS\\system32\\MPSMC__U.EXE"=

"e:\\xampp\\apache\\bin\\apache.exe"=

"e:\\xampp\\mysql\\bin\\mysqld.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Apache2.2;Apache2.2;e:\xampp\apache\bin\apache.exe [6/12/2008 2:01 PM 24635]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/5/2009 8:24 PM 304464]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/5/2009 8:24 PM 20952]

.

Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://mail.yahoo.com/

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\xpm49sa7.default\

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Verizon_McciTrayApp - c:\program files\Verizon\McciTrayApp.exe

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1528)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

c:\windows\system32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2010-07-02 20:22:40 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-03 00:22

Pre-Run: 38,689,214,464 bytes free

Post-Run: 39,201,525,760 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 19603685EB5FD3C017435CBDC1DE3E79


That log looks pretty good.

Please run an online virus scan through ESET. Here are the steps:

  1. Turn off your anti-virus software.
  2. Click on this link.
  3. Click on the "ESET Online Scanner" button.
  4. Put a check in the box that says "YES, I accept the Terms of Use."
  5. Click the 'Start' button just to the right of the checkbox.
  6. Uncheck the box that says "Remove found threats" (this is very important).
  7. Click on "Advanced settings".
  8. Put a check in the box that says "Scan for potentially unsafe applications".
  9. Verify that "Scan for potentially unwanted applications" is also checked.
  10. Verify that "Enable Anti-Stealth technology" is also checked.
  11. Click the 'Start' button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
  12. When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  13. Save that text file on your desktop, and then copy and paste it into a reply for me.
  14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs to be removed.


Thanks again...

ESET Online Scanner results are clean (did find a bunch of problems on the first run, but they were all back-up files of a hacked server, so I knew exactly why they were flagged, and had the program clean those).

Anything next? If not, should any of the programs used above be deleted?


Anything next? If not, should any of the programs used above be deleted?

Everything is looking good, so your computer should be clean.

Yes, you may delete everything that you downloaded to get logs and such. There is even an uninstall in the Add/Remove Programs under the Control Panel for the files that the ESET Online Scanner installed if you want to remove that as well. :P


2 weeks later...

Since your computer has been cleaned up, I am closing this topic in order to keep it from being hijacked. If you have any further issues, then please send me a private message, and I will be happy to reopen this topic for you.
