
"Program Compability Assistant" - Rogue Malware Help Needed, "This program requires a missing codec"



  • Staff

Hi,

This certainly looks strange, because it surprises me that "Compatibility" is misspelled.

Since when did you start getting this?

Do you only get this when you open Soundbooth? Or does this also display when Soundbooth is closed?

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.


Hi Mieke and thank you very much for helping,

I am not sure when this started as I had never used Adobe Soundbooth before although I installed it a year ago. Recently my computer was infected with the "desktop security" malware bug and I was able to eliminate it using Malwarebytes.

As requested, Attach.txt is attached.

As requested, a copy and paste of the contents of DDS.txt is here:

DDS (Ver_10-03-17.01) - NTFSx86

Run by FDR at 7:49:59.96 on Fri 08/13/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2740 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Quink\Quink.exe

C:\WINDOWS\vVX3000.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Documents and Settings\FDR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Download\Malwarebytes\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.com/

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070404

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll

uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe

uRun: [Google Update] "c:\documents and settings\fdr\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [Quink] c:\program files\quink\Quink.exe

mRun: [VX3000] c:\windows\vVX3000.exe

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE

mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\firefox.exe" /runcleanupscript

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRunServices: [pdfupd] c:\docume~1\fdr\locals~1\temp\pdfupd.exe

mRunServices: [digitaldigital] c:\program files\hp\digital imaging\{3a316611-45d1-429c-aa26-b71259c44689}\imaginghpofxd08.exe

mRunServices: [gleeglren] c:\program files\matlab\r2009a student\bin\win32\unicodewindows6.6.exe

mRunServices: [QuickTimeResourcesQuickTime] c:\program files\quicktime\propertypanels\proppanelhelpers.resources\fr.lproj\quicktimeresourcesquicktime.exe

mRunServices: [HPOFXD08imaging] c:\program files\hp\digital imaging\{3a316611-45d1-429c-aa26-b71259c44689}\imaginghpofxd08.exe

mRunServices: [OfficePluginResiepluginres] c:\program files\adobe\adobe contribute cs4\en_us\resources\npcontributeresofficepluginres5.0.0.3264.exe

mRunServices: [QuickTimeQuickTimeResources] c:\program files\quicktime\propertypanels\proppanelhelpers.resources\fr.lproj\quicktimeresourcesquicktime.exe

mRunServices: [moreRefer] c:\program files\online services\internetrefer.exe

mRunServices: [resourcesMicrosoft] c:\program files\microsoft silverlight\3.0.50106.0\de\mscorlibvisualbasic3.0.50106.0.exe

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: turbotax.com

DPF: ATLApplicationLocatorAXInstall - hxxp://146.186.47.11/LaunchVCPC.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} - hxxp://www.teechart.net/files/activex/public/teechart.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/45.19/uploader2.cab

DPF: {693BC536-57DD-427A-9032-58A2F36E35EC} - hxxp://63.193.118.175/test/flex/xwavloop.cab

DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.dotphoto.com/ImageUploader4.cab

DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.ikanos.com/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} - file://d:\controls\sdkinst.cab

Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - c:\docume~1\fdr\locals~1\temp\6E.tmp

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: wxvault.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fdr\applic~1\mozilla\firefox\profiles\t3v47vsl.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\fdr\application data\mozilla\firefox\profiles\t3v47vsl.default\extensions\{cf40acc5-e1bb-4aff-ac72-04c2f616bca7}\plugins\npwavloop.dll

FF - plugin: c:\documents and settings\fdr\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\ksolo\npAVX.dll

FF - plugin: c:\program files\npapi karaoke plugin\npwavloop.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-9-7 21920]

S2 network;network;c:\windows\system32\svchost.exe -k network [2004-8-10 14336]

S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]

S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]

S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

=============== Created Last 30 ================

2010-08-12 19:49:54 0 d--h--w- c:\windows\PIF

2010-08-12 16:15:16 0 d-----w- c:\documents and settings\all users\AdobeTemp

2010-08-11 21:17:00 0 d-----w- C:\Virus

2010-08-11 20:38:20 0 d-----w- c:\program files\Trend Micro

2010-08-10 12:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-08-10 12:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-08-04 19:59:18 2464 ----a-w- c:\documents and settings\fdr\j.2.bat

2010-07-29 15:25:30 23392 ----a-w- c:\windows\system32\nscompat.tlb

2010-07-29 15:25:30 16832 ----a-w- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2010-08-10 19:47:05 3338 ----a-w- c:\documents and settings\fdr\j.bat

2010-06-23 18:08:46 1072 ----a-w- c:\documents and settings\fdr\j.1.bat

2010-06-18 18:30:03 493 ----a-w- c:\documents and settings\fdr\d.bat

2010-05-26 22:29:01 278 ----a-w- c:\documents and settings\fdr\j.0.bat

============= FINISH: 7:50:50.76 ===============


  • Staff

Hi,

What are these bat files?

2010-08-10 19:47:05 3338 ----a-w- c:\documents and settings\fdr\j.bat

2010-06-23 18:08:46 1072 ----a-w- c:\documents and settings\fdr\j.1.bat

2010-06-18 18:30:03 493 ----a-w- c:\documents and settings\fdr\d.bat

2010-05-26 22:29:01 278 ----a-w- c:\documents and settings\fdr\j.0.bat

2010-08-04 19:59:18 2464 ----a-w- c:\documents and settings\fdr\j.2.bat

Did you create them?

Please do the following as well...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Hi Mieke and thank you again for helping,

J.*.bat are all safe. Yes, I created them.

mRun: [Quink] c:\program files\quink\Quink.exe. Safe, I created it.

Adobe Soundbooth: Safe, I purchased Adobe Soundbooth directly from Adobe. I have been using their "shrink wrapped" original CDs for installation.

As requested, the ComboFix log follows:

ComboFix 10-08-12.03 - FDR 08/13/2010 11:22:39.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2675 [GMT -7:00]

Running from: c:\download\Malwarebytes\ComboFix\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NETWORK

-------\Service_network

((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))

.

2010-08-12 19:49 . 2010-08-12 19:49 -------- d--h--w- c:\windows\PIF

2010-08-12 16:15 . 2010-08-12 16:38 -------- d-----w- c:\documents and settings\All Users\AdobeTemp

2010-08-11 21:17 . 2010-08-13 17:15 -------- d-----w- C:\Virus

2010-08-11 20:38 . 2010-08-11 20:38 -------- d-----w- c:\program files\Trend Micro

2010-08-04 19:59 . 2010-07-22 00:32 2464 ----a-w- c:\documents and settings\FDR\j.2.bat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-13 16:38 . 2009-05-24 20:04 -------- d-----w- c:\program files\AirPort

2010-08-13 16:37 . 2007-04-20 04:42 -------- d-----w- c:\program files\Common Files\Adobe

2010-08-13 02:35 . 2009-11-25 03:24 -------- d-----w- c:\program files\QuickTime

2010-08-12 21:33 . 2008-05-15 23:43 75304 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-12 19:46 . 2010-07-01 22:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-11 20:58 . 2007-04-04 06:58 -------- d-----w- c:\program files\Java

2010-08-10 19:47 . 2010-05-26 22:21 3338 ----a-w- c:\documents and settings\FDR\j.bat

2010-07-29 15:38 . 2007-08-01 14:56 -------- d-----w- c:\program files\Windows Media Connect 2

2010-07-01 23:42 . 2010-07-01 23:42 -------- d-----w- c:\documents and settings\FDR\Application Data\Malwarebytes

2010-07-01 22:14 . 2010-07-01 22:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-01 22:14 . 2010-07-01 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-01 21:59 . 2010-07-01 21:59 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-06-23 18:08 . 2010-06-23 20:53 1072 ----a-w- c:\documents and settings\FDR\j.1.bat

2010-06-18 18:30 . 2010-06-18 18:48 493 ----a-w- c:\documents and settings\FDR\d.bat

2010-05-26 22:29 . 2010-06-17 20:41 278 ----a-w- c:\documents and settings\FDR\j.0.bat

1999-01-15 17:51 . 2007-11-23 01:29 266 -c--a-w- c:\program files\internet explorer\plugins\Efile.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\FDR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-31 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 102400]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]

"Quink"="c:\program files\Quink\Quink.exe" [2007-05-15 110592]

"VX3000"="c:\windows\vVX3000.exe" [2006-10-14 707376]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-14 277296]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-09-17 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-4 24576]

EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-8-25 192512]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-5-15 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\tyvcprog\\mxHello\\SpeakFreely\\Nocrypto\\Speakfre.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Speak Freely\\Speakfre.exe"=

"c:\\tyvcprog\\mxHello\\SpeakFreely\\WinDebug\\Speakfre.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=

"c:\\NewProducts\\MxHello\\RentaCoder\\evgeny777\\VoipBasic_20090508\\wavloop.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\tyvcprog\\mxHello\\VoipBasicSource_20090512\\wavloop___Win32_Release\\wavloop.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\tyvcprog\\mxHello\\VoipBasicSource_20090512\\wavloop___Win32_Debug\\wavloop.exe"=

"c:\\tyvcprog\\mxHello\\VoipBasicSourceMemLeakFix_20091201\\wavloop___Win32_Debug\\wavloop.exe"=

"c:\\tyvcprog\\mxHello\\VoipBasicSourceMemLeakFix_20091201\\wavloop___Win32_Release\\wavloop.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp

"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp

"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

"5353:UDP"= 5353:UDP:Bonjour

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [9/7/2008 9:02 PM 21920]

S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]

.

Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\defragBatch.job

- c:\windows\system32\defragBatch.bat [2007-07-17 23:02]

2009-04-10 c:\windows\Tasks\generalBackup.job

- c:\backup\generalBACKUP.BAT [2008-03-27 02:39]

2010-08-11 c:\windows\Tasks\outlookBACKUP.job

- c:\backup\outlookBACKUP.BAT [2008-03-18 21:32]

2010-08-11 c:\windows\Tasks\robocopyBACKUP.job

- c:\backup\robocopyBACKUP.BAT [2009-04-10 20:04]

2008-05-20 c:\windows\Tasks\runAdaware.job

- c:\lavasoft\runAdaware.BAT [2008-05-19 17:58]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070404

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: turbotax.com

Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -

DPF: ATLApplicationLocatorAXInstall - hxxp://146.186.47.11/LaunchVCPC.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} - hxxp://www.teechart.net/files/activex/public/teechart.cab

DPF: {693BC536-57DD-427A-9032-58A2F36E35EC} - hxxp://63.193.118.175/test/flex/xwavloop.cab

FF - ProfilePath - c:\documents and settings\FDR\Application Data\Mozilla\Firefox\Profiles\t3v47vsl.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\FDR\Application Data\Mozilla\Firefox\Profiles\t3v47vsl.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\npwavloop.dll

FF - plugin: c:\documents and settings\FDR\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\kSolo\npAVX.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\firefox.exe

Notify-WgaLogon - (no file)

AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe

AddRemove-Faverolle - c:\windows\system32\javaws.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-13 11:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\KB2183461.log 1988 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(972)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(808)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Wave Systems Corp\Common\DataServer.exe

c:\program files\Juniper Networks\Common Files\dsNcService.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

c:\windows\stsystra.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Apoint\HidFind.exe

c:\program files\Apoint\Apntex.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-08-13 11:40:49 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-13 18:40

Pre-Run: 12,963,766,272 bytes free

Post-Run: 14,279,249,920 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - ECB2DC8A5C6D00E05CABACFA75325E39


  • Staff

Hi,

The logs are a bit confusing here, because the DDS log shows many values under the Runservices key created (which are malware related entries, most probably orphaned):

mRunServices: [digitaldigital] c:\program files\hp\digital imaging\{3a316611-45d1-429c-aa26-b71259c44689}\imaginghpofxd08.exe

mRunServices: [gleeglren] c:\program files\matlab\r2009a student\bin\win32\unicodewindows6.6.exe

mRunServices: [QuickTimeResourcesQuickTime] c:\program files\quicktime\propertypanels\proppanelhelpers.resources\fr.lproj\quicktimeresourcesquicktime.exe

mRunServices: [HPOFXD08imaging] c:\program files\hp\digital imaging\{3a316611-45d1-429c-aa26-b71259c44689}\imaginghpofxd08.exe

mRunServices: [OfficePluginResiepluginres] c:\program files\adobe\adobe contribute cs4\en_us\resources\npcontributeresofficepluginres5.0.0.3264.exe

mRunServices: [QuickTimeQuickTimeResources] c:\program files\quicktime\propertypanels\proppanelhelpers.resources\fr.lproj\quicktimeresourcesquicktime.exe

mRunServices: [moreRefer] c:\program files\online services\internetrefer.exe

mRunServices: [resourcesMicrosoft] c:\program files\microsoft silverlight\3.0.50106.0\de\mscorlibvisualbasic3.0.50106.0.exe

But Combofix doesn't list them.

If they are orphaned keys, Combofix should have deleted them, but it should have mentioned this below under the - - - - ORPHANS REMOVED - - - - part. And I don't see them listed there.

Anyway, can you re-run DDS and see if the above RunServices keys are still listed there? Just let me know.

The reason I am asking you to do all this is to make sure first that all malware and leftovers are removed before we start dealing with your main problem and finding the cause. This way we can rule out malware.


Understood and no problem Mieke,

As requested, I have re-run DDS again - here is the log (I no longer see Runservices keys still listed):

DDS (Ver_10-03-17.01) - NTFSx86

Run by FDR at 12:08:17.17 on Fri 08/13/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3318.2761 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Wave Systems Corp\Common\DataServer.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Quink\Quink.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Documents and Settings\FDR\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Download\Malwarebytes\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070404

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll

uRun: [Google Update] "c:\documents and settings\fdr\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [Quink] c:\program files\quink\Quink.exe

mRun: [VX3000] c:\windows\vVX3000.exe

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: turbotax.com

DPF: ATLApplicationLocatorAXInstall - hxxp://146.186.47.11/LaunchVCPC.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} - hxxp://www.teechart.net/files/activex/public/teechart.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/45.19/uploader2.cab

DPF: {693BC536-57DD-427A-9032-58A2F36E35EC} - hxxp://63.193.118.175/test/flex/xwavloop.cab

DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.dotphoto.com/ImageUploader4.cab

DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.ikanos.com/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} - file://d:\controls\sdkinst.cab

Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\windows\system32\wxvault.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fdr\applic~1\mozilla\firefox\profiles\t3v47vsl.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\fdr\application data\mozilla\firefox\profiles\t3v47vsl.default\extensions\{cf40acc5-e1bb-4aff-ac72-04c2f616bca7}\plugins\npwavloop.dll

FF - plugin: c:\documents and settings\fdr\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\ksolo\npAVX.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-9-7 21920]

S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]

S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]

S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]

=============== Created Last 30 ================

2010-08-13 18:16:20 0 d-sha-r- C:\cmdcons

2010-08-13 18:12:00 98816 ----a-w- c:\windows\sed.exe

2010-08-13 18:12:00 77312 ----a-w- c:\windows\MBR.exe

2010-08-13 18:12:00 256512 ----a-w- c:\windows\PEV.exe

2010-08-13 18:12:00 161792 ----a-w- c:\windows\SWREG.exe

2010-08-12 19:49:54 0 d--h--w- c:\windows\PIF

2010-08-12 16:15:16 0 d-----w- c:\documents and settings\all users\AdobeTemp

2010-08-11 21:17:00 0 d-----w- C:\Virus

2010-08-11 20:38:20 0 d-----w- c:\program files\Trend Micro

2010-08-10 12:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-08-10 12:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-08-04 19:59:18 2464 ----a-w- c:\documents and settings\fdr\j.2.bat

2010-07-29 15:25:30 23392 ----a-w- c:\windows\system32\nscompat.tlb

2010-07-29 15:25:30 16832 ----a-w- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2010-08-10 19:47:05 3338 ----a-w- c:\documents and settings\fdr\j.bat

2010-06-23 18:08:46 1072 ----a-w- c:\documents and settings\fdr\j.1.bat

2010-06-18 18:30:03 493 ----a-w- c:\documents and settings\fdr\d.bat

2010-05-26 22:29:01 278 ----a-w- c:\documents and settings\fdr\j.0.bat

============= FINISH: 12:08:50.17 ===============

Attach.zip


  • Staff

Hi,

Looks like Combofix already deleted those RunServices keys but didn't mention it in the --- orphans removed --- part.

Anyway, there is nothing suspicious I can see in your logs anymore, so your issue doesn't look like the result of malware. The fact that you only get this when you launch/use Adobe Soundbooth means that the problem lies within Adobe itself.

Can you tell me if this folder is also created by Adobe soundbooth?

2010-08-12 16:15:16 0 d-----w- c:\documents and settings\all users\AdobeTemp

The folder was created on 2010-08-12 16:15:16

Is that the time you reinstalled it?

I guess you created this folder as well:

2010-08-11 21:17:00 0 d-----w- C:\Virus

Not sure what's in there, but if it's malware, it needs to go :D

You've mentioned before that you already uninstalled and reinstalled it again and the same issue appeared again. I have found an interesting PDF document about Adobe soundbooth with install/uninstall instructions:

http://www.adobe.com/support/documentation...B_Readme_EN.pdf

Make sure you have done it properly as described there. Because you need to uninstall both program and codecs + verify if everything is removed properly etc etc, before you reinstall.

They also mention something about known issues + compatibility issues, so please go through them and compare/verify with your version.


Hi,

Looks like Combofix already deleted those RunServices keys but didn't mention it in the --- orphans removed --- part.

Anyway, there is nothing suspicious I can see in your logs anymore, so your issue doesn't look like the result of malware. The fact that you only get this when you launch/use Adobe Soundbooth means that the problem lies within Adobe itself.

Can you tell me if this folder is also created by Adobe soundbooth?

2010-08-12 16:15:16 0 d-----w- c:\documents and settings\all users\AdobeTemp

The folder was created on 2010-08-12 16:15:16

Is that the time you reinstalled it?

[Aseire] Yes I reinstalled it then

I guess you created this folder as well:

2010-08-11 21:17:00 0 d-----w- C:\Virus

Not sure what's in there, but if it's malware, it needs to go :D

[Aseire] Yes I created it - it is safe.

You've mentioned before that you already uninstalled and reinstalled it again and the same issue appeared again. I have found an interesting PDF document about Adobe soundbooth with install/uninstall instructions:

http://www.adobe.com/support/documentation...B_Readme_EN.pdf

Make sure you have done it properly as described there. Because you need to uninstall both program and codecs + verify if everything is removed properly etc etc, before you reinstall.

They also mention something about known issues + compatibility issues, so please go through them and compare/verify with your version.

[Aseire] CS4 is what I am using (not CS3) but I will try removing the codecs first to see the effect. This uninstall / reinstall takes quite a while - typically 1-2 hours so please be patient as I will eventually respond. If the display is not malware then why does it go to www.totalcodec.com? The fact that other users have seen the same "Program Compability Assistant" splash screen after suffering from "desktop security 2010" malware bug makes me convinced I still have malware in my system.


  • Staff

Hang on...

Are you still having this error now, after the steps we have done? I'm puzzled why you only get this in Adobe. It must be some component it is using that is not OK, probably replaced by malware. Finding which exact component of Adobe Soundbooth that is would be searching for a needle in a haystack. That's why a full uninstall of it, done the proper way, and a reinstall may fix it.


  • Staff

I *think* I have found the cause...

I see this listed in your log: Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -

It looks like an orphaned key, but this protocol filter may be the reason.

Please do the following, as this key isn't a default key anyway:

Open Notepad and copy and paste the text in the quote box below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\video/x-flv]

Save this as fix.reg (choose to save as *all files*) and place it on your desktop.

(screenshot of the saved fix.reg file omitted)

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Then reboot and post a new DDS log.

Then, also clean your Temp cache.


  • Staff

Hi aseire,

Please also perform my above step with regedit, this to delete an extra leftover.

The reason why you didn't get it anymore after running Combofix is because Combofix clears the temp cache and the "loader" that was attached to above key was actually loading from the temp cache. So that explains it why you didnt get it anymore after performing my previous steps with Combofix. (That's why I was puzzled afterwards because I assumed you still had this). :D

I will add an extra detection in Malwarebytes to deal with that leftover, so please run Malwarebytes once again within a few hours or tomorrow as it may still find some orphaned entries related to this. :)

Also do the following...

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know how things are now.

Link to post
Share on other sites

  • Staff

Hi,

No, Combofix didn't delete that key yet, because you are now showing it in regedit :D

My above instructions would delete the key, but since you are familiar with the registry, you can also delete it manually. Just right-click the video/x-flv there in regedit (what you highlighted) and select delete.

Malwarebytes will mainly remove the related GUID under it in the next update: {08C72DD4-19AD-49f1-83DA-8542B4D302C5}

It won't delete the video/x-flv protocol as this protocol *may* be set by legitimate software as well. In your case, it was set by malware.

Can you do me a favor and tell me what the path is under this GUID?

You can find it under this key:

HKEY_CURRENT_USER\Software\Classes\CLSID\{08C72DD4-19AD-49f1-83DA-8542B4D302C5}\InprocServer32

There should be a file path mentioned there. Let me know what it is. That's the path to the malicious loader. Normally it should have been present in the %temp% folder and it's that which Combofix deleted, since Combofix clears the cache automatically already :)

Link to post
Share on other sites

Good addition to malwarebytes Mieke!

Here is the path under this GUID

HKEY_CURRENT_USER\Software\Classes\CLSID\{08C72DD4-19AD-49f1-83DA-8542B4D302C5}\InprocServer32

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{08C72DD4-19AD-49f1-83DA-8542B4D302C5}\InprocServer32]

@="C:\\DOCUME~1\\FDR\\LOCALS~1\\Temp\\6E.tmp"

Reboot - complete

ComboFix /Uninstall - complete

step with regedit - complete

What cache do you want me to clean?

So I guess the destructive payload is in 6E.tmp?

Link to post
Share on other sites
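The two posts above spell out the chain the helper followed by hand: a MIME filter under PROTOCOLS\Filter names a CLSID, the CLSID's InprocServer32 default value names the DLL that gets loaded, and here that DLL was a .tmp file in the user's temp folder registered under HKEY_CURRENT_USER (which COM consults before the machine-wide HKEY_LOCAL_MACHINE entry). The script below is an added example, not code from the thread or from Malwarebytes: it parses a .reg export in the format shown in the post above and flags filter registrations whose server is missing (orphaned) or loads from a temp directory. The sample export is constructed; it reuses the GUID and temp path quoted in the thread, and the text/xml entry with its placeholder CLSID and the application/x-example entry are made up for contrast.

```python
"""Triage an exported .reg file for PROTOCOLS\\Filter (MIME filter) entries whose
COM server looks like a dropped loader. Added example; not the thread's own tooling."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample export (regedit "Windows Registry Editor Version 5.00" format).
# The video/x-flv GUID and the 6E.tmp path are the ones quoted in the thread; the
# text/xml CLSID is a placeholder and application/x-example is invented (orphaned).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\video/x-flv]
"CLSID"="{08C72DD4-19AD-49f1-83DA-8542B4D302C5}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/xml]
"CLSID"="{00000000-1111-2222-3333-444444444444}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\application/x-example]
"CLSID"="{99999999-8888-7777-6666-555555555555}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\msxml3.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{08C72DD4-19AD-49f1-83DA-8542B4D302C5}\InprocServer32]
@="C:\\DOCUME~1\\FDR\\LOCALS~1\\Temp\\6E.tmp"
"""

RegKeys = Dict[str, Dict[str, str]]  # lower-cased key path -> {lower-cased value name: data}

FILTER_ROOT = r"hkey_local_machine\software\classes\protocols\filter"
# COM honours a per-user CLSID registration before the machine-wide one, so look there first.
CLSID_ROOTS: Tuple[Tuple[str, str], ...] = (
    ("HKEY_CURRENT_USER", r"hkey_current_user\software\classes\clsid"),
    ("HKEY_LOCAL_MACHINE", r"hkey_local_machine\software\classes\clsid"),
)


class Finding(NamedTuple):
    mime_type: str
    clsid: Optional[str]
    hive: Optional[str]          # hive the InprocServer32 key was found in, if any
    server_path: Optional[str]   # default value of InprocServer32, if any
    reason: str


def _unescape(data: str) -> str:
    """Undo regedit's escaping: \\\\ -> \\ and \\" -> \" inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg(text: str) -> RegKeys:
    """Parse [Key] sections and "name"=data / @=data lines; non-string data is kept raw."""
    keys: RegKeys = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):      # deletion directive (as in the fix.reg above): no values
                current = None
                continue
            current = name.lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m:
            continue
        vname = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][vname] = data
    return keys


def resolve_server(keys: RegKeys, clsid: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (hive, InprocServer32 default value) using COM's HKCU-before-HKLM order."""
    for hive, root in CLSID_ROOTS:
        vals = keys.get(f"{root}\\{clsid.lower()}\\inprocserver32")
        if vals is not None:
            return hive, vals.get("")
    return None, None


def classify_server_path(path: Optional[str]) -> Optional[str]:
    """Reason string if the server path looks like a dropped loader, else None."""
    if path is None:
        return "orphaned: no InprocServer32 registered for this CLSID"
    p = path.lower()
    if p.endswith(".tmp"):
        return "server is a .tmp file"
    if "\\temp\\" in p or "\\tmp\\" in p:
        return "server loads from a temporary directory"
    return None


def find_rogue_filters(keys: RegKeys) -> List[Finding]:
    findings: List[Finding] = []
    for key, vals in keys.items():
        if not key.startswith(FILTER_ROOT + "\\"):
            continue
        mime = key[len(FILTER_ROOT) + 1:]
        clsid = vals.get("clsid")
        if clsid is None:
            findings.append(Finding(mime, None, None, None, "filter key has no CLSID value"))
            continue
        hive, path = resolve_server(keys, clsid)
        reason = classify_server_path(path)
        if reason is not None:
            findings.append(Finding(mime, clsid, hive, path, reason))
    return sorted(findings, key=lambda f: f.mime_type)


if __name__ == "__main__":
    for f in find_rogue_filters(parse_reg(SAMPLE_REG)):
        print(f"{f.mime_type}: {f.reason} (clsid={f.clsid}, hive={f.hive}, server={f.server_path})")
```

On a live machine the same logic would run over `reg export HKLM\SOFTWARE\Classes\PROTOCOLS\Filter` plus the CLSID branches of both hives; the per-user hive matters because a filter key in HKLM can be satisfied by a CLSID that exists only in HKCU, exactly what the export in the post above shows.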

  • Staff
What cache do you want me to clean?

Actually, that wouldn't be needed anymore as Combofix has done this already previously.

Just verify if this file is gone: C:\\DOCUME~1\\FDR\\LOCALS~1\\Temp\\6E.tmp - this was indeed the loader.

To find out, go to start > run and type %temp% in the run box.

Your temp folder will open. That's where the 6E.tmp file was present before (and should be gone already). If still present there, delete it.

Also, since you are familiar with the registry, also delete this key manually:

HKEY_CURRENT_USER\Software\Classes\CLSID\{08C72DD4-19AD-49f1-83DA-8542B4D302C5}

Right-click and delete it.

Let me know in your next reply how things are now.

Link to post
Share on other sites

  • Staff

Hi,

Well, I guess we are finished here. I don't need anything else anymore :D

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Link to post
Share on other sites
