Security Tool /Spyware/Trojan/Rootkit

Klinker · August 18, 2010

A fake security alert "Security Tool" downloaded itself. I ran McAfee/MalBytes/Adaware etc., but nothing was found. The fake "Security Tool" its system tray icons and the garbage windows that would pop up disappeared, so I thought it was gone. However, when using Internet Explorer I started to get redirects and then multiple browsers opening. I ran everything again and MalBytes found "Spyware.passwords" and "trojan.hiloti.gen" on first pass. None of the other scans found anything so I tried Inter Explorer again, and redirects/multiple browser continued. I ran another set of scans and MalBytes found "trojan.fakealert" and "rootkit.dropper". Again, I thought it was ok but the same redirects continued.

I ran Mcafee/Malbytes/Adaware/Stinger yet again, but everything comes back clean. The redirects with the browser continue.

I can't seem to shake this one out of my system and really need some help.

I ran Defogger per instructions. I ran DDS and got the logs. I tried to run GMER but had issues. It started o.k., and per instructions I made sure the boxes were unchecked and tried the scan again. It scanned for several minutes, but locked up. I had to reboot and tried again but it locked again. I tried a third time with GMER and after a pretty long time I got the "blue screen" stating that windows was shutting down because of instability so I don't have any logs from GMER.

Please let me know if I should add any additional information. Thank you for your help on this matter.

Last MBAM log (shows clean)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4442

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/17/2010 5:59:35 PM

mbam-log-2010-08-17 (17-59-35).txt

Scan type: Quick scan

Objects scanned: 168786

Time elapsed: 12 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 18:20 on 17/08/2010

EDIT: The DDS text file may have been too long because I could not post my entry. Will attempt to send log in second posting. Sorry to split my entry.

Klinker · August 18, 2010

Attempted to send DDS log, but it appears too long to post as text. I had to attach as zipped file along with zipped attach.txt file. Sorry, I don't know why it won't post as text.

Attach.zip

DDS.zip

Klinker · August 18, 2010

I know we're not supposed to reply until 48 hours have passed, but I noticed my post has been shuffled down to the bottom of page three and I didn't want it to get lost. Plus, I see some more recent problem entries from today have already been answered.

Redirect problem persists with browser.

Again, sorry to jump the gun but I didn't want my issue to get lost and I definitely need some help.

Thanks.

screen317 · August 18, 2010

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Klinker · August 19, 2010

Thanks for the help on this. I ran ComboFix per instructions. Logs attached, ComboFix first:

ComboFix 10-08-17.04 - William Buckhold 08/18/2010 19:37:51.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.541 [GMT -4:00]

Running from: c:\documents and settings\William Buckhold\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe

c:\documents and settings\William Buckhold\GoToAssistDownloadHelper.exe

c:\documents and settings\William Buckhold\Local Settings\Application Data\Windows Server

c:\windows\Tasks\diqteegy.job

c:\windows\Tasks\melrfwwg.job

c:\windows\Tasks\tqojdjbm.job

C:\zip.exe

c:\windows\system32\drivers\gpevbz.sys . . . is infected!! . . . Failed to find a valid replacement.

.

((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))

.

2010-08-16 19:28 . 2010-08-16 19:28 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-16 18:49 . 2010-08-16 18:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-08-16 18:46 . 2010-08-16 18:46 120 ----a-w- c:\windows\Jmopadote.dat

2010-08-16 18:46 . 2010-08-16 18:46 0 ----a-w- c:\windows\Wgirahi.bin

2010-08-16 18:46 . 2010-08-16 19:27 -------- d-----w- c:\documents and settings\William Buckhold\Local Settings\Application Data\{92DE1F95-A400-4315-B451-895D9DAF0891}

2010-08-14 23:35 . 2010-08-16 19:28 -------- d-----w- C:\Netgear

2010-08-06 15:04 . 2010-08-06 15:04 -------- d-----w- c:\documents and settings\William Buckhold\Local Settings\Application Data\vxcjbimom

2010-07-28 15:52 . 2010-07-28 15:52 -------- d-----w- c:\documents and settings\William Buckhold\Application Data\Malwarebytes

2010-07-28 15:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-28 15:52 . 2010-07-28 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-28 15:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-28 15:52 . 2010-07-28 16:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-25 22:04 . 2010-07-25 22:04 -------- d-sh--w- c:\documents and settings\Amy Marshall\PrivacIE

2010-07-25 21:52 . 2010-07-25 21:52 -------- d-sh--w- c:\documents and settings\Amy Marshall\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-18 23:59 . 2006-08-03 02:19 -------- d-----w- c:\program files\Dl_cats

2010-08-18 22:32 . 2006-12-14 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-08-18 21:37 . 2006-08-19 21:44 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-16 23:16 . 2010-04-30 13:24 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll

2010-08-16 23:16 . 2008-03-18 01:05 300384 ----a-w- c:\documents and settings\William Buckhold\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

2010-08-13 11:18 . 2010-02-17 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-06-30 12:31 . 2005-08-16 08:18 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2005-08-16 08:18 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2005-08-16 08:18 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-22 20:58 . 2010-06-22 20:58 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb3E.tmp.exe

2010-06-21 15:27 . 2006-07-29 20:34 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2005-08-16 08:18 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-16 15:42 . 2010-03-11 21:23 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-14 14:31 . 2005-08-16 08:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2005-08-16 08:18 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-03 16:02 . 2010-03-11 20:56 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-05-27 03:08 . 2006-08-03 02:26 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-05-27 03:08 . 2006-08-03 02:26 88 --sh--r- c:\windows\system32\C644D0FFE4.sys

2010-05-23 14:57 . 2010-05-23 14:57 666112 ----a-w- c:\documents and settings\William Buckhold\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1004220-0-main.dll

2006-08-07 17:39 . 2006-08-07 17:39 251 ----a-w- c:\program files\wt3d.ini

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-28 73728]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-26 30192]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-18 110592]

"dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 430080]

"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [2005-08-10 286720]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-18 8192]

"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2004-01-30 1921024]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-27 413696]

"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-29 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\William Buckhold\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/11/2010 4:56 PM 64288]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/22/2010 9:22 AM 82952]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/29/2009 3:32 PM 88176]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/22/2010 9:22 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/22/2010 9:22 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/22/2010 9:22 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/22/2010 9:22 AM 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/22/2010 9:22 AM 55456]

R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/22/2010 9:22 AM 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 9:22 AM 88480]

S0 gpevbz;gpevbz;c:\windows\system32\drivers\gpevbz.sys [4/2/2010 4:55 PM 823808]

S2 gupdate1c986fbc422206;Google Update Service (gupdate1c986fbc422206);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2009 3:01 PM 133104]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/29/2006 5:09 PM 30192]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 9:22 AM 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/22/2010 9:22 AM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-14 18:33]

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 19:01]

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 19:01]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Trusted Zone: interfleet.com\http2

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: musicmatch.com\online

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://conleybottom1.axiscam.net/activex/AMC.cab

DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://www.bcsrivercam.com/TSBnwCam.CAB

.

- - - - ORPHANS REMOVED - - - -

BHO-{65dbd01a-b56b-48de-8bf5-9b6aa3159029} - yezakive.dll

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

SharedTaskScheduler-{d61d3580-784e-4774-9b0e-619a0b35aad4} - c:\windows\system32\jegohami.dll

SSODL-bubuwopek-{a6162656-0d14-4004-bff3-8256bd495616} - c:\windows\system32\nulutuni.dll

SSODL-ledeyumid-{d61d3580-784e-4774-9b0e-619a0b35aad4} - c:\windows\system32\jegohami.dll

MSConfigStartUp-zodorizaso - busogeto.dll

AddRemove-Dell Digital Jukebox Driver - c:\program files\Dell\Digital Jukebox Drivers\DrvUnins.exe

AddRemove-McAfee Clean Up Tool - c:\docume~1\WILLIA~1\LOCALS~1\TEMPOR~1\Content.IE5\A2N99RDZ\UNWISE.EXE

AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe

AddRemove-TurboTax 2008 - c:\documents and settings\Amy Marshall\My Documents\Amy Finances\TurboTax\Deluxe 2008\Installer\TurboTax 2008 Installer.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-18 20:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x870E4EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7552f28

\Driver\ACPI -> ACPI.sys @ 0xf73e5cb8

\Driver\atapi -> atapi.sys @ 0xf7377852

\Driver\iaStor -> iastor.sys @ 0xf72aeb10

IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Intel® PRO/1000 PL Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf713bbb0

PacketIndicateHandler -> NDIS.sys @ 0xf7148a21

SendHandler -> NDIS.sys @ 0xf712687b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1136)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1036)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

c:\windows\system32\fxssvc.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\stsystra.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\dlcdcoms.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe

.

**************************************************************************

.

Completion time: 2010-08-18 20:16:38 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-19 00:16

Pre-Run: 262,109,372,416 bytes free

Post-Run: 263,383,556,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - F61EBF39FB843857F88F712F695D88E4

Klinker · August 19, 2010

DDS Log with attach.txt zipped.