labgrant Posted January 20, 2011 ID:376937 Share Posted January 20, 2011 My PC crashed this morning with an automatic download of White Smoke software - despite updated norton I receive from work. I restarted in Safe Mode, regained network access, and installed your software again - as it was what I used prior to this event and shall again in the future. I ran a scan, cleaned a litany of threats, but reboot failed. I rebooted again in Safe Mode; a search of log items indicated a tdss. I downloaded a TDSS killer, scanned, and cleared a rootkit.tdss. My next reboot succeeded, scan came up clean, but I am not feeling too comfortable due to the swift efficiency of the bug. I hate to ask, "Am I clear?" Link to post Share on other sites More sharing options...
Maniac Posted January 20, 2011 ID:376949 Share Posted January 20, 2011 Hello labgrant! Welcome to Malwarebytes' Anti-Malware Forums!My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following: The process of cleaning your system may take some time, so please be patient.Follow my instructions step by step if there is a problem somewhere, stop and tell me.Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.Instructions that I give are for your system only!If you don't know or can't understand something please ask. Do not install or uninstall any software or hardware, while work on.Keep me informed about any changes.**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper. Please download ComboFix from Here or Here to your Desktop. **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop** If you are using Firefox, make sure that your download settings are as follows: Open Tools -> Options -> Main tab Set to Always ask me where to Save the files. [*]During the download, rename Combofix to Combo-Fix as follows: [*]It is important you rename Combofix during the download, but not after. [*]Please do not rename Combofix to other names, but only to the one indicated. [*]Close any open browsers. [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- [*]Double click on combo-Fix.exe & follow the prompts. [*]When finished, it will produce a report for you. [*]Please post the C:\Combo-Fix.txt for further review. **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall** Link to post Share on other sites More sharing options...
labgrant Posted January 20, 2011 Author ID:376963 Share Posted January 20, 2011 Thank you for taking my post. Here go; perhaps later you could direct on how to remove the vestiges of previous antivirus software?Many thanks in advance,ComboFix 11-01-19.02 - Randy 01/20/2011 3:47.1.1 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1282 [GMT -5:00]Running from: c:\documents and settings\Randy\Desktop\Combo-Fix.exeAV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\Randy\delme.batc:\documents and settings\Randy\Local Settings\Application Data\{86284D7B-F8E4-429A-8767-0AEBAE7EF7CA}c:\documents and settings\Randy\Local Settings\Application Data\{86284D7B-F8E4-429A-8767-0AEBAE7EF7CA}\chrome.manifestc:\documents and settings\Randy\Local Settings\Application Data\{86284D7B-F8E4-429A-8767-0AEBAE7EF7CA}\chrome\content\_cfg.jsc:\documents and settings\Randy\Local Settings\Application Data\{86284D7B-F8E4-429A-8767-0AEBAE7EF7CA}\chrome\content\overlay.xulc:\documents and settings\Randy\Local Settings\Application Data\{86284D7B-F8E4-429A-8767-0AEBAE7EF7CA}\install.rdfc:\program files\Search Toolbarc:\program files\Search Toolbar\icon.icoc:\program files\Search Toolbar\SearchToolbar.dllc:\program files\Search Toolbar\SearchToolbarUninstall.exec:\program files\Search Toolbar\SearchToolbarUpdater.exec:\windows\system32\muzapp.exe.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_6TO4-------\Legacy_SSHNAS-------\Service_6to4((((((((((((((((((((((((( Files Created from 2010-12-20 to 2011-01-20 ))))))))))))))))))))))))))))))).2011-01-19 23:13 . 2011-01-19 23:13 -------- d-----w- c:\documents and settings\Randy\Application Data\Malwarebytes2011-01-19 23:13 . 2011-01-19 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2011-01-19 23:13 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-01-19 23:13 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2011-01-19 23:13 . 2011-01-20 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-01-19 20:48 . 2011-01-19 20:48 0 ----a-w- c:\windows\Npesamecusuram.bin2011-01-19 20:46 . 2011-01-19 20:46 -------- d-----w- c:\windows\system32\%APPDATA%2011-01-19 17:38 . 2011-01-19 17:38 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE2011-01-19 16:21 . 2011-01-19 16:39 -------- d-----w- c:\documents and settings\Administrator2011-01-19 00:35 . 2011-01-19 00:35 -------- d-sh--w- c:\documents and settings\Randy\IECompatCache2011-01-17 18:21 . 2011-01-17 18:53 -------- d-----w- c:\program files\ABBYY Screenshot Reader2011-01-17 18:21 . 2011-01-17 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ABBYY.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr2010-11-18 18:12 . 2006-08-21 17:23 81920 ----a-w- c:\windows\system32\isign32.dll2010-11-12 23:53 . 2010-06-25 22:44 472808 ----a-w- c:\windows\system32\deployJava1.dll2010-11-12 21:34 . 2008-12-09 21:25 73728 ----a-w- c:\windows\system32\javacpl.cpl2010-11-09 14:52 . 2006-08-21 17:02 249856 ----a-w- c:\windows\system32\odbc32.dll2010-11-06 00:26 . 2006-08-21 17:03 916480 ----a-w- c:\windows\system32\wininet.dll2010-11-06 00:26 . 2006-08-21 17:02 43520 ----a-w- c:\windows\system32\licmgr10.dll2010-11-06 00:26 . 2006-08-21 17:02 1469440 ------w- c:\windows\system32\inetcpl.cpl2010-11-03 12:25 . 2006-08-21 17:02 385024 ----a-w- c:\windows\system32\html.iec2010-11-02 15:17 . 2006-08-21 17:02 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys2010-10-28 13:13 . 2006-08-21 17:01 290048 ----a-w- c:\windows\system32\atmfd.dll2010-10-26 13:25 . 2006-08-21 17:03 1853312 ----a-w- c:\windows\system32\win32k.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"CFSServ.exe"="CFSServ.exe -NoClient" [X]"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]"NDSTray.exe"="NDSTray.exe" [bU]"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]"TPSMain"="TPSMain.exe" [2005-06-01 282624]"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 16262656]"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 89541]"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-2 113664]Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-7 600680]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-8-21 155648][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]@="Service"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"="c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"="c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"="c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync ServiceR2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 2:43 PM 204800]R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 4:09 PM 102448]S0 ccfp;ccfp;c:\windows\system32\drivers\xbpw.sys --> c:\windows\system32\drivers\xbpw.sys [?]S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 12:55 PM 23888]S3 Plugversnp;Plugversnp;c:\windows\system32\rasdial.exe [8/21/2006 12:02 PM 11264].Contents of the 'Scheduled Tasks' folder..------- Supplementary Scan -------.uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHPuSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstartuInternet Settings,ProxyOverride = <local>uInternet Settings,ProxyServer = http=127.0.0.1:8893IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\6ni0n1k3.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.comFF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=FF - prefs.js: network.proxy.type - 0FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}FF - Ext: EBrary Reader Plugin: reader_plugin@ebrary.com - %profile%\extensions\reader_plugin@ebrary.comFF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ffFF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension.- - - - ORPHANS REMOVED - - - -HKCU-Run-ABBYY Screenshot Reader Retail - (no file)HKLM-Run-Iyoqaw - c:\windows\ekilosupukale.dllSafeBoot-Symantec AntvirusAddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2011-01-20 03:59Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(976)c:\windows\system32\Ati2evxx.dllc:\windows\system32\CLBCATQ.DLL- - - - - - - > 'explorer.exe'(7868)c:\windows\system32\WININET.dllc:\windows\system32\btmmhook.dllc:\windows\system32\ieframe.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dllc:\windows\system32\TPwrCfg.DLLc:\windows\system32\TPwrReg.dllc:\windows\system32\TPSTrace.DLL.------------------------ Other Running Processes ------------------------.c:\windows\system32\Ati2evxx.exec:\program files\Symantec\Symantec Endpoint Protection\Smc.exec:\program files\Common Files\Symantec Shared\ccSvcHst.exec:\windows\system32\acs.exec:\windows\system32\Ati2evxx.exec:\program files\TOSHIBA\ConfigFree\CFSvcs.exec:\windows\system32\DVDRAMSV.exec:\program files\Java\jre6\bin\jqs.exec:\windows\system32\java.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\toshiba\IVP\swupdate\swupdtmr.exec:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exec:\windows\system32\TODDSrv.exec:\program files\TOSHIBA\ConfigFree\NDSTray.exec:\windows\system32\TPSMain.exec:\windows\RTHDCPL.EXEc:\windows\AGRSMMSG.exec:\program files\Microsoft ActiveSync\Wcescomm.exec:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exec:\progra~1\MICROS~4\rapimgr.exec:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exec:\program files\HP\Digital Imaging\bin\hpqSTE08.exec:\windows\system32\wscntfy.exec:\windows\system32\TPSBattM.exe.**************************************************************************.Completion time: 2011-01-20 04:05:05 - machine was rebootedComboFix-quarantined-files.txt 2011-01-20 09:04Pre-Run: 5,233,799,168 bytes freePost-Run: 5,850,353,664 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsUnsupportedDebug="do not select this" /debugmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect- - End Of File - - 3F7CBC21E011596BEBA5340F900F7385 Link to post Share on other sites More sharing options...
Maniac Posted January 20, 2011 ID:376964 Share Posted January 20, 2011 I gotta go to school, so after about 9-10 hours will have the opportunity to check your answer.Sorry about that! Have a nice day! Link to post Share on other sites More sharing options...
labgrant Posted January 20, 2011 Author ID:376966 Share Posted January 20, 2011 I must prepare for school today. Have a good one. Link to post Share on other sites More sharing options...
Maniac Posted January 20, 2011 ID:377102 Share Posted January 20, 2011 Thank you for taking my post. Here go; perhaps later you could direct on how to remove the vestiges of previous antivirus software?Which is it? Link to post Share on other sites More sharing options...
labgrant Posted January 20, 2011 Author ID:377141 Share Posted January 20, 2011 McAfee Link to post Share on other sites More sharing options...
Maniac Posted January 20, 2011 ID:377147 Share Posted January 20, 2011 Please post the content of C:\Qoobox\Add-Remove Programs.txt Link to post Share on other sites More sharing options...
labgrant Posted January 20, 2011 Author ID:377179 Share Posted January 20, 2011 C:\Qoobox\Add-Remove Programs.txt:ABBYY Screenshot ReaderAdobe AIRAdobe Creative SuiteAdobe Flash Player 10 ActiveXAdobe Flash Player 10 PluginAdobe Shockwave Player 11Adobe SVG Viewer 3.0AiO_Scan_CDAAiOSoftwareNPIAmazon MP3 Downloader 1.0.5BufferChmC3100c3100_HelpCompatibility Pack for the 2007 Office systemContentSAFER for WizmaxCritical Update for Windows Media Player 11 (KB959772)CustomerResearchQFolderDestinationsDeviceManagementQFolderDivX Web PlayerDocProcDocProcQFolderEmoDioeSupportQFolderEvernoteFarm Works SoftwareFax_CDAfoobar2000 v0.9.6.2Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)Hotfix for Windows Media Format 11 SDK (KB929399)Hotfix for Windows Media Player 11 (KB939683)Hotfix for Windows XP (KB2158563)Hotfix for Windows XP (KB2443685)Hotfix for Windows XP (KB952287)Hotfix for Windows XP (KB954550-v5)Hotfix for Windows XP (KB961118)Hotfix for Windows XP (KB970653-v3)Hotfix for Windows XP (KB976098-v2)Hotfix for Windows XP (KB979306)Hotfix for Windows XP (KB981793)HP Customer Participation Program 7.0HP Imaging Device Functions 7.0HP Photosmart EssentialHP Photosmart, Officejet and Deskjet 7.0.AHP Product AssistantHP Solution Center 7.0HP UpdateHPPhotoSmartExpressHPProductAssistantInstantShareDevicesMFCJava Auto UpdaterJava 6 Update 23Java 6 Update 3Lame ACM MP3 CodecLast.fm 1.5.4.27091Linksys EasyLink AdvisorLiveUpdate 3.3 (Symantec Corporation)Malwarebytes' Anti-MalwareMarketResearchMicrosoft .NET Framework 1.1Microsoft .NET Framework 1.1 Security Update (KB2416447)Microsoft .NET Framework 1.1 Security Update (KB979906)Microsoft .NET Framework 2.0 Service Pack 2Microsoft .NET Framework 3.0 Service Pack 2Microsoft .NET Framework 3.5 SP1Microsoft ActiveSyncMicrosoft Compression Client Pack 1.0 for Windows XPMicrosoft Internationalized Domain Names Mitigation APIsMicrosoft Kernel-Mode Driver Framework Feature Pack 1.5Microsoft National Language Support Downlevel APIsMicrosoft Office OneNote 2003Microsoft Office Professional Edition 2003Microsoft Office Standard Edition 2003Microsoft SilverlightMicrosoft User-Mode Driver Framework Feature Pack 1.5Microsoft Visual J# .NET Redistributable Package 1.1Microsoft WorksMove Media PlayerMozilla Firefox (3.6.13)Mozilla Thunderbird (2.0.0.24)MSVC80_x86MSVC80_x86_v2MSVC90_x86MSXML 4.0 SP2 (KB936181)MSXML 4.0 SP2 (KB954430)MSXML 4.0 SP2 (KB973688)MyFreeCodecNewCopy_CDAOCR Software by I.R.I.S 7.0PanoStandAlonePC Connectivity SolutionPicasa 3PowerISOPrezi DesktopProductContextNPIPure Networks PlatformReadmeScanScannerCopySearch ToolbarSecurity Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)Security Update for Windows Internet Explorer 7 (KB938127-v2)Security Update for Windows Internet Explorer 7 (KB938127)Security Update for Windows Internet Explorer 7 (KB953838)Security Update for Windows Internet Explorer 7 (KB956390)Security Update for Windows Internet Explorer 7 (KB958215)Security Update for Windows Internet Explorer 7 (KB960714)Security Update for Windows Internet Explorer 7 (KB961260)Security Update for Windows Internet Explorer 7 (KB963027)Security Update for Windows Internet Explorer 7 (KB969897)Security Update for Windows Internet Explorer 7 (KB972260)Security Update for Windows Internet Explorer 8 (KB2183461)Security Update for Windows Internet Explorer 8 (KB2360131)Security Update for Windows Internet Explorer 8 (KB2416400)Security Update for Windows Internet Explorer 8 (KB971961)Security Update for Windows Internet Explorer 8 (KB972260)Security Update for Windows Internet Explorer 8 (KB974455)Security Update for Windows Internet Explorer 8 (KB976325)Security Update for Windows Internet Explorer 8 (KB978207)Security Update for Windows Internet Explorer 8 (KB981332)Security Update for Windows Internet Explorer 8 (KB982381)Security Update for Windows Media Player (KB2378111)Security Update for Windows Media Player (KB952069)Security Update for Windows Media Player (KB954155)Security Update for Windows Media Player (KB968816)Security Update for Windows Media Player (KB973540)Security Update for Windows Media Player (KB975558)Security Update for Windows Media Player (KB978695)Security Update for Windows Media Player 10 (KB936782)Security Update for Windows Media Player 11 (KB936782)Security Update for Windows Media Player 11 (KB954154)Security Update for Windows XP (KB2079403)Security Update for Windows XP (KB2115168)Security Update for Windows XP (KB2121546)Security Update for Windows XP (KB2160329)Security Update for Windows XP (KB2229593)Security Update for Windows XP (KB2259922)Security Update for Windows XP (KB2279986)Security Update for Windows XP (KB2286198)Security Update for Windows XP (KB2296011)Security Update for Windows XP (KB2296199)Security Update for Windows XP (KB2347290)Security Update for Windows XP (KB2360937)Security Update for Windows XP (KB2387149)Security Update for Windows XP (KB2419632)Security Update for Windows XP (KB2423089)Security Update for Windows XP (KB2436673)Security Update for Windows XP (KB2440591)Security Update for Windows XP (KB2443105)Security Update for Windows XP (KB923561)Security Update for Windows XP (KB923689)Security Update for Windows XP (KB938464-v2)Security Update for Windows XP (KB938464)Security Update for Windows XP (KB941569)Security Update for Windows XP (KB946648)Security Update for Windows XP (KB950762)Security Update for Windows XP (KB950974)Security Update for Windows XP (KB951066)Security Update for Windows XP (KB951376-v2)Security Update for Windows XP (KB951698)Security Update for Windows XP (KB951748)Security Update for Windows XP (KB952004)Security Update for Windows XP (KB952954)Security Update for Windows XP (KB954211)Security Update for Windows XP (KB954459)Security Update for Windows XP (KB954600)Security Update for Windows XP (KB955069)Security Update for Windows XP (KB956390)Security Update for Windows XP (KB956391)Security Update for Windows XP (KB956572)Security Update for Windows XP (KB956744)Security Update for Windows XP (KB956802)Security Update for Windows XP (KB956803)Security Update for Windows XP (KB956841)Security Update for Windows XP (KB956844)Security Update for Windows XP (KB957095)Security Update for Windows XP (KB957097)Security Update for Windows XP (KB958644)Security Update for Windows XP (KB958687)Security Update for Windows XP (KB958690)Security Update for Windows XP (KB958869)Security Update for Windows XP (KB959426)Security Update for Windows XP (KB960225)Security Update for Windows XP (KB960715)Security Update for Windows XP (KB960803)Security Update for Windows XP (KB960859)Security Update for Windows XP (KB961371)Security Update for Windows XP (KB961373)Security Update for Windows XP (KB961501)Security Update for Windows XP (KB968537)Security Update for Windows XP (KB969059)Security Update for Windows XP (KB969898)Security Update for Windows XP (KB969947)Security Update for Windows XP (KB970238)Security Update for Windows XP (KB970430)Security Update for Windows XP (KB971468)Security Update for Windows XP (KB971486)Security Update for Windows XP (KB971557)Security Update for Windows XP (KB971633)Security Update for Windows XP (KB971657)Security Update for Windows XP (KB972270)Security Update for Windows XP (KB973346)Security Update for Windows XP (KB973354)Security Update for Windows XP (KB973507)Security Update for Windows XP (KB973525)Security Update for Windows XP (KB973869)Security Update for Windows XP (KB973904)Security Update for Windows XP (KB974112)Security Update for Windows XP (KB974318)Security Update for Windows XP (KB974392)Security Update for Windows XP (KB974571)Security Update for Windows XP (KB975025)Security Update for Windows XP (KB975467)Security Update for Windows XP (KB975560)Security Update for Windows XP (KB975561)Security Update for Windows XP (KB975562)Security Update for Windows XP (KB975713)Security Update for Windows XP (KB977165)Security Update for Windows XP (KB977816)Security Update for Windows XP (KB977914)Security Update for Windows XP (KB978037)Security Update for Windows XP (KB978251)Security Update for Windows XP (KB978262)Security Update for Windows XP (KB978338)Security Update for Windows XP (KB978542)Security Update for Windows XP (KB978601)Security Update for Windows XP (KB979309)Security Update for Windows XP (KB979482)Security Update for Windows XP (KB979559)Security Update for Windows XP (KB979683)Security Update for Windows XP (KB979687)Security Update for Windows XP (KB980195)Security Update for Windows XP (KB980218)Security Update for Windows XP (KB980232)Security Update for Windows XP (KB980436)Security Update for Windows XP (KB981322)Security Update for Windows XP (KB981852)Security Update for Windows XP (KB981957)Security Update for Windows XP (KB981997)Security Update for Windows XP (KB982132)Security Update for Windows XP (KB982214)Security Update for Windows XP (KB982665)Security Update for Windows XP (KB982802)SMART Board SoftwareSMART Essentials for EducatorsSolutionCenterStatusSymantec Endpoint ProtectionToolboxTrayAppUnloadUpdate for Microsoft .NET Framework 3.5 SP1 (KB963707)Update for Windows Internet Explorer 8 (KB972636)Update for Windows Internet Explorer 8 (KB976662)Update for Windows Internet Explorer 8 (KB976749)Update for Windows Internet Explorer 8 (KB980182)Update for Windows XP (KB2141007)Update for Windows XP (KB2345886)Update for Windows XP (KB2467659)Update for Windows XP (KB951072-v2)Update for Windows XP (KB951978)Update for Windows XP (KB955759)Update for Windows XP (KB955839)Update for Windows XP (KB967715)Update for Windows XP (KB968389)Update for Windows XP (KB971737)Update for Windows XP (KB973687)Update for Windows XP (KB973815)VC80CRTRedist - 8.0.50727.762Visual C++ 2008 x86 Runtime - (v9.0.30729)Visual C++ 2008 x86 Runtime - v9.0.30729.01VLC media player 0.9.9WebEx Support Manager for Internet ExplorerWebRegWindows Driver Package - Nokia Modem (03/05/2008 3.7)Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1)Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-RayWindows Genuine Advantage Validation Tool (KB892130)Windows Internet Explorer 7Windows Internet Explorer 8Windows Media Format 11 runtimeWindows Media Player 11Windows XP Service Pack 3WinRAR archiverXviD MPEG-4 Video Codec Link to post Share on other sites More sharing options...
Maniac Posted January 20, 2011 ID:377182 Share Posted January 20, 2011 Please manually delete the following folder:c:\program files\McAfeeNext, please uninstall Search Toolbar .Let me know. Link to post Share on other sites More sharing options...
labgrant Posted January 20, 2011 Author ID:377207 Share Posted January 20, 2011 McAfee is deleted. How do I uninstall Search Toolbar? Delete? I only find it in quarantine. Link to post Share on other sites More sharing options...
Maniac Posted January 21, 2011 ID:377361 Share Posted January 21, 2011 No, via Add or Remove Programs.http://support.microsoft.com/kb/307895 Link to post Share on other sites More sharing options...
labgrant Posted January 21, 2011 Author ID:377405 Share Posted January 21, 2011 Search Toolbar did not come up in the installed programs list in Add or Remove. Quarantined by ComboFix, I restored Search Toolbar and ran the uninstaller. Sufficient? Link to post Share on other sites More sharing options...
Maniac Posted January 21, 2011 ID:377408 Share Posted January 21, 2011 Yes, probably. Now:Open Notepad and copy and paste the text in the code box below into it:DDS::uInternet Settings,ProxyOverride = <local>uInternet Settings,ProxyServer = http=127.0.0.1:8893Save the file to your desktop and name it CFScript.txt Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system. Link to post Share on other sites More sharing options...
labgrant Posted January 21, 2011 Author ID:377414 Share Posted January 21, 2011 Aces. Here you go:ComboFix 11-01-19.02 - Randy 01/21/2011 5:07.2.1 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1245 [GMT -5:00]Running from: c:\documents and settings\Randy\Desktop\Combo-Fix.exeCommand switches used :: c:\documents and settings\Randy\Desktop\CFScript.txtAV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}.PEV Error: LocalSettingsFile((((((((((((((((((((((((( Files Created from 2010-12-21 to 2011-01-21 ))))))))))))))))))))))))))))))).2011-01-19 23:13 . 2011-01-19 23:13 -------- d-----w- c:\documents and settings\Randy\Application Data\Malwarebytes2011-01-19 23:13 . 2011-01-19 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2011-01-19 23:13 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-01-19 23:13 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2011-01-19 23:13 . 2011-01-20 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-01-19 20:48 . 2011-01-19 20:48 0 ----a-w- c:\windows\Npesamecusuram.bin2011-01-19 20:46 . 2011-01-19 20:46 -------- d-----w- c:\windows\system32\%APPDATA%2011-01-19 17:38 . 2011-01-19 17:38 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE2011-01-19 16:21 . 2011-01-19 16:39 -------- d-----w- c:\documents and settings\Administrator2011-01-19 00:35 . 2011-01-19 00:35 -------- d-sh--w- c:\documents and settings\Randy\IECompatCache2011-01-17 18:21 . 2011-01-17 18:53 -------- d-----w- c:\program files\ABBYY Screenshot Reader2011-01-17 18:21 . 2011-01-17 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ABBYY.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr2010-11-18 18:12 . 2006-08-21 17:23 81920 ----a-w- c:\windows\system32\isign32.dll2010-11-12 23:53 . 2010-06-25 22:44 472808 ----a-w- c:\windows\system32\deployJava1.dll2010-11-12 21:34 . 2008-12-09 21:25 73728 ----a-w- c:\windows\system32\javacpl.cpl2010-11-09 14:52 . 2006-08-21 17:02 249856 ----a-w- c:\windows\system32\odbc32.dll2010-11-06 00:26 . 2006-08-21 17:03 916480 ----a-w- c:\windows\system32\wininet.dll2010-11-06 00:26 . 2006-08-21 17:02 43520 ----a-w- c:\windows\system32\licmgr10.dll2010-11-06 00:26 . 2006-08-21 17:02 1469440 ------w- c:\windows\system32\inetcpl.cpl2010-11-03 12:25 . 2006-08-21 17:02 385024 ----a-w- c:\windows\system32\html.iec2010-11-02 15:17 . 2006-08-21 17:02 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys2010-10-28 13:13 . 2006-08-21 17:01 290048 ----a-w- c:\windows\system32\atmfd.dll2010-10-26 13:25 . 2006-08-21 17:03 1853312 ----a-w- c:\windows\system32\win32k.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"CFSServ.exe"="CFSServ.exe -NoClient" [X]"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]"NDSTray.exe"="NDSTray.exe" [bU]"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]"TPSMain"="TPSMain.exe" [2005-06-01 282624]"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 16262656]"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 89541]"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-2 113664]Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-7 600680]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-8-21 155648][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]@="Service"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= Link to post Share on other sites More sharing options...
Maniac Posted January 21, 2011 ID:377619 Share Posted January 21, 2011 Please post the entire log file of ComboFix. Link to post Share on other sites More sharing options...
labgrant Posted January 21, 2011 Author ID:377626 Share Posted January 21, 2011 ComboFix 11-01-19.02 - Randy 01/21/2011 5:07.2.1 - x86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1245 [GMT -5:00]Running from: c:\documents and settings\Randy\Desktop\Combo-Fix.exeCommand switches used :: c:\documents and settings\Randy\Desktop\CFScript.txtAV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}.PEV Error: LocalSettingsFile((((((((((((((((((((((((( Files Created from 2010-12-21 to 2011-01-21 ))))))))))))))))))))))))))))))).2011-01-19 23:13 . 2011-01-19 23:13 -------- d-----w- c:\documents and settings\Randy\Application Data\Malwarebytes2011-01-19 23:13 . 2011-01-19 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2011-01-19 23:13 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2011-01-19 23:13 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2011-01-19 23:13 . 2011-01-20 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-01-19 20:48 . 2011-01-19 20:48 0 ----a-w- c:\windows\Npesamecusuram.bin2011-01-19 20:46 . 2011-01-19 20:46 -------- d-----w- c:\windows\system32\%APPDATA%2011-01-19 17:38 . 2011-01-19 17:38 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE2011-01-19 16:21 . 2011-01-19 16:39 -------- d-----w- c:\documents and settings\Administrator2011-01-19 00:35 . 2011-01-19 00:35 -------- d-sh--w- c:\documents and settings\Randy\IECompatCache2011-01-17 18:21 . 2011-01-17 18:53 -------- d-----w- c:\program files\ABBYY Screenshot Reader2011-01-17 18:21 . 2011-01-17 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ABBYY.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr2010-11-18 18:12 . 2006-08-21 17:23 81920 ----a-w- c:\windows\system32\isign32.dll2010-11-12 23:53 . 2010-06-25 22:44 472808 ----a-w- c:\windows\system32\deployJava1.dll2010-11-12 21:34 . 2008-12-09 21:25 73728 ----a-w- c:\windows\system32\javacpl.cpl2010-11-09 14:52 . 2006-08-21 17:02 249856 ----a-w- c:\windows\system32\odbc32.dll2010-11-06 00:26 . 2006-08-21 17:03 916480 ----a-w- c:\windows\system32\wininet.dll2010-11-06 00:26 . 2006-08-21 17:02 43520 ----a-w- c:\windows\system32\licmgr10.dll2010-11-06 00:26 . 2006-08-21 17:02 1469440 ------w- c:\windows\system32\inetcpl.cpl2010-11-03 12:25 . 2006-08-21 17:02 385024 ----a-w- c:\windows\system32\html.iec2010-11-02 15:17 . 2006-08-21 17:02 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys2010-10-28 13:13 . 2006-08-21 17:01 290048 ----a-w- c:\windows\system32\atmfd.dll2010-10-26 13:25 . 2006-08-21 17:03 1853312 ----a-w- c:\windows\system32\win32k.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"CFSServ.exe"="CFSServ.exe -NoClient" [X]"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]"NDSTray.exe"="NDSTray.exe" [bU]"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]"TPSMain"="TPSMain.exe" [2005-06-01 282624]"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 16262656]"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 89541]"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-2 113664]Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-7 600680]HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-8-21 155648][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]@="Service"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"="c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"="c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"="c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync ServiceR2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 4:09 PM 102448]S0 ccfp;ccfp;c:\windows\system32\drivers\xbpw.sys --> c:\windows\system32\drivers\xbpw.sys [?]S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 2:43 PM 204800]S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 12:55 PM 23888]S3 Plugversnp;Plugversnp;c:\windows\system32\rasdial.exe [8/21/2006 12:02 PM 11264]..------- Supplementary Scan -------.uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHPuSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstartIE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\6ni0n1k3.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.comFF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=FF - prefs.js: network.proxy.type - 0FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}FF - Ext: EBrary Reader Plugin: reader_plugin@ebrary.com - %profile%\extensions\reader_plugin@ebrary.comFF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ffFF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension.- - - - ORPHANS REMOVED - - - -HKLM-Run-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2011-01-21 05:13Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(964)c:\windows\system32\Ati2evxx.dll- - - - - - - > 'explorer.exe'(3464)c:\windows\system32\WININET.dllc:\windows\system32\btmmhook.dllc:\windows\system32\ieframe.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\TPwrCfg.DLLc:\windows\system32\TPwrReg.dllc:\windows\system32\TPSTrace.DLLc:\windows\system32\PortableDeviceApi.dll.Completion time: 2011-01-21 05:15:35ComboFix-quarantined-files.txt 2011-01-21 10:15ComboFix2.txt 2011-01-20 09:05Pre-Run: 6,200,131,584 bytes freePost-Run: 6,169,530,368 bytes free- - End Of File - - 0B3E02C2146F63942C9E39340EC21A54 Link to post Share on other sites More sharing options...
labgrant Posted January 21, 2011 Author ID:377627 Share Posted January 21, 2011 Apologies, should have caught that. Link to post Share on other sites More sharing options...
Maniac Posted January 21, 2011 ID:377633 Share Posted January 21, 2011 Launch Malwarebytes' Anti-MalwareGo to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.Let me know how are things now. Link to post Share on other sites More sharing options...
labgrant Posted January 21, 2011 Author ID:377673 Share Posted January 21, 2011 Everything seems to be right as rain. Malwarebytes' Anti-Malware 1.50.1.1100www.malwarebytes.orgDatabase version: 5567Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187021/21/2011 6:32:39 PMmbam-log-2011-01-21 (18-32-39).txtScan type: Quick scanObjects scanned: 154842Time elapsed: 3 minute(s), 47 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\Software\ndo8thb2ikwe (Malware.Trace) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Maniac Posted January 21, 2011 ID:377674 Share Posted January 21, 2011 Nice job! Last steps:Step 1Go to Start => Run... and copy & paste next command in the field:ComboFix /uninstallThen hit Enter button.This procedure will do the following:Uninstall ComboFixDelete its related folders and filesReset your clock settingsHide file extensionsHide the system/hidden filesResets System Restore againP.S.: Make sure there's a space between ComboFix and /uninstallStep 2Keep your software up-to-date:www.bleepingcomputer.com/tutorials/tutorial174.htmlSome malware preventions:http://forums.malwarebytes.org/index.php?showtopic=9365Safe surfing! Link to post Share on other sites More sharing options...
labgrant Posted January 21, 2011 Author ID:377677 Share Posted January 21, 2011 Aces! Many thanks ... though I will miss the sweet Thundercat icon. Link to post Share on other sites More sharing options...
Maniac Posted January 22, 2011 ID:377781 Share Posted January 22, 2011 You're welcome! Link to post Share on other sites More sharing options...
Recommended Posts