Jump to content

Hijackthis help


daytona
 Share

Recommended Posts

Hello daytona! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.

Please download and run WUS_Fix.exe: http://users.telenet.be/marcvn/tools/WUS_Fix.exe

This should restore the default registry settings related with BITS and Automatic updates.

Link to post
Share on other sites

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "-Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 2

  • Open HijackThis, click Config, click Misc Tools
  • Click Open Uninstall Manager
  • Click Save List (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please include this log:

  • Malwarebytes' Anti-Malware log
  • Add or Remove Programs list
  • a new fresh HiJackThis log

Link to post
Share on other sites

MAL-WARE

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5639

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/30/2011 11:06:29 AM

mbam-log-2011-01-30 (11-06-29).txt

Scan type: Quick scan

Objects scanned: 222812

Time elapsed: 15 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

...........................................

Hijack

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:09:02 AM, on 1/30/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\sessmgr.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3071130

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58

Link to post
Share on other sites

MAL-WARE

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5639

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/30/2011 11:06:29 AM

mbam-log-2011-01-30 (11-06-29).txt

Scan type: Quick scan

Objects scanned: 222812

Time elapsed: 15 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

...........................................

Hijack

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:09:02 AM, on 1/30/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\sessmgr.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3071130

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR

Link to post
Share on other sites

Step 1

Please, uninstall the following applications:

  1. Advertising Center

You can read, how to do this here:

Step 2

Please, open HiJackThis and select Do a system scan only.

Check the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:

Then, close all open windows except that of HijackThis, and select Fix Checked.

Step 3

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

Sorry, wouldn't upload.

ComboFix 11-01-29.03 - user 01/30/2011 16:21:21.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1709 [GMT -5:00]

Running from: c:\documents and settings\user.FTPD\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\user.FTPD\Application Data\Adobe\AdobeUpdate .exe

c:\documents and settings\user.FTPD\Application Data\Adobe\plugs

c:\windows\system\oeminfo.ini

----- BITS: Possible infected sites -----

hxxp://ftpddc1:8530

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-30 )))))))))))))))))))))))))))))))

.

2011-01-30 14:14 . 2011-01-30 14:14 388096 ----a-r- c:\documents and settings\user.FTPD\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-01-30 14:14 . 2011-01-30 14:14 -------- d-----w- c:\program files\Trend Micro

2011-01-30 13:59 . 2011-01-30 21:18 -------- d-----w- c:\windows\system32\CatRoot2

2011-01-30 13:17 . 2011-01-30 13:18 -------- d-----w- c:\program files\CCleaner

2011-01-30 13:07 . 2011-01-30 13:09 -------- dc-h--w- c:\windows\ie8

2011-01-29 21:43 . 2011-01-29 21:43 -------- d-----w- c:\program files\Windows Live Safety Center

2011-01-29 18:52 . 2009-03-08 09:33 726528 -c--a-w- c:\windows\system32\dllcache\jscript.dll

2011-01-29 18:52 . 2009-03-08 09:33 420352 -c--a-w- c:\windows\system32\dllcache\vbscript.dll

2011-01-29 18:30 . 2011-01-30 12:48 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-01-29 18:30 . 2011-01-30 12:48 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-01-29 17:54 . 2011-01-29 17:54 -------- d-----w- c:\windows\system32\wbem\Repository

2011-01-29 17:34 . 2008-04-14 09:42 171008 ----a-w- c:\windows\system32\OLD18.tmp

2011-01-29 17:30 . 2011-01-29 17:34 -------- d-----w- c:\windows\LastGood(2)

2011-01-29 04:18 . 2011-01-29 04:18 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes

2011-01-29 02:26 . 2011-01-29 05:27 0 ----a-w- c:\windows\Aqamonibumeru.bin

2011-01-29 02:26 . 2011-01-29 02:26 -------- d-----w- c:\documents and settings\user.FTPD\Local Settings\Application Data\{AB1D8544-D70D-43F8-A314-11172E6B56D7}

2011-01-29 02:20 . 2011-01-29 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\oDoGmBe06511

2011-01-28 23:48 . 2011-01-28 23:48 -------- d-----w- c:\documents and settings\user.FTPD\Local Settings\Application Data\smpCommsInit

2011-01-28 23:48 . 2011-01-29 21:42 -------- d-----w- c:\documents and settings\user.FTPD\Application Data\81422

2011-01-24 16:40 . 2011-01-24 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe

2011-01-23 14:27 . 2011-01-23 14:27 1409 ----a-w- c:\windows\QTFont.for

2011-01-13 15:02 . 2011-01-13 15:02 -------- d-----w- c:\documents and settings\LaFave\10-1177

2011-01-12 08:25 . 2010-11-09 14:52 249856 -c----w- c:\windows\system32\dllcache\odbc32.dll

2011-01-12 08:25 . 2010-11-09 14:52 200704 -c----w- c:\windows\system32\dllcache\msadox.dll

2011-01-12 08:25 . 2010-11-09 14:52 180224 -c----w- c:\windows\system32\dllcache\msadomd.dll

2011-01-12 08:25 . 2010-11-09 14:52 143360 -c----w- c:\windows\system32\dllcache\msadco.dll

2011-01-12 08:25 . 2010-11-09 14:52 102400 -c----w- c:\windows\system32\dllcache\msjro.dll

2011-01-12 08:25 . 2010-11-09 14:52 536576 -c----w- c:\windows\system32\dllcache\msado15.dll

2011-01-01 22:27 . 2011-01-01 22:27 -------- d-----w- c:\documents and settings\user.FTPD\Local Settings\Application Data\Nero

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-20 23:09 . 2010-11-17 21:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2010-11-17 21:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-07 21:11 . 2010-12-07 21:11 709456 ----a-w- c:\windows\isRS-000.tmp

2010-11-18 18:12 . 2004-08-10 19:02 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-09 14:52 . 2006-02-28 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-08-20 2363392]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2007-07-22 21:27 69632 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-05-12 03:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2006-10-20 23:23 118784 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-07-22 21:27 16132608 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2011 8:17 AM 135664]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-08-20 18:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-30 13:17]

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-30 13:17]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?ilc=1

uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

TCP: {BD2467E0-F50E-4D09-AFB2-14D0E0941E57} = 192.168.3.5,24.213.60.93

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB

FF - ProfilePath - c:\documents and settings\user.FTPD\Application Data\Mozilla\Firefox\Profiles\n2hppjva.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: AniWeather: {4176DFF4-4698-11DE-BEEB-45DA55D89593} - %profile%\extensions\{4176DFF4-4698-11DE-BEEB-45DA55D89593}

FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}

FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia

FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-30 16:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-01-30 16:33:30

ComboFix-quarantined-files.txt 2011-01-30 21:33

Pre-Run: 51,185,737,728 bytes free

Post-Run: 53,189,152,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

[spybotsd]

timeout.old=30

- - End Of File - - 2EF9CF3294A24B71F546DAC2783A5B9E

Link to post
Share on other sites

Open Notepad and copy and paste the text in the code box below into it:

File::
c:\windows\system32\OLD18.tmp

Folder::
c:\documents and settings\user.FTPD\Local Settings\Application Data\{AB1D8544-D70D-43F8-A314-11172E6B56D7}
c:\documents and settings\All Users\Application Data\oDoGmBe06511
c:\documents and settings\user.FTPD\Application Data\81422

DirLook::
c:\documents and settings\LaFave\10-1177

DDS::
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

ComboFix 11-01-30.02 - user 01/31/2011 7:12.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1417 [GMT -5:00]

Running from: c:\documents and settings\user.FTPD\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\user.FTPD\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FILE ::

"c:\windows\system32\OLD18.tmp"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\oDoGmBe06511

c:\documents and settings\All Users\Application Data\oDoGmBe06511\oDoGmBe06511

c:\documents and settings\user.FTPD\Application Data\81422

c:\documents and settings\user.FTPD\Application Data\81422\pdmn2.exe

c:\documents and settings\user.FTPD\Application Data\81422\recf.exe

c:\documents and settings\user.FTPD\Application Data\81422\userid.dat

c:\documents and settings\user.FTPD\Local Settings\Application Data\{AB1D8544-D70D-43F8-A314-11172E6B56D7}

c:\documents and settings\user.FTPD\Local Settings\Application Data\{AB1D8544-D70D-43F8-A314-11172E6B56D7}\chrome.manifest

c:\documents and settings\user.FTPD\Local Settings\Application Data\{AB1D8544-D70D-43F8-A314-11172E6B56D7}\chrome\content\_cfg.js

c:\documents and settings\user.FTPD\Local Settings\Application Data\{AB1D8544-D70D-43F8-A314-11172E6B56D7}\chrome\content\overlay.xul

c:\documents and settings\user.FTPD\Local Settings\Application Data\{AB1D8544-D70D-43F8-A314-11172E6B56D7}\install.rdf

c:\windows\system32\OLD18.tmp

.

((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-31 )))))))))))))))))))))))))))))))

.

2011-01-30 21:58 . 2011-01-30 21:58 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0D7686B-B170-47B8-9599-DDC5D4956990}\MpKsl611250ae.sys

2011-01-30 21:58 . 2011-01-13 06:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0D7686B-B170-47B8-9599-DDC5D4956990}\mpengine.dll

2011-01-30 21:58 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-01-30 21:56 . 2011-01-30 21:56 -------- d-----w- c:\windows\LastGood

2011-01-30 21:56 . 2011-01-30 21:56 -------- d-----w- c:\program files\Microsoft Security Client

2011-01-30 21:41 . 2011-01-30 21:41 5126 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-01-30 14:14 . 2011-01-30 14:14 388096 ----a-r- c:\documents and settings\user.FTPD\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-01-30 14:14 . 2011-01-30 14:14 -------- d-----w- c:\program files\Trend Micro

2011-01-30 13:59 . 2011-01-31 12:10 -------- d-----w- c:\windows\system32\CatRoot2

2011-01-30 13:17 . 2011-01-30 13:18 -------- d-----w- c:\program files\CCleaner

2011-01-30 13:07 . 2011-01-30 13:09 -------- dc-h--w- c:\windows\ie8

2011-01-29 21:43 . 2011-01-29 21:43 -------- d-----w- c:\program files\Windows Live Safety Center

2011-01-29 18:52 . 2010-03-10 06:15 420352 -c--a-w- c:\windows\system32\dllcache\vbscript.dll

2011-01-29 18:52 . 2009-12-09 05:53 726528 -c--a-w- c:\windows\system32\dllcache\jscript.dll

2011-01-29 18:30 . 2011-01-30 12:48 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-01-29 18:30 . 2011-01-30 12:48 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-01-29 17:54 . 2011-01-29 17:54 -------- d-----w- c:\windows\system32\wbem\Repository

2011-01-29 04:18 . 2011-01-29 04:18 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes

2011-01-29 02:26 . 2011-01-29 05:27 0 ----a-w- c:\windows\Aqamonibumeru.bin

2011-01-28 23:48 . 2011-01-28 23:48 -------- d-----w- c:\documents and settings\user.FTPD\Local Settings\Application Data\smpCommsInit

2011-01-24 16:40 . 2011-01-24 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe

2011-01-23 14:27 . 2011-01-23 14:27 1409 ----a-w- c:\windows\QTFont.for

2011-01-13 15:02 . 2011-01-13 15:02 -------- d-----w- c:\documents and settings\LaFave\10-1177

2011-01-12 08:25 . 2010-11-09 14:52 249856 -c----w- c:\windows\system32\dllcache\odbc32.dll

2011-01-12 08:25 . 2010-11-09 14:52 200704 -c----w- c:\windows\system32\dllcache\msadox.dll

2011-01-12 08:25 . 2010-11-09 14:52 180224 -c----w- c:\windows\system32\dllcache\msadomd.dll

2011-01-12 08:25 . 2010-11-09 14:52 143360 -c----w- c:\windows\system32\dllcache\msadco.dll

2011-01-12 08:25 . 2010-11-09 14:52 102400 -c----w- c:\windows\system32\dllcache\msjro.dll

2011-01-12 08:25 . 2010-11-09 14:52 536576 -c----w- c:\windows\system32\dllcache\msado15.dll

2011-01-01 22:27 . 2011-01-01 22:27 -------- d-----w- c:\documents and settings\user.FTPD\Local Settings\Application Data\Nero

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-20 23:09 . 2010-11-17 21:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2010-11-17 21:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-07 21:11 . 2010-12-07 21:11 709456 ----a-w- c:\windows\isRS-000.tmp

2010-11-18 18:12 . 2004-08-10 19:02 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-09 14:52 . 2006-02-28 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\LaFave\10-1177 ----

2011-01-12 17:23 . 2011-01-12 18:25 1081712 ----a-w- c:\documents and settings\LaFave\10-1177\Handgun 2.JPG

2011-01-12 17:23 . 2011-01-12 18:25 1091852 ----a-w- c:\documents and settings\LaFave\10-1177\Handgun 1.JPG

((((((((((((((((((((((((((((( SnapShot@2011-01-30_21.31.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-01-30 21:48 . 2011-01-30 21:48 16384 c:\windows\Temp\Perflib_Perfdata_654.dat

- 2007-11-30 00:15 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe

+ 2007-11-30 00:15 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe

+ 2004-08-10 18:51 . 2011-01-30 21:41 97942 c:\windows\system32\perfc009.dat

+ 2006-02-28 12:00 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll

- 2006-02-28 12:00 . 2009-03-08 09:31 66560 c:\windows\system32\mshtmled.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll

- 2006-02-28 12:00 . 2009-03-08 09:33 25600 c:\windows\system32\jsproxy.dll

+ 2009-03-08 09:31 . 2010-11-06 00:26 66560 c:\windows\system32\dllcache\mshtmled.dll

- 2009-03-08 09:31 . 2009-03-08 09:31 66560 c:\windows\system32\dllcache\mshtmled.dll

+ 2009-03-08 09:34 . 2010-11-06 00:26 43520 c:\windows\system32\dllcache\licmgr10.dll

- 2009-03-08 09:33 . 2009-03-08 09:33 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2009-03-08 09:33 . 2010-11-06 00:26 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2011-01-30 21:46 . 2009-05-26 11:40 17272 c:\windows\ie8updates\KB981332-IE8\spmsg.dll

+ 2011-01-30 21:46 . 2009-05-26 11:40 26488 c:\windows\ie8updates\KB981332-IE8\spcustom.dll

+ 2011-01-30 21:46 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB976662-IE8\spmsg.dll

+ 2011-01-30 21:46 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB976662-IE8\spcustom.dll

+ 2011-01-30 21:44 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB971961-IE8\spmsg.dll

+ 2011-01-30 21:44 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB971961-IE8\spcustom.dll

+ 2011-01-30 21:46 . 2010-02-22 14:23 17272 c:\windows\ie8updates\KB2416400-IE8\spmsg.dll

+ 2011-01-30 21:46 . 2010-02-22 14:23 26488 c:\windows\ie8updates\KB2416400-IE8\spcustom.dll

+ 2011-01-30 21:46 . 2009-03-08 09:31 66560 c:\windows\ie8updates\KB2416400-IE8\mshtmled.dll

+ 2011-01-30 21:46 . 2009-03-08 09:34 43008 c:\windows\ie8updates\KB2416400-IE8\licmgr10.dll

+ 2011-01-30 21:46 . 2009-03-08 09:33 25600 c:\windows\ie8updates\KB2416400-IE8\jsproxy.dll

+ 2006-02-28 12:00 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll

- 2006-02-28 12:00 . 2009-03-08 09:33 420352 c:\windows\system32\vbscript.dll

+ 2004-08-10 18:51 . 2011-01-30 21:41 509830 c:\windows\system32\perfh009.dat

+ 2006-02-28 12:00 . 2010-11-06 00:26 206848 c:\windows\system32\occache.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 611840 c:\windows\system32\mstime.dll

- 2006-02-28 12:00 . 2009-03-08 09:32 611840 c:\windows\system32\mstime.dll

- 2006-02-28 12:00 . 2009-03-08 09:33 726528 c:\windows\system32\jscript.dll

+ 2006-02-28 12:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 184320 c:\windows\system32\iepeers.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 387584 c:\windows\system32\iedkcs32.dll

+ 2006-02-28 12:00 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe

+ 2010-10-25 02:25 . 2010-10-25 02:25 165264 c:\windows\system32\drivers\MpFilter.sys

+ 2009-03-08 09:34 . 2010-11-06 00:26 916480 c:\windows\system32\dllcache\wininet.dll

+ 2009-03-08 09:34 . 2010-11-06 00:26 206848 c:\windows\system32\dllcache\occache.dll

+ 2009-03-08 09:32 . 2010-11-06 00:26 611840 c:\windows\system32\dllcache\mstime.dll

- 2009-03-08 09:32 . 2009-03-08 09:32 611840 c:\windows\system32\dllcache\mstime.dll

+ 2009-03-08 09:31 . 2010-11-06 00:26 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2009-03-08 19:09 . 2010-11-06 00:26 387584 c:\windows\system32\dllcache\iedkcs32.dll

+ 2009-03-08 09:32 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe

+ 2011-01-30 21:56 . 2011-01-30 21:56 786432 c:\windows\Installer\62bf2.msi

+ 2011-01-30 21:56 . 2011-01-30 21:56 479744 c:\windows\Installer\62bec.msi

+ 2011-01-30 21:56 . 2011-01-30 21:56 301056 c:\windows\Installer\62be7.msi

+ 2011-01-30 21:54 . 2011-01-30 21:54 817152 c:\windows\Installer\62bca.msi

+ 2011-01-30 21:46 . 2009-03-08 09:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll

+ 2011-01-30 21:46 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\updspapi.dll

+ 2011-01-30 21:46 . 2009-05-26 11:40 755576 c:\windows\ie8updates\KB981332-IE8\update.exe

+ 2011-01-30 21:46 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll

+ 2011-01-30 21:46 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe

+ 2011-01-30 21:46 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst.exe

+ 2011-01-30 21:46 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\updspapi.dll

+ 2011-01-30 21:46 . 2008-07-08 13:02 755576 c:\windows\ie8updates\KB976662-IE8\update.exe

+ 2011-01-30 21:46 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll

+ 2011-01-30 21:46 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe

+ 2011-01-30 21:46 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst.exe

+ 2011-01-30 21:46 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll

+ 2011-01-30 21:44 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\updspapi.dll

+ 2011-01-30 21:44 . 2008-07-08 13:02 755576 c:\windows\ie8updates\KB971961-IE8\update.exe

+ 2011-01-30 21:44 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll

+ 2011-01-30 21:44 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe

+ 2011-01-30 21:44 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst.exe

+ 2011-01-30 21:44 . 2009-03-08 09:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll

+ 2011-01-30 21:46 . 2009-03-08 09:34 914944 c:\windows\ie8updates\KB2416400-IE8\wininet.dll

+ 2011-01-30 21:46 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2416400-IE8\updspapi.dll

+ 2011-01-30 21:46 . 2010-02-22 14:23 755576 c:\windows\ie8updates\KB2416400-IE8\update.exe

+ 2011-01-30 21:46 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2416400-IE8\spuninst\updspapi.dll

+ 2011-01-30 21:46 . 2010-02-22 14:23 231288 c:\windows\ie8updates\KB2416400-IE8\spuninst\spuninst.exe

+ 2011-01-30 21:46 . 2010-02-22 14:23 231288 c:\windows\ie8updates\KB2416400-IE8\spuninst.exe

+ 2011-01-30 21:46 . 2009-03-08 09:34 109568 c:\windows\ie8updates\KB2416400-IE8\occache.dll

+ 2011-01-30 21:46 . 2009-03-08 09:32 611840 c:\windows\ie8updates\KB2416400-IE8\mstime.dll

+ 2011-01-30 21:46 . 2009-03-08 09:31 183808 c:\windows\ie8updates\KB2416400-IE8\iepeers.dll

+ 2011-01-30 21:46 . 2009-03-08 19:09 391536 c:\windows\ie8updates\KB2416400-IE8\iedkcs32.dll

+ 2011-01-30 21:46 . 2009-03-08 09:32 173056 c:\windows\ie8updates\KB2416400-IE8\ie4uinit.exe

+ 2006-02-28 12:00 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon.dll

+ 2006-02-28 12:00 . 2010-11-06 00:26 5959168 c:\windows\system32\mshtml.dll

+ 2009-03-08 09:34 . 2010-11-06 00:26 1210880 c:\windows\system32\dllcache\urlmon.dll

+ 2009-03-08 09:41 . 2010-11-06 00:26 5959168 c:\windows\system32\dllcache\mshtml.dll

+ 2011-01-30 21:46 . 2009-03-08 09:34 1206784 c:\windows\ie8updates\KB2416400-IE8\urlmon.dll

+ 2011-01-30 21:46 . 2009-03-08 09:41 5937152 c:\windows\ie8updates\KB2416400-IE8\mshtml.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-08-20 2363392]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2007-07-22 21:27 69632 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-05-12 03:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2006-10-20 23:23 118784 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-07-22 21:27 16132608 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

R1 MpKsl611250ae;MpKsl611250ae;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0D7686B-B170-47B8-9599-DDC5D4956990}\MpKsl611250ae.sys [1/30/2011 4:58 PM 28752]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2011 8:17 AM 135664]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MPFILTER

*NewlyCreated* - MPKSL611250AE

*NewlyCreated* - MSMPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-08-20 18:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2011-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-30 13:17]

2011-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-30 13:17]

2011-01-30 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?ilc=1

uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

TCP: {BD2467E0-F50E-4D09-AFB2-14D0E0941E57} = 192.168.3.5,24.213.60.93

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB

FF - ProfilePath - c:\documents and settings\user.FTPD\Application Data\Mozilla\Firefox\Profiles\n2hppjva.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: AniWeather: {4176DFF4-4698-11DE-BEEB-45DA55D89593} - %profile%\extensions\{4176DFF4-4698-11DE-BEEB-45DA55D89593}

FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}

FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia

FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-31 07:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-01-31 07:19:41

ComboFix-quarantined-files.txt 2011-01-31 12:19

ComboFix2.txt 2011-01-30 21:33

Pre-Run: 52,808,208,384 bytes free

Post-Run: 52,830,433,280 bytes free

- - End Of File - - 471FDE8783F2AC0AA1FC065A52CD8624

Link to post
Share on other sites

Everything seems to be running great! I can update Windows and everything is running faster. I thought for sure this computer needed the windows disc!

You really know your stuff thanks for everything!!

I don't think I ever got a virus this bad, was it one in particular or several?

Link to post
Share on other sites

Several craps :)

Last steps:

Step 1

  1. Go to Start => Run... and copy & paste next command in the field:
    ComboFix /uninstall


  2. Then hit Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Resets System Restore again

P.S.: Make sure there's a space between ComboFix and /uninstall

Step 2

Please uninstall HiJackThis.

Step 3

Keep your software up-to-date:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.