
Am I still infected?


Wofstar

Last night my wife was browsing a site and an AntiVira AV program popped up saying my laptop was infected. She clicked on the program and everything went crazy. I immediately shut off my wireless card and searched for the virus online. I found a site on how to remove this particular virus and went through the steps to do so. My problem was that I upgraded my computer from Windows Vista to Windows 7, and the walkthrough called for me to reboot in Safe Mode, but no matter what I tried I could not boot into Safe Mode. I searched for causes and found that others have had the same problem after upgrading to Windows 7, so I went ahead with the walkthrough in Normal Mode. It had me download and run rkill.exe, which brought up several programs, then had me run Malwarebytes. Once MB was completed it detected several viruses and I removed them. Just to be on the safe side I re-ran rkill.exe and MB again to be sure nothing was on the system. MB found no infections, but when I re-ran rkill.exe it found and stopped:

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 02/16/2011 at 3:17:00.

Operating System: Windows 7 Home Premium

Processes terminated by Rkill or while it was running:

C:\Windows\SysWOW64\InfDefaultInstall.exe

C:\Windows\SysWOW64\runonce.exe

.exe

Rkill completed on 02/16/2011 at 3:17:07.

I then searched for the programs it had terminated and found a thread here on MBForums about these two programs being a threat. So I just wanted to check in and see if I needed to pursue these any further, or am I good to go?

Cheers,

Wof


Ok, I had some time and was able to run the scans. Can you please let me know if my laptop is still infected, and also if there are any particular programs/tools I can get to keep this from happening again?

DDS (Ver_10-12-12.02) - NTFS_AMD64

Run by AngelsBaby at 13:32:51.91 on Wed 02/16/2011

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4086.2982 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\RAVCpl64.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe

C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe

C:\Program Files (x86)\HP\QuickPlay\QPService.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\ClamWin\bin\ClamTray.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\msiexec.exe

c:\program files (x86)\hughesnetstatusmeter\HughesNetStatusMeter\HughesNetStatusMeter.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\AngelsBaby\Downloads\dds.scr

C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

uInternet Settings,ProxyOverride = <local>

uURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: HP Print Clips: {ffffffff-ff12-44c5-91ec-068e3aa1b2d7} - c:\Program Files (x86)\HP\Smart Web Printing\hpswp_framework.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [Google Update] "C:\Users\AngelsBaby\AppData\Local\Google\Update\GoogleUpdate.exe" /c

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"

mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun: [QlbCtrl] %ProgramFiles(x86)%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [uCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"

mRun: [WAWifiMessage] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

mRun: [ClamWin] "C:\Program Files (x86)\ClamWin\bin\ClamTray.exe" --logon

StartupFolder: C:\Users\ANGELS~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\HUGHES~1.LNK - C:\Program Files (x86)\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\Program Files (x86)\HP\Smart Web Printing\hpswp_extensions.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

mRun-x64: [RtHDVCpl] RAVCpl64.exe

mRun-x64: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

mRun-x64: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun-x64: [iAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"

mRun-x64: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

mRun-x64: [igfxTray] C:\Windows\system32\igfxtray.exe

mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe

================= FIREFOX ===================

FF - ProfilePath - C:\Users\ANGELS~1\AppData\Roaming\Mozilla\Firefox\Profiles\ime9uo52.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll

FF - plugin: C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\AngelsBaby\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: C:\Users\AngelsBaby\AppData\Roaming\Mozilla\Firefox\Profiles\ime9uo52.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll

FF - plugin: C:\Users\AngelsBaby\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\AngelsBaby\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: HP Detect: {ab91efd4-6975-4081-8552-1b3922ed79e2} - %profile%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;C:\Windows\System32\drivers\PCTCore64.sys [2011-1-4 257232]

R0 pctDS;PC Tools Data Store;C:\Windows\System32\drivers\pctDS64.sys [2011-1-4 452872]

R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\System32\drivers\pctEFA64.sys [2011-1-4 816016]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-1 187392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [2011-1-4 366840]

S3 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [2011-1-4 1150936]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-13 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

=============== Created Last 30 ================

2011-02-16 19:32:23 -------- d-----w- C:\Users\ANGELS~1\AppData\Roaming\com.hughesnet.HughesNetStatusMeter.92D257A0BA68956E9AA1D50589E83FF4134CD6A8.1

2011-02-15 23:47:40 7844688 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{459E5E6F-9617-4731-B46F-08C11E30DC98}\mpengine.dll

2011-02-15 22:27:51 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{A2EBF9DD-2185-4C91-A8A9-37DAFA43625F}

2011-02-11 14:50:20 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{71ADC5AD-87C6-4F24-B71B-CE9461908A59}

2011-02-11 00:28:26 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{3D159DF5-26A8-45A0-8098-63DFCF51E0BD}

2011-02-09 00:11:44 714752 ----a-w- C:\Windows\System32\kerberos.dll

2011-02-09 00:10:59 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys

2011-02-09 00:00:44 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{EB1908FF-06F2-42BD-973B-584E7B56341C}

2011-02-02 07:47:24 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2011-02-02 07:47:24 472808 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

2011-01-31 19:08:05 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{28251F71-2821-4817-99D1-1AC76A154F2F}

2011-01-30 14:33:09 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{6D8DE816-93AB-4242-871F-4D4E1743B74A}

2011-01-29 18:15:33 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{5915C938-676B-4B4B-8079-95F34A4C4E53}

2011-01-29 01:54:13 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{4025AEC5-9663-49DF-BF30-A394F929482C}

2011-01-27 22:34:33 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{E10D78B2-E5D1-48E2-BC3D-6E00356128FA}

2011-01-27 10:34:20 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{BD44123F-A86F-4972-BCD3-78D033F73227}

2011-01-26 22:34:01 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{32BD36FC-9F5D-4769-A72D-6A7CC2474F72}

2011-01-26 10:33:47 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{5CC79FA0-5B70-4323-BFEA-3024EBCD5E0A}

2011-01-25 22:42:50 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\Google

2011-01-25 22:33:13 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{87F06104-5F9E-4509-9CFC-07909A2738FD}

2011-01-24 14:09:18 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{14332E2F-46DE-4A2B-A4C8-72E6CE1FD82B}

2011-01-22 21:56:39 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{7FF7ED8E-CD74-4FB4-A15F-D232C91E47AE}

2011-01-22 03:00:46 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{4ACBCE43-3FDC-4DB4-995B-17C75A1B276E}

2011-01-20 20:35:16 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{4FB1F410-D4AB-4857-ACAE-74EF73EA14EB}

2011-01-20 20:35:16 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{11E2D418-941A-43FE-9009-B266EB1B21BC}

2011-01-19 22:26:00 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{B9BB8D9E-FC2F-4355-86C2-F4D21BB78A03}

==================== Find3M ====================

2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys

2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll

2011-01-07 08:06:50 46080 ----a-w- C:\Windows\System32\atmlib.dll

2011-01-07 07:27:11 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2011-01-07 05:49:20 366080 ----a-w- C:\Windows\System32\atmfd.dll

2011-01-07 05:33:11 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll

2011-01-05 06:20:30 612352 ----a-w- C:\Windows\System32\vbscript.dll

2011-01-05 05:37:33 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll

2011-01-05 04:00:16 3127808 ----a-w- C:\Windows\System32\win32k.sys

2010-12-21 06:16:27 97280 ----a-w- C:\Windows\System32\wscsvc.dll

2010-12-21 06:16:27 62976 ----a-w- C:\Windows\System32\wscapi.dll

2010-12-21 06:16:16 214016 ----a-w- C:\Windows\System32\winsrv.dll

2010-12-21 06:16:14 442880 ----a-w- C:\Windows\System32\winhttp.dll

2010-12-21 06:16:14 1197056 ----a-w- C:\Windows\System32\wininet.dll

2010-12-21 06:16:09 258048 ----a-w- C:\Windows\System32\WebClnt.dll

2010-12-21 06:15:55 264192 ----a-w- C:\Windows\System32\upnp.dll

2010-12-21 06:15:31 15360 ----a-w- C:\Windows\System32\slwga.dll

2010-12-21 06:13:03 2003968 ----a-w- C:\Windows\System32\msxml6.dll

2010-12-21 06:13:03 1880576 ----a-w- C:\Windows\System32\msxml3.dll

2010-12-21 06:10:22 100864 ----a-w- C:\Windows\System32\davclnt.dll

2010-12-21 05:38:24 51200 ----a-w- C:\Windows\SysWow64\wscapi.dll

2010-12-21 05:38:22 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2010-12-21 05:38:22 350720 ----a-w- C:\Windows\SysWow64\winhttp.dll

2010-12-21 05:38:21 204800 ----a-w- C:\Windows\SysWow64\WebClnt.dll

2010-12-21 05:38:19 204288 ----a-w- C:\Windows\SysWow64\upnp.dll

2010-12-21 05:38:16 14336 ----a-w- C:\Windows\SysWow64\slwga.dll

2010-12-21 05:36:17 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll

2010-12-21 05:36:16 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2010-12-21 05:34:12 80384 ----a-w- C:\Windows\SysWow64\davclnt.dll

2010-12-21 00:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys

2010-12-18 06:11:41 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2010-12-18 05:29:40 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2010-12-18 05:29:31 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll

2010-12-18 04:55:03 482816 ----a-w- C:\Windows\System32\html.iec

2010-12-18 04:20:55 386048 ----a-w- C:\Windows\SysWow64\html.iec

2010-12-18 04:13:40 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2010-12-18 03:47:59 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2010-12-13 02:37:28 525792 ----a-w- C:\Windows\DIFxAPI.dll

2010-12-13 02:37:26 315392 ----a-w- C:\Windows\HideWin.exe

2010-11-25 16:43:26 257232 ----a-w- C:\Windows\System32\drivers\PCTCore64.sys

2010-11-25 16:42:10 92896 ----a-w- C:\Windows\System32\drivers\pctplsg64.sys

============= FINISH: 13:33:39.94 ===============

Attach.zip



Hi and welcome to Malwarebytes.

Please post the MBAM scan where items were found.

Next, update MBAM, run a Quick Scan, and post its new log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Here is the first scan where the original virus was detected:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5772

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2/16/2011 3:11:04 AM

mbam-log-2011-02-16 (03-11-04).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 314240

Time elapsed: 48 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\agikgaht (Trojan.FakeAlert.Gen) -> Value: agikgaht -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\angelsbaby\AppData\LocalLow\Sun\Java\deployment\cache\6.0\20\70ffd514-7e920e76 (Rogue.Palladium) -> Quarantined and deleted successfully.

c:\Users\angelsbaby\AppData\Local\Temp\ykutyqkdw\nmtpgrjsika.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Here is the new scan, and I now have 3 new threats since I've reconnected to the net to update MB:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5850

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2/23/2011 1:00:59 AM

mbam-log-2011-02-23 (01-00-52).txt

Scan type: Quick scan

Objects scanned: 165039

Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\angelsbaby\AppData\Local\Temp\jar_cache6310443834960232336.tmp (Trojan.Downloader) -> No action taken.

c:\Users\angelsbaby\local settings\temporary internet files\Content.IE5\YGM1J31T\so[1].exe (Trojan.FakeAlert) -> No action taken.

I am working on running the combofix now and will post it once completed.

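An added triage example, written for this page and not code from the thread, from Malwarebytes, or from the DDS/ComboFix authors: a small Python parser that reads the DDS "uRun/mRun" and "Internet Settings" lines and the MBAM detection lines in the formats shown above, and flags the three things a helper looks for first in these logs: autorun entries whose executable lives in a temp or cache directory (the kind of entry MBAM quarantined under AppData\Local\Temp), a ProxyServer value set in the user's Internet Settings (what MBAM reported as PUM.Bad.Proxy), and detections still marked "No action taken" (the 1:00 AM log was posted before removal; the 1:04 AM log is the one with actions). The sample lines are constructed to match the thread's log formats; the proxy value and the command behind the agikgaht Run entry are invented, since the thread shows only the value name and the quarantined file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input modelled on the DDS "Pseudo HJT" section and the MBAM log
# format in this thread. The ProxyServer value and the command behind the "agikgaht"
# Run entry are invented; the thread shows only the value name and the quarantined file.
SAMPLE_DDS = r"""
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [agikgaht] C:\Users\AngelsBaby\AppData\Local\Temp\ykutyqkdw\nmtpgrjsika.exe
mRun: [ClamWin] "C:\Program Files (x86)\ClamWin\bin\ClamTray.exe" --logon
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
"""

SAMPLE_MBAM = r"""
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
Files Infected:
c:\Users\angelsbaby\AppData\Local\Temp\ykutyqkdw\nmtpgrjsika.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\angelsbaby\AppData\Local\Temp\jar_cache6310443834960232336.tmp (Trojan.Downloader) -> No action taken.
"""

# DDS prefixes: u = per-user hive (HKCU), m = machine hive (HKLM); "-x64" is the native 64-bit view.
RUN_RE = re.compile(r"^([um])Run(?:-x64)?: \[([^\]]+)\] (.+)$")
NET_RE = re.compile(r"^([um])Internet Settings,(\w+) = (.*)$")
# MBAM detection line: <location> (<category>) -> [Value: <name> -> ]<action>.
MBAM_RE = re.compile(r"^(?P<loc>.+?) \((?P<cat>[A-Za-z0-9.]+)\) -> (?:Value: \S+ -> )?(?P<action>.+?)\.?$")
# Autorun executables under these paths are almost never legitimate.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\temporary internet files\\", "\\windows\\temp\\")

@dataclass
class Autorun:
    scope: str  # 'u' (HKCU) or 'm' (HKLM)
    name: str
    command: str
    reasons: list[str] = field(default_factory=list)

def exe_path(command: str) -> str:
    """Extract the executable from a Run command (quoted or bare), lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command.lower()
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return (m.group(1) if m else command.split()[0]).lower()

def parse_dds_autoruns(text: str) -> list[Autorun]:
    """Parse uRun/mRun lines and attach a reason to each entry worth questioning."""
    autoruns = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        entry = Autorun(*m.groups())
        if any(t in exe_path(entry.command) for t in TEMP_DIRS):
            entry.reasons.append("executable runs from a temp/cache directory")
        autoruns.append(entry)
    return autoruns

def parse_dds_proxy(text: str) -> list[tuple[str, str, str]]:
    """Return (scope, key, value) for non-empty ProxyServer/AutoConfigURL lines."""
    found = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if m and m.group(2) in ("ProxyServer", "AutoConfigURL") and m.group(3).strip():
            found.append(m.groups())
    return found

def parse_mbam(text: str) -> list[tuple[str, str, str]]:
    """Return (location, category, action) for each MBAM detection line."""
    out = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            out.append((m["loc"], m["cat"], m["action"]))
    return out

def triage(dds_text: str, mbam_text: str) -> dict:
    """Summarise what a helper checks first in a DDS log plus an MBAM log."""
    autoruns = parse_dds_autoruns(dds_text)
    detections = parse_mbam(mbam_text)
    return {
        "suspicious_autoruns": [(a.name, a.reasons) for a in autoruns if a.reasons],
        "proxy_settings": parse_dds_proxy(dds_text),
        "detections": len(detections),
        # "No action taken" means the scan was posted before Remove Selected was clicked.
        "pending_detections": [loc for loc, _, act in detections if act.lower() == "no action taken"],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS, SAMPLE_MBAM).items():
        print(f"{key}: {value}")
```

Run it directly to print the summary for the built-in samples, or pass `triage()` the text of a real DDS.txt and mbam-log-*.txt. The temp-directory rule is deliberately narrow: many legitimate per-user autoruns (Google Update, Windows Live) live under AppData\Local, so only the Temp and Temporary Internet Files paths are flagged, which is also where both FakeAlert files in this thread were found.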

Oops! Here is the completed new scan with the actions taken:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5850

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

2/23/2011 1:04:35 AM

mbam-log-2011-02-23 (01-04-35).txt

Scan type: Quick scan

Objects scanned: 165039

Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\angelsbaby\AppData\Local\Temp\jar_cache6310443834960232336.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Users\angelsbaby\local settings\temporary internet files\Content.IE5\YGM1J31T\so[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Combofix:

ComboFix 11-02-22.03 - AngelsBaby 02/23/2011 1:19.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4086.2932 [GMT -6:00]

Running from: c:\users\AngelsBaby\Desktop\ComboFix.exe

AV: Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}

SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\SysWow64\KBL.LOG

.

((((((((((((((((((((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))))))))))))))))))))))))))

.

2011-02-23 07:34 . 2011-02-23 07:34 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{B9363457-6143-4EFE-9F82-9B44CEE42544}

2011-02-23 07:31 . 2011-02-23 07:31 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-02-23 07:11 . 2011-02-23 07:11 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{BB438AEE-1749-4CAA-A192-9689394CF653}

2011-02-23 07:04 . 2011-01-13 10:20 7844688 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EE8E15FD-BEC2-4118-A5B9-28438509678E}\mpengine.dll

2011-02-16 19:32 . 2011-02-16 19:32 -------- d-----w- c:\users\AngelsBaby\AppData\Roaming\com.hughesnet.HughesNetStatusMeter.92D257A0BA68956E9AA1D50589E83FF4134CD6A8.1

2011-02-15 22:27 . 2011-02-15 22:28 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{A2EBF9DD-2185-4C91-A8A9-37DAFA43625F}

2011-02-11 14:50 . 2011-02-12 03:13 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{71ADC5AD-87C6-4F24-B71B-CE9461908A59}

2011-02-11 00:28 . 2011-02-11 00:28 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{3D159DF5-26A8-45A0-8098-63DFCF51E0BD}

2011-02-09 00:11 . 2010-12-18 06:11 714752 ----a-w- c:\windows\system32\kerberos.dll

2011-02-09 00:10 . 2011-01-26 06:53 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-02-09 00:00 . 2011-02-09 00:00 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{EB1908FF-06F2-42BD-973B-584E7B56341C}

2011-02-02 07:47 . 2011-02-02 07:47 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2011-02-02 07:47 . 2011-02-02 07:47 472808 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

2011-01-31 19:08 . 2011-01-31 19:08 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{28251F71-2821-4817-99D1-1AC76A154F2F}

2011-01-30 14:33 . 2011-01-30 14:33 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{6D8DE816-93AB-4242-871F-4D4E1743B74A}

2011-01-29 18:15 . 2011-01-29 18:15 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{5915C938-676B-4B4B-8079-95F34A4C4E53}

2011-01-29 01:54 . 2011-01-29 01:54 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{4025AEC5-9663-49DF-BF30-A394F929482C}

2011-01-27 22:34 . 2011-01-27 22:34 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{E10D78B2-E5D1-48E2-BC3D-6E00356128FA}

2011-01-27 10:34 . 2011-01-27 10:34 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{BD44123F-A86F-4972-BCD3-78D033F73227}

2011-01-26 22:34 . 2011-01-26 22:34 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{32BD36FC-9F5D-4769-A72D-6A7CC2474F72}

2011-01-26 10:33 . 2011-01-26 10:34 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{5CC79FA0-5B70-4323-BFEA-3024EBCD5E0A}

2011-01-25 22:42 . 2011-01-25 22:45 -------- d-----w- c:\users\AngelsBaby\AppData\Local\Google

2011-01-25 22:33 . 2011-01-25 22:33 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{87F06104-5F9E-4509-9CFC-07909A2738FD}

2011-01-24 14:09 . 2011-01-24 14:09 -------- d-----w- c:\users\AngelsBaby\AppData\Local\{14332E2F-46DE-4A2B-A4C8-72E6CE1FD82B}

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-21 00:09 . 2011-01-08 04:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2011-01-08 04:09 24152 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-13 02:37 . 2010-12-13 02:37 525792 ----a-w- c:\windows\DIFxAPI.dll

2010-12-13 02:37 . 2010-12-13 02:37 315392 ----a-w- c:\windows\HideWin.exe

2010-11-25 16:43 . 2011-01-05 04:47 257232 ----a-w- c:\windows\system32\drivers\PCTCore64.sys

2010-11-25 16:42 . 2011-01-05 04:47 92896 ----a-w- c:\windows\system32\drivers\pctplsg64.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]

"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]

"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]

"Google Update"="c:\users\AngelsBaby\AppData\Local\Google\Update\GoogleUpdate.exe" [2011-01-25 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]

"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-23 80896]

"hpWirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]

"QPService"="c:\program files (x86)\HP\QuickPlay\QPService.exe" [2007-12-20 468264]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]

"WAWifiMessage"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]

"ClamWin"="c:\program files (x86)\ClamWin\bin\ClamTray.exe" [2010-12-06 86016]

c:\users\AngelsBaby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

HughesNetStatusMeter.lnk - c:\program files (x86)\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe [2011-2-16 142336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 sdAuxService;PC Tools Auxiliary Service;c:\program files (x86)\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-13 1255736]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [2010-11-25 257232]

S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS64.sys [2010-06-29 452872]

S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA64.sys [2010-07-16 816016]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-02 187392]

.

Contents of the 'Scheduled Tasks' folder

2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-765764038-2876004717-2175413507-1000Core.job

- c:\users\AngelsBaby\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-25 22:42]

2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-765764038-2876004717-2175413507-1000UA.job

- c:\users\AngelsBaby\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-25 22:42]

.

--------- x86-64 -----------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2007-10-09 5429760]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1702400]

"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-24 178712]

"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 701440]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 165912]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 385560]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 363544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

LSP: c:\program files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\users\AngelsBaby\AppData\Roaming\Mozilla\Firefox\Profiles\ime9uo52.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: HP Detect: {ab91efd4-6975-4081-8552-1b3922ed79e2} - %profile%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}

.

- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKLM-Run-QlbCtrl - %ProgramFiles(x86)%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-765764038-2876004717-2175413507-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

[HKEY_USERS\S-1-5-21-765764038-2876004717-2175413507-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]

@Denied: (A 2) (Everyone)

@SACL=

@="FlashProp Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9d.ocx"

"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\Programmable]

@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@SACL=

@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]

@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]

@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]

@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9d.ocx"

"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@SACL=

@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@SACL=

@="ShockwaveFlash.ShockwaveFlash.9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]

@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9d.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@SACL=

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@SACL=

@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@SACL=

@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@SACL=

@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]

@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9d.ocx"

"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@SACL=

@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]

@SACL=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9d.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@SACL=

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@SACL=

@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@SACL=

@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]

@Denied: (A 2) (Everyone)

@SACL=

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9d.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]

@SACL=

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9d.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]

@SACL=

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]

@Denied: (A 2) (Everyone)

@SACL=

@="IFlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]

@SACL=

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]

@SACL=

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000001

"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe

c:\program files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

c:\program files (x86)\CyberLink\Shared Files\RichVideo.exe

c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe

c:\program files (x86)\Hewlett-Packard\Shared\HpqToaster.exe

.

**************************************************************************

.

Completion time: 2011-02-23 01:40:19 - machine was rebooted

ComboFix-quarantined-files.txt 2011-02-23 07:40

Pre-Run: 159,327,096,832 bytes free

Post-Run: 159,523,332,096 bytes free

- - End Of File - - 50E435A6E7B9F96BD9C8AF485FF01761

DDS:

DDS (Ver_10-12-12.02) - NTFS_AMD64

Run by AngelsBaby at 1:44:01.37 on Wed 02/23/2011

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4086.2818 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\System32\rundll32.exe

C:\Windows\RAVCpl64.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files (x86)\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe

C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files (x86)\HP\QuickPlay\QPService.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\ClamWin\bin\ClamTray.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wuauclt.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\AngelsBaby\Downloads\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

uInternet Settings,ProxyOverride = <local>

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: HP Print Clips: {ffffffff-ff12-44c5-91ec-068e3aa1b2d7} - c:\Program Files (x86)\HP\Smart Web Printing\hpswp_framework.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [Google Update] "C:\Users\AngelsBaby\AppData\Local\Google\Update\GoogleUpdate.exe" /c

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"

mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [uCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"

mRun: [WAWifiMessage] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

mRun: [ClamWin] "C:\Program Files (x86)\ClamWin\bin\ClamTray.exe" --logon

StartupFolder: C:\Users\ANGELS~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\HUGHES~1.LNK - C:\Program Files (x86)\HughesNetStatusMeter\HughesNetStatusMeter\HughesNetStatusMeter.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\Program Files (x86)\HP\Smart Web Printing\hpswp_extensions.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

mRun-x64: [RtHDVCpl] RAVCpl64.exe

mRun-x64: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

mRun-x64: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun-x64: [iAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"

mRun-x64: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe

mRun-x64: [igfxTray] C:\Windows\system32\igfxtray.exe

mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe

================= FIREFOX ===================

FF - ProfilePath - C:\Users\ANGELS~1\AppData\Roaming\Mozilla\Firefox\Profiles\ime9uo52.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll

FF - plugin: C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\AngelsBaby\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: C:\Users\AngelsBaby\AppData\Roaming\Mozilla\Firefox\Profiles\ime9uo52.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll

FF - plugin: C:\Users\AngelsBaby\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\AngelsBaby\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: HP Detect: {ab91efd4-6975-4081-8552-1b3922ed79e2} - %profile%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;C:\Windows\System32\drivers\PCTCore64.sys [2011-1-4 257232]

R0 pctDS;PC Tools Data Store;C:\Windows\System32\drivers\pctDS64.sys [2011-1-4 452872]

R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\System32\drivers\pctEFA64.sys [2011-1-4 816016]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-1 187392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [2011-1-4 366840]

S3 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [2011-1-4 1150936]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-13 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

=============== Created Last 30 ================

2011-02-23 07:34:04 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{B9363457-6143-4EFE-9F82-9B44CEE42544}

2011-02-23 07:17:46 98816 ----a-w- C:\Windows\sed.exe

2011-02-23 07:17:46 89088 ----a-w- C:\Windows\MBR.exe

2011-02-23 07:17:46 256512 ----a-w- C:\Windows\PEV.exe

2011-02-23 07:17:46 161792 ----a-w- C:\Windows\SWREG.exe

2011-02-23 07:11:11 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{BB438AEE-1749-4CAA-A192-9689394CF653}

2011-02-23 07:04:13 7844688 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{EE8E15FD-BEC2-4118-A5B9-28438509678E}\mpengine.dll

2011-02-16 19:32:23 -------- d-----w- C:\Users\ANGELS~1\AppData\Roaming\com.hughesnet.HughesNetStatusMeter.92D257A0BA68956E9AA1D50589E83FF4134CD6A8.1

2011-02-15 22:27:51 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{A2EBF9DD-2185-4C91-A8A9-37DAFA43625F}

2011-02-11 14:50:20 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{71ADC5AD-87C6-4F24-B71B-CE9461908A59}

2011-02-11 00:28:26 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{3D159DF5-26A8-45A0-8098-63DFCF51E0BD}

2011-02-09 00:11:44 714752 ----a-w- C:\Windows\System32\kerberos.dll

2011-02-09 00:10:59 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys

2011-02-09 00:00:44 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{EB1908FF-06F2-42BD-973B-584E7B56341C}

2011-02-02 07:47:24 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2011-02-02 07:47:24 472808 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

2011-01-31 19:08:05 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{28251F71-2821-4817-99D1-1AC76A154F2F}

2011-01-30 14:33:09 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{6D8DE816-93AB-4242-871F-4D4E1743B74A}

2011-01-29 18:15:33 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{5915C938-676B-4B4B-8079-95F34A4C4E53}

2011-01-29 01:54:13 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{4025AEC5-9663-49DF-BF30-A394F929482C}

2011-01-27 22:34:33 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{E10D78B2-E5D1-48E2-BC3D-6E00356128FA}

2011-01-27 10:34:20 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{BD44123F-A86F-4972-BCD3-78D033F73227}

2011-01-26 22:34:01 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{32BD36FC-9F5D-4769-A72D-6A7CC2474F72}

2011-01-26 10:33:47 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{5CC79FA0-5B70-4323-BFEA-3024EBCD5E0A}

2011-01-25 22:42:50 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\Google

2011-01-25 22:33:13 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{87F06104-5F9E-4509-9CFC-07909A2738FD}

2011-01-24 14:09:18 -------- d-----w- C:\Users\ANGELS~1\AppData\Local\{14332E2F-46DE-4A2B-A4C8-72E6CE1FD82B}

==================== Find3M ====================

2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys

2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll

2011-01-07 08:06:50 46080 ----a-w- C:\Windows\System32\atmlib.dll

2011-01-07 07:27:11 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2011-01-07 05:49:20 366080 ----a-w- C:\Windows\System32\atmfd.dll

2011-01-07 05:33:11 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll

2011-01-05 06:20:30 612352 ----a-w- C:\Windows\System32\vbscript.dll

2011-01-05 05:37:33 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll

2011-01-05 04:00:16 3127808 ----a-w- C:\Windows\System32\win32k.sys

2010-12-21 06:16:27 97280 ----a-w- C:\Windows\System32\wscsvc.dll

2010-12-21 06:16:27 62976 ----a-w- C:\Windows\System32\wscapi.dll

2010-12-21 06:16:16 214016 ----a-w- C:\Windows\System32\winsrv.dll

2010-12-21 06:16:14 442880 ----a-w- C:\Windows\System32\winhttp.dll

2010-12-21 06:16:14 1197056 ----a-w- C:\Windows\System32\wininet.dll

2010-12-21 06:16:09 258048 ----a-w- C:\Windows\System32\WebClnt.dll

2010-12-21 06:15:55 264192 ----a-w- C:\Windows\System32\upnp.dll

2010-12-21 06:15:31 15360 ----a-w- C:\Windows\System32\slwga.dll

2010-12-21 06:13:03 2003968 ----a-w- C:\Windows\System32\msxml6.dll

2010-12-21 06:13:03 1880576 ----a-w- C:\Windows\System32\msxml3.dll

2010-12-21 06:10:22 100864 ----a-w- C:\Windows\System32\davclnt.dll

2010-12-21 05:38:24 51200 ----a-w- C:\Windows\SysWow64\wscapi.dll

2010-12-21 05:38:22 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2010-12-21 05:38:22 350720 ----a-w- C:\Windows\SysWow64\winhttp.dll

2010-12-21 05:38:21 204800 ----a-w- C:\Windows\SysWow64\WebClnt.dll

2010-12-21 05:38:19 204288 ----a-w- C:\Windows\SysWow64\upnp.dll

2010-12-21 05:38:16 14336 ----a-w- C:\Windows\SysWow64\slwga.dll

2010-12-21 05:36:17 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll

2010-12-21 05:36:16 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2010-12-21 05:34:12 80384 ----a-w- C:\Windows\SysWow64\davclnt.dll

2010-12-21 00:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys

2010-12-18 06:11:41 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2010-12-18 05:29:40 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2010-12-18 05:29:31 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll

2010-12-18 04:55:03 482816 ----a-w- C:\Windows\System32\html.iec

2010-12-18 04:20:55 386048 ----a-w- C:\Windows\SysWow64\html.iec

2010-12-18 04:13:40 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2010-12-18 03:47:59 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2010-12-13 02:37:28 525792 ----a-w- C:\Windows\DIFxAPI.dll

2010-12-13 02:37:26 315392 ----a-w- C:\Windows\HideWin.exe

2010-11-25 16:43:26 257232 ----a-w- C:\Windows\System32\drivers\PCTCore64.sys

2010-11-25 16:42:10 92896 ----a-w- C:\Windows\System32\drivers\pctplsg64.sys

============= FINISH: 1:44:48.57 ===============


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start.
  3. When asked, allow the ActiveX control to install.
  4. Click Start.
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked.
  6. Click Scan and wait for the scan to finish.
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


I reran the ESET scanner and it said there were no viruses. I rechecked for a log, and this is the only log file in the folder you had me look in:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

I don't know if this is correct though.


Here is the security check log:

Results of screen317's Security Check version 0.99.8

Windows 7 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ClamWin Free Antivirus 0.96.5

ESET Online Scanner v3

Spyware Doctor with AntiVirus 8.0

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 23

Java 6 Update 2

Out of date Java installed!

Adobe Flash Player 10.1.102.64

Adobe Reader 8.1.0

Out of date Adobe Reader installed!

Mozilla Firefox (3.6.13)

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````


  • Staff

Hi,

That's okay since it said nothing was found.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


  • Staff

Cool! :D

Then you are good to go.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


After running Secunia's Software Inspector, it gave me 1 program that needed to be updated: Adobe Flash Player 9.x. But when I try to update it I keep getting version 10, not the one it says: "9.0.283.0 (ActiveX)". Can ya help me on updating this?

Other than this I've finished everything you suggested. I am wanting to make sure I have this all right though:

ClamWin = Virus Protector (should I swap this to Avast like on my desktop?)

SpywareBlaster = Spyware Protector

MalwareBytes = Malware Protector (will have the PRO edition this weekend)

And can I run all these programs actively at the same time?

Also, do you suggest a certain firewall protector that won't conflict with the above programs?

I've also attached a jpeg of the update issue.


  • Staff

Hi,

The Secunia scan always seems to be buggy with Flash. It's fine as is.

You can switch to Avast; I've never personally used ClamWin (I use Microsoft Security Essentials), but in the end it's up to you.

Yes, you can run them all together. I haven't personally tested any 64-bit firewalls, so I couldn't make any recommendations for you. You could check out these vendors; I think they offer free versions of their commercial firewalls.

Sunbelt Personal Firewall

Comodo

Outpost
