
Hi, I could use some assistance with my computer. I had a previous malware infection that I thought was cleaned, but apparently not. Whenever I use Firefox, it automatically changes the proxy settings to 127.0.0.1 on port 50370. If I change the settings back manually, it goes back to the proxy upon each restart. Internet Explorer and Chrome do not have these problems. Thanks very much for any assistance. I have attached the logs from the instructions and pasted the logs for DDS and Malwarebytes below. The GMER rootkit scanner would not run for me without giving an error message during the scan and shutting down.

DDS Log:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by cdubs at 9:51:25.11 on Tue 03/22/2011

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2047.799 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\AEADISRV.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k bthaudiosvc

C:\Windows\system32\IoctlSvc.exe

C:\Program Files\Soluto\SolutoService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\MillieSoft\TunerFreeMCE\TunerFreeMCEService.exe

C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Soluto\soluto.exe

C:\Windows\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\MediaMall\PlayOn.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\svchost.exe -k HPService

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Orb Networks\Orb\bin\Orblauncher.exe

C:\Program Files\Orb Networks\Orb\bin\Orb.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\MediaMall\MediaMallServer.exe

C:\Windows\system32\UI0Detect.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\rundll32.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\cdubs\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Users\cdubs\Downloads\Defogger.exe

C:\Windows\system32\conhost.exe

C:\Users\cdubs\Downloads\dds (1).scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://remote.millermartin.com/

uWindow Title = Internet Explorer, optimized for Bing and MSN

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

{555d4d79-4bd2-4094-a395-cfc534424a05}

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [PlayOn] c:\program files\mediamall\PlayOn.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [soundTray] c:\program files\analog devices\soundmax\SoundTray.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\users\cdubs\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\cdubs\appdata\roaming\dropbox\bin\Dropbox.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Download All by ASUS Download - c:\program files\asus\rt-n16 wireless router utilities\ASDownloadAll.htm

IE: Download using ASUS Download - c:\program files\asus\rt-n16 wireless router utilities\ASDownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass

IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: adobe.com\www

Trusted Zone: millermartin.com\remote

DPF: {050A3800-6C03-48A5-A6D7-14CCF18A700D} - hxxp://remote.millermartin.com/v4rdpchk.cab

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\cdubs\appdata\roaming\mozilla\firefox\profiles\na8fxo94.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?complete=1&hl=en

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 1

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - component: c:\users\cdubs\appdata\roaming\mozilla\firefox\profiles\na8fxo94.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\users\cdubs\appdata\roaming\mozilla\firefox\profiles\na8fxo94.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - component: c:\users\cdubs\appdata\roaming\mozilla\firefox\profiles\na8fxo94.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\cdubs\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\users\cdubs\appdata\roaming\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\users\cdubs\appdata\roaming\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\users\cdubs\appdata\roaming\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\users\cdubs\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\windows\system32\wat\npWatWeb.dll

.

============= SERVICES / DRIVERS ===============

.

R0 PCGenFAM;PCGenFAM;c:\windows\system32\drivers\PCGenFAM.sys [2010-12-15 181704]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 MpKsla74ac0da;MpKsla74ac0da;c:\programdata\microsoft\microsoft antimalware\definition updates\{53f53220-cf83-4041-9677-e1eb236e9c97}\MpKsla74ac0da.sys [2011-3-21 28752]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe -k bthaudiosvc [2009-7-13 20992]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-25 363344]

R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2010-10-2 3994480]

R2 SolutoService;Soluto PCGenome Core Service;c:\program files\soluto\SolutoService.exe [2010-11-1 331296]

R2 TunerFreeMCEService;TunerFreeMCEService;c:\program files\milliesoft\tunerfreemce\TunerFreeMCEService.exe [2010-8-16 11264]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-9-23 20952]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]

R3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\netr28u.sys [2010-10-13 750592]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]

R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-10-4 105576]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\drivers\athru6.sys [2007-7-5 873472]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 BthAudioHF;BthAudioHF Service;c:\windows\system32\drivers\BthAudioHF.sys [2009-12-21 43008]

S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-13 22528]

S3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [2009-12-21 61952]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-22 54632]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 136176]

S3 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2010-1-12 217088]

S3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\drivers\WMP54Gv41x86.sys [2010-4-7 376160]

S3 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-5 52224]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-13 1343400]

S4 pyTivo;pyTivo;"c:\python26\lib\site-packages\win32\pythonservice.exe" --> c:\python26\lib\site-packages\win32\PythonService.exe [?]

.

=============== Created Last 30 ================

.

2011-03-21 20:02:06 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{53f53220-cf83-4041-9677-e1eb236e9c97}\MpKsla74ac0da.sys

2011-03-21 20:01:25 5943120 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{53f53220-cf83-4041-9677-e1eb236e9c97}\mpengine.dll

2011-03-21 19:01:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-03-21 19:01:54 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-03-21 19:01:54 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-03-21 19:01:54 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-03-21 19:01:54 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-03-21 19:01:54 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-03-21 19:01:54 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-03-21 19:01:54 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-03-15 21:25:14 -------- d-----w- c:\program files\RealVNC

2011-03-09 01:04:27 850944 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 01:04:27 642048 ----a-w- c:\windows\system32\CPFilters.dll

2011-03-09 01:04:27 534528 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 01:04:27 199680 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-05 18:46:32 -------- d-----w- c:\windows\system32\SPReview

2011-03-05 18:45:24 -------- d-----w- c:\windows\system32\EventProviders

2011-03-05 18:41:59 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2011-03-05 18:40:59 55808 ----a-w- c:\windows\system32\drivers\hidclass.sys

2011-03-05 18:39:38 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll

2011-03-05 18:39:38 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll

2011-03-05 18:39:38 363008 ----a-w- c:\windows\system32\wbemcomn.dll

2011-03-05 18:39:38 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll

2011-03-05 18:39:29 697344 ----a-w- c:\windows\system32\SmiEngine.dll

2011-03-05 18:39:24 209920 ----a-w- c:\windows\system32\PkgMgr.exe

2011-03-05 18:39:24 189952 ----a-w- c:\windows\system32\wdscore.dll

2011-03-05 18:38:33 323072 ----a-w- c:\windows\system32\drvstore.dll

2011-03-05 18:38:33 257024 ----a-w- c:\windows\system32\dpx.dll

2011-03-05 18:28:31 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-03-05 18:28:30 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2011-03-05 18:28:30 107520 ----a-w- c:\windows\system32\cdd.dll

2011-03-05 18:28:29 870912 ----a-w- c:\windows\system32\XpsPrint.dll

2011-03-05 18:28:28 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-03-05 18:28:27 219136 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-03-05 18:28:27 161792 ----a-w- c:\windows\system32\d3d10_1.dll

2011-02-23 14:38:30 -------- d-----w- c:\users\cdubs\appdata\roaming\SumatraPDF

2011-02-23 03:55:07 -------- d-----w- c:\program files\SumatraPDF

2011-02-23 03:47:20 -------- d-----w- c:\program files\iPod

2011-02-23 03:42:23 -------- d-----w- c:\program files\Bonjour

.

==================== Find3M ====================

.

2011-03-05 19:12:31 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-01-07 07:45:57 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-07 05:43:36 294400 ----a-w- c:\windows\system32\atmfd.dll

2011-01-07 03:18:24 0 ----a-w- c:\windows\system32\RENB09.tmp

2011-01-07 03:18:24 0 ----a-w- c:\windows\system32\RENAF9.tmp

2011-01-07 03:18:24 0 ----a-w- c:\windows\system32\RENAF8.tmp

2011-01-05 03:51:01 2330624 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 22:51:17 7834824 ----a-w- c:\program files\common files\lpuninstall.exe

.

============= FINISH: 9:52:40.21 ===============

Malwarebytes log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6121

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

3/21/2011 4:43:59 PM

mbam-log-2011-03-21 (16-43-59).txt

Scan type: Full scan (C:\|)

Objects scanned: 371732

Time elapsed: 1 hour(s), 31 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

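The DDS log above shows the hijack itself (network.proxy.type = 1 with network.proxy.http pointing at 127.0.0.1:50370) but not what re-applies it. Firefox re-reads a user.js file in the profile directory on every startup and copies its values into prefs.js, so a setting corrected in the Connection Settings dialog or about:config comes back after a restart if a user.js (or an extension that sets the pref from code) writes it. The script below is an added example, not part of the original post and not part of DDS or Malwarebytes: it parses prefs.js and user.js, merges them with user.js precedence, flags proxy configuration, and reports which file is responsible. The sample file contents are constructed from the values in the log; the user.js content is hypothetical, to illustrate the override mechanism, because DDS does not report whether one exists in the na8fxo94.default profile. A loopback proxy only works if something on the machine is listening on that port, so on the live system `netstat -ano | findstr :50370` gives the PID of the intercepting process, and `tasklist /fi "pid eq <PID>"` names it.

```python
"""Find out where a Firefox proxy override comes from (added example).

Firefox stores preferences in prefs.js inside the profile directory. If the
profile also contains a user.js file, every pref in user.js is re-applied at
each startup and wins over anything changed through the UI, which is one way a
proxy setting "comes back" after every restart. This script parses both files,
merges them with user.js precedence, and flags proxy configuration.

Assumed (not from the original post): the user_pref("name", value); line
format, which is what Firefox writes to both files.
"""
import re
from pathlib import Path

# One preference line as written by Firefox, e.g.
#   user_pref("network.proxy.http_port", 50370);
PREF_LINE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
PROXY_TYPE_MANUAL = 1   # network.proxy.type: 0 = none, 1 = manual, 2 = PAC URL
PROXY_TYPE_PAC = 2


def _parse_value(raw: str):
    """Turn the JS literal on the right-hand side into a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw == "true":
        return True
    if raw == "false":
        return False
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as text rather than guessing


def parse_prefs(text: str) -> dict:
    """Parse the contents of a prefs.js or user.js file into a dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def effective_prefs(prefs_js: str, user_js: str = "") -> dict:
    """What Firefox will use after the next start: user.js overrides prefs.js."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def origin_of(name: str, prefs_js: str, user_js: str = ""):
    """Which file is responsible for a pref's effective value, if either."""
    if name in parse_prefs(user_js):
        return "user.js"
    if name in parse_prefs(prefs_js):
        return "prefs.js"
    return None


def proxy_findings(prefs: dict) -> list:
    """Describe any proxy configuration; a loopback proxy is the classic local interceptor."""
    findings = []
    ptype = prefs.get("network.proxy.type")
    if ptype == PROXY_TYPE_MANUAL:
        for scheme in ("http", "ssl", "socks", "ftp"):
            host = prefs.get(f"network.proxy.{scheme}")
            if not host:
                continue
            port = prefs.get(f"network.proxy.{scheme}_port")
            kind = "LOOPBACK" if host in LOOPBACK_HOSTS else "REMOTE"
            findings.append(f"{kind} manual {scheme} proxy {host}:{port}")
    elif ptype == PROXY_TYPE_PAC:
        findings.append(f"PAC script {prefs.get('network.proxy.autoconfig_url')}")
    return findings


def _read(path: Path) -> str:
    return path.read_text(encoding="utf-8", errors="replace") if path.exists() else ""


def check_profile(profile_dir: str) -> dict:
    """Read a real profile directory and report proxy findings plus their origin."""
    p = Path(profile_dir)
    prefs_js, user_js = _read(p / "prefs.js"), _read(p / "user.js")
    eff = effective_prefs(prefs_js, user_js)
    return {"findings": proxy_findings(eff),
            "origin": {k: origin_of(k, prefs_js, user_js)
                       for k in eff if k.startswith("network.proxy.")}}


# Constructed sample input: the proxy values reported in the DDS log above,
# plus a hypothetical user.js that would re-apply them on each start.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/webhp?complete=1&hl=en");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
"""
SAMPLE_USER_JS = """\
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
"""
# prefs.js after the user selects "No proxy" in the UI and Firefox saves it.
CLEANED_PREFS_JS = 'user_pref("network.proxy.type", 0);\n'

if __name__ == "__main__":
    print("as logged:       ", proxy_findings(effective_prefs(SAMPLE_PREFS_JS)))
    print("fixed in UI:     ", proxy_findings(effective_prefs(CLEANED_PREFS_JS)))
    print("fixed + user.js: ", proxy_findings(effective_prefs(CLEANED_PREFS_JS, SAMPLE_USER_JS)))
    print("re-applied by:   ", origin_of("network.proxy.type", CLEANED_PREFS_JS, SAMPLE_USER_JS))
```

Running it against a real profile is `check_profile(r"C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<id>.default")`. If no user.js is present and the proxy still returns, the writer is code running inside the browser or on the host, which is where the listening process found with netstat becomes the lead to follow.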

Welcome.

Download ComboFix from this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


OK, I was able to get it to run after manually deleting the AVG folders and roaming data and running the AVG removal tool 3 times. Here is the log from ComboFix:

ComboFix 11-03-22.04 - cdubs 03/22/2011 23:38:28.1.2 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2047.1300 [GMT -4:00]

Running from: c:\users\cdubs\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\cdubs\AppData\Roaming\inst.exe

c:\users\cdubs\g2mdlhlpx.exe

c:\users\Mcx1\Favorites\ehthumbs_vista.db

.

.

((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))

.

.

2011-03-23 03:44 . 2011-03-23 03:45 -------- d-----w- c:\users\cdubs\AppData\Local\temp

2011-03-23 03:44 . 2011-03-23 03:44 -------- d-----w- c:\users\Mcx3-CDUBS-PC\AppData\Local\temp

2011-03-23 03:44 . 2011-03-23 03:44 -------- d-----w- c:\users\Mcx2\AppData\Local\temp

2011-03-23 03:44 . 2011-03-23 03:44 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2011-03-23 03:44 . 2011-03-23 03:44 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-03-23 03:44 . 2011-03-23 03:44 -------- d-----w- c:\users\Ramona\AppData\Local\temp

2011-03-23 03:27 . 2011-03-23 03:27 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9EA25F7E-7E05-4AC1-A03B-2C43C064B40D}\MpKslc13a0775.sys

2011-03-23 03:27 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9EA25F7E-7E05-4AC1-A03B-2C43C064B40D}\mpengine.dll

2011-03-21 19:01 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-03-21 19:01 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-03-21 19:01 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-03-21 19:01 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-03-21 19:01 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-03-21 19:01 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-03-21 19:01 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll

2011-03-21 19:01 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll

2011-03-15 21:25 . 2011-03-15 21:25 -------- d-----w- c:\program files\RealVNC

2011-03-09 01:04 . 2010-12-23 05:54 850944 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 01:04 . 2010-12-23 05:54 642048 ----a-w- c:\windows\system32\CPFilters.dll

2011-03-09 01:04 . 2010-12-23 05:54 534528 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 01:04 . 2010-12-23 05:50 199680 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-05 18:46 . 2011-03-05 18:46 -------- d-----w- c:\windows\system32\SPReview

2011-03-05 18:45 . 2011-03-05 18:45 -------- d-----w- c:\windows\system32\EventProviders

2011-03-05 18:41 . 2010-11-20 12:30 233344 ----a-w- c:\windows\system32\drivers\msiscsi.sys

2011-03-05 18:40 . 2010-11-20 12:21 233472 ----a-w- c:\windows\system32\taskbarcpl.dll

2011-03-05 18:39 . 2010-11-20 12:21 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll

2011-03-05 18:39 . 2010-11-20 12:21 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll

2011-03-05 18:39 . 2010-11-20 12:21 363008 ----a-w- c:\windows\system32\wbemcomn.dll

2011-03-05 18:39 . 2010-11-20 12:19 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll

2011-03-05 18:39 . 2010-11-20 12:21 697344 ----a-w- c:\windows\system32\SmiEngine.dll

2011-03-05 18:39 . 2010-11-20 12:21 189952 ----a-w- c:\windows\system32\wdscore.dll

2011-03-05 18:39 . 2010-11-20 12:17 209920 ----a-w- c:\windows\system32\PkgMgr.exe

2011-03-05 18:38 . 2010-11-20 12:18 323072 ----a-w- c:\windows\system32\drvstore.dll

2011-03-05 18:38 . 2010-11-20 12:18 257024 ----a-w- c:\windows\system32\dpx.dll

2011-03-05 18:28 . 2010-11-20 12:29 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-03-05 18:28 . 2011-02-03 05:54 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2011-03-05 18:28 . 2010-11-20 11:56 107520 ----a-w- c:\windows\system32\cdd.dll

2011-03-05 18:28 . 2011-01-07 07:46 870912 ----a-w- c:\windows\system32\XpsPrint.dll

2011-03-05 18:28 . 2011-01-07 07:46 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-03-05 18:28 . 2011-01-17 05:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll

2011-03-05 18:28 . 2010-11-20 12:18 219136 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-02-23 14:38 . 2011-02-23 14:51 -------- d-----w- c:\users\cdubs\AppData\Roaming\SumatraPDF

2011-02-23 03:55 . 2011-02-23 03:55 -------- d-----w- c:\program files\SumatraPDF

2011-02-23 03:50 . 2011-02-23 03:50 -------- d-----w- c:\program files\7-Zip

2011-02-23 03:47 . 2011-02-23 03:47 -------- d-----w- c:\program files\iPod

2011-02-23 03:43 . 2011-02-23 03:43 -------- d-----w- c:\program files\Apple Software Update

2011-02-23 03:42 . 2011-02-23 03:42 -------- d-----w- c:\program files\Bonjour

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-05 19:12 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-02-11 06:54 . 2011-01-12 16:50 5943120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-02-03 02:40 . 2010-10-26 19:25 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-01-11 16:47 . 2011-01-11 16:47 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DA7D1C30-8ABA-4A11-BCE3-FAC5C4A82D6C}\gapaengine.dll

2011-01-07 14:53 . 2011-01-07 14:53 3584 ----a-r- c:\users\cdubs\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe

2011-01-07 07:45 . 2011-02-09 09:37 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-07 05:43 . 2011-02-09 09:37 294400 ----a-w- c:\windows\system32\atmfd.dll

2011-01-07 03:18 . 2011-01-07 03:18 0 ----a-w- c:\windows\system32\RENB09.tmp

2011-01-07 03:18 . 2011-01-07 03:18 0 ----a-w- c:\windows\system32\RENAF9.tmp

2011-01-07 03:18 . 2011-01-07 03:18 0 ----a-w- c:\windows\system32\RENAF8.tmp

2011-01-05 03:51 . 2011-02-09 09:37 2330624 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 22:51 . 2010-04-29 22:51 7834824 ----a-w- c:\program files\Common Files\lpuninstall.exe

2011-03-18 17:53 . 2011-03-21 19:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\users\cdubs\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\users\cdubs\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\users\cdubs\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]

"PlayOn"="c:\program files\MediaMall\PlayOn.exe" [2011-01-12 49152]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-06-06 1261568]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"SoundTray"="c:\program files\Analog Devices\SoundMAX\SoundTray.exe" [2007-05-21 49152]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

.

c:\users\Ramona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\users\cdubs\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\cdubs\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]

@="Service"

.

[HKLM\~\startupfolder\C:^Users^cdubs^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\cdubs\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-03-17 01:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-09-03 12:18 133104 ----atw- c:\users\cdubs\AppData\Local\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2008-12-08 19:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2008-06-24 20:06 1840424 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

2008-06-08 13:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]

2009-01-27 20:18 425472 ----a-w- c:\program files\TiVo\Desktop\TiVoNotify.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]

2009-01-27 20:21 2143232 ----a-w- c:\program files\TiVo\Desktop\TiVoServer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TranscodingService]

2009-01-27 20:03 520192 ----a-w- c:\program files\TiVo\Desktop\TranscodingService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

.

R0 PCGenFAM;PCGenFAM;c:\windows\system32\DRIVERS\PCGenFAM.sys [2010-11-02 181704]

R1 MpKsl1ccae512;MpKsl1ccae512;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C1101631-13E3-4ECF-AD62-A4C53CF4F370}\MpKsl1ccae512.sys [x]

R1 MpKsl4def9ca1;MpKsl4def9ca1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C7C7F667-8790-459C-A404-13F1C92A607F}\MpKsl4def9ca1.sys [x]

R1 MpKsl8631b56c;MpKsl8631b56c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1A91AD69-E6DD-4D4C-BAA9-4D021B0BCF5F}\MpKsl8631b56c.sys [x]

R1 MpKsl863278a6;MpKsl863278a6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{82EDA7CF-6D90-4606-BA73-78D21B816040}\MpKsl863278a6.sys [x]

R1 MpKslbf4fa4fd;MpKslbf4fa4fd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D2746EDB-F401-4EB3-AA3E-749E1AC8CE1C}\MpKslbf4fa4fd.sys [x]

R1 MpKsldb6a40f0;MpKsldb6a40f0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{82EDA7CF-6D90-4606-BA73-78D21B816040}\MpKsldb6a40f0.sys [x]

R1 MpKslde22baf7;MpKslde22baf7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BD0C477-83BA-43F4-8DF3-513C075AC46C}\MpKslde22baf7.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2011-01-12 3994480]

R2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2010-11-02 331296]

R3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\DRIVERS\athru6.sys [2007-07-05 873472]

R3 BthAudioHF;BthAudioHF Service;c:\windows\system32\DRIVERS\BthAudioHF.sys [2009-12-21 43008]

R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]

R3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [2009-12-21 61952]

R3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 136176]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]

R3 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [2010-01-12 217088]

R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x86.sys [2010-04-07 376160]

R3 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-13 1343400]

R4 pyTivo;pyTivo;c:\python26\lib\site-packages\win32\PythonService.exe [x]

R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-04-16 717296]

S1 MpKslc13a0775;MpKslc13a0775;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9EA25F7E-7E05-4AC1-A03B-2C43C064B40D}\MpKslc13a0775.sys [2011-03-23 28752]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]

S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe [2009-07-14 20992]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-12-20 363344]

S2 TunerFreeMCEService;TunerFreeMCEService;c:\program files\MillieSoft\TunerFreeMCE\TunerFreeMCEService.exe [2010-08-16 11264]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-20 20952]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]

S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28u.sys [2009-08-05 750592]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-06-21 105576]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSLC13A0775

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

bthaudiosvc REG_MULTI_SZ HFGService

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

.

2011-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 18:04]

.

2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 18:04]

.

2011-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4060729944-3990713619-4136860965-1000Core.job

- c:\users\cdubs\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 12:18]

.

2011-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4060729944-3990713619-4136860965-1000UA.job

- c:\users\cdubs\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 12:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://remote.millermartin.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Download All by ASUS Download - c:\program files\ASUS\RT-N16 Wireless Router Utilities\ASDownloadAll.htm

IE: Download using ASUS Download - c:\program files\ASUS\RT-N16 Wireless Router Utilities\ASDownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass

IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms

Trusted Zone: adobe.com\www

Trusted Zone: millermartin.com\remote

DPF: {050A3800-6C03-48A5-A6D7-14CCF18A700D} - hxxp://remote.millermartin.com/v4rdpchk.cab

FF - ProfilePath - c:\users\cdubs\AppData\Roaming\Mozilla\Firefox\Profiles\na8fxo94.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?complete=1&hl=en

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 1

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-Acrobat Assistant 8 - c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

MSConfigStartUp-Adobe Acrobat Speed Launcher - c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe

MSConfigStartUp-Ai Nap - c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe

MSConfigStartUp-Cpu Level Up help - c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe

MSConfigStartUp-CPU Power Monitor - c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

AddRemove-{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1 - c:\users\cdubs\AppData\Local\Temp\7zO9383.tmp\MustBeRandomlyNamed\unins000.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-03-22 23:47:43

ComboFix-quarantined-files.txt 2011-03-23 03:47

.

Pre-Run: 189,050,044,416 bytes free

Post-Run: 190,723,039,232 bytes free

.

- - End Of File - - 704B33D630378734C9036C008A492EDC


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FireFox::
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

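The CFScript above only strips the three prefs from the profile. A defender who wants to see where a recurring Firefox proxy setting comes from can audit the profile files directly. What follows is an added example for this thread, not the helper's instructions and not ComboFix's code: it parses the `user_pref(...)` lines of a Firefox profile's prefs.js and user.js, reports any manually configured proxy, flags a loopback host such as 127.0.0.1, and notes when the entries sit in user.js, which Firefox re-applies to prefs.js at every start (one common reason a manual change does not stick). The profile path and the sample file contents are constructed for the example.

```python
"""Audit a Firefox profile for a manually configured proxy.

Added example for this thread; not ComboFix's or the helper's code.
Assumes the standard profile layout (prefs.js plus optional user.js);
the sample file contents below are constructed.
"""
import ipaddress
import re
from pathlib import Path

# Firefox writes one pref per line as: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

PROXY_KEYS = (
    "network.proxy.type", "network.proxy.http", "network.proxy.http_port",
    "network.proxy.ssl", "network.proxy.ssl_port",
    "network.proxy.socks", "network.proxy.socks_port",
    "network.proxy.autoconfig_url",
)


def parse_prefs(text):
    """Return {pref_name: value} from user_pref lines; comments and other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]            # string pref
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"        # boolean pref
        else:
            try:
                prefs[key] = int(raw)         # integer pref (e.g. a port)
            except ValueError:
                prefs[key] = raw
    return prefs


def is_loopback(host):
    """True for 'localhost' or any loopback IP (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_prefs(files):
    """files: {filename: text}. Returns a list of (filename, finding) tuples."""
    findings = []
    for name, text in files.items():
        prefs = parse_prefs(text)
        # network.proxy.type: 1 = manual, 2 = PAC URL; 5 (use system proxy) is Firefox's default
        ptype = prefs.get("network.proxy.type", 5)
        if ptype == 1:
            for scheme in ("http", "ssl", "socks"):
                host = prefs.get(f"network.proxy.{scheme}")
                if not host:
                    continue
                port = prefs.get(f"network.proxy.{scheme}_port")
                kind = "loopback" if is_loopback(str(host)) else "remote"
                findings.append((name, f"manual {scheme} proxy {host}:{port} ({kind})"))
        elif ptype == 2:
            findings.append((name, f"PAC script {prefs.get('network.proxy.autoconfig_url')}"))
        if name == "user.js" and any(k in prefs for k in PROXY_KEYS):
            findings.append((name, "proxy prefs in user.js are re-applied at every startup"))
    return findings


def audit_profile(profile_dir):
    """Read prefs.js and user.js from a real profile directory and audit them."""
    files = {}
    for fname in ("prefs.js", "user.js"):
        p = Path(profile_dir) / fname
        if p.is_file():
            files[fname] = p.read_text(encoding="utf-8", errors="replace")
    return audit_prefs(files)


# Constructed sample files mirroring the values seen in the log above.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
"""

SAMPLE_USER_JS = """\
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
"""

if __name__ == "__main__":
    # Replace the dict with audit_profile(r"C:\Users\<name>\AppData\Roaming\Mozilla\Firefox\Profiles\<id>.default")
    for fname, finding in audit_prefs({"prefs.js": SAMPLE_PREFS_JS, "user.js": SAMPLE_USER_JS}):
        print(f"{fname}: {finding}")
```

Run it against the real profile with `audit_profile(...)` while Firefox is closed, since Firefox rewrites prefs.js on exit; a clean profile produces no findings, and a user.js finding points at the file that needs to be inspected and removed rather than at prefs.js alone.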

Thanks for your help. I've done the above and here is the latest Combofix log:

ComboFix 11-03-23.03 - cdubs 03/23/2011 15:38:13.2.2 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2047.1288 [GMT -4:00]

Running from: c:\users\cdubs\Desktop\ComboFix.exe

Command switches used :: c:\users\cdubs\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))

.

.

2011-03-23 19:44 . 2011-03-23 19:44 -------- d-----w- c:\users\Ramona\AppData\Local\temp

2011-03-23 19:44 . 2011-03-23 19:44 -------- d-----w- c:\users\Mcx3-CDUBS-PC\AppData\Local\temp

2011-03-23 19:44 . 2011-03-23 19:44 -------- d-----w- c:\users\Mcx2\AppData\Local\temp

2011-03-23 19:44 . 2011-03-23 19:44 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2011-03-23 19:44 . 2011-03-23 19:44 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-03-23 03:48 . 2011-03-23 03:48 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5BFDDF47-F099-4007-A78E-EE85948EC95F}\MpKsl89659bf6.sys

2011-03-23 03:48 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5BFDDF47-F099-4007-A78E-EE85948EC95F}\mpengine.dll

2011-03-23 03:47 . 2011-03-23 19:44 -------- d-----w- c:\users\cdubs\AppData\Local\temp

2011-03-21 19:01 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-03-21 19:01 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-03-21 19:01 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-03-21 19:01 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-03-21 19:01 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-03-21 19:01 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-03-21 19:01 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll

2011-03-21 19:01 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll

2011-03-15 21:25 . 2011-03-15 21:25 -------- d-----w- c:\program files\RealVNC

2011-03-09 01:04 . 2010-12-23 05:54 850944 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 01:04 . 2010-12-23 05:54 642048 ----a-w- c:\windows\system32\CPFilters.dll

2011-03-09 01:04 . 2010-12-23 05:54 534528 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 01:04 . 2010-12-23 05:50 199680 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-05 18:46 . 2011-03-05 18:46 -------- d-----w- c:\windows\system32\SPReview

2011-03-05 18:45 . 2011-03-05 18:45 -------- d-----w- c:\windows\system32\EventProviders

2011-03-05 18:41 . 2010-11-20 12:30 233344 ----a-w- c:\windows\system32\drivers\msiscsi.sys

2011-03-05 18:40 . 2010-11-20 12:21 233472 ----a-w- c:\windows\system32\taskbarcpl.dll

2011-03-05 18:39 . 2010-11-20 12:21 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll

2011-03-05 18:39 . 2010-11-20 12:21 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll

2011-03-05 18:39 . 2010-11-20 12:21 363008 ----a-w- c:\windows\system32\wbemcomn.dll

2011-03-05 18:39 . 2010-11-20 12:19 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll

2011-03-05 18:39 . 2010-11-20 12:21 697344 ----a-w- c:\windows\system32\SmiEngine.dll

2011-03-05 18:39 . 2010-11-20 12:21 189952 ----a-w- c:\windows\system32\wdscore.dll

2011-03-05 18:39 . 2010-11-20 12:17 209920 ----a-w- c:\windows\system32\PkgMgr.exe

2011-03-05 18:38 . 2010-11-20 12:18 323072 ----a-w- c:\windows\system32\drvstore.dll

2011-03-05 18:38 . 2010-11-20 12:18 257024 ----a-w- c:\windows\system32\dpx.dll

2011-03-05 18:28 . 2010-11-20 12:29 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-03-05 18:28 . 2011-02-03 05:54 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2011-03-05 18:28 . 2010-11-20 11:56 107520 ----a-w- c:\windows\system32\cdd.dll

2011-03-05 18:28 . 2011-01-07 07:46 870912 ----a-w- c:\windows\system32\XpsPrint.dll

2011-03-05 18:28 . 2011-01-07 07:46 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-03-05 18:28 . 2011-01-17 05:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll

2011-03-05 18:28 . 2010-11-20 12:18 219136 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-02-23 14:38 . 2011-02-23 14:51 -------- d-----w- c:\users\cdubs\AppData\Roaming\SumatraPDF

2011-02-23 03:55 . 2011-02-23 03:55 -------- d-----w- c:\program files\SumatraPDF

2011-02-23 03:50 . 2011-02-23 03:50 -------- d-----w- c:\program files\7-Zip

2011-02-23 03:47 . 2011-02-23 03:47 -------- d-----w- c:\program files\iPod

2011-02-23 03:43 . 2011-02-23 03:43 -------- d-----w- c:\program files\Apple Software Update

2011-02-23 03:42 . 2011-02-23 03:42 -------- d-----w- c:\program files\Bonjour

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-05 19:12 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-02-11 06:54 . 2011-01-12 16:50 5943120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-02-03 02:40 . 2010-10-26 19:25 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-01-11 16:47 . 2011-01-11 16:47 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DA7D1C30-8ABA-4A11-BCE3-FAC5C4A82D6C}\gapaengine.dll

2011-01-07 14:53 . 2011-01-07 14:53 3584 ----a-r- c:\users\cdubs\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe

2011-01-07 07:45 . 2011-02-09 09:37 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-01-07 05:43 . 2011-02-09 09:37 294400 ----a-w- c:\windows\system32\atmfd.dll

2011-01-07 03:18 . 2011-01-07 03:18 0 ----a-w- c:\windows\system32\RENB09.tmp

2011-01-07 03:18 . 2011-01-07 03:18 0 ----a-w- c:\windows\system32\RENAF9.tmp

2011-01-07 03:18 . 2011-01-07 03:18 0 ----a-w- c:\windows\system32\RENAF8.tmp

2011-01-05 03:51 . 2011-02-09 09:37 2330624 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 22:51 . 2010-04-29 22:51 7834824 ----a-w- c:\program files\Common Files\lpuninstall.exe

2011-03-18 17:53 . 2011-03-21 19:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\users\cdubs\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\users\cdubs\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\users\cdubs\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]

"PlayOn"="c:\program files\MediaMall\PlayOn.exe" [2011-01-12 49152]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-06-06 1261568]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"SoundTray"="c:\program files\Analog Devices\SoundMAX\SoundTray.exe" [2007-05-21 49152]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

.

c:\users\Ramona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\users\cdubs\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\cdubs\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]

@="Service"

.

[HKLM\~\startupfolder\C:^Users^cdubs^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\cdubs\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-03-17 01:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-09-03 12:18 133104 ----atw- c:\users\cdubs\AppData\Local\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2008-12-08 19:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2008-06-24 20:06 1840424 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

2008-06-08 13:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]

2009-01-27 20:18 425472 ----a-w- c:\program files\TiVo\Desktop\TiVoNotify.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]

2009-01-27 20:21 2143232 ----a-w- c:\program files\TiVo\Desktop\TiVoServer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TranscodingService]

2009-01-27 20:03 520192 ----a-w- c:\program files\TiVo\Desktop\TranscodingService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

.

R0 PCGenFAM;PCGenFAM;c:\windows\system32\DRIVERS\PCGenFAM.sys [2010-11-02 181704]

R1 MpKsl1ccae512;MpKsl1ccae512;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C1101631-13E3-4ECF-AD62-A4C53CF4F370}\MpKsl1ccae512.sys [x]

R1 MpKsl4def9ca1;MpKsl4def9ca1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C7C7F667-8790-459C-A404-13F1C92A607F}\MpKsl4def9ca1.sys [x]

R1 MpKsl8631b56c;MpKsl8631b56c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1A91AD69-E6DD-4D4C-BAA9-4D021B0BCF5F}\MpKsl8631b56c.sys [x]

R1 MpKsl863278a6;MpKsl863278a6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{82EDA7CF-6D90-4606-BA73-78D21B816040}\MpKsl863278a6.sys [x]

R1 MpKslbf4fa4fd;MpKslbf4fa4fd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D2746EDB-F401-4EB3-AA3E-749E1AC8CE1C}\MpKslbf4fa4fd.sys [x]

R1 MpKsldb6a40f0;MpKsldb6a40f0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{82EDA7CF-6D90-4606-BA73-78D21B816040}\MpKsldb6a40f0.sys [x]

R1 MpKslde22baf7;MpKslde22baf7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BD0C477-83BA-43F4-8DF3-513C075AC46C}\MpKslde22baf7.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2011-01-12 3994480]

R2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2010-11-02 331296]

R3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\DRIVERS\athru6.sys [2007-07-05 873472]

R3 BthAudioHF;BthAudioHF Service;c:\windows\system32\DRIVERS\BthAudioHF.sys [2009-12-21 43008]

R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [2009-08-13 22528]

R3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [2009-12-21 61952]

R3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 136176]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]

R3 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [2010-01-12 217088]

R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\DRIVERS\WMP54Gv41x86.sys [2010-04-07 376160]

R3 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-13 1343400]

R4 pyTivo;pyTivo;c:\python26\lib\site-packages\win32\PythonService.exe [x]

R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-04-16 717296]

S1 MpKsl89659bf6;MpKsl89659bf6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5BFDDF47-F099-4007-A78E-EE85948EC95F}\MpKsl89659bf6.sys [2011-03-23 28752]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]

S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe [2009-07-14 20992]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-12-20 363344]

S2 TunerFreeMCEService;TunerFreeMCEService;c:\program files\MillieSoft\TunerFreeMCE\TunerFreeMCEService.exe [2010-08-16 11264]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-20 20952]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]

S3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28u.sys [2009-08-05 750592]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-06-21 105576]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL89659BF6

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

bthaudiosvc REG_MULTI_SZ HFGService

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

.

2011-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 18:04]

.

2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-19 18:04]

.

2011-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4060729944-3990713619-4136860965-1000Core.job

- c:\users\cdubs\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 12:18]

.

2011-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4060729944-3990713619-4136860965-1000UA.job

- c:\users\cdubs\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 12:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://remote.millermartin.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Download All by ASUS Download - c:\program files\ASUS\RT-N16 Wireless Router Utilities\ASDownloadAll.htm

IE: Download using ASUS Download - c:\program files\ASUS\RT-N16 Wireless Router Utilities\ASDownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass

IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms

Trusted Zone: adobe.com\www

Trusted Zone: millermartin.com\remote

DPF: {050A3800-6C03-48A5-A6D7-14CCF18A700D} - hxxp://remote.millermartin.com/v4rdpchk.cab

FF - ProfilePath - c:\users\cdubs\AppData\Roaming\Mozilla\Firefox\Profiles\na8fxo94.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?complete=1&hl=en

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 1

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(2132)

c:\users\cdubs\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

.

Completion time: 2011-03-23 15:47:03

ComboFix-quarantined-files.txt 2011-03-23 19:47

ComboFix2.txt 2011-03-23 03:47

.

Pre-Run: 186,293,071,872 bytes free

Post-Run: 186,203,279,360 bytes free

.

- - End Of File - - C682438ABD54A33383933E122FCF1913


This guy helped solve a similar problem:

http://www.techmonkeys.co.uk/Thread-trojans-from-website

His code for the combofix changes was a little bit different and also included the user profile path as follows:

Firefox::

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ovlo6lsg.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 0

Do you think adding the path to my user profile might help?

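A defender-side check for the proxy hijack visible in the log above (network.proxy.type = 1 with network.proxy.http = 127.0.0.1 and network.proxy.http_port = 50370), plus the same neutralisation the quoted Firefox:: script performs. This is an added example, not code from the thread, ComboFix or Firefox; it assumes the `user_pref("name", value);` line format of prefs.js, and the sample input is constructed from the FF - prefs.js lines in the log.

```python
import re

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Constructed sample mirroring the "FF - prefs.js:" lines in the ComboFix log above.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "http://www.google.com/webhp?complete=1&hl=en");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
"""

def parse_prefs(text):
    """Return {name: value} for each user_pref(...) line (values: str, int or bool)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            name, raw = m.groups()
            if raw.startswith('"'):
                prefs[name] = raw[1:-1]
            elif raw in ("true", "false"):
                prefs[name] = raw == "true"
            else:
                prefs[name] = int(raw)
    return prefs

def proxy_hijack_findings(prefs):
    """Reasons the proxy config looks hijacked; an empty list means clean.
    type 1 = manual proxy. A manual proxy on loopback funnels every browser
    request through a local process, which is what 127.0.0.1:50370 does here."""
    findings = []
    if prefs.get("network.proxy.type") != 1:
        return findings
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host in ("127.0.0.1", "localhost", "::1"):
            findings.append(f"{scheme} proxy -> {host}:{port}")
    return findings

def neutralise_proxy(prefs):
    """Copy of prefs with the proxy disabled (type 0 = no proxy), as the ComboFix
    Firefox:: script in the thread does, and the loopback host/port entries dropped.
    Whatever rewrites prefs.js at startup must still be removed, or the setting
    returns on the next restart, exactly as the OP reports."""
    fixed = {k: v for k, v in prefs.items() if not k.startswith("network.proxy.")}
    fixed["network.proxy.type"] = 0
    return fixed
```

Running the check over a real profile means reading `prefs.js` from the ProfilePath shown in the log with Firefox closed, since Firefox rewrites the file on exit.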

  • 1 month later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

