
Hi Guys, this is my first post here.

I have been removing some malware from a friend's computer and thought I had got it all, but it turns out I haven't.

Basically all I have done is use Rkill to stop any known malicious processes, then do a Malwarebytes scan of the whole hard drive.

It came up with a load of stuff, which I got Malwarebytes to remove.

But AVG keeps popping up with threat warnings and infected file warnings. Firefox keeps randomly redirecting me when I click on a link.

The firewall and ICS keep being stopped. Basically I can't seem to find and remove any files and/or registry values which might be causing all this.

Any help would be greatly appreciated.

Cheers in advance


Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all-clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

I've been seeing some Java infections lately.

Go here and follow the instructions to clear your Java cache:

http://www.java.com/en/download/help/plugin_cache.xml

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Cheers, here is the log

aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-03-31 16:17:17

-----------------------------

16:17:17.313 OS Version: Windows 5.1.2600 Service Pack 3

16:17:17.313 Number of processors: 1 586 0x401

16:17:17.313 ComputerName: DELLPC UserName: Jackie

16:17:22.392 Initialize success

16:17:43.032 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort1

16:17:43.032 Disk 0 Vendor: ST3160023AS 8.12 Size: 152587MB BusType: 3

16:17:43.032 Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST3160023AS_____________________________8.12____#5&f85c66f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found

16:17:43.032 Device \Driver\atapi -> DriverStartIo 8989027f

16:17:45.048 Disk 0 MBR read successfully

16:17:45.048 Disk 0 MBR scan

16:17:45.048 Disk 0 TDL4@MBR code has been found

16:17:45.048 Disk 0 MBR hidden

16:17:45.048 Disk 0 MBR [TDL4] **ROOTKIT**

16:17:45.048 Disk 0 trace - called modules:

16:17:45.048 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89890439]<<

16:17:45.048 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89900ab8]

16:17:45.048 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8987ebe8]

16:17:45.048 \Driver\atapi[0x898b34d8] -> IRP_MJ_CREATE -> 0x89890439

16:17:45.110 Scan finished successfully


aswMBR version 0.9.4 Copyright© 2011 AVAST Software

Run date: 2011-03-31 16:30:26

-----------------------------

16:30:26.970 OS Version: Windows 5.1.2600 Service Pack 3

16:30:26.970 Number of processors: 1 586 0x401

16:30:26.970 ComputerName: DELLPC UserName: Jackie

16:30:27.298 Initialize success

16:30:29.313 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort1

16:30:29.313 Disk 0 Vendor: ST3160023AS 8.12 Size: 152587MB BusType: 3

16:30:29.313 Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST3160023AS_____________________________8.12____#5&f85c66f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found

16:30:29.313 Device \Driver\atapi -> DriverStartIo 8989027f

16:30:31.313 Disk 0 MBR read successfully

16:30:31.313 Disk 0 MBR scan

16:30:31.313 Disk 0 TDL4@MBR code has been found

16:30:31.313 Disk 0 MBR hidden

16:30:31.313 Disk 0 MBR [TDL4] **ROOTKIT**

16:30:31.313 Disk 0 trace - called modules:

16:30:31.313 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89890439]<<

16:30:31.313 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89900ab8]

16:30:31.313 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8987ebe8]

16:30:31.313 \Driver\atapi[0x898b34d8] -> IRP_MJ_CREATE -> 0x89890439

16:30:31.829 Scan finished successfully

16:31:24.798 Disk 0 fixing MBR

16:31:34.798 Disk 0 MBR restored successfully

16:31:34.798 Infection fixed successfully - please reboot ASAP

I assume I should reboot but will wait to see what you say.

Cheers


Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6227

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

31/03/2011 17:00:43

mbam-log-2011-03-31 (17-00-25).txt

Scan type: Quick scan

Objects scanned: 209475

Time elapsed: 17 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\2SPI9KEA4C (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\LocalService\Local Settings\Application Data\sdf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\LocalService\Local Settings\Application Data\sdf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Jackie\Local Settings\Application Data\pse.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (93.188.165.16,93.188.160.46) Good: () -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\Temp\0.7607432248990418.exe (Rogue.Installer) -> No action taken.

c:\WINDOWS\Temp\48665.42085336499.exe (Trojan.Agent) -> No action taken.

Shall I click to remove?

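Reading the Registry Data Items in that log: each browser's StartMenuInternet command was rewritten so the shortcut launches a dropped executable in a user profile with the real browser passed as its argument, the Security Center "antivirus/firewall disabled" notices were muted, and the TCP/IP NameServer was pointed at two outside resolvers. The parser and triage below are an added example written for this thread, not Malwarebytes' own code; SAMPLE_LOG is the detail section of the log above, pasted in as constructed test input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the detail sections of the Malwarebytes 1.50 log posted
# in this thread, pasted in as test input (nothing beyond what the log shows).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\2SPI9KEA4C (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\LocalService\Local Settings\Application Data\sdf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\LocalService\Local Settings\Application Data\sdf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Jackie\Local Settings\Application Data\pse.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (93.188.165.16,93.188.160.46) Good: () -> No action taken.

Files Infected:
c:\WINDOWS\Temp\0.7607432248990418.exe (Rogue.Installer) -> No action taken.
c:\WINDOWS\Temp\48665.42085336499.exe (Trojan.Agent) -> No action taken.
"""

# "Registry Keys Infected:" style headers (the summary lines end in a count).
SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
# Data items carry the current (Bad) and expected (Good) values.
DATA_RE = re.compile(
    r"^(?P<target>.+?) \((?P<detection>[\w.]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$"
)
# Keys, folders and files: just the target, the detection name and the action.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[\w.]+)\) -> (?P<action>.+?)\.?$")
QUOTED = re.compile(r'"([^"]+)"')


@dataclass
class Finding:
    section: str
    target: str
    detection: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log, tracking which 'X Infected:' section each line belongs to."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DATA_RE.match(line) or ITEM_RE.match(line)
        if m and section:
            d = m.groupdict()
            findings.append(Finding(section, d["target"], d["detection"],
                                    d["action"], d.get("bad"), d.get("good")))
    return findings


def triage(findings: List[Finding]) -> Dict[str, list]:
    """Reduce the findings to the few things a responder has to act on."""
    report: Dict[str, list] = {
        "launchers": [],               # (hijack binary, real browser it wraps)
        "dns_servers": [],             # resolvers written into Tcpip\Parameters\NameServer
        "silenced_notifications": [],  # Security Center warnings switched off
        "dropped_files": [],           # files flagged outright
        "other": [],                   # everything else, so nothing is silently lost
    }
    for f in findings:
        if f.detection == "Hijack.StartMenuInternet" and f.bad:
            paths = QUOTED.findall(f.bad)          # [launcher, real browser]
            pair = (paths[0], paths[1] if len(paths) > 1 else f.good)
            if pair not in report["launchers"]:    # open/ and safemode/ share one launcher
                report["launchers"].append(pair)
        elif f.detection == "Trojan.DNSChanger" and f.bad:
            report["dns_servers"].extend(s.strip() for s in f.bad.split(",") if s.strip())
        elif f.detection == "PUM.Disabled.SecurityCenter" and f.bad == "1":
            report["silenced_notifications"].append(f.target.rsplit("\\", 1)[-1])
        elif f.section == "Files":
            report["dropped_files"].append(f.target)
        else:
            report["other"].append((f.target, f.detection))
    return report


REPORT = triage(parse_mbam_log(SAMPLE_LOG))

if __name__ == "__main__":
    for kind, items in REPORT.items():
        print(kind)
        for item in items:
            print("   ", item)
```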

Sorry, I saved the log before clicking remove. Here is the second scan, which is clean I think.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6227

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

31/03/2011 17:59:54

mbam-log-2011-03-31 (17-59-54).txt

Scan type: Quick scan

Objects scanned: 209479

Time elapsed: 16 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hi thanks for all your help.

It's running OK, but AVG Resident Shield keeps popping up saying multiple threats detected.

Only the top 3 popped up after we had been talking. The intelppm.sys one was always popping up before.

Resident Shield detection

"Infection";"Object";"Result";"Detection time";"Object Type";"Process"

"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 19:26:43";"file";"C:\WINDOWS\system32\svchost.exe"

"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 18:26:43";"file";"C:\WINDOWS\system32\svchost.exe"

"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 18:20:55";"file";"C:\WINDOWS\system32\svchost.exe"

"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 16:58:03";"file";"C:\WINDOWS\system32\svchost.exe"

"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 15:25:08";"file";"C:\WINDOWS\system32\svchost.exe"

"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 14:25:07";"file";"C:\WINDOWS\system32\svchost.exe"

"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 13:25:08";"file";"C:\WINDOWS\system32\svchost.exe"

"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 12:25:10";"file";"C:\WINDOWS\system32\svchost.exe"

"Trojan horse SHeur3.BSRK";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014628.dll";"Moved to Virus Vault";"30/03/2011, 22:16:27";"file";"C:\WINDOWS\system32\svchost.exe"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 19:05:49";"file";"C:\WINDOWS\explorer.exe"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 19:02:29";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 18:53:10";"file";"C:\WINDOWS\explorer.exe"

"Trojan horse Pakes.JQV";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014599.dll";"Moved to Virus Vault";"30/03/2011, 17:42:11";"file";"C:\WINDOWS\system32\svchost.exe"

"Trojan horse Pakes.JQV";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014599.dll";"Object is inaccessible.";"30/03/2011, 16:41:05";"file";"C:\WINDOWS\system32\svchost.exe"

"Trojan horse Pakes.JQV";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014599.dll";"Object is inaccessible.";"30/03/2011, 15:42:11";"file";"C:\WINDOWS\system32\svchost.exe"

"Trojan horse Pakes.JQV";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014599.dll";"Object is inaccessible.";"30/03/2011, 14:42:10";"file";"C:\WINDOWS\system32\svchost.exe"

"Trojan horse Pakes.JQV";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014599.dll";"Object is inaccessible.";"30/03/2011, 13:50:32";"file";"C:\WINDOWS\system32\svchost.exe"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 13:28:25";"file";"C:\Program Files\AVG\AVG10\avgcsrvx.exe"

"Trojan horse Pakes.JQV";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014599.dll";"Object is inaccessible.";"30/03/2011, 13:05:05";"file";"C:\WINDOWS\system32\svchost.exe"

"Trojan horse Pakes.JQV";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014599.dll";"Object is inaccessible.";"30/03/2011, 11:41:51";"file";"C:\WINDOWS\system32\svchost.exe"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:30:02";"file";"System"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:29:32";"file";"System"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:29:02";"file";"System"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:28:32";"file";"System"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:28:02";"file";"System"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:27:32";"file";"System"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:27:02";"file";"System"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:26:32";"file";"System"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:26:02";"file";"System"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:25:31";"file";"System"

"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 10:25:01";"file";"System"

Sorry, I could only get CSV.

Cheers again

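Almost every pop-up in that export is the same object inside the System Volume Information restore folder, plus a driver AVG itself refuses to touch, so the list looks far worse than what is actually live on disk. Grouping the CSV by object makes that visible at a glance; this is an added Python example written for this thread, not AVG's tooling, and SAMPLE_CSV is a constructed subset of the rows posted above covering each distinct object and result.

```python
import csv
import io
from collections import OrderedDict
from datetime import datetime
from typing import Dict, List

# Constructed sample: a subset of the Resident Shield CSV rows posted above,
# one or more rows per distinct object/result the export contains.
SAMPLE_CSV = r'''"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 19:26:43";"file";"C:\WINDOWS\system32\svchost.exe"
"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 18:26:43";"file";"C:\WINDOWS\system32\svchost.exe"
"Virus identified Win32/Patched.DX";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP11\A0015603.sys";"Infected";"31/03/2011, 16:58:03";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse SHeur3.BSRK";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014628.dll";"Moved to Virus Vault";"30/03/2011, 22:16:27";"file";"C:\WINDOWS\system32\svchost.exe"
"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 19:05:49";"file";"C:\WINDOWS\explorer.exe"
"Trojan horse Pakes.JQV";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014599.dll";"Moved to Virus Vault";"30/03/2011, 17:42:11";"file";"C:\WINDOWS\system32\svchost.exe"
"Trojan horse Pakes.JQV";"c:\System Volume Information\_restore{8A46E8F3-C0C9-4292-84DF-254A1C64080B}\RP10\A0014599.dll";"Object is inaccessible.";"30/03/2011, 16:41:05";"file";"C:\WINDOWS\system32\svchost.exe"
"Virus identified Win32/Patched.DX";"c:\WINDOWS\system32\drivers\intelppm.sys";"Object is white-listed (critical/system file that should not be removed)";"30/03/2011, 13:28:25";"file";"C:\Program Files\AVG\AVG10\avgcsrvx.exe"
'''

RESTORE_MARKER = "\\system volume information\\_restore"
TIME_FORMAT = "%d/%m/%Y, %H:%M:%S"   # day-first, as in the export above


def parse_avg_csv(text: str) -> List[Dict[str, str]]:
    """AVG exports semicolon-separated, fully quoted rows with a header line."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    header = next(reader)
    return [dict(zip(header, row)) for row in reader if row]


def classify(row: Dict[str, str]) -> str:
    """Where the flagged object lives decides what a cleanup can do about it."""
    obj, result = row["Object"].lower(), row["Result"]
    if RESTORE_MARKER in obj:
        return "restore_point_copy"       # a System Restore snapshot, not a running file
    if result.startswith("Object is white-listed"):
        return "whitelisted_system_file"  # AVG will not touch it; needs a clean replacement
    if "Virus Vault" in result:
        return "quarantined"
    return "live"


def summarize(text: str) -> "OrderedDict[str, dict]":
    """Collapse repeated alerts into one entry per object with a time span."""
    summary: "OrderedDict[str, dict]" = OrderedDict()
    for row in parse_avg_csv(text):
        when = datetime.strptime(row["Detection time"], TIME_FORMAT)
        entry = summary.setdefault(row["Object"], {
            "infection": row["Infection"], "category": classify(row),
            "count": 0, "first_seen": when, "last_seen": when, "results": set(),
        })
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
        entry["results"].add(row["Result"])
    return summary


def category_counts(summary: "OrderedDict[str, dict]") -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for entry in summary.values():
        counts[entry["category"]] = counts.get(entry["category"], 0) + 1
    return counts


def live_objects(summary: "OrderedDict[str, dict]") -> List[str]:
    """Objects that are neither snapshots, quarantined nor protected: the real to-do list."""
    return [obj for obj, e in summary.items() if e["category"] == "live"]


SUMMARY = summarize(SAMPLE_CSV)

if __name__ == "__main__":
    for obj, e in SUMMARY.items():
        print(f'{e["count"]:>3}x {e["category"]:<24} {e["first_seen"]:%d/%m %H:%M}'
              f' .. {e["last_seen"]:%d/%m %H:%M}  {obj}')
    print("per category:", category_counts(SUMMARY))
    print("live objects:", live_objects(SUMMARY))
```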

Due to recent changes in AVG and how it interacts with CF, AVG must be uninstalled to run ComboFix.

AVG > AVG Removal Tool (x86) - AVG Removal Tool (x64)

AVG Identity Protection > AVGIDPUninstaller

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


ComboFix 11-04-01.01 - Jackie 02/04/2011 11:03:18.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1270.906 [GMT 1:00]

Running from: c:\documents and settings\Jackie\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Guest\Application Data\alot

c:\documents and settings\Jackie\Application Data\Adobe\plugs

c:\documents and settings\Jackie\Application Data\PriceGong

c:\documents and settings\Jackie\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Jackie\Application Data\PriceGong\Data\z.xml

c:\documents and settings\Jackie\Local Settings\Application Data\{55F4A85C-A5A5-47AD-89F6-F868B22F02E2}

c:\documents and settings\Jackie\Local Settings\Application Data\{55F4A85C-A5A5-47AD-89F6-F868B22F02E2}\chrome.manifest

c:\documents and settings\Jackie\Local Settings\Application Data\{55F4A85C-A5A5-47AD-89F6-F868B22F02E2}\chrome\content\_cfg.js

c:\documents and settings\Jackie\Local Settings\Application Data\{55F4A85C-A5A5-47AD-89F6-F868B22F02E2}\chrome\content\overlay.xul

c:\documents and settings\Jackie\Local Settings\Application Data\{55F4A85C-A5A5-47AD-89F6-F868B22F02E2}\install.rdf

c:\documents and settings\Jackie\Recent\ANTIGEN.drv

c:\documents and settings\Jackie\Recent\ANTIGEN.exe

c:\documents and settings\Jackie\Recent\ANTIGEN.sys

c:\documents and settings\Jackie\Recent\ANTIGEN.tmp

c:\documents and settings\Jackie\Recent\cb.dll

c:\documents and settings\Jackie\Recent\cb.drv

c:\documents and settings\Jackie\Recent\cb.exe

c:\documents and settings\Jackie\Recent\cb.sys

c:\documents and settings\Jackie\Recent\cb.tmp

c:\documents and settings\Jackie\Recent\cid.sys

c:\documents and settings\Jackie\Recent\CLSV.dll

c:\documents and settings\Jackie\Recent\CLSV.drv

c:\documents and settings\Jackie\Recent\CLSV.exe

c:\documents and settings\Jackie\Recent\CLSV.sys

c:\documents and settings\Jackie\Recent\CLSV.tmp

c:\documents and settings\Jackie\Recent\DBOLE.dll

c:\documents and settings\Jackie\Recent\DBOLE.tmp

c:\documents and settings\Jackie\Recent\ddv.exe

c:\documents and settings\Jackie\Recent\ddv.sys

c:\documents and settings\Jackie\Recent\delfile.drv

c:\documents and settings\Jackie\Recent\delfile.sys

c:\documents and settings\Jackie\Recent\eb.dll

c:\documents and settings\Jackie\Recent\eb.drv

c:\documents and settings\Jackie\Recent\eb.sys

c:\documents and settings\Jackie\Recent\eb.tmp

c:\documents and settings\Jackie\Recent\energy.dll

c:\documents and settings\Jackie\Recent\energy.drv

c:\documents and settings\Jackie\Recent\energy.exe

c:\documents and settings\Jackie\Recent\energy.sys

c:\documents and settings\Jackie\Recent\energy.tmp

c:\documents and settings\Jackie\Recent\exec.dll

c:\documents and settings\Jackie\Recent\exec.drv

c:\documents and settings\Jackie\Recent\exec.sys

c:\documents and settings\Jackie\Recent\exec.tmp

c:\documents and settings\Jackie\Recent\fan.tmp

c:\documents and settings\Jackie\Recent\fix.dll

c:\documents and settings\Jackie\Recent\fix.drv

c:\documents and settings\Jackie\Recent\fix.sys

c:\documents and settings\Jackie\Recent\FS.tmp

c:\documents and settings\Jackie\Recent\FW.sys

c:\documents and settings\Jackie\Recent\gid.dll

c:\documents and settings\Jackie\Recent\gid.tmp

c:\documents and settings\Jackie\Recent\grid.tmp

c:\documents and settings\Jackie\Recent\hymt.exe

c:\documents and settings\Jackie\Recent\kernel32.dll

c:\documents and settings\Jackie\Recent\kernel32.exe

c:\documents and settings\Jackie\Recent\kernel32.sys

c:\documents and settings\Jackie\Recent\kernel32.tmp

c:\documents and settings\Jackie\Recent\PE.dll

c:\documents and settings\Jackie\Recent\PE.drv

c:\documents and settings\Jackie\Recent\PE.exe

c:\documents and settings\Jackie\Recent\PE.sys

c:\documents and settings\Jackie\Recent\PE.tmp

c:\documents and settings\Jackie\Recent\ppal.dll

c:\documents and settings\Jackie\Recent\ppal.drv

c:\documents and settings\Jackie\Recent\ppal.tmp

c:\documents and settings\Jackie\Recent\runddlkey.exe

c:\documents and settings\Jackie\Recent\runddlkey.sys

c:\documents and settings\Jackie\Recent\SICKBOY.exe

c:\documents and settings\Jackie\Recent\SICKBOY.tmp

c:\documents and settings\Jackie\Recent\sld.exe

c:\documents and settings\Jackie\Recent\sld.sys

c:\documents and settings\Jackie\Recent\sld.tmp

c:\documents and settings\Jackie\Recent\SM.exe

c:\documents and settings\Jackie\Recent\SM.sys

c:\documents and settings\Jackie\Recent\SM.tmp

c:\documents and settings\Jackie\Recent\snl2w.drv

c:\documents and settings\Jackie\Recent\snl2w.sys

c:\documents and settings\Jackie\Recent\std.drv

c:\documents and settings\Jackie\Recent\std.sys

c:\documents and settings\Jackie\Recent\tempdoc.sys

c:\documents and settings\Jackie\Recent\tjd.dll

c:\documents and settings\Jackie\Recent\tjd.drv

c:\documents and settings\Jackie\Recent\tjd.exe

c:\documents and settings\Jackie\Recent\tjd.sys

c:\documents and settings\Jackie\Recent\tjd.tmp

c:\documents and settings\Jackie\System

c:\documents and settings\Jackie\System\win_qs8.jqx

c:\documents and settings\Jim\Application Data\PriceGong

c:\documents and settings\Jim\Local Settings\Application Data\{302BF5CF-3101-4C28-A843-00FD884BAD51}

c:\documents and settings\Jim\Local Settings\Application Data\{302BF5CF-3101-4C28-A843-00FD884BAD51}\chrome.manifest

c:\documents and settings\Jim\Local Settings\Application Data\{302BF5CF-3101-4C28-A843-00FD884BAD51}\chrome\content\_cfg.js

c:\documents and settings\Jim\Local Settings\Application Data\{302BF5CF-3101-4C28-A843-00FD884BAD51}\chrome\content\overlay.xul

c:\documents and settings\Jim\Local Settings\Application Data\{302BF5CF-3101-4C28-A843-00FD884BAD51}\install.rdf

c:\windows\regedit.com

c:\windows\system32\Install.txt

c:\windows\system32\tukdtjsr.txt

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MYWEBSEARCHSERVICE

.

.

((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 )))))))))))))))))))))))))))))))

.

.

2011-03-30 20:13 . 2011-03-30 20:13 -------- d-----w- c:\program files\ESET

2011-03-29 20:42 . 2011-03-29 20:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ConduitEngine

2011-03-29 20:42 . 2011-03-29 20:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\TranslatorBar_1

2011-03-23 17:39 . 2011-03-23 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\dIeHlFaAoEo05200

2011-03-21 19:07 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-21 19:07 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-21 17:46 . 2011-03-21 17:47 -------- d-----w- c:\documents and settings\Administrator

2011-03-20 23:07 . 2011-03-20 23:13 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine

2011-03-20 23:07 . 2011-03-20 23:10 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\TranslatorBar_1

2011-03-20 19:07 . 2011-03-20 19:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-03-20 18:54 . 2011-03-30 21:04 -------- d-----w- c:\documents and settings\Jackie\Application Data\45DEA7A52A1172A18D87192997DFBB5C

2011-03-18 12:50 . 2011-03-18 13:09 -------- d-----w- c:\documents and settings\Jackie\Application Data\Sammsoft

2011-03-18 09:42 . 2011-03-18 09:42 -------- d-sh--w- c:\documents and settings\All Users\Application Data\BMOFP

2011-03-18 09:42 . 2011-03-30 20:36 -------- d-sh--w- c:\documents and settings\All Users\Application Data\ed3299

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-27 21:06 . 2010-11-23 11:46 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2011-02-09 13:53 . 2008-12-01 15:58 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-12-01 15:57 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2008-12-02 13:00 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-12-02 13:00 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2008-12-01 15:58 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2008-12-01 15:56 290048 ----a-w- c:\windows\system32\atmfd.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00bf7b9c-acd2-4080-bea8-b1c41987070f}]

2011-01-17 14:54 175912 ----a-w- c:\program files\TranslatorBar_1\prxtbTra0.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{00bf7b9c-acd2-4080-bea8-b1c41987070f}"= "c:\program files\TranslatorBar_1\prxtbTra0.dll" [2011-01-17 175912]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{00bf7b9c-acd2-4080-bea8-b1c41987070f}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{00BF7B9C-ACD2-4080-BEA8-B1C41987070F}"= "c:\program files\TranslatorBar_1\prxtbTra0.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{00bf7b9c-acd2-4080-bea8-b1c41987070f}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-26 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-06-09 18:52 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^basepagequeue.exe]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\basepagequeue.exe

backup=c:\windows\pss\basepagequeue.exeCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 05:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Cleaner]

2009-03-25 19:17 4265256 ----a-w- c:\program files\Disk Cleaner\DiskCleaner.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX8400 Series]

2007-04-12 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICEE.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]

2007-09-05 21:24 405504 ----a-w- c:\windows\sttray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2008-12-20 07:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 05:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]

2009-10-27 15:10 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-07-25 04:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-01-26 13:58 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-11-18 15:34 274608 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vvalajij]

2008-04-14 05:42 358400 ----a-w- c:\windows\efiqijiwawanubil.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

.

R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [13/07/2010 17:41 20328]

R2 Disk Cleaner Service;Disk Cleaner Service;c:\program files\Disk Cleaner\DiskCleanerService.exe [25/03/2009 20:17 79160]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/01/2010 14:03 135664]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 13:03]

.

2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 13:03]

.

2011-04-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1637723038-682003330-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-04-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1637723038-682003330-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-04-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1637723038-682003330-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-03-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1637723038-682003330-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-04-01 c:\windows\Tasks\User_Feed_Synchronization-{5B53BCB9-B491-44D5-A92D-E7245530B82B}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab

FF - ProfilePath - c:\documents and settings\Jackie\Application Data\Mozilla\Firefox\Profiles\go26o26d.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/gamers_tbar/ws/redir?_iceUrl=true&user_id=58522095&tool_id=62781&qkw=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

MSConfigStartUp-2SPI9KEA4C - c:\windows\Ztynia.exe

MSConfigStartUp-Google Update - c:\documents and settings\Jackie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

MSConfigStartUp-IncrediMail - c:\program files\IncrediMail\bin\IncMail.exe

MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe

MSConfigStartUp-Mqepifohah - c:\windows\muvcoda.dll

MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

MSConfigStartUp-Registry Helper - c:\program files\Registry Helper\RegistryHelper.Exe

MSConfigStartUp-SGPUpdater - c:\program files\Search Guard PlusU\sgpUpdaters.exe

MSConfigStartUp-tukdtjsr - c:\windows\system32\tukdtjsr.exe

MSConfigStartUp-tukdtjsrx - c:\windows\system32\tukdtjsrx.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-02 11:24

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(612)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(7752)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\LMIRfsClientNP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-04-02 11:28:20 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-02 10:28

.

Pre-Run: 136,839,249,920 bytes free

Post-Run: 137,689,468,928 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 522800A517BF691F6A2D94338C97849A

Sorry, I was away for a couple of days there.

Cheers


FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

You have 2 firewalls. You need to uninstall one of them.

1. Click Start > Settings > Control Panel.

2. Next, open Add/Remove Programs and remove if listed:

ConduitEngine

Logitech Desktop Messenger

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\ConduitEngine.tmp
c:\documents and settings\All Users\Start Menu\Programs\Startup\basepagequeue.exe
c:\windows\pss\basepagequeue.exe

Folder::
c:\documents and settings\All Users\Application Data\dIeHlFaAoEo05200
c:\documents and settings\LocalService\Local Settings\Application Data\ConduitEngine
c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine
c:\documents and settings\Jackie\Application Data\45DEA7A52A1172A18D87192997DFBB5C
c:\documents and settings\All Users\Application Data\BMOFP
c:\documents and settings\All Users\Application Data\ed3299

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
[-HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^basepagequeue.exe]

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

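The ComboFix log above, under Reg Loading Points, also records Security Center overrides (AntiVirusOverride and FirewallOverride set to 1, and DisableMonitoring set to 1 for the McAfee entries) and a standard-profile firewall policy with EnableFirewall=0 and DisableNotifications=1, which fits the original complaint that the firewall keeps being stopped. The same section lists a startupreg entry, Vvalajij, whose target is a DLL sitting directly in c:\windows. The script below is added here as an example; it is not ComboFix's code and was not posted or run by anyone in this thread. It parses that section of a log and surfaces exactly those two kinds of finding. It runs on a constructed excerpt embedded in the script, and the flagging rules (DLL target, image directly under c:\windows, the particular value names checked) are my own assumptions and give a list to review, not a verdict:

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix's code or anything the posters ran.
SAMPLE_LOG is constructed from the line shapes seen in the thread; the flagging
rules are my own assumptions and give a list to review, not a verdict.
"""
import re

SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\swg]
2009-01-26 13:58 39408 ----a-w- c:\\program files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Vvalajij]
2008-04-14 05:42 358400 ----a-w- c:\\windows\\efiqijiwawanubil.dll
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"IgfxTray"="c:\\windows\\system32\\igfxtray.exe" [2005-04-05 94208]
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                                    # [registry key]
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.+)$")  # date time size attrs path
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"')                          # "name"="path" [date size]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')                     # "name"=dword:.. or "name"= 0 (0x0)

def parse_blocks(text):
    """Return {registry key: [entry lines]}; blank lines are skipped, '.' closes a block."""
    blocks, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line == ".":
            current = None
        elif line and current is not None:
            blocks[current].append(line)
    return blocks

def value_as_int(text):
    """Decode 'dword:00000001' or '0 (0x0)' into an int; None for other shapes."""
    text = text.strip()
    if text.lower().startswith("dword:"):
        return int(text[6:], 16)
    m = re.match(r"^\d+", text)
    return int(m.group()) if m else None

def find_security_tampering(blocks):
    """Flag Security Center overrides and a disabled or silenced firewall profile."""
    findings = []
    for key, lines in blocks.items():
        k = key.lower()
        for line in lines:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, val = m.group(1), value_as_int(m.group(2))
            if "security center" in k and val == 1 and name in (
                    "AntiVirusOverride", "FirewallOverride", "DisableMonitoring"):
                findings.append(f"{name}=1 under {key}")
            elif "firewallpolicy" in k and ((name == "EnableFirewall" and val == 0)
                                            or (name == "DisableNotifications" and val == 1)):
                findings.append(f"{name}={val} under {key}")
    return findings

def find_suspicious_autostarts(blocks):
    """List autostarts whose image is a DLL or sits directly in c:\\windows (assumed cues)."""
    findings = []
    for key, lines in blocks.items():
        k = key.lower()
        if "startupreg" not in k and not k.endswith("currentversion\\run"):
            continue
        for line in lines:
            fm, rm = FILE_RE.match(line), RUN_RE.match(line)
            if not (fm or rm):
                continue  # e.g. the "... [X]" shape: no file on disk, nothing to check
            name, path = (key.rsplit("\\", 1)[-1], fm.group(1)) if fm else rm.groups()
            low, reasons = path.lower(), []
            if low.endswith(".dll"):
                reasons.append("target is a DLL, so a host process (rundll32) must load it")
            if low.startswith("c:\\windows\\") and "\\" not in low[len("c:\\windows\\"):]:
                reasons.append("image sits directly in c:\\windows")
            if reasons:
                findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_LOG)
    print(*find_security_tampering(parsed), sep="\n")
    print(*find_suspicious_autostarts(parsed), sep="\n")
```

Run it as-is to see the findings for the embedded excerpt, or replace SAMPLE_LOG with the text of a full log. Anything that lives directly under c:\windows is listed, legitimate vendor tray programs included, so the second list is a set of entries to look at by hand, and the first list is what to compare against the "firewall keeps being stopped" symptom after each fix.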

I can't find anything to do with McAfee anywhere on this computer, and I also uninstalled AVG like you instructed me to do,

so I don't know why that is still there either. Very strange.

ComboFix 11-04-01.01 - Jackie 03/04/2011 8:52.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1270.880 [GMT 1:00]

Running from: c:\documents and settings\Jackie\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jackie\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

FILE ::

"c:\documents and settings\All Users\Start Menu\Programs\Startup\basepagequeue.exe"

"c:\windows\pss\basepagequeue.exe"

"c:\windows\system32\ConduitEngine.tmp"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\BMOFP

c:\documents and settings\All Users\Application Data\BMOFP\BMPBEQGP.cfg

c:\documents and settings\All Users\Application Data\dIeHlFaAoEo05200

c:\documents and settings\All Users\Application Data\dIeHlFaAoEo05200\dIeHlFaAoEo05200

c:\documents and settings\All Users\Application Data\ed3299

c:\documents and settings\All Users\Application Data\ed3299\BackUp\Antimalware Doctor.lnk

c:\documents and settings\All Users\Application Data\ed3299\BackUp\McAfee Security Scan Plus.lnk

c:\documents and settings\All Users\Application Data\ed3299\BMP.ico

c:\documents and settings\All Users\Application Data\ed3299\ed3299cfbab8ed9d5cbdd41b1fd14717.ocx

c:\documents and settings\All Users\Application Data\ed3299\x01u8zvvlp45ggv2plxd3gjvk.dll

c:\documents and settings\Jackie\Application Data\45DEA7A52A1172A18D87192997DFBB5C

c:\documents and settings\Jackie\Application Data\45DEA7A52A1172A18D87192997DFBB5C\lsrslt.ini

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_About_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Browse_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Contact_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Hide_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_LikeIcon_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_More_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_MoreFromPublisher_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_MoveLeft_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_MoveRight_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Options_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Privacy_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Refresh_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Upgrade_png.png

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\ConduitEngine.dll

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\EngineSettings.json

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\ExternalComponent\http___contextmenu_app_conduit-services_com_apps_TranslatedApps_ashx_productId=1&name=appContextMenu2_0&locale=en-gb.xml

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\ExternalComponent\http___contextmenu_engine_conduit-services_com_apps_TranslatedApps_ashx_productId=1&name=engineContextMenu2_0&locale=en-gb.xml

c:\documents and settings\Jim\Local Settings\Application Data\ConduitEngine\toolbar.cfg

c:\documents and settings\LocalService\Local Settings\Application Data\ConduitEngine

c:\documents and settings\LocalService\Local Settings\Application Data\ConduitEngine\ConduitEngine.dll

c:\documents and settings\LocalService\Local Settings\Application Data\ConduitEngine\toolbar.cfg

c:\windows\system32\ConduitEngine.tmp

.

.

((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))

.

.

2011-03-30 20:13 . 2011-03-30 20:13 -------- d-----w- c:\program files\ESET

2011-03-29 20:42 . 2011-03-29 20:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\TranslatorBar_1

2011-03-21 19:07 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-21 19:07 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-21 17:46 . 2011-03-21 17:47 -------- d-----w- c:\documents and settings\Administrator

2011-03-20 23:07 . 2011-03-20 23:10 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\TranslatorBar_1

2011-03-20 19:07 . 2011-03-20 19:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-03-18 12:50 . 2011-03-18 13:09 -------- d-----w- c:\documents and settings\Jackie\Application Data\Sammsoft

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2008-12-01 15:58 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-12-01 15:57 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2008-12-02 13:00 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-12-02 13:00 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2008-12-01 15:58 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2008-12-01 15:56 290048 ----a-w- c:\windows\system32\atmfd.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-04-02_10.24.40 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-03 07:59 . 2011-04-03 07:59 16384 c:\windows\temp\Perflib_Perfdata_64c.dat

+ 2011-04-03 07:59 . 2008-12-16 21:59 109080 c:\windows\temp\logishrd\LVPrcInj01.dll

- 2011-04-02 10:13 . 2008-12-16 21:59 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-26 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-06-09 18:52 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 05:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Cleaner]

2009-03-25 19:17 4265256 ----a-w- c:\program files\Disk Cleaner\DiskCleaner.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX8400 Series]

2007-04-12 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICEE.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]

2007-09-05 21:24 405504 ----a-w- c:\windows\sttray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2008-12-20 07:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 05:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]

2009-10-27 15:10 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-07-25 04:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-01-26 13:58 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-11-18 15:34 274608 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vvalajij]

2008-04-14 05:42 358400 ----a-w- c:\windows\efiqijiwawanubil.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

.

R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [13/07/2010 17:41 20328]

R2 Disk Cleaner Service;Disk Cleaner Service;c:\program files\Disk Cleaner\DiskCleanerService.exe [25/03/2009 20:17 79160]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/01/2010 14:03 135664]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 13:03]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 13:03]

.

2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1637723038-682003330-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1637723038-682003330-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-04-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1637723038-682003330-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-03-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1637723038-682003330-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-04-02 c:\windows\Tasks\User_Feed_Synchronization-{5B53BCB9-B491-44D5-A92D-E7245530B82B}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab

FF - ProfilePath - c:\documents and settings\Jackie\Application Data\Mozilla\Firefox\Profiles\go26o26d.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/gamers_tbar/ws/redir?_iceUrl=true&user_id=58522095&tool_id=62781&qkw=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-03 09:54

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(612)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(7840)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-04-03 09:57:22 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-03 08:57

ComboFix2.txt 2011-04-02 10:28

.

Pre-Run: 137,690,779,648 bytes free

Post-Run: 137,731,596,288 bytes free

.

- - End Of File - - A77B36DD78142C5E25D1D08031F4C60E


We need to collect a file or two

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run, type Notepad, and click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

http://forums.malwarebytes.org/index.php?showtopic=79858

Collect::
c:\windows\efiqijiwawanubil.dll

File::
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe

Folder::
c:\program files\Common Files\Mcafee

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


ComboFix 11-04-01.01 - Jackie 03/04/2011 15:35:48.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1270.877 [GMT 1:00]

Running from: c:\documents and settings\Jackie\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jackie\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

FILE ::

"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe"

.

file zipped: c:\windows\efiqijiwawanubil.dll

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\efiqijiwawanubil.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_McAfee_SiteAdvisor_Service

-------\Service_McAfee SiteAdvisor Service

.

.

((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))

.

.

2011-03-30 20:13 . 2011-03-30 20:13 -------- d-----w- c:\program files\ESET

2011-03-29 20:42 . 2011-03-29 20:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\TranslatorBar_1

2011-03-21 19:07 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-21 19:07 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-21 17:46 . 2011-03-21 17:47 -------- d-----w- c:\documents and settings\Administrator

2011-03-20 23:07 . 2011-03-20 23:10 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\TranslatorBar_1

2011-03-20 19:07 . 2011-03-20 19:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-03-18 12:50 . 2011-03-18 13:09 -------- d-----w- c:\documents and settings\Jackie\Application Data\Sammsoft

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2008-12-01 15:58 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-12-01 15:57 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2008-12-02 13:00 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-12-02 13:00 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2008-12-01 15:58 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2008-12-01 15:56 290048 ----a-w- c:\windows\system32\atmfd.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-04-02_10.24.40 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-04-03 14:41 . 2011-04-03 14:41 16384 c:\windows\temp\Perflib_Perfdata_64c.dat

+ 2011-04-03 14:41 . 2008-12-16 21:59 109080 c:\windows\temp\logishrd\LVPrcInj01.dll

- 2011-04-02 10:13 . 2008-12-16 21:59 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-26 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-06-09 18:52 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 05:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Cleaner]

2009-03-25 19:17 4265256 ----a-w- c:\program files\Disk Cleaner\DiskCleaner.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX8400 Series]

2007-04-12 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICEE.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]

2007-09-05 21:24 405504 ----a-w- c:\windows\sttray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2008-12-20 07:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 05:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 16:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]

2009-10-27 15:10 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-07-25 04:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-01-26 13:58 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-11-18 15:34 274608 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

.

R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [13/07/2010 17:41 20328]

R2 Disk Cleaner Service;Disk Cleaner Service;c:\program files\Disk Cleaner\DiskCleanerService.exe [25/03/2009 20:17 79160]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16/01/2010 14:03 135664]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 13:03]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-16 13:03]

.

2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1637723038-682003330-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1801674531-1637723038-682003330-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-04-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1637723038-682003330-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-03-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1801674531-1637723038-682003330-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

.

2011-04-02 c:\windows\Tasks\User_Feed_Synchronization-{5B53BCB9-B491-44D5-A92D-E7245530B82B}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab

FF - ProfilePath - c:\documents and settings\Jackie\Application Data\Mozilla\Firefox\Profiles\go26o26d.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/gamers_tbar/ws/redir?_iceUrl=true&user_id=58522095&tool_id=62781&qkw=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-Vvalajij - c:\windows\efiqijiwawanubil.dll

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-03 16:20

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(616)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(7424)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-04-03 16:23:22 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-03 15:23

ComboFix2.txt 2011-04-03 08:57

ComboFix3.txt 2011-04-02 10:28

.

Pre-Run: 137,746,071,552 bytes free

Post-Run: 137,726,758,912 bytes free

.

- - End Of File - - 2D81DBA9210EB768571BF1100239ECEC

Upload was successful

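
An added example, not part of any post in this thread and not ComboFix's own code: a small Python triage script that runs over a constructed excerpt shaped like the two logs above and flags the indicators that line up with the symptoms reported in the first post. The Security Center AntiVirusOverride/FirewallOverride values suppress the warnings that the AV and firewall are off, and the standardprofile firewall is disabled with DisableNotifications set; the non-default keyword.URL pref pointing at an infospace redirector matches the Firefox redirects; and the orphaned MSConfigStartUp entry for c:\windows\efiqijiwawanubil.dll is the random-named DLL the CFScript above collected and deleted. The "random-looking name" rule (twelve or more lowercase letters, directly in the Windows root) is an assumption of this example rather than a ComboFix signature, so a hit should be confirmed by hash and signer before anything is deleted.

```python
"""Triage a ComboFix-style log excerpt for the indicators seen in this thread.

Added example for this thread; it is not ComboFix code and not part of any
post above. It runs over a constructed excerpt (modelled on the posted logs)
and flags the things a responder would act on:
  * Security Center *Override values, which silence the AV/firewall warnings
  * a firewall profile that is disabled with its notifications suppressed
  * a non-default Firefox keyword.URL pref (ComboFix omits default prefs)
  * a loader entry naming a random-looking DLL directly in the Windows root
The naming heuristic is an assumption, not a signature: confirm any hit by
checking the file's hash and signer before acting on it.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")
# A DLL living directly in c:\windows (not in system32 or any subfolder).
ROOT_DLL_RE = re.compile(r"(c:\\windows\\([a-z0-9_]+)\.dll)\b", re.IGNORECASE)

# Constructed sample, copied in shape from the logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/gamers_tbar/ws/redir?_iceUrl=true&qkw=
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Vvalajij - c:\windows\efiqijiwawanubil.dll
"""


def parse_dword(raw):
    """Return the integer of a ComboFix-rendered value in either spelling the
    log uses: 'dword:00000001' or '1 (0x1)'. Anything else returns None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    return int(m.group(1)) if m else None


def random_looking_root_dll(line):
    """Return the path of a DLL in the Windows root whose name looks machine
    generated (12+ lowercase letters and nothing else), else None. Legitimate
    files in that directory (twain_32.dll, explorer.exe) do not match."""
    m = ROOT_DLL_RE.search(line)
    if not m:
        return None
    path, stem = m.group(1), m.group(2)
    if len(stem) >= 12 and stem.isalpha() and stem.islower():
        return path
    return None


def triage(log_text):
    """Walk the log line by line, tracking the current [registry key] header,
    and return (indicator, detail) tuples in the order they were seen."""
    findings = []
    section = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), parse_dword(m.group(2))
            if "security center" in section and name.endswith("Override") and value == 1:
                findings.append(("security_center_override", name))
            elif "firewallpolicy" in section:
                profile = section.rsplit("\\", 1)[-1]
                if name == "EnableFirewall" and value == 0:
                    findings.append(("firewall_disabled", profile))
                elif name == "DisableNotifications" and value == 1:
                    findings.append(("firewall_notifications_suppressed", profile))
        m = FF_PREF_RE.match(line)
        if m and m.group(1) == "keyword.URL":
            # ComboFix prints only non-default prefs, so a keyword.URL line
            # means address-bar searches were pointed somewhere else.
            findings.append(("firefox_keyword_url_set", m.group(2)))
        path = random_looking_root_dll(line)
        if path:
            findings.append(("random_dll_in_windows_root", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:36} {detail}")
```

Run it as-is to see the six findings from the sample, or feed it a saved log with triage(open("ComboFix.txt").read()). The rules are deliberately narrow; ordinary Run entries and the firewall's AuthorizedApplications list sit in the same sections and are left alone.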

Make sure you do this:

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START, then Run
  • Now type ComboFix /Uninstall in the run box and click OK. Note the space between the X and the /; it needs to be there.

For Vista / Windows 7

  • Click START, then Search
  • Now type ComboFix /Uninstall in the search box and click OK. Note the space between the X and the /; it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • WOT, Web of Trust - As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    Green to go

    Yellow for caution

    Red to stop

    WOT has an add-on available for both Firefox and IE.

  • JAVA - Click this link and click on the Free JAVA Download.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.


This topic is now closed to further replies.