
I knew it the minute I saw the pop-up window - I was infected. XP Security 2011.

I'm not a techie, but not a newb either. Running XP Home, SP2 on a Dell desktop. IE is primary browser, which is unusable. I was only able to reboot by using last known config, but that's about it. There are no programs on start menu and nothing on my desktop. I am able to launch Windows explorer, but my files are hidden. I'm able to unhide them using the folders option mentioned in another post.

Ran ATF successfully (at least it said it completed). Tried to run MBam - system wouldn't let me. I renamed the file to xxx.com and it would launch, but only got about 10% through when system crashed. Tried this 3 times. Getting the Windows Delayed Write Failed error - not totally sure, but think that error message is legit. There are many other error messages spawned by this evil virus that are obviously bogus.

I have access to a work PC, which I am using to access internet and log the issue. Really would like to get this resolved as I have some personal files on that PC that were not backed up when this occurred.

Any help you can provide would be much appreciated.

fcrider

Have not received a reply from anyone since original post - would realllly appreciate some help here...

Update: I was able to get MBAM to run a quick scan. It found 8 bad files on first pass which were removed. Obviously did not remove the virus, so ran a second quick scan and it found 1 bad registry data item which was removed. The logs are pasted below. This obviously did not remove the virus as I still have no control over my programs and the incessant bogus warnings/errors are constant.

I'm reluctant to download other tools/scanners until someone advises me per other posts.

If I don't hear back from anyone will post again with my MBAM logs hoping there is someone who can help me.

Thanks,

fcrider

------------------------

------------------------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/7/2011 5:34:02 PM

mbam-log-2011-05-07 (17-34-02).txt

Scan type: Quick scan

Objects scanned: 179422

Time elapsed: 14 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 4

Registry Data Items Infected: 7

Folders Infected: 9

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Typelib\{B035BA6B-57CD-4F72-B545-65BE465FCAF6} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{D44FD6F0-9746-484E-B5C4-C66688393872} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{0EB3F101-224A-4B2B-9E5B-DF720857529C} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DB38E21A-0133-419d-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\ShoppingReport2 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport2 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingReport2 (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{DB38E21A-0133-419d-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Value: {DB38E21A-0133-419d-92AD-ECDFD5244D6D} -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Value: {EB620C54-E229-4942-87CE-E717109FC8C6} -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Value: {EB620C54-E229-4942-87CE-E717109FC8C6} -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{DB38E21A-0133-419d-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Value: {DB38E21A-0133-419d-92AD-ECDFD5244D6D} -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\John\Local Settings\Application Data\het.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:

c:\documents and settings\John\application data\shoppingreport2 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs\db (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs\dwld (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs\report (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs\res1 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\program files\shoppingreport2 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\program files\shoppingreport2\Bin (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\program files\shoppingreport2\Bin\2.7.37 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\John\application data\shoppingreport2\cs\Config.xml (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs\db\Aliases.dbs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs\db\Sites.dbs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs\dwld\whitelist.xip (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs\report\aggr_storage.xml (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs\report\send_storage.xml (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\documents and settings\John\application data\shoppingreport2\cs\res1\whitelist.dbs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

c:\program files\shoppingreport2\Uninst.exe (Adware.ShoppingReport2) -> Quarantined and deleted successfully.

------------------------

------------------------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/7/2011 5:54:48 PM

mbam-log-2011-05-07 (17-54-48).txt

Scan type: Quick scan

Objects scanned: 179353

Time elapsed: 10 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

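Added example (not from the original post and not Malwarebytes' own code): the "Registry Data Items Infected" entries in the first log above are the part worth reading closely, because the Bad:/Good: pair shows exactly what the rogue changed. The exefile\shell\open\command hijack makes every .exe launch run through het.exe first, which is why MBAM would not start until the installer was renamed to .com (the comfile association was left alone); the Policies and Security Center values explain the missing Task Manager and the silenced security warnings. The script below parses those lines, classifies each change, and pulls out the binary that was inserted in front of legitimate commands. The sample input is a constructed subset of lines copied from the logs in this thread (the StartMenuInternet line comes from the log posted later in the thread); the function and class names are my own assumptions.

```python
"""Parse the 'Registry Data Items Infected' section of a Malwarebytes 1.x log
and classify each hijack.  Example code written for this thread; the function
and class names are assumptions, not part of Malwarebytes."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the MBAM logs posted in this thread.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\John\Local Settings\Application Data\het.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\John\Local Settings\Application Data\het.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

Folders Infected:

c:\documents and settings\John\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.
"""

# One line of the section.  The key may contain spaces ("Security Center"),
# so it is matched lazily up to the " (Detection.Name)" that follows it.
_ITEM = re.compile(
    r"^(?P<key>HKEY_\S+(?: \S+)*?) \((?P<detection>[\w.]+)\)"
    r" -> Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)"
    r" -> (?P<action>.+)$"
)
_QUOTED_PATH = re.compile(r'"([^"]+)"')


@dataclass(frozen=True)
class RegistryDataItem:
    key: str
    detection: str
    bad: str
    good: str
    action: str


def parse_registry_data_items(log_text: str) -> list[RegistryDataItem]:
    """Return only the entries of the 'Registry Data Items Infected' section."""
    items: list[RegistryDataItem] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # every section header ends this way
            in_section = line == "Registry Data Items Infected:"
            continue
        if in_section:
            m = _ITEM.match(line)
            if m:
                items.append(RegistryDataItem(**m.groupdict()))
    return items


def classify(item: RegistryDataItem) -> str:
    """Map the registry key to what the change does to the victim."""
    k = item.key.lower()
    if "\\clients\\startmenuinternet\\" in k and k.endswith("\\command\\(default)"):
        return "browser-launch-hijack"        # Start-menu browser entry runs malware first
    if "file\\shell\\open\\command" in k:      # exefile, comfile, batfile, ...
        return "exe-association-hijack"       # every launch of that file type is proxied
    if k.endswith("\\policies\\system\\disabletaskmgr"):
        return "task-manager-disabled"
    if "\\security center\\" in k and k.endswith("disablenotify"):
        return "security-center-notify-suppressed"
    if k.endswith("\\policies\\activedesktop\\nochangingwallpaper"):
        return "wallpaper-locked"
    return "other"


def hijack_binaries(items: list[RegistryDataItem]) -> set[str]:
    """Paths that were inserted in front of legitimate commands."""
    found: set[str] = set()
    for item in items:
        if classify(item) not in ("exe-association-hijack", "browser-launch-hijack"):
            continue
        m = _QUOTED_PATH.search(item.bad)     # first quoted path is the interposed binary
        if m and m.group(1) not in item.good:
            found.add(m.group(1))
    return found


def summarize(items: list[RegistryDataItem]) -> dict[str, int]:
    return dict(Counter(classify(i) for i in items))


if __name__ == "__main__":
    parsed = parse_registry_data_items(SAMPLE_MBAM_LOG)
    print(summarize(parsed))
    print(hijack_binaries(parsed))
```

Feed it a saved mbam-log-*.txt instead of the embedded sample to get the same breakdown for another log. Anything that comes back as exe-association-hijack or browser-launch-hijack means the path reported by hijack_binaries() was being executed every time the user started a program, so that file is the sample that matters, not the adware folders that make up most of the log.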

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.


Hi screen317,

Thanks for your help!!!! You are providing a very valuable service.

Since last post I have some success doing following.

1) Ran unhide.exe with some success getting files unhidden, although system folders on start menu are still empty.

2) I then ran Rkill after discovering I had Windows Recovery virus (in addition to Windows XP Security 2011), the log is attached.

3) After running Rkill, was able to finally update MBAM. Have run this 3 times (2 quick, 1 full scan) - all logs attached.

4) Installed Microsoft Security Essentials - ran full scan, log attached.

5) Updated Java JRE and Adobe Reader to latest versions

The infected PC is better than it was at original post. No more bogus security windows or hard drive errors, but still suffers from rogue IE windows, random audio Ads, IE scripting errors.

6) Just now launched DDS per your instructions, but got blue screen error after about 5 minutes. Rebooted, ran DDS, same result. Advice?

fcrider

-------------------

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 05/10/2011 at 13:22:43.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\All Users\Application Data\NuHveRXdmtu.exe

C:\Documents and Settings\All Users\Application Data\17555236.exe

Rkill completed on 05/10/2011 at 13:22:52.

----------------------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/10/2011 10:18:23 PM

mbam-log-2011-05-10 (22-18-23).txt

Scan type: Full scan (C:\|)

Objects scanned: 273804

Time elapsed: 5 hour(s), 32 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2560\A0164772.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2560\A0164773.exe (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2560\A0164774.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2560\A0164776.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2560\A0164777.exe (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2560\A0164778.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2567\A0165128.dll (Adware.SmartShopper) -> Quarantined and deleted successfully.

----------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6552

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/11/2011 8:06:02 AM

mbam-log-2011-05-11 (08-06-02).txt

Scan type: Quick scan

Objects scanned: 194142

Time elapsed: 24 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 1

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NuHveRXdmtu (Rogue.Agent.SA) -> Value: NuHveRXdmtu -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\John\Local Settings\Application Data\het.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\John\Local Settings\Application Data\het.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:

c:\documents and settings\John\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\John\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.

c:\documents and settings\John\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.

--------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6556

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/11/2011 1:46:12 PM

mbam-log-2011-05-11 (13-46-12).txt

Scan type: Full scan (C:\|)

Objects scanned: 289299

Time elapsed: 1 hour(s), 44 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 22

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2559\A0164764.exe (Adware.ScanQuery) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2561\A0164964.dll (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2561\A0164965.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2564\A0165098.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2564\A0165099.exe (Adware.ScanQuery) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2565\A0165105.dll (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2565\A0165106.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2569\A0165193.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2569\A0165194.exe (Adware.ScanQuery) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2571\A0165210.dll (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2571\A0165211.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2572\A0165302.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2572\A0165303.exe (Adware.ScanQuery) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2572\A0165305.dll (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2572\A0165306.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2574\A0166340.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2574\A0166342.dll (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2574\A0166343.exe (Adware.Agent.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2574\A0166344.exe (Adware.ScanQuery) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2581\A0169633.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2581\A0169634.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\RP2581\A0169635.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

----------------------------

2011-05-11T05:00:33.843Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)

2011-05-11T05:00:36.718Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 0.0.0.0 AS 0.0.0.0 AV 0.0.0.0

2011-05-11T05:04:32.484Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 1.1.6802.0 AS 1.103.1405.0 AV 1.103.1405.0

2011-05-11T06:22:43.921Z DETECTION Trojan:WinNT/Alureon.S file:C:\WINDOWS\System32\drivers\2995A3.sys

2011-05-11T06:46:35.125Z DETECTION Trojan:WinNT/Alureon.S file:C:\WINDOWS\system32\drivers\2995A3.sys

2011-05-11T06:46:35.156Z DETECTION Rogue:Win32/FakeRean file:C:\Documents and Settings\John\Local Settings\Application Data\het.exe

2011-05-11T06:46:35.171Z DETECTION Program:Win32/PowerRegScheduler file:c:\documents and settings\john\Start Menu\Programs\Startup\PowerReg Scheduler.exe

2011-05-11T06:50:11.890Z Service stopped with exit code 0x0

2011-05-11T06:51:39.140Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)

2011-05-11T06:52:22.875Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 1.1.6802.0 AS 1.103.1405.0 AV 1.103.1405.0

2011-05-11T07:09:20.390Z DETECTION Trojan:Win32/FakeSysdef file:C:\RECYCLER\S-1-5-21-214099845-1815002781-3652652152-1007\Dc12.exe->(UPX)

2011-05-11T07:09:23.328Z DETECTION Trojan:Win32/FakeSysdef file:C:\RECYCLER\S-1-5-21-214099845-1815002781-3652652152-1007\Dc16.exe->(UPX)

2011-05-11T07:09:24.890Z DETECTION Trojan:Win32/FakeSysdef file:C:\RECYCLER\S-1-5-21-214099845-1815002781-3652652152-1007\Dc17.exe

2011-05-11T14:07:12.656Z Service stopped with exit code 0x0

2011-05-11T14:08:39.656Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)

2011-05-11T14:09:01.890Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 1.1.6802.0 AS 1.103.1405.0 AV 1.103.1405.0

2011-05-11T17:32:58.546Z Service stopped with exit code 0x0

2011-05-11T17:34:15.625Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)

2011-05-11T17:34:31.796Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 1.1.6802.0 AS 1.103.1405.0 AV 1.103.1405.0

2011-05-11T19:08:54.328Z DETECTION Adware:Win32/ClickPotato file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2560\A0164775.dll

2011-05-11T19:09:26.000Z DETECTION BrowserModifier:Win32/Zwangi file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2561\A0164964.dll

2011-05-11T19:09:43.250Z DETECTION BrowserModifier:Win32/Zwangi file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2564\A0165098.exe

2011-05-11T19:09:45.390Z DETECTION BrowserModifier:Win32/Zwangi file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2565\A0165105.dll

2011-05-11T19:09:45.578Z DETECTION BrowserModifier:Win32/Zwangi file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2565\A0165106.exe

2011-05-11T19:10:06.765Z DETECTION BrowserModifier:Win32/Zwangi file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2571\A0165210.dll

2011-05-11T19:10:13.828Z DETECTION BrowserModifier:Win32/Zwangi file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2572\A0165305.dll

2011-05-11T19:10:18.515Z DETECTION BrowserModifier:Win32/Zwangi file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2574\A0166342.dll

2011-05-11T19:12:14.125Z DETECTION Trojan:WinNT/Alureon.S file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2581\A0169579.sys

2011-05-11T20:05:06.234Z Service stopped with exit code 0x0

2011-05-11T20:22:41.437Z Service started - Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094)

2011-05-11T20:22:57.171Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 1.1.6802.0 AS 1.103.1405.0 AV 1.103.1405.0

----------------------------------

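Added example (not from the original post and not part of Microsoft Security Essentials): the MSE log above mixes three kinds of hits that mean very different things. Paths under System Volume Information\_restore{...}\RPnnnn are System Restore snapshots of files that had already been removed, C:\RECYCLER\... is the Recycle Bin, and only the remaining paths are files that could still execute. Of those, Trojan:WinNT/Alureon.S in C:\WINDOWS\System32\drivers is a kernel driver (Alureon/TDSS is a kernel-mode rootkit family), which is the detection in this thread that deserves the most attention. The script below builds a timeline from the DETECTION lines, strips the "->(UPX)" container suffix, and separates live hits from archived ones. The sample log is a constructed subset of the lines posted above; the function and class names are my own assumptions.

```python
"""Build a timeline from Microsoft Security Essentials DETECTION log lines and
separate live files from System Restore / Recycle Bin copies.  Example code
written for this thread; the names are assumptions, not part of MSE."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: a subset of the MSE lines posted in this thread.
SAMPLE_MSE_LOG = r"""
2011-05-11T06:22:43.921Z DETECTION Trojan:WinNT/Alureon.S file:C:\WINDOWS\System32\drivers\2995A3.sys
2011-05-11T06:46:35.125Z DETECTION Trojan:WinNT/Alureon.S file:C:\WINDOWS\system32\drivers\2995A3.sys
2011-05-11T06:46:35.156Z DETECTION Rogue:Win32/FakeRean file:C:\Documents and Settings\John\Local Settings\Application Data\het.exe
2011-05-11T06:50:11.890Z Service stopped with exit code 0x0
2011-05-11T07:09:20.390Z DETECTION Trojan:Win32/FakeSysdef file:C:\RECYCLER\S-1-5-21-214099845-1815002781-3652652152-1007\Dc12.exe->(UPX)
2011-05-11T19:08:54.328Z DETECTION Adware:Win32/ClickPotato file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2560\A0164775.dll
2011-05-11T19:12:14.125Z DETECTION Trojan:WinNT/Alureon.S file:C:\System Volume Information\_restore{31414675-6CBE-4639-8F67-8C2E395D7683}\RP2581\A0169579.sys
"""

_DETECTION = re.compile(r"^(?P<ts>\S+) DETECTION (?P<threat>\S+) file:(?P<path>.+)$")
_CONTAINER = re.compile(r"->\((?P<packer>[^)]+)\)$")          # e.g. "...\Dc12.exe->(UPX)"
_RESTORE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(?P<rp>\d+)\\", re.I
)
_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


@dataclass(frozen=True)
class Detection:
    when: datetime
    threat: str
    path: str
    packer: str | None        # set when MSE matched inside a packed container
    location: str             # "live", "restore-point" or "recycle-bin"
    restore_point: int | None


def locate(path: str) -> tuple[str, int | None]:
    """Decide whether a path is a live file or an archived copy."""
    m = _RESTORE.search(path)
    if m:
        return "restore-point", int(m.group("rp"))
    if path.lower().startswith("c:\\recycler\\"):
        return "recycle-bin", None
    return "live", None


def parse_mse_log(log_text: str) -> list[Detection]:
    out: list[Detection] = []
    for raw in log_text.splitlines():
        m = _DETECTION.match(raw.strip())
        if not m:
            continue          # service start/stop and version lines are not detections
        path = m.group("path")
        packer = None
        c = _CONTAINER.search(path)
        if c:
            packer = c.group("packer")
            path = path[: c.start()]
        when = datetime.strptime(m.group("ts"), _TS_FORMAT).replace(tzinfo=timezone.utc)
        location, rp = locate(path)
        out.append(Detection(when, m.group("threat"), path, packer, location, rp))
    return sorted(out, key=lambda d: d.when)


def live_threats(dets: list[Detection]) -> dict[str, list[str]]:
    """threat -> distinct live paths (case-insensitive, in first-seen order)."""
    result: dict[str, list[str]] = {}
    for d in dets:
        if d.location != "live":
            continue
        paths = result.setdefault(d.threat, [])
        if d.path.lower() not in (p.lower() for p in paths):
            paths.append(d.path)
    return result


def first_seen(dets: list[Detection]) -> dict[str, datetime]:
    seen: dict[str, datetime] = {}
    for d in dets:            # dets is sorted, so the earliest hit wins
        seen.setdefault(d.threat, d.when)
    return seen


if __name__ == "__main__":
    timeline = parse_mse_log(SAMPLE_MSE_LOG)
    for d in timeline:
        print(d.when.isoformat(), d.location, d.threat, d.path)
    print(live_threats(timeline))
```

Run against the full MSE history and the restore-point hits drop out of live_threats(), leaving the driver in System32\drivers and het.exe as the only files that were actually in a position to run; the first_seen() timestamps show that both were flagged within the first scan, before any of the restore-point cleanup.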

3rd time's a charm I guess. DDS successfully scanned, DDS.txt log attached.

Thanks,

fcrider

------------------

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by John at 0:08:52.00 on Thu 05/12/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.353 [GMT -6:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DIGStream\digstream.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\Logitech\ImageStudio\LogiTray.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Program Files\lg_fwupdate\fwupdate.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Garmin\gStart.exe

C:\Program Files\Logitech\ImageStudio\LowLight.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\John\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.nytimes.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.dellnet.com

uWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll

BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: ZuneIEPlugin.ZuneBHO: {a8533c62-9399-4640-b36b-d1dde91eb8b1} - mscoree.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [WebCamRT.exe]

uRun: [gStart] c:\garmin\gStart.exe

uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe

mRun: [DIGStream] c:\program files\digstream\digstream.exe

mRun: [updReg] c:\windows\Updreg.exe

mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe

mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE

mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe

mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe

mRun: [<NO NAME>]

mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"

mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun

mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\xxx123.exe" /runcleanupscript

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe

uPolicies-explorer: <NO NAME> =

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {00951C02-5731-44e9-B2F5-544EC2279417} - {00951C02-5731-44e9-B2F5-544EC2279417} - mscoree.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

Trusted Zone: musicmatch.com\online

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab

DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coupons.smartsource.com/download/cscmv5X.cab

DPF: {6CB5E471-C305-11D3-99A8-000086395495} - hxxp://toolbar.google.com/data/en/deleon/1.1.57-deleon/GoogleNav.cab

DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL

WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL

Notify: ackpbsc - c:\windows\system32\ackpbsc.dll

Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\sj7u8ush.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 MpKsl5ed1713c;MpKsl5ed1713c;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2d622d29-1464-494a-9c2b-f0eb4e453d7e}\MpKsl5ed1713c.sys [2011-5-11 28752]

R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2008-5-13 198184]

R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [2007-4-6 13619]

R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [2009-10-29 9493]

R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [2007-4-6 13647]

R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [2009-10-29 10161]

S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2004-10-15 15104]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2009-10-29 27008]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

.

=============== Created Last 30 ================

.

2011-05-11 20:22:59 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2d622d29-1464-494a-9c2b-f0eb4e453d7e}\MpKsl5ed1713c.sys

2011-05-11 20:01:45 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2011-05-11 16:42:16 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-11 16:19:38 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-05-11 16:19:38 215920 ----a-w- c:\windows\system32\muweb.dll

2011-05-11 16:19:38 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2011-05-11 05:03:58 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2d622d29-1464-494a-9c2b-f0eb4e453d7e}\mpengine.dll

2011-05-11 05:03:31 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-11 05:00:02 -------- d-----w- c:\program files\Microsoft Security Client

2011-05-09 03:45:38 -------- d-s---w- C:\ComboFix

2011-05-07 16:55:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-04 18:58:50 -------- d-----w- c:\documents and settings\john\Citrix

2011-04-17 22:05:34 -------- d-----w- c:\program files\X2Xsoft

2011-04-17 20:52:56 -------- d-----w- c:\program files\MyTube

2011-04-17 20:24:10 650752 ----a-w- c:\windows\system32\xvidcore.dll

2011-04-17 20:24:10 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2011-04-17 20:24:10 152064 ----a-w- c:\windows\system32\xvid.ax

2011-04-17 20:24:08 -------- d-----w- c:\program files\Xvid

.

==================== Find3M ====================

.

2011-05-11 16:41:48 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2001-06-20 23:19:18 40960 ----a-w- c:\program files\ACMonitor_X83.exe

.

============= FINISH: 0:12:55.95 ===============


Hi screen317,

Update on my infected PC:

First 3 attempts to run ComboFix resulted in a BSOD right after launch. After a little research on the BSOD error (....DRIVER_IRQL_NOT_LESS_OR_EQUAL....IDECHNDR.SYS...) I ran scandisk, which found/repaired one bad sector on the C: drive. Then I created a restore point and uninstalled Intel Application Accelerator (based on the release notes, not required for my HDD config).

Relaunched ComboFix at 1300 (MDT) and it got past the point at which it BSODed last time (woohoo!) but seems to be frozen at the moment. I will let it run until I hear from you or it completes/croaks, whichever comes first. Hopefully I will post a log file soon.

fcrider


Did a cold reboot. ComboFix ran this time (yeah!). During the log report phase, a popup window said something like "could not locate HP support blah blah..." and asked me to insert the disk. I clicked "cancel" but the window kept popping up. After 3 or 4 times, it went away.

Thanks,

fcrider

---------------------------------------------------------------------

ComboFix 11-05-13.02 - John 05/13/2011 19:53:21.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.431 [GMT -6:00]

Running from: c:\documents and settings\John\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\John\WINDOWS

c:\windows\Downloaded Program Files\CpnMgr.dll

c:\windows\system32\AutoRun.inf

.

Infected copy of c:\windows\SYSTEM32\eudcedit.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eudcedit.exe

.

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))

.

.

2011-05-13 15:36 . 2011-05-13 15:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2011-05-13 00:16 . 2011-04-11 06:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AF6C6F3C-22D0-4270-8D70-6729F13EEEA3}\mpengine.dll

2011-05-12 06:12 . 2011-04-11 06:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-05-11 20:01 . 2011-05-11 20:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2011-05-11 17:03 . 2011-05-11 17:03 -------- d-----w- c:\program files\Common Files\Adobe AIR

2011-05-11 16:42 . 2011-05-11 16:42 -------- d-----w- c:\program files\Common Files\Java

2011-05-11 16:42 . 2011-05-11 16:41 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-11 16:19 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-05-11 16:19 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll

2011-05-11 06:52 . 2011-05-11 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream

2011-05-11 05:03 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-11 05:00 . 2011-05-11 05:00 -------- d-----w- c:\program files\Microsoft Security Client

2011-05-07 16:55 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-04 18:58 . 2011-05-04 18:58 -------- d-----w- c:\documents and settings\John\Citrix

2011-04-18 14:24 . 2011-04-18 14:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-04-17 22:05 . 2011-04-17 22:05 -------- d-----w- c:\program files\X2Xsoft

2011-04-17 20:52 . 2011-04-17 20:52 -------- d-----w- c:\program files\MyTube

2011-04-17 20:24 . 2011-03-21 13:58 152064 ----a-w- c:\windows\system32\xvid.ax

2011-04-17 20:24 . 2011-03-19 15:06 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2011-04-17 20:24 . 2011-03-19 15:04 650752 ----a-w- c:\windows\system32\xvidcore.dll

2011-04-17 20:24 . 2011-04-17 20:24 -------- d-----w- c:\program files\Xvid

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-11 16:41 . 2010-07-31 21:36 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-07 05:33 . 2004-06-07 20:19 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2004-03-07 18:28 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2002-02-20 23:46 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06 . 2004-12-07 23:37 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2004-03-07 18:25 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2004-03-07 18:25 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 13:18 . 2001-08-18 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2001-08-18 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2009-12-05 16:36 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56 . 2001-08-18 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll

2001-06-20 23:19 . 2001-06-19 23:34 40960 ----a-w- c:\program files\ACMonitor_X83.exe

2008-11-15 08:02 . 2008-05-03 16:44 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2008-11-15 08:02 . 2008-05-03 16:44 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2008-11-15 08:02 . 2008-05-03 16:44 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2008-11-15 08:02 . 2008-05-03 16:44 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2008-11-15 08:02 . 2008-05-03 16:44 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-20 68856]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]

"gStart"="c:\garmin\gStart.exe" [2006-09-06 1891416]

"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]

"UpdReg"="c:\windows\Updreg.exe" [2000-05-11 90112]

"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]

"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]

"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-11 155648]

"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-11 61440]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2008-05-13 297000]

"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-22 557056]

"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\Guest\Start Menu\Programs\Startup\

Webshots.lnk - c:\program files\Webshots\WebshotsTray.exe [N/A]

.

c:\documents and settings\John\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2008-5-13 128552]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-10-9 169472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2008-05-13 16:20 109568 ----a-w- c:\windows\SYSTEM32\ackpbsc.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2008-05-13 16:20 286720 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk

backup=c:\windows\pss\America Online 7.0 Tray Icon.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-11-18 03:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"HPSLPSVC"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AirPort\\APAgent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:UDP"= 5353:UDP:Bonjour

.

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/13/2008 10:20 AM 198184]

R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\SYSTEM32\DRIVERS\akbus.sys [4/6/2007 11:46 AM 13619]

R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\SYSTEM32\DRIVERS\akpcsc.sys [10/29/2009 2:15 PM 9493]

R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\SYSTEM32\DRIVERS\aksbus.sys [4/6/2007 11:46 AM 13647]

R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\SYSTEM32\DRIVERS\akspcsc.sys [10/29/2009 2:15 PM 10161]

S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\SYSTEM32\DRIVERS\usbscan.sys [10/15/2004 9:44 AM 15104]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 5:14 PM 135664]

S3 AKSIM;ActivKey Sim;c:\windows\SYSTEM32\DRIVERS\aksim.sys [10/29/2009 2:15 PM 27008]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 5:14 PM 135664]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

2011-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 23:14]

.

2011-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 23:14]

.

2011-05-14 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]

.

2005-11-16 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-02-24 19:24]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.nytimes.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html

IE: {{00951C02-5731-44e9-B2F5-544EC2279417} - {00951C02-5731-44e9-B2F5-544EC2279417} - mscoree.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\sj7u8ush.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-WebCamRT.exe - (no file)

HKLM-Run-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe

HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\xxx123.exe

MSConfigStartUp-Lexmark X83 Button Manager - c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

MSConfigStartUp-Lexmark X83 Button Monitor - c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

MSConfigStartUp-MimBoot - c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

AddRemove-DivX 5.0.2 Bundle - c:\windows\unvise32.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-13 20:08

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(560)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\accrypto.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\asphatrc.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\windows\system32\aicext.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Localized\acunlockrc.dll

.

- - - - - - - > 'explorer.exe'(3992)

c:\windows\system32\WININET.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\ActivIdentity\ActivClient\acevents.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\drivers\CDAC11BA.EXE

c:\windows\System32\CTsvcCDA.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\MsPMSPSv.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\devldr32.exe

c:\program files\ActivIdentity\ActivClient\acevents.exe

c:\program files\Microsoft ActiveSync\WCESCOMM.EXE

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\msiexec.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2011-05-13 20:18:52 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-14 02:18

.

Pre-Run: 13,337,649,152 bytes free

Post-Run: 14,010,056,704 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 681538FB085D68DA09E0BA4986809700


Microsoft wanted to install some updates, so I let it (hope that's ok), rebooted, then ran DDS; log attached.

BTW, the PC is noticeably faster and, more importantly, no rogue popups or audio ads (!) thus far...

hopeful,

fcrider

--------------------------------------

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by John at 21:11:55.07 on Fri 05/13/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.354 [GMT -6:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DIGStream\digstream.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\Logitech\ImageStudio\LogiTray.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Program Files\lg_fwupdate\fwupdate.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Garmin\gStart.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

C:\Documents and Settings\John\Desktop\dds.scr

C:\Program Files\iPod\bin\iPodService.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.nytimes.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll

BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: ZuneIEPlugin.ZuneBHO: {a8533c62-9399-4640-b36b-d1dde91eb8b1} - mscoree.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [gStart] c:\garmin\gStart.exe

uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [DIGStream] c:\program files\digstream\digstream.exe

mRun: [updReg] c:\windows\Updreg.exe

mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe

mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE

mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe

mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe

mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"

mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun

mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\john\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe

StartupFolder: c:\docume~1\john\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe

StartupFolder: c:\docume~1\john\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

uPolicies-explorer: <NO NAME> =

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {00951C02-5731-44e9-B2F5-544EC2279417} - {00951C02-5731-44e9-B2F5-544EC2279417} - mscoree.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab

DPF: {6CB5E471-C305-11D3-99A8-000086395495} - hxxp://toolbar.google.com/data/en/deleon/1.1.57-deleon/GoogleNav.cab

DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL

WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL

WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL

Notify: ackpbsc - c:\windows\system32\ackpbsc.dll

Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\sj7u8ush.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2008-5-13 198184]

R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [2007-4-6 13619]

R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [2009-10-29 9493]

R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [2007-4-6 13647]

R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [2009-10-29 10161]

S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2004-10-15 15104]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2009-10-29 27008]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

.

=============== Created Last 30 ================

.

2011-05-14 01:49:49 -------- d-sha-r- C:\cmdcons

2011-05-14 01:45:31 98816 ----a-w- c:\windows\sed.exe

2011-05-14 01:45:31 89088 ----a-w- c:\windows\MBR.exe

2011-05-14 01:45:31 256512 ----a-w- c:\windows\PEV.exe

2011-05-14 01:45:31 161792 ----a-w- c:\windows\SWREG.exe

2011-05-13 00:16:55 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{af6c6f3c-22d0-4270-8d70-6729f13eeea3}\mpengine.dll

2011-05-12 06:12:39 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2011-05-11 20:01:45 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2011-05-11 16:42:16 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-11 16:19:38 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-05-11 16:19:38 215920 ----a-w- c:\windows\system32\muweb.dll

2011-05-11 16:19:38 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2011-05-11 05:03:31 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-11 05:00:02 -------- d-----w- c:\program files\Microsoft Security Client

2011-05-07 16:55:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-04 18:58:50 -------- d-----w- c:\documents and settings\john\Citrix

2011-04-17 22:05:34 -------- d-----w- c:\program files\X2Xsoft

2011-04-17 20:52:56 -------- d-----w- c:\program files\MyTube

2011-04-17 20:24:10 650752 ----a-w- c:\windows\system32\xvidcore.dll

2011-04-17 20:24:10 240640 ----a-w- c:\windows\system32\xvidvfw.dll

2011-04-17 20:24:10 152064 ----a-w- c:\windows\system32\xvid.ax

2011-04-17 20:24:08 -------- d-----w- c:\program files\Xvid

.

==================== Find3M ====================

.

2011-05-11 16:41:48 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2001-06-20 23:19:18 40960 ----a-w- c:\program files\ACMonitor_X83.exe

.

============= FINISH: 21:14:10.40 ===============


  • Staff

Hi,

Please update MBAM, run a Quick Scan, and post its log.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Screen317,

Sorry for the delay in responding - busy with work stuff.

Infected PC is running much better. No signs of infection with one exception. MSE found one threat in real-time mode: Aleurion.K (disinfected)

MBAM, ESET and SC logs attached.

THANK YOU!!!!

fcrider

---------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6618

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/19/2011 11:19:37 AM

mbam-log-2011-05-19 (11-19-37).txt

Scan type: Quick scan

Objects scanned: 203395

Time elapsed: 41 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

------------------------------------

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=6bb330ee25fb4c41a0acbd918c6f8a40

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-19 08:03:09

# local_time=2011-05-19 02:03:09 (-0700, Mountain Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5891 16776533 42 87 0 16929515 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 0 4 227647210 227647210 0 0

# scanned=83353

# found=2

# cleaned=2

# scan_time=7140

C:\Program Files\Uniblue\RegistryBooster\Launcher.exe a variant of Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

---------------------------------

Results of screen317's Security Check version 0.99.11

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Microsoft Security Essentials

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner (remove only)

Java 6 Update 25

Adobe Flash Player

Adobe Reader 9.4.4

Out of date Adobe Reader installed!

Mozilla Firefox (2.0.0) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Microsoft Security Essentials msseces.exe

Microsoft Security Client Antimalware MsMpEng.exe

``````````End of Log````````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Adobe Flash Player

Adobe Reader 9.4.4

Restart your computer.

Get the latest version of Java, Adobe Reader, and Adobe Flash Player.

Also update Firefox; ensure that you're using version 4.

Let me know what issues remain.

-screen317


Hello 317,

All tasks completed per your instructions, and now using Firefox 4.0 as default browser (I don't need .NET active on this PC anymore). The only discernible nit I have is that my 'Administrative Tools' folder is still empty. All the other empty folders repopulated after the ComboFix ran. Any ideas?

Thanks,

fcrider


  • Staff

Unfortunately you'll have to repopulate that folder manually; the malware hid the contents of that folder in your Temp files, which were subsequently deleted.

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


Thanks S317!!!

I'm taking your advice and installing MBAM Pro as well as Spyware Buster on both of my PCs. Having the peace of mind that I have preventative measures is well worth the cost. Thank you again for all of your help!

Hopefully I will not need your services again, but it's good to know you guys are looking out for us!!

Regards,

fcrider

:D


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
