Better Safe than Sorry


Background:

Recently I contracted a nasty virus from Facebook. Probably half an hour or so after I got it, my computer shut down and all subsequent attempts to reboot ended the same way. First, the computer would boot into Safe Mode, then restart itself before any icons loaded. Second, upon the restart, the computer would go to the Windows login screen and then begin shutting itself down again. It was possible to log in, but impossible to do anything (I always got the "This program can't open because Windows is shutting down" message). If I did not log in, it would just restart itself back into Safe Mode (no icons) and then back to the login screen etc. Even disabling "automatic restart" (from pushing F8 upon bootup) did not keep the computer from restarting itself.

In any case, about a day later I was finally able to fully boot (I had to disconnect from the internet in order to do it). The first thing I did was attempt to run a virus scan (I use Comodo). Much to my dismay, I no longer had an AV program. I still had AV icons and folders (the symbol was even in the system tray and it showed up in Add/Remove Programs), but there was no actual program... nothing I clicked on would open my AV. So, I went to uninstall it. I was unable to do so. I got a message about a missing *.msi file. So, I just tried to reinstall. No luck there either. I was told there was already a copy installed that I would have to uninstall.

Long story short, I was eventually able to uninstall, then reinstall my AV (once again, Comodo). The next thing I did was get Mbam. I ran full scans with both of those and was cautiously optimistic that I was clean. However, Mbam kept giving me notices of blocking outgoing attempts and specific internet pages would not load (specifically Facebook). I flushed the DNS and all that good stuff but still no go. Furthermore, my browser (Comodo Dragon) randomly shuts down.

Skip to the end: I eventually got Facebook loading again, but Mbam is still stopping all sorts of outgoing attempts. Granted, if it's blocking, that means it's doing its job... but I'd rather it not have a job to do. The browser hasn't shut itself down since Facebook came back, but I don't know that there is any connection between the two. I've asked Comodo about it, and they said perhaps it is an infection.

Both Mbam and Comodo now report that I am clean, but I'm no expert, so I don't delude myself into thinking that my manual removal got everything. So I come to the good people here to help me find anything I missed.

DDS Scan Log

-------------------------

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24

Run by ADMIN at 20:47:23 on 2011-08-25

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2557 [GMT 7:00]

.

AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

FW: COMODO Firewall *Enabled*

.

============== Running Processes ===============

.

C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

E:\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe

C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Tunngle\TnglCtrl.exe

C:\WINDOWS\system32\atwtusb.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\atwtusb.exe

svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\COMODO\COMODO GeekBuddy\CLPS.exe

E:\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\IObit\Advanced SystemCare 4\Suo10_SmartRAM.exe

C:\Program Files\AirLive WL-1700USB\AirLive WL-1700USB Wireless Lan Utility\RtWLan.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

uRun: [smartRAM] "c:\program files\iobit\advanced systemcare 4\Suo10_SmartRAM.exe" /m

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe

mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot

mRun: [NUSB3MON] "c:\program files\nec electronics\usb 3.0 host controller driver\application\nusb3mon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\QTTask.exe" -atboottime

mRun: [bCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe

mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [COMODO Internet Security] "e:\comodo\comodo internet security\cfp.exe" -h

mRun: [TblMouse] TblMouse.exe

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10k_ActiveX.exe -update activex

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\airliv~1.lnk - c:\program files\airlive wl-1700usb\airlive wl-1700usb wireless lan utility\RtWLan.exe

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableSecureUIAPaths = 0 (0x0)

IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm

IE: ??&????????? Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{30F3F535-58D1-4C53-8580-6C59800703B1} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{BA7F5B2E-A772-4FD3-A47C-0A88A9C0D93C} : NameServer = 156.154.70.22,156.154.71.22

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\windows\system32\guard32.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

SecurityProviders: msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\qectkv4b.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT1060933&SearchSource=13

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 9666

FF - prefs.js: network.proxy.socks - localhost

FF - prefs.js: network.proxy.socks_port - 9050

FF - prefs.js: network.proxy.ssl - localhost

FF - prefs.js: network.proxy.ssl_port - 9666

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\qectkv4b.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko19.dll

FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\qectkv4b.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko5.dll

FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\qectkv4b.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko6.dll

FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll

FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\qectkv4b.default\extensions\{4d144bc3-23fb-47de-90c5-63ccb0139ccf}\plugins\npww.dll

FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: e:\music\00itunes\mozilla plugins\npitunes.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}

FF - Ext: TradeManager-Plugin: {4D144BC3-23FB-47de-90C5-63CCB0139CCF} - %profile%\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: UltraSurf Firefox Tool: {5B52016C-D097-4aec-BE61-9F129D8FDDBA} - %profile%\extensions\{5B52016C-D097-4aec-BE61-9F129D8FDDBA}

FF - Ext: PermissionResearch: {32c1ae0f-a1ed-4128-b922-7e83a47d79b7} - %profile%\extensions\{32c1ae0f-a1ed-4128-b922-7e83a47d79b7}

FF - Ext: Freecorder Community Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - %profile%\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

============= SERVICES / DRIVERS ===============

.

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-8-7 13496]

R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2010-8-23 18984]

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-9-10 17416]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 242600]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 29400]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-8-7 328536]

R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2010-8-23 219360]

R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-5-26 154424]

R2 cmdAgent;COMODO Internet Security Helper Service;e:\comodo\comodo internet security\cmdagent.exe [2011-6-30 1793712]

R2 ezGOSvc;Easybits GO Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]

R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-8-7 821080]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-22 366640]

R2 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2011-1-8 718072]

R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-22 22712]

R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2009-11-20 58880]

R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2009-11-20 137728]

R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-8-7 30368]

R3 RTLWUSB;AirLive WL-1700USB;c:\windows\system32\drivers\RTL8187.sys [2010-8-24 323328]

R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2011-1-8 27136]

R3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-8-7 16080]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ddservice;ddservice;c:\windows\update.7.1\svchostdriver.exe srv --> c:\windows\update.7.1\svchostdriver.exe srv [?]

S2 NetExtAuth;Network Extensible Authentication; [x]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-23 1691480]

S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]

S3 cpuz130;cpuz130;\??\c:\docume~1\admin\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\admin\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-9-15 25832]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-8-7 239472]

.

=============== File Associations ===============

.

chm.file="hh.exe" %1

txtfile=c:\windows\notepad.exe %1

.

=============== Created Last 30 ================

.

2011-08-25 13:15:37 -------- d-sh--w- C:\found.008

2011-08-25 12:18:59 388096 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-08-25 10:22:42 -------- d-----w- c:\program files\ESET

2011-08-25 08:52:03 11559 ----a-w- C:\Comodo_Support_Tool.cmd

2011-08-23 13:48:17 -------- d-----w- c:\program files\Power Presenter RE II

2011-08-23 13:31:08 -------- d-----w- c:\documents and settings\admin\application data\Artweaver

2011-08-23 13:30:59 -------- d-----w- c:\documents and settings\all users\application data\Artweaver

2011-08-23 13:30:13 6144 ----a-r- c:\windows\system32\drivers\moufiltr.sys

2011-08-23 13:30:03 6144 ----a-r- c:\windows\system32\drivers\walvhid.sys

2011-08-23 13:30:02 -------- d-----w- c:\windows\vhid

2011-08-22 08:01:01 -------- d--h--w- C:\VritualRoot

2011-08-22 07:55:32 -------- d-----w- c:\documents and settings\all users\application data\Comodo

2011-08-22 07:22:33 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader

2011-08-22 07:11:16 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes

2011-08-22 07:11:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-22 07:11:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-08-22 07:11:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-22 07:11:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-21 13:02:31 -------- d-----w- c:\program files\COMODO

2011-08-21 12:55:11 -------- d-----w- c:\program files\AMD APP

2011-08-21 12:54:09 956160 ----a-w- c:\windows\system32\ativvamv.dll

2011-08-21 12:35:46 -------- d-----w- c:\windows\ufa

2011-08-21 12:35:46 -------- d-----w- c:\windows\phoenix

2011-08-21 12:28:20 -------- d--h--w- c:\windows\update.5.0

2011-08-21 12:27:51 246272 ----a-w- c:\windows\unrar.exe

2011-08-21 12:27:38 -------- d--h--w- c:\windows\update.7.1

2011-08-21 12:27:13 -------- d--h--w- c:\windows\update.2

2011-08-21 12:13:38 -------- d--h--w- c:\windows\update.1

2011-08-21 12:13:38 -------- d-----w- c:\windows\av_ico

2011-08-21 12:07:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-21 12:01:47 185344 ----a-w- c:\windows\system32\wbem\framedyn.dll

2011-08-21 11:47:08 -------- d--h--w- c:\windows\update.tray-5-0

2011-08-21 10:55:48 106496 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe

2011-08-21 10:55:48 106496 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe

2011-08-21 10:55:48 106496 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{3ca54984-a14b-42fe-9ff1-7ea90151d725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe

2011-08-21 10:55:45 -------- d-----w- c:\program files\common files\Tencent

2011-08-21 10:54:22 -------- d-----w- c:\documents and settings\admin\application data\Tencent

2011-08-11 07:19:16 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2011-08-11 07:19:16 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2011-08-11 07:18:51 -------- d-----w- c:\program files\iPod

2011-08-11 07:18:49 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2011-08-11 07:18:29 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll

2011-08-11 07:18:29 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll

2011-08-11 07:18:29 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll

2011-08-11 07:18:29 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll

2011-08-11 07:18:29 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll

2011-08-11 07:18:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-08-11 07:18:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-08-11 07:18:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-08-11 07:18:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-08-11 07:18:29 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-08-07 14:03:47 -------- d-----w- c:\documents and settings\admin\local settings\application data\PCHealth

2011-08-07 12:50:56 457856 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2011-08-07 12:47:52 2690560 -c----w- c:\windows\system32\dllcache\mstscax.dll

2011-08-07 12:47:52 1034240 -c----w- c:\windows\system32\dllcache\mstsc.exe

2011-08-07 12:47:18 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2011-08-07 12:47:17 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2011-08-07 12:47:17 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2011-08-07 12:19:48 -------- d-----w- c:\windows\system32\winrm

2011-08-07 12:19:48 -------- d-----w- c:\windows\system32\GroupPolicy

2011-08-07 12:19:34 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

2011-08-07 12:08:54 -------- d--h--w- c:\windows\$hf_mig$

2011-08-07 11:58:16 221184 ----a-w- c:\windows\system32\wmpns.dll

2011-08-07 11:30:25 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe

2011-08-07 11:30:23 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2011-08-07 11:29:46 -------- d-----w- c:\program files\Application Updater

2011-08-07 11:29:41 -------- d-----w- c:\program files\IObit Toolbar

2011-08-06 06:33:15 109248 ----a-w- c:\windows\system32\mswinsck.ocx

2011-08-06 06:33:13 -------- d-----w- c:\program files\IceChat7

.

==================== Find3M ====================

.

2011-08-22 05:44:30 17488 ----a-w- c:\windows\gdrv.sys

2011-08-11 10:15:30 285256 ----a-w- c:\windows\system32\guard32.dll

2011-08-11 10:15:20 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2011-08-11 10:15:17 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys

2011-08-11 10:15:13 242600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2011-06-09 05:43:50 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-06-09 05:43:50 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-06-02 14:07:36 1867904 ----a-w- c:\windows\system32\win32k.sys

2011-05-28 06:59:01 73600 ----a-w- c:\windows\system32\ezGOSvc.dll

2011-05-28 06:59:01 718208 ----a-w- c:\windows\system32\ezGOSvcApp.exe

.

============= FINISH: 20:48:12.21 ===============

ark.log

Attach.txt

hijackthis.log


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


  • 2 weeks later...
  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
