Jump to content

Recommended Posts

My daughter's laptop bogged down and started redirecting searches in her Chrome browser. I checked Firefox and Internet Explorer and they also suffered redirects.

I ran Malwarebytes and removed about a dozen problems. I also ran SuperAntiSpyware and removed numerous other problems.

I tried to install and run Windows Defender, but it kept hanging up with an error indicating I did not have proper privileges to run.

First time trying this help process, so I look forward to your assistance.

Thank you.

Here are the logs:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Owner at 17:44:16 on 2011-10-17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.263 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Secunia\PSI\PSIA.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} -

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Ask Toolbar BHO: {d4027c7f-154a-4066-a1ad-4243d8127440} - Nero Toolbar

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Google Update] "c:\documents and settings\owner.mobile1\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [Advanced SystemCare 4] c:\program files\iobit\advanced systemcare 4\ASCTray.exe

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [strgSync.exe] c:\program files\storagesync\StrgSync.exe -w

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

StartupFolder: c:\docume~1\owner~1.mob\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

uPolicies-explorer: NoInstrumentation = 1 (0x1)

IE: &Search

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{FE808127-FC8C-4040-BF88-3E88427E8701} : DhcpNameServer = 192.168.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: AtiExtEvent - Ati2evxx.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner.mobile1\application data\mozilla\firefox\profiles\u17rr9ks.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=685749&p=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\owner.mobile1\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\docume~1\owner~1.mob\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\docume~1\owner~1.mob\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-5-19 328536]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-17 366152]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-7-29 994360]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-12-17 200576]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-17 22216]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2005-11-22 69692]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2010-8-26 10112]

S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2007-1-16 163840]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2005-11-23 14336]

.

=============== Created Last 30 ================

.

2011-10-17 22:07:31 388096 ----a-r- c:\documents and settings\owner.mobile1\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-10-17 22:07:29 -------- d-----w- c:\program files\Trend Micro

2011-10-17 21:46:14 83224 ----a-w- c:\program files\windows defender\TBD1AC.tmp

2011-10-17 21:37:14 -------- d-----w- c:\documents and settings\owner.mobile1\application data\ElevatedDiagnostics

2011-10-17 19:45:44 -------- d-----w- c:\documents and settings\owner.mobile1\application data\SUPERAntiSpyware.com

2011-10-17 19:45:44 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-10-17 07:45:57 -------- d-----w- c:\documents and settings\owner.mobile1\local settings\application data\Secunia PSI

2011-10-17 07:45:41 -------- d-----w- c:\program files\Secunia

2011-10-17 06:53:35 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-17 06:53:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-17 04:57:56 -------- d-----w- c:\documents and settings\owner.mobile1\application data\IObit

2011-10-16 02:00:52 -------- d-----w- c:\documents and settings\owner.mobile1\application data\QuickScan

2011-10-14 06:27:18 -------- d-----w- c:\documents and settings\owner.mobile1\application data\OpswatLogs

.

==================== Find3M ====================

.

2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

============= FINISH: 17:45:44.87 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 1/12/2006 10:06:48 PM

System Uptime: 10/17/2011 4:21:28 PM (1 hours ago)

.

Motherboard: Gateway | |

Processor: AMD Turion 64 Mobile Technology ML-32 | Socket 754 | 1794/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 68 GiB total, 24.86 GiB free.

D: is FIXED (FAT32) - 7 GiB total, 4.764 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP37: 3/26/2011 11:51:29 PM - Software Distribution Service 3.0

RP38: 3/28/2011 12:31:40 AM - System Checkpoint

RP39: 3/29/2011 2:11:47 AM - System Checkpoint

RP40: 3/30/2011 2:11:54 AM - System Checkpoint

RP41: 3/31/2011 2:18:22 AM - System Checkpoint

RP42: 4/1/2011 5:30:49 AM - System Checkpoint

RP43: 4/3/2011 3:47:49 AM - System Checkpoint

RP44: 4/4/2011 3:53:30 AM - System Checkpoint

RP45: 4/5/2011 4:18:35 AM - System Checkpoint

RP46: 4/6/2011 5:08:05 AM - System Checkpoint

RP47: 4/17/2011 11:36:38 PM - Software Distribution Service 3.0

RP48: 4/27/2011 2:10:16 AM - Software Distribution Service 3.0

RP49: 4/27/2011 2:39:56 AM - Software Distribution Service 3.0

RP50: 5/10/2011 6:10:14 PM - System Checkpoint

RP51: 5/20/2011 12:53:11 AM - Software Distribution Service 3.0

RP52: 5/24/2011 4:30:14 PM - System Checkpoint

RP53: 5/24/2011 5:37:18 PM - Installed %1 %2.

RP54: 5/24/2011 5:37:57 PM - Installed Windows XP Update for Microsoft Windows (KB971513).

RP55: 5/24/2011 5:38:42 PM - Installed %1 %2.

RP56: 5/24/2011 5:44:27 PM - Installed Windows XP KB2447568.

RP57: 5/24/2011 5:44:47 PM - Installed Microsoft Visual C++ 2005 Redistributable - KB2467175

RP58: 5/24/2011 5:46:56 PM - Installed Windows XP KB2492386.

RP59: 6/16/2011 3:01:13 AM - Software Distribution Service 3.0

RP60: 6/17/2011 3:01:22 AM - System Checkpoint

RP61: 9/7/2011 1:05:10 AM - Software Distribution Service 3.0

RP62: 10/14/2011 1:05:07 AM - Software Distribution Service 3.0

RP63: 10/14/2011 1:53:07 AM - Software Distribution Service 3.0

RP64: 10/16/2011 11:26:10 PM - IObit Uninstaller restore point

RP65: 10/16/2011 11:29:02 PM - IObit Uninstaller restore point

RP66: 10/16/2011 11:29:30 PM - Removed BlackBerry Device Software Updater.

RP67: 10/16/2011 11:31:51 PM - IObit Uninstaller restore point

RP68: 10/16/2011 11:38:17 PM - IObit Uninstaller restore point

RP69: 10/16/2011 11:39:48 PM - IObit Uninstaller restore point

RP70: 10/16/2011 11:41:44 PM - IObit Uninstaller restore point

RP71: 10/16/2011 11:45:09 PM - IObit Uninstaller restore point

RP72: 10/16/2011 11:46:21 PM - IObit Uninstaller restore point

RP73: 10/16/2011 11:46:56 PM - IObit Uninstaller restore point

RP74: 10/16/2011 11:50:45 PM - IObit Uninstaller restore point

RP75: 10/16/2011 11:51:26 PM - IObit Uninstaller restore point

RP76: 10/16/2011 11:53:52 PM - IObit Uninstaller restore point

RP77: 10/16/2011 11:55:15 PM - IObit Uninstaller restore point

RP78: 10/16/2011 11:56:19 PM - IObit Uninstaller restore point

RP79: 10/16/2011 11:56:57 PM - Removed IObit Toolbar v4.7.

RP80: 10/16/2011 11:59:03 PM - IObit Uninstaller restore point

RP81: 10/17/2011 12:00:19 AM - IObit Uninstaller restore point

RP82: 10/17/2011 12:27:12 AM - Installed Windows XP Media Center Edition 2005 KB925766.

RP83: 10/17/2011 12:53:06 AM - Installed Java 6 Update 26

RP84: 10/17/2011 3:58:56 AM - IObit Uninstaller restore point

RP85: 10/17/2011 12:03:35 PM - Installed Windows Defender

RP86: 10/17/2011 4:13:52 PM - Installed Windows Defender

RP87: 10/17/2011 4:46:15 PM - Installed Windows Defender

RP88: 10/17/2011 5:07:28 PM - Installed HiJackThis

.

==== Installed Programs ======================

.

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 7.0

Advanced SystemCare 4

AnswerWorks 5.0 English Runtime

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI - Software Uninstall Utility

ATI Control Panel

ATI Display Driver

Broadcom 802.11 Network Adapter

Canon Digital Camera USB WIA Driver

Conexant AC-Link Audio

Creative Live! Cam Notebook Pro Driver (1.01.03.0405)

Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Easy-WebPrint

GearDrvs

Google Chrome

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB942288-v3)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

iTunes

Java Auto Updater

Java 6 Update 26

Malwarebytes' Anti-Malware version 1.51.2.1300

Microsoft .NET Framework 1.0 Hotfix (KB2572066)

Microsoft .NET Framework 1.0 Hotfix (KB953295)

Microsoft .NET Framework 1.0 Hotfix (KB979904)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 14

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

Mozilla Firefox 7.0.1 (x86 en-US)

MSXML 4.0 SP2 (KB973688)

Napster Burn Engine

PowerDVD

Presto! PageManager 7.15.11

Quicken 2009

QuickTime

Recovery Software Suite Gateway

Secunia PSI (2.0.0.4002)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft Excel 2010 (KB2553070)

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2584066)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Smart Defrag 1.11

Soft Data Fax Modem with SmartCP

Sonic Encoders

StorageSync Backup Software

Synaptics Pointing Device Driver

Texas Instruments PCIxx21/x515/xx12 drivers.

The Sims 2

The Sims Complete Collection

TIPCI

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Outlook Social Connector (KB2583935)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows Internet Explorer 8 (KB980302)

Update for Windows Media Player 10 (KB910393)

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2616676-v2)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update Rollup 2 for Windows XP Media Center Edition 2005

Viewpoint Media Player

VLC media player 1.1.4

WebFldrs XP

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Format Runtime

Windows XP Media Center Edition 2005 KB2502898

Windows XP Media Center Edition 2005 KB925766

Windows XP Media Center Edition 2005 KB973768

Windows XP Service Pack 3

.

==== Event Viewer Messages From Past Week ========

.

10/17/2011 3:47:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips SASDIFSV SASKUTIL

10/17/2011 2:42:49 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp AmdK8 amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o Fips hpn i2omp ini910u IntelIde mraid35x ohci1394 perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde

10/17/2011 2:01:27 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

10/17/2011 12:31:35 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}

10/17/2011 12:23:17 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service mcmscsvc with arguments "" in order to run the server: {9B3BEB4E-1C5E-4A5F-BB36-2F6587DD34E2}

10/17/2011 12:13:29 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

10/17/2011 1:44:50 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips

10/17/2011 1:39:40 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

10/17/2011 1:38:52 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

10/17/2011 1:38:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

10/17/2011 1:38:36 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

10/17/2011 1:38:36 AM, error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

10/17/2011 1:38:36 AM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.

10/17/2011 1:38:36 AM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

10/17/2011 1:38:36 AM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

10/17/2011 1:38:36 AM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

10/17/2011 1:38:36 AM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

10/17/2011 1:38:36 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/17/2011 1:38:36 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

10/17/2011 1:38:36 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/16/2011 4:11:54 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer MATT-LAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{FE808127-FC8C-40. The master browser is stopping or an election is being forced.

10/15/2011 7:33:36 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

10/15/2011 7:32:33 PM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

10/13/2011 7:54:38 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer SHINIGAMI that believes that it is the master browser for the domain on transport NetBT_Tcpip_{FE808127-FC8C-4040. The master browser is stopping or an election is being forced.

.

==== End Of File ===========================

Link to post
Share on other sites

post-32477-1261866970.gif

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".

Link to post
Share on other sites

Thank you for your response and assistance.

The laptop continues to respond very slowly and redirects make it difficult to access almost any web site.

Following is the log you requested:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8013

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/24/2011 2:16:03 PM

mbam-log-2011-10-24 (14-16-03).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 299752

Time elapsed: 1 hour(s), 4 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Please do not attach the scan results from Combofx. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Thanks!

Chrome, Firefox and Internet Explorer are accessing various websites without redirects.

Initial boot is still slow, but may be unrelated. Browsers are booting fine and allowing connections to correct web sites.

Here is the ComboFix log:

ComboFix 11-10-24.04 - Owner 10/24/2011 16:15:54.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.501 [GMT -5:00]

Running from: c:\documents and settings\Owner.Mobile1\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Guest\WINDOWS

c:\documents and settings\Owner.Mobile1\WINDOWS

c:\documents and settings\ZZZZZZZZZZZ\WINDOWS

c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf

c:\windows\kb913800.exe

c:\windows\system32\config\systemprofile\WINDOWS

D:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))

.

.

2011-10-17 22:07 . 2011-10-17 22:07 388096 ----a-r- c:\documents and settings\Owner.Mobile1\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-10-17 22:07 . 2011-10-17 22:07 -------- d-----w- c:\program files\Trend Micro

2011-10-17 21:39 . 2011-10-20 19:09 -------- d-----w- c:\program files\Windows Defender

2011-10-17 21:37 . 2011-10-17 21:37 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\ElevatedDiagnostics

2011-10-17 19:45 . 2011-10-17 19:45 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\SUPERAntiSpyware.com

2011-10-17 19:45 . 2011-10-17 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-10-17 07:45 . 2011-10-17 07:45 -------- d-----w- c:\documents and settings\Owner.Mobile1\Local Settings\Application Data\Secunia PSI

2011-10-17 07:45 . 2011-10-17 07:45 -------- d-----w- c:\program files\Secunia

2011-10-17 06:53 . 2011-10-17 06:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-17 06:53 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-17 05:54 . 2011-10-17 05:54 -------- d-----w- c:\program files\Common Files\Java

2011-10-17 04:57 . 2011-10-17 05:01 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\IObit

2011-10-17 02:21 . 2011-10-17 02:21 -------- d-----w- c:\documents and settings\ZZZZZZZZZZZ\Local Settings\Application Data\Mozilla

2011-10-17 02:21 . 2011-10-17 02:22 -------- d-----w- c:\documents and settings\ZZZZZZZZZZZ\Application Data\IObit

2011-10-17 02:21 . 2011-10-17 02:21 -------- d-----w- c:\documents and settings\ZZZZZZZZZZZ\Application Data\Search Settings

2011-10-16 02:00 . 2011-10-16 02:00 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\QuickScan

2011-10-14 06:27 . 2011-10-17 04:38 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\OpswatLogs

2011-10-06 05:07 . 2011-10-06 05:07 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-26 16:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2005-11-23 07:12 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2005-11-23 07:12 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12 . 2005-11-23 07:12 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20 . 2005-11-23 07:12 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48 . 2005-11-23 07:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48 . 2005-11-23 07:12 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48 . 2005-11-23 07:12 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56 . 2005-11-23 07:12 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2005-11-23 07:12 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-09-29 06:53 . 2011-10-17 08:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-08-09 417112]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]

.

c:\documents and settings\Owner.Mobile1\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-7-29 291896]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Roxio Upnp Server 9"=2 (0x2)

"Roxio UPnP Renderer 9"=3 (0x3)

"McMPFSvc"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]

R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [5/19/2011 2:08 AM 328536]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/17/2011 1:53 AM 366152]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/17/2005 4:17 PM 200576]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/17/2011 1:53 AM 22216]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]

S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [7/29/2011 4:30 AM 994360]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/22/2005 7:52 PM 69692]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [8/26/2010 4:16 AM 10112]

S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [1/16/2007 8:59 PM 163840]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/23/2005 2:12 AM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-116369751-2669058170-3813519779-1006Core.job

- c:\documents and settings\Owner.Mobile1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-17 08:50]

.

2011-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-116369751-2669058170-3813519779-1006UA.job

- c:\documents and settings\Owner.Mobile1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-17 08:50]

.

2011-10-13 c:\windows\Tasks\SmartDefrag.job

- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-04-01 23:15]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Owner.Mobile1\Application Data\Mozilla\Firefox\Profiles\u17rr9ks.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=685749&p=

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Advanced SystemCare 3 - c:\program files\IObit\Advanced SystemCare 3\AWC.exe

HKLM-Run-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-24 16:22

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(952)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-10-24 16:26:38

ComboFix-quarantined-files.txt 2011-10-24 21:26

.

Pre-Run: 27,972,407,296 bytes free

Post-Run: 28,224,737,280 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 71CCC2316D66DF7F684D36699B869BCB

Link to post
Share on other sites

I would use Add/Remove programs and uninstall:

Advanced SystemCare

IObit

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Folder::
c:\documents and settings\ZZZZZZZZZZZ

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

I removed Iobit Advanced System Recovery.

I then followed the instructions, running ComboFix.

However, it appeared to hang up and never showed any of the completed steps.

I let is sit for just over an hour, in case it was in fact running, but nothing happened.

It would not let me close, even with Task Mgr., so I had to shut down.

I then booted in Secure Mode, and tried to run it again.

This time it ran within about 10 minutes.

Following is the log:

ComboFix 11-10-24.04 - Owner 10/24/2011 19:06:11.2.1 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.745 [GMT -5:00]

Running from: c:\documents and settings\Owner.Mobile1\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner.Mobile1\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\downloadmanager\insdl.dll

c:\windows\help\tours\htmltour\unlock_playing.htm

c:\windows\system32\d3d9caps.dat

.

.

((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))

.

.

2011-10-17 22:07 . 2011-10-17 22:07 388096 ----a-r- c:\documents and settings\Owner.Mobile1\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-10-17 22:07 . 2011-10-17 22:07 -------- d-----w- c:\program files\Trend Micro

2011-10-17 21:39 . 2011-10-20 19:09 -------- d-----w- c:\program files\Windows Defender

2011-10-17 21:37 . 2011-10-17 21:37 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\ElevatedDiagnostics

2011-10-17 19:45 . 2011-10-17 19:45 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\SUPERAntiSpyware.com

2011-10-17 19:45 . 2011-10-17 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-10-17 07:45 . 2011-10-17 07:45 -------- d-----w- c:\documents and settings\Owner.Mobile1\Local Settings\Application Data\Secunia PSI

2011-10-17 07:45 . 2011-10-17 07:45 -------- d-----w- c:\program files\Secunia

2011-10-17 06:53 . 2011-10-17 06:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-17 06:53 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-17 05:54 . 2011-10-17 05:54 -------- d-----w- c:\program files\Common Files\Java

2011-10-17 04:57 . 2011-10-17 05:01 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\IObit

2011-10-17 02:21 . 2011-10-17 02:21 -------- d-----w- c:\documents and settings\ZZZZZZZZZZZ\Local Settings\Application Data\Mozilla

2011-10-17 02:21 . 2011-10-17 02:22 -------- d-----w- c:\documents and settings\ZZZZZZZZZZZ\Application Data\IObit

2011-10-17 02:21 . 2011-10-17 02:21 -------- d-----w- c:\documents and settings\ZZZZZZZZZZZ\Application Data\Search Settings

2011-10-16 02:00 . 2011-10-16 02:00 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\QuickScan

2011-10-14 06:27 . 2011-10-17 04:38 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\OpswatLogs

2011-10-06 05:07 . 2011-10-06 05:07 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-26 16:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2005-11-23 07:12 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2005-11-23 07:12 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12 . 2005-11-23 07:12 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20 . 2005-11-23 07:12 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48 . 2005-11-23 07:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48 . 2005-11-23 07:12 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48 . 2005-11-23 07:12 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56 . 2005-11-23 07:12 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2005-11-23 07:12 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-09-29 06:53 . 2011-10-17 08:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]

.

c:\documents and settings\Owner.Mobile1\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Roxio Upnp Server 9"=2 (0x2)

"Roxio UPnP Renderer 9"=3 (0x3)

"McMPFSvc"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/17/2011 1:53 AM 366152]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/22/2005 7:52 PM 69692]

S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/17/2005 4:17 PM 200576]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/17/2011 1:53 AM 22216]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [8/26/2010 4:16 AM 10112]

S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [1/16/2007 8:59 PM 163840]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/23/2005 2:12 AM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-116369751-2669058170-3813519779-1006Core.job

- c:\documents and settings\Owner.Mobile1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-17 08:50]

.

2011-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-116369751-2669058170-3813519779-1006UA.job

- c:\documents and settings\Owner.Mobile1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-17 08:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Owner.Mobile1\Application Data\Mozilla\Firefox\Profiles\u17rr9ks.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=685749&p=

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-24 19:15

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(840)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(416)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2011-10-24 19:19:48 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-25 00:19

ComboFix2.txt 2011-10-24 21:26

.

Pre-Run: 29,265,055,744 bytes free

Post-Run: 29,263,130,624 bytes free

.

- - End Of File - - 10E1FD44AF0CD80BD346B33566E153A4

Link to post
Share on other sites

Let's try it again in secure mode.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Folder::
c:\documents and settings\ZZZZZZZZZZZ

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Good Morning.

Performance seems to be about the same, with much improved browser startup times and no signs of redirects.

Following is the new log, run from Safe Mode:

ComboFix 11-10-24.04 - Owner 10/25/2011 9:22.3.1 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.752 [GMT -5:00]

Running from: c:\documents and settings\Owner.Mobile1\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner.Mobile1\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((( Files Created from 2011-09-25 to 2011-10-25 )))))))))))))))))))))))))))))))

.

.

2011-10-17 22:07 . 2011-10-17 22:07 388096 ----a-r- c:\documents and settings\Owner.Mobile1\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-10-17 22:07 . 2011-10-17 22:07 -------- d-----w- c:\program files\Trend Micro

2011-10-17 21:39 . 2011-10-20 19:09 -------- d-----w- c:\program files\Windows Defender

2011-10-17 21:37 . 2011-10-17 21:37 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\ElevatedDiagnostics

2011-10-17 19:45 . 2011-10-17 19:45 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\SUPERAntiSpyware.com

2011-10-17 19:45 . 2011-10-17 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-10-17 07:45 . 2011-10-17 07:45 -------- d-----w- c:\documents and settings\Owner.Mobile1\Local Settings\Application Data\Secunia PSI

2011-10-17 07:45 . 2011-10-17 07:45 -------- d-----w- c:\program files\Secunia

2011-10-17 06:53 . 2011-10-17 06:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-17 06:53 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-17 05:54 . 2011-10-17 05:54 -------- d-----w- c:\program files\Common Files\Java

2011-10-17 04:57 . 2011-10-17 05:01 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\IObit

2011-10-17 02:21 . 2011-10-17 02:21 -------- d-----w- c:\documents and settings\ZZZZZZZZZZZ\Local Settings\Application Data\Mozilla

2011-10-17 02:21 . 2011-10-17 02:22 -------- d-----w- c:\documents and settings\ZZZZZZZZZZZ\Application Data\IObit

2011-10-17 02:21 . 2011-10-17 02:21 -------- d-----w- c:\documents and settings\ZZZZZZZZZZZ\Application Data\Search Settings

2011-10-16 02:00 . 2011-10-16 02:00 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\QuickScan

2011-10-14 06:27 . 2011-10-17 04:38 -------- d-----w- c:\documents and settings\Owner.Mobile1\Application Data\OpswatLogs

2011-10-06 05:07 . 2011-10-06 05:07 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-26 16:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41 . 2005-11-23 07:12 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41 . 2005-11-23 07:12 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12 . 2005-11-23 07:12 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20 . 2005-11-23 07:12 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48 . 2005-11-23 07:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48 . 2005-11-23 07:12 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48 . 2005-11-23 07:12 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56 . 2005-11-23 07:12 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2005-11-23 07:12 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-09-29 06:53 . 2011-10-17 08:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-10-24_21.22.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-10-25 14:41 . 2011-10-25 14:41 16384 c:\windows\temp\Perflib_Perfdata_23c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]

.

c:\documents and settings\Owner.Mobile1\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Roxio Upnp Server 9"=2 (0x2)

"Roxio UPnP Renderer 9"=3 (0x3)

"McMPFSvc"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/17/2011 1:53 AM 366152]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/17/2005 4:17 PM 200576]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/17/2011 1:53 AM 22216]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\OWNER~1.MOB\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/22/2005 7:52 PM 69692]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [8/26/2010 4:16 AM 10112]

S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [1/16/2007 8:59 PM 163840]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/23/2005 2:12 AM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-116369751-2669058170-3813519779-1006Core.job

- c:\documents and settings\Owner.Mobile1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-17 08:50]

.

2011-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-116369751-2669058170-3813519779-1006UA.job

- c:\documents and settings\Owner.Mobile1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-17 08:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Owner.Mobile1\Application Data\Mozilla\Firefox\Profiles\u17rr9ks.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=685749&p=

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-25 09:41

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(960)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3872)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\wltrysvc.exe

c:\windows\System32\bcmwltry.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\Ati2evxx.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Java\Java Update\jucheck.exe

.

**************************************************************************

.

Completion time: 2011-10-25 09:46:38 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-25 14:46

ComboFix2.txt 2011-10-25 00:19

ComboFix3.txt 2011-10-24 21:26

.

Pre-Run: 31,903,141,888 bytes free

Post-Run: 30,877,691,904 bytes free

.

- - End Of File - - EEF4D46C53FB181C16EAC24C3EBCCF69

Link to post
Share on other sites

Good job thumbup.gif

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

    [*]Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week

    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    [*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.

    Without a firewall your computer is succeptible to being hacked and taken over.

    I am very serious about this and see it happen almost every day with my clients.

    Simply using a Firewall in its default configuration can lower your risk greatly.

    [*]Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.

    •Free browser plug-in for Internet Explorer and Firefox

    •Real-time safety ratings

    •Ideal for Facebook, Twitter and LinkedIn

    [*] JAVA Click this link and click on the Free JAVA Download

    [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.

    This will ensure your computer has always the latest security updates available installed on your computer.

    If there are new updates to install, install them immediately, reboot your computer, and revisit the site

    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Link to post
Share on other sites

I have followed your suggested steps to further protect her pc.

My daughter's BIG mistake was letting her McAfee security software subscription lapse.

I have three other computers, on which I dilegently maintain security.

This experience highlights the importance of doing so.

This is my first experience with such a serious problem and luckily this great forum exists.

Thanks so much for your time and effort to help get us back on track. :D

Best Regards,

tripdip

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.