Please help! Windows Antivirus strikes again [Closed]


  • This topic is locked

#16
chamber
    Face Burnin' Malware Fighter
  • Visiting Consultant
  • 2,712 posts
Hi,

Looks good, how are things running now?

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

  • 0

#17
Steadythisknife
    Member
  • Topic Starter
  • Member
  • 35 posts
Things are running so much better. It seems to be working like normal again.



Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
``````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 17
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.1
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````
  • 0

#18
chamber
    Face Burnin' Malware Fighter
  • Visiting Consultant
  • 2,712 posts
Looks good,

You need to update your Adobe Reader. Visit HERE.

Congratulations, your logs appear clean!! :)

Clean up

Follow these steps to uninstall ComboFix and the tools used in the removal of malware.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    Posted Image
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it. There are other free alternatives, FIREFOX and OPERA; both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

You should have a good anti-spyware program - We recommend MalwareBytes Anti-Malware and SUPERAntiSpyware.

MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

WinPatrol - Download and install the free version of WinPatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Spring Cleaning

TFC - Temp File Cleaner by OldTimer - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders

Auslogics Disk Defrag or JKDefrag - Two good disk defragmenters for you to choose from.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place
  • 0
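The HOSTS-file mechanism described in the post above, as an added example that is not part of the thread or of the MVPS project: a Python script that parses a constructed HOSTS file, shows which names are blackholed to 127.0.0.1 (or to 0.0.0.0, which newer MVPS builds use) and flags any entry that points a hostname at a routable address, since the same file is also what a HOSTS hijack edits. The hostnames and the address 198.51.100.7 in the sample are constructed for the example.

```python
"""Audit a Windows HOSTS file in the MVPS style (added example, not thread code)."""
import ipaddress

# Constructed sample HOSTS file: the hostnames and 198.51.100.7 are made up.
SAMPLE_HOSTS = """
# Comment lines and blank lines are ignored, as Windows does.
127.0.0.1  localhost
::1        localhost
127.0.0.1  ads.example-adnetwork.test      # MVPS-style blackhole entry
0.0.0.0    tracker.example-analytics.test  # newer MVPS builds use 0.0.0.0
198.51.100.7  update.example-antivirus.test  # not a blackhole: a redirect
"""

# Addresses a blocklist uses to sink a name: loopback (as the post says) or the
# unspecified address 0.0.0.0, which newer MVPS releases switched to.
BLACKHOLE = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments ('#') and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a fuller audit would report it
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def classify(entries):
    """Split entries into blackholed names and suspicious (routable) redirects."""
    blocked, suspicious = [], []
    for ip, name in entries:
        if name in LOCAL_NAMES:
            continue  # the stock localhost lines are expected
        if ip in BLACKHOLE or ip.is_loopback:
            blocked.append(name)
        else:
            # A hostname pointed at a real address is how HOSTS hijacks look:
            # the name still "resolves", just not to the legitimate server.
            suspicious.append((name, str(ip)))
    return blocked, suspicious


def lookup(entries, name):
    """Emulate the HOSTS step of name resolution: first matching entry wins."""
    name = name.lower()
    for ip, host in entries:
        if host == name:
            return str(ip)
    return None


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    blocked, suspicious = classify(entries)
    print("blackholed names:", blocked)
    print("suspicious redirects:", suspicious)
    print("lookup:", lookup(entries, "ads.example-adnetwork.test"))
```

On a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts; reading it instead of SAMPLE_HOSTS is the only change needed. A name listed against any address other than the blackhole ones deserves a look, because the effect the post describes for ad sites (the request never leaves the machine) is exactly what an attacker-edited HOSTS file does to update and security-vendor sites.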

#19
Steadythisknife
    Member
  • Topic Starter
  • Member
  • 35 posts
Wow, thanks for everything, that's great.
  • 0

#20
Steadythisknife
    Member
  • Topic Starter
  • Member
  • 35 posts
While running the Combofix uninstall I still got a warning message that Windows Antivirus pro was running.
  • 0

#21
chamber
    Face Burnin' Malware Fighter
  • Visiting Consultant
  • 2,712 posts
Redownload ComboFix and run it again.
  • 0

#22
Steadythisknife
    Member
  • Topic Starter
  • Member
  • 35 posts
OK, reinstalled ComboFix; upon installation the warning again popped up for Windows Antivirus Pro.


ComboFix 09-11-06.03 - myself 11/07/2009 13:01.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.754 [GMT -5:00]
Running from: c:\documents and settings\myself\My Documents\Downloads\ComboFix.exe
AV: Antivirus System PRO *On-access scanning enabled* (Updated) {A8D49023-CEF0-4614-B2F4-E86F1AF0D636}
.

((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 17:42 . 2009-11-07 17:42 0 ----a-w- c:\windows\nsreg.dat
2009-11-07 17:42 . 2009-11-07 17:42 -------- d-----w- c:\documents and settings\myself\Local Settings\Application Data\Mozilla
2009-11-07 17:36 . 2009-11-07 17:36 -------- d-----w- c:\documents and settings\myself\Local Settings\Application Data\Google
2009-11-07 17:32 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\myself\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-07 17:32 . 2009-11-07 17:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-07 17:31 . 2009-11-07 17:32 -------- d-----w- c:\program files\Google
2009-11-07 17:31 . 2009-11-07 17:31 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-07 17:31 . 2009-11-07 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-07 17:31 . 2009-11-07 17:31 -------- d-----w- c:\program files\NOS
2009-11-07 15:01 . 2009-11-07 15:01 -------- d-----w- c:\windows\Sun
2009-11-07 15:00 . 2009-11-07 15:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-07 15:00 . 2009-11-07 15:00 -------- d-----w- c:\program files\Java
2009-11-05 00:23 . 2009-11-05 00:23 -------- d-----w- c:\documents and settings\myself\Application Data\Malwarebytes
2009-11-05 00:18 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 00:18 . 2009-11-07 12:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 00:18 . 2009-11-05 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-05 00:18 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 02:13 . 2009-11-04 02:13 -------- d-----w- c:\program files\Antivirus System PRO
2009-11-03 01:43 . 2009-11-03 01:43 -------- d-----w- c:\windows\system32\LogFiles
2009-10-31 17:32 . 2009-10-31 17:33 -------- d-----w- C:\avlog
2009-10-20 09:45 . 2009-10-20 09:45 -------- d-----w- c:\documents and settings\myself\Local Settings\Application Data\Windows Live Writer
2009-10-20 04:19 . 2009-11-05 01:27 -------- d-----w- c:\documents and settings\myself\Application Data\skypePM
2009-10-20 04:16 . 2009-11-05 02:26 -------- d-----w- c:\documents and settings\myself\Application Data\Skype
2009-10-20 02:59 . 2009-11-01 07:45 -------- d-----w- c:\documents and settings\myself\Application Data\StumbleUpon
2009-10-19 23:47 . 2009-10-19 23:47 -------- d-s---w- c:\documents and settings\myself\UserData
2009-10-19 21:46 . 2009-10-19 21:46 1961720 ----a-w- c:\documents and settings\myself\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 00:37 . 2009-10-20 09:42 55640 ----a-w- c:\documents and settings\myself\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 01:37 . 2009-03-08 06:48 -------- d-----w- c:\program files\Microsoft Works
2009-10-20 04:19 . 2009-10-20 04:19 32 ----a-w- c:\documents and settings\All Users\Application Data\ezsid.dat
2009-10-19 23:06 . 2008-08-01 16:53 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-05-07 08:34 . 2009-03-08 06:49 15523560 ----a-w- c:\program files\U1 Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-18 622592]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-01-23 416768]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-03-06 16858112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Asus Power Management Utility.lnk - c:\program files\ASUS\EeePC\Asus Power Management Utility\Asus Power Management Utility.exe [2009-3-8 294912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\ASUS\\EeePC\\Asus Power Management Utility\\Asus Power Management Utility.exe"=

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [3/8/2009 1:45 AM 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2/23/2009 12:09 AM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 1:23 AM 38400]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [3/8/2009 1:45 AM 306176]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/1/2008 11:37 AM 14336]
S3 StumbleUponUpdateService;StumbleUponUpdateService;"c:\program files\StumbleUpon\StumbleUponUpdateService.exe" --> c:\program files\StumbleUpon\StumbleUponUpdateService.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
FF - ProfilePath - c:\documents and settings\myself\Application Data\Mozilla\Firefox\Profiles\uw7260il.default\
FF - prefs.js: browser.startup.homepage - www.google.com

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 13:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-07 13:08
ComboFix-quarantined-files.txt 2009-11-07 18:08

Pre-Run: 153,356,767,232 bytes free
Post-Run: 153,533,726,720 bytes free

- - End Of File - - 0887E4C78154086E7CB866F063A40B9D
  • 0

#23
chamber
    Face Burnin' Malware Fighter
  • Visiting Consultant
  • 2,712 posts
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::
c:\program files\Antivirus System PRO
C:\avlog

Registry::

Driver::

SecCentre::
AV: Antivirus System PRO *On-access scanning enabled* (Updated) {A8D49023-CEF0-4614-B2F4-E86F1AF0D636}


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


I don't see an antivirus program installed. :)

Today's internet is simply suicide without an up-to-date antivirus; you leave yourself wide open to any attacks and infections.

Not much point in you and I cleaning up the system if you don't protect yourself after.

However -- if you don't understand or cannot install an antivirus -- please let me know.

Please download ONE of the following antivirus programs and install it.

Once installed, update it, run a full system scan with it and allow it to fix up what it finds.

Reboot if it fixed anything.
  • 0

#24
Steadythisknife
    Member
  • Topic Starter
  • Member
  • 35 posts
OK, I have downloaded one of the antivirus programs you listed and am now protected. This log was prior to the install of the antivirus.



ComboFix 09-11-06.03 - myself 11/07/2009 15:17.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.742 [GMT -5:00]
Running from: c:\documents and settings\myself\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\myself\Desktop\CFScript.txt
AV: Antivirus System PRO *On-access scanning enabled* (Updated) {A8D49023-CEF0-4614-B2F4-E86F1AF0D636}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\avlog
c:\avlog\log0.txt
c:\avlog\log1.txt
c:\avlog\log2.txt
c:\avlog\log3.txt
c:\avlog\log4.txt
c:\avlog\log5.txt
c:\avlog\log6.txt
c:\avlog\log7.txt
c:\avlog\log8.txt
c:\program files\Antivirus System PRO

.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 20:12 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-07 20:12 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-07 20:12 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-07 20:12 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-07 20:12 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-07 20:12 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-07 20:12 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-07 20:12 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-07 20:11 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-07 20:11 . 2003-03-18 22:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-11-07 20:11 . 2003-03-18 21:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-11-07 20:11 . 2003-02-21 04:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-11-07 20:11 . 2009-11-07 20:11 -------- d-----w- c:\program files\Alwil Software
2009-11-07 19:56 . 2009-11-07 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-07 19:56 . 2009-11-07 19:56 -------- d-----w- c:\program files\McAfee Security Scan
2009-11-07 19:56 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\myself\Application Data\Mozilla\Firefox\Profiles\uw7260il.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-07 19:56 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\myself\Application Data\Mozilla\Firefox\Profiles\uw7260il.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-07 19:56 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\myself\Application Data\Mozilla\Firefox\Profiles\uw7260il.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-07 17:42 . 2009-11-07 17:42 0 ----a-w- c:\windows\nsreg.dat
2009-11-07 17:42 . 2009-11-07 17:42 -------- d-----w- c:\documents and settings\myself\Local Settings\Application Data\Mozilla
2009-11-07 17:36 . 2009-11-07 17:36 -------- d-----w- c:\documents and settings\myself\Local Settings\Application Data\Google
2009-11-07 17:32 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\myself\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-07 17:32 . 2009-11-07 17:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-07 17:31 . 2009-11-07 17:32 -------- d-----w- c:\program files\Google
2009-11-07 17:31 . 2009-11-07 17:31 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-07 17:31 . 2009-11-07 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-07 17:31 . 2009-11-07 17:31 -------- d-----w- c:\program files\NOS
2009-11-07 15:01 . 2009-11-07 15:01 -------- d-----w- c:\windows\Sun
2009-11-07 15:00 . 2009-11-07 15:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-07 15:00 . 2009-11-07 15:00 -------- d-----w- c:\program files\Java
2009-11-05 00:23 . 2009-11-05 00:23 -------- d-----w- c:\documents and settings\myself\Application Data\Malwarebytes
2009-11-05 00:18 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 00:18 . 2009-11-07 12:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 00:18 . 2009-11-05 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-05 00:18 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 01:43 . 2009-11-03 01:43 -------- d-----w- c:\windows\system32\LogFiles
2009-10-20 09:45 . 2009-10-20 09:45 -------- d-----w- c:\documents and settings\myself\Local Settings\Application Data\Windows Live Writer
2009-10-20 04:19 . 2009-11-05 01:27 -------- d-----w- c:\documents and settings\myself\Application Data\skypePM
2009-10-20 04:16 . 2009-11-05 02:26 -------- d-----w- c:\documents and settings\myself\Application Data\Skype
2009-10-20 02:59 . 2009-11-01 07:45 -------- d-----w- c:\documents and settings\myself\Application Data\StumbleUpon
2009-10-19 23:47 . 2009-10-19 23:47 -------- d-s---w- c:\documents and settings\myself\UserData
2009-10-19 21:46 . 2009-10-19 21:46 1961720 ----a-w- c:\documents and settings\myself\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 00:37 . 2009-10-20 09:42 55640 ----a-w- c:\documents and settings\myself\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 01:37 . 2009-03-08 06:48 -------- d-----w- c:\program files\Microsoft Works
2009-10-20 04:19 . 2009-10-20 04:19 32 ----a-w- c:\documents and settings\All Users\Application Data\ezsid.dat
2009-10-19 23:06 . 2008-08-01 16:53 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-05-07 08:34 . 2009-03-08 06:49 15523560 ----a-w- c:\program files\U1 Setup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-07_18.06.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 19:54 . 2009-11-07 19:54 16384 c:\windows\temp\Perflib_Perfdata_790.dat
- 2009-11-07 17:45 . 2009-11-07 17:45 16384 c:\windows\temp\Perflib_Perfdata_790.dat
+ 2009-11-07 19:56 . 2009-11-07 19:56 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-18 622592]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-01-23 416768]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-03-06 16858112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Asus Power Management Utility.lnk - c:\program files\ASUS\EeePC\Asus Power Management Utility\Asus Power Management Utility.exe [2009-3-8 294912]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\ASUS\\EeePC\\Asus Power Management Utility\\Asus Power Management Utility.exe"=

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [3/8/2009 1:45 AM 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2/23/2009 12:09 AM 93696]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [11/4/2008 1:23 AM 38400]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [3/8/2009 1:45 AM 306176]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/1/2008 11:37 AM 14336]
S3 StumbleUponUpdateService;StumbleUponUpdateService;"c:\program files\StumbleUpon\StumbleUponUpdateService.exe" --> c:\program files\StumbleUpon\StumbleUponUpdateService.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GETPLUSHELPER
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
FF - ProfilePath - c:\documents and settings\myself\Application Data\Mozilla\Firefox\Profiles\uw7260il.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\myself\Application Data\Mozilla\Firefox\Profiles\uw7260il.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 15:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-07 15:24
ComboFix-quarantined-files.txt 2009-11-07 20:24
ComboFix2.txt 2009-11-07 18:08

Pre-Run: 153,377,071,104 bytes free
Post-Run: 153,383,784,448 bytes free

- - End Of File - - 2DCB37873E9398D1E1C2E6CF020F452D
  • 0
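The two ComboFix logs in this thread differ in a way that decides the next step: the CFScript removed the rogue product's folder and C:\avlog (listed under "Other Deletions"), avast! appeared in the Run key, but the Security Center "AV:" registration with its CLSID is still present, which is why the rogue warning kept appearing. As an added example, not code from the thread or from ComboFix's author, here is a Python parser that pulls the AV: registration, the HKLM Run values, "Other Deletions" and "Files Created" out of two logs and diffs them. The two excerpts are constructed from lines quoted above, trimmed to the relevant entries.

```python
"""Diff two ComboFix logs (added example; excerpts constructed from the thread)."""
import re

LOG_BEFORE = r"""
ComboFix 09-11-06.03 - myself 11/07/2009 13:01.3.1 - NTFSx86
AV: Antivirus System PRO *On-access scanning enabled* (Updated) {A8D49023-CEF0-4614-B2F4-E86F1AF0D636}
.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.
2009-11-04 02:13 . 2009-11-04 02:13 -------- d-----w- c:\program files\Antivirus System PRO
2009-10-31 17:32 . 2009-10-31 17:33 -------- d-----w- C:\avlog
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]

"""

LOG_AFTER = r"""
ComboFix 09-11-06.03 - myself 11/07/2009 15:17.4.1 - NTFSx86
Command switches used :: c:\documents and settings\myself\Desktop\CFScript.txt
AV: Antivirus System PRO *On-access scanning enabled* (Updated) {A8D49023-CEF0-4614-B2F4-E86F1AF0D636}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\avlog
c:\avlog\log0.txt
c:\program files\Antivirus System PRO
.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.
2009-11-07 20:12 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-07 20:11 . 2009-11-07 20:11 -------- d-----w- c:\program files\Alwil Software
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

"""

# Section banners look like "((((( Name )))))"; the AV: line carries the
# product name and the Security Center CLSID in braces.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
AV_RE = re.compile(r"^AV:\s*(.+?)\s*\*.*?(\{[0-9A-Fa-f-]+\})")
RUN_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\]$", re.I)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ \S+ (.+)$")


def parse_combofix(text):
    """Extract AV registrations, HKLM Run values, deleted items and created paths."""
    result = {"av": [], "run": {}, "deletions": [], "created": []}
    section, in_run = None, False
    for line in text.splitlines():
        line = line.rstrip()
        if in_run:
            m = RUN_VALUE_RE.match(line)
            if m:
                result["run"][m.group(1)] = m.group(2)
                continue
            in_run = False  # first non-value line closes the key block
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if RUN_KEY_RE.match(line):
            in_run = True
            continue
        m = AV_RE.match(line)
        if m:
            result["av"].append((m.group(1), m.group(2)))
            continue
        if section == "Other Deletions" and line and line != ".":
            result["deletions"].append(line)
        elif section and section.startswith("Files Created"):
            m = CREATED_RE.match(line)
            if m:
                result["created"].append(m.group(1))
    return result


def compare(before_text, after_text):
    """Summarise what changed between two consecutive ComboFix runs."""
    before, after = parse_combofix(before_text), parse_combofix(after_text)
    run_b, run_a = before["run"], after["run"]
    return {
        "run_added": {k: v for k, v in run_a.items() if k not in run_b},
        "run_removed": {k: v for k, v in run_b.items() if k not in run_a},
        "deletions": after["deletions"],
        "created_new": [p for p in after["created"] if p not in before["created"]],
        # Still registered after the files are gone: the reason for a SecCentre:: script.
        "av_still_registered": [av for av in after["av"] if av in before["av"]],
    }


if __name__ == "__main__":
    for key, value in compare(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}: {value}")
```

The "av_still_registered" entry is the one to read first on a rogue-antivirus case: files and folders can be deleted while the WMI Security Center registration survives, and Windows keeps reporting the fake product as the installed antivirus until that registration is removed by CLSID, which is what the follow-up CFScript in this thread does.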

#25
chamber
    Face Burnin' Malware Fighter
  • Visiting Consultant
  • 2,712 posts
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::

SecCentre::
{A8D49023-CEF0-4614-B2F4-E86F1AF0D636}


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#26
chamber
    Face Burnin' Malware Fighter
  • Visiting Consultant
  • 2,712 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





