Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help wanted: Google Redirect Virus


  • Please log in to reply

#1
NikaD

NikaD

    New Member

  • Member
  • Pip
  • 8 posts
My netbook, it appears, has been infected with the Google Redirect virus. On any search website (Google, Yahoo, Bing) and in all of my browsers (Google Chrome, Firefox, IE), a clicked search hit redirects to another website, mostly for other search engines or virus removal software.

I followed the directions in the cleaning guide, to no avail, so now I put this out there in hopes of some help. I appreicate any help, in advance!

The MBAM, GMER and OTL logs follow:

-------

Malwarebytes' Anti-Malware 1.43
Database version: 3494
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/4/2010 9:39:59 PM
mbam-log-2010-01-04 (21-39-59).txt

Scan type: Quick Scan
Objects scanned: 104220
Time elapsed: 12 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-04 20:36:48
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Nicole\LOCALS~1\Temp\uflyipob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA92A6511]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA92A653D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA92A64E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA92A6527]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA92A6569]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 862A8841

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




OTL logfile created on: 1/4/2010 9:04:29 PM - Run 1
OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\Nicole\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 341.00 Mb Available Physical Memory | 34.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.04 Gb Total Space | 58.58 Gb Free Space | 82.45% Space Free | Partition Type: NTFS
Drive D: | 72.00 Gb Total Space | 71.91 Gb Free Space | 99.87% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BABYPUTER
Current User Name: Nicole
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/04 20:55:33 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicole\My Documents\Downloads\OTL.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/09/21 21:12:16 | 02,921,288 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
PRC - [2009/07/08 13:09:39 | 01,150,016 | ---- | M] (NBC Universal) -- C:\Program Files\NBC Direct\DirectPlayerCore.exe
PRC - [2009/04/15 17:08:23 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/10/27 13:38:52 | 00,298,664 | ---- | M] () -- C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
PRC - [2008/10/20 13:32:54 | 02,768,896 | ---- | M] () -- C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
PRC - [2008/10/14 20:38:56 | 00,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2008/10/08 08:43:10 | 00,082,624 | ---- | M] (Sassafras Software Inc.) -- C:\WINDOWS\kass.exe
PRC - [2008/10/08 08:43:06 | 01,041,088 | ---- | M] (Sassafras Software Inc.) -- C:\WINDOWS\keyacc32.exe
PRC - [2008/10/06 21:07:26 | 00,679,936 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2008/08/28 13:34:52 | 01,044,480 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2008/08/26 15:51:00 | 16,851,456 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2008/05/21 19:44:30 | 00,299,008 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\MagicKBD\PerformanceManager.exe
PRC - [2008/05/20 23:02:08 | 00,372,736 | ---- | M] (SAMSUNG Electronics Co., Ltd.) -- C:\Program Files\Samsung\MagicKBD\MagicKBD.exe
PRC - [2008/04/14 07:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 07:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2008/02/28 17:00:16 | 00,256,536 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2008/02/28 17:00:14 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/02/28 17:00:10 | 00,170,520 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2008/02/28 17:00:04 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2007/12/20 23:40:30 | 00,659,456 | ---- | M] (Samsung Electronics,.LTD) -- C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
PRC - [2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2007/04/01 08:02:38 | 01,416,072 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2007/04/01 08:02:38 | 00,568,176 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/04/01 08:02:36 | 00,273,256 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2007/02/22 19:50:00 | 00,144,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
PRC - [2007/02/22 19:50:00 | 00,112,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2007/02/22 19:50:00 | 00,054,872 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2006/12/19 14:06:00 | 00,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\Mctray.exe
PRC - [2006/12/19 10:27:54 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2006/12/19 10:27:00 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2006/12/19 10:24:50 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2006/11/10 09:46:26 | 01,504,304 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2006/10/30 17:29:28 | 00,036,864 | ---- | M] () -- C:\Program Files\Samsung\Samsung Network Manager\SNMWLANService.exe


========== Modules (SafeList) ==========

MOD - [2010/01/04 20:55:33 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicole\My Documents\Downloads\OTL.exe
MOD - [2008/10/08 08:43:08 | 00,037,568 | ---- | M] (Sassafras Software Inc.) -- C:\WINDOWS\katrack.dll
MOD - [2008/04/14 07:00:00 | 00,019,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\linkinfo.dll
MOD - [2007/04/02 00:00:48 | 00,086,016 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/04 18:59:49 | 01,181,328 | ---- | M] (Lavasoft) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/04/15 17:08:23 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/11/20 14:18:52 | 00,136,120 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/10/08 08:43:06 | 01,041,088 | ---- | M] (Sassafras Software Inc.) [Auto | Running] -- C:\WINDOWS\keyacc32.exe -- (KeyAccess)
SRV - [2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2007/04/01 08:02:36 | 00,273,256 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2007/02/22 19:50:00 | 00,144,960 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2007/02/22 19:50:00 | 00,054,872 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2006/12/19 10:24:50 | 00,104,000 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2006/11/10 09:46:26 | 01,504,304 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2006/10/30 17:29:28 | 00,036,864 | ---- | M] () [Auto | Running] -- C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe -- (SNM WLAN Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll (McAfee, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe ()
O4 - HKLM..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe (SAMSUNG Electronics)
O4 - HKLM..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe (Samsung Electronics,.LTD)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [KeyAccess] C:\WINDOWS\kass.exe (Sassafras Software Inc.)
O4 - HKLM..\Run: [MagicKeyboard] C:\Program Files\Samsung\MagicKBD\PreMKbd.exe ()
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SUPBackGround] C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe ()
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [DirectPlayerCore] C:\Program Files\NBC Direct\DirectPlayerCore.exe (NBC Universal)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.59.247.45 208.59.247.46
O20 - AppInit_DLLs: (KATRACK.DLL) - C:\WINDOWS\katrack.dll (Sassafras Software Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/11 18:32:14 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\##Newnika#e\Shell - "" = AutoRun
O33 - MountPoints2\##Newnika#e\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##Newnika#e\Shell\AutoRun\command - "" = N:\setup.exe -- File not found
O33 - MountPoints2\##Newnika#e\Shell\configure\command - "" = N:\setup.exe -- File not found
O33 - MountPoints2\##Newnika#e\Shell\install\command - "" = N:\setup.exe -- File not found
O33 - MountPoints2\{b62bd660-e4ea-11de-8dfb-00234d3ca3b0}\Shell - "" = AutoRun
O33 - MountPoints2\{b62bd660-e4ea-11de-8dfb-00234d3ca3b0}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/01/04 20:10:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nicole\Application Data\Malwarebytes
[2010/01/04 20:09:49 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/04 20:09:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/04 20:09:38 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/04 20:09:35 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/04 20:07:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/04 20:07:15 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/04 19:02:24 | 00,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/01/04 18:55:59 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/01/04 18:54:58 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/01/04 18:54:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/01/04 18:40:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nicole\Local Settings\Application Data\Threat Expert
[2010/01/04 18:19:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/04 18:13:12 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/01/01 19:28:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nicole\Desktop\Pics II
[2008/11/11 18:35:19 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/11/11 18:35:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/11/11 18:35:17 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/11/11 18:35:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/01/04 20:53:18 | 00,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2010/01/04 20:50:36 | 00,312,172 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/04 20:50:36 | 00,040,394 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/04 20:50:35 | 00,355,944 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/04 20:50:16 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/04 20:50:15 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/04 20:50:15 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/04 20:50:14 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/04 20:50:13 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/04 20:47:00 | 00,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1828068096-3152881185-2445671163-1005UA.job
[2010/01/04 20:46:05 | 00,001,542 | ---- | M] () -- C:\WINDOWS\keyacc.ini
[2010/01/04 20:45:59 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/04 20:45:47 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/04 20:45:43 | 10,637,02528 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/04 20:28:58 | 03,670,016 | -H-- | M] () -- C:\Documents and Settings\Nicole\NTUSER.DAT
[2010/01/04 20:28:58 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Nicole\ntuser.ini
[2010/01/04 20:09:55 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/04 18:42:37 | 00,002,293 | ---- | M] () -- C:\Documents and Settings\Nicole\Desktop\Google Chrome.lnk
[2010/01/02 10:18:31 | 00,033,864 | ---- | M] () -- C:\Documents and Settings\Nicole\Desktop\profile.jpg
[2010/01/01 19:28:05 | 00,008,192 | ---- | M] () -- C:\Documents and Settings\Nicole\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/01 12:47:00 | 00,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1828068096-3152881185-2445671163-1005Core.job
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/01/04 20:09:55 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/04 19:56:05 | 00,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/01/04 19:10:20 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/01/04 19:10:19 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/01/04 19:10:18 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/01/04 19:10:18 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/01/04 19:10:16 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/01/04 18:55:43 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/01/04 18:42:37 | 00,002,293 | ---- | C] () -- C:\Documents and Settings\Nicole\Desktop\Google Chrome.lnk
[2010/01/01 20:22:58 | 00,033,864 | ---- | C] () -- C:\Documents and Settings\Nicole\Desktop\profile.jpg
[2009/09/17 13:07:02 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/04/11 14:31:06 | 00,008,192 | ---- | C] () -- C:\Documents and Settings\Nicole\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/10 02:24:38 | 00,001,520 | ---- | C] () -- C:\WINDOWS\System32\Nicole_KBD.ini
[2009/04/09 11:29:24 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/04/09 10:57:15 | 00,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2009/01/05 14:31:34 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/11/11 18:44:21 | 00,001,522 | ---- | C] () -- C:\WINDOWS\System32\MagicKBD.INI
[2008/11/11 18:44:21 | 00,001,520 | ---- | C] () -- C:\WINDOWS\System32\Owner_KBD.ini
[2008/11/11 18:44:18 | 00,003,425 | ---- | C] () -- C:\WINDOWS\System32\KBDR.INI
[2008/11/11 18:44:18 | 00,002,741 | ---- | C] () -- C:\WINDOWS\System32\KBDD.INI
[2008/11/11 18:44:18 | 00,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDO.INI
[2008/11/11 18:44:18 | 00,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDC.INI
[2008/11/11 18:44:18 | 00,002,606 | ---- | C] () -- C:\WINDOWS\System32\KBDB.INI
[2008/11/11 18:44:18 | 00,002,236 | ---- | C] () -- C:\WINDOWS\System32\KBDQ.INI
[2008/11/11 18:44:18 | 00,001,956 | ---- | C] () -- C:\WINDOWS\System32\KBDE.INI
[2008/11/11 18:44:18 | 00,001,885 | ---- | C] () -- C:\WINDOWS\System32\KBDP.INI
[2008/11/11 18:44:18 | 00,001,857 | ---- | C] () -- C:\WINDOWS\System32\KBDUU.INI
[2008/11/11 18:44:18 | 00,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDG.INI
[2008/11/11 18:44:18 | 00,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDA.INI
[2008/11/11 18:44:18 | 00,001,834 | ---- | C] () -- C:\WINDOWS\System32\KBDU.INI
[2008/11/11 18:44:18 | 00,001,819 | ---- | C] () -- C:\WINDOWS\System32\KBDN.INI
[2008/11/11 18:44:18 | 00,001,699 | ---- | C] () -- C:\WINDOWS\System32\KBDT.INI
[2008/11/11 18:44:18 | 00,001,697 | ---- | C] () -- C:\WINDOWS\System32\KBDV.INI
[2008/11/11 18:44:18 | 00,001,522 | ---- | C] () -- C:\WINDOWS\System32\KBDS.INI
[2008/11/11 18:44:18 | 00,001,476 | ---- | C] () -- C:\WINDOWS\System32\KBDF.INI
[2008/11/11 18:42:05 | 00,000,135 | R--- | C] () -- C:\WINDOWS\System32\lngEng.ini
[2008/11/11 18:42:05 | 00,000,117 | ---- | C] () -- C:\WINDOWS\System32\lngKor.ini
[2008/11/11 18:38:50 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/11/11 18:36:16 | 00,004,300 | ---- | C] () -- C:\WINDOWS\System32\MEMIO.SYS
[2008/11/11 17:12:32 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2007/04/01 08:00:28 | 02,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/04/01 07:41:52 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2006/11/10 09:46:36 | 00,197,680 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2006/11/10 09:46:24 | 00,193,584 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2005/02/17 11:41:32 | 00,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 11:41:30 | 00,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 12:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[2000/09/01 12:00:00 | 00,001,542 | ---- | C] () -- C:\WINDOWS\keyacc.ini

========== LOP Check ==========

[2009/04/15 16:45:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\KeyAccess
[2009/09/21 21:12:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NBC Direct
[2009/11/24 14:10:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/01/04 18:58:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/04/12 20:32:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VanDyke
[2009/07/15 20:14:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2008/11/11 18:39:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLAN
[2009/08/25 08:55:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{02C45027-B817-41FE-A000-2799C43CEF41}
[2010/01/04 21:11:53 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2009/09/21 21:15:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\IDM
[2009/12/14 16:08:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\NBC Direct
[2009/08/25 08:55:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Seven Zip
[2010/01/04 20:50:13 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/01/04 20:50:14 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/01/04 20:50:15 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/01/04 20:50:15 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/01/04 20:50:16 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2008/04/14 03:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 03:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 07:00:00 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

OTL Extras logfile created on: 1/4/2010 9:04:29 PM - Run 1
OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\Nicole\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 341.00 Mb Available Physical Memory | 34.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.04 Gb Total Space | 58.58 Gb Free Space | 82.45% Space Free | Partition Type: NTFS
Drive D: | 72.00 Gb Total Space | 71.91 Gb Free Space | 99.87% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BABYPUTER
Current User Name: Nicole
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"57506:TCP" = 57506:TCP:*:Enabled:Pando Media Booster
"57506:UDP" = 57506:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\WINDOWS\keyacc32.exe" = C:\WINDOWS\keyacc32.exe:*:Enabled:KeyAccess -- (Sassafras Software Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Java\jre6\launch4j-tmp\Stanza.exe" = C:\Program Files\Java\jre6\launch4j-tmp\Stanza.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\NBC Direct\DirectPlayerCore.exe" = C:\Program Files\NBC Direct\DirectPlayerCore.exe:*:Enabled:NBC Direct -- (NBC Universal)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution III
"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager
"{176130BC-99A1-41FE-A78B-56045E33AD70}" = Cisco Systems VPN Client 4.8.02.0010
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{32D6A58F-9659-446C-BBFC-E6F2B41F24DC}" = Samsung Magic Doctor
"{34B611A5-B144-478E-AABF-7D3846A9ABB1}" = VanDyke Software SecureFX 6.1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{3D4D8BF8-1F7A-4269-B9DA-24D020F247DA}" = Ink Components
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{5CBB720F-08E6-4043-B83F-76C277AF6DE7}" = Samsung Wallpaper
"{6F730513-8688-4C3C-90A3-6B9792CE2EF3}" = Samsung Battery Manager
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{71A51B59-E7D3-11DB-A386-005056C00008}" = Namuga 1.3M Webcam
"{7B46F9CF-CF60-492E-816E-95EB1A9D1BB4}" = Play Camera
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E106A57-A17E-431D-B48F-175E42EB9F74}" = imagine digital freedom - Samsung
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A5F483F0-2D79-4FCA-AE09-D0D96E23EBF7}" = Samsung Update Plus
"{ABB14904-A11B-4F42-996C-80FD608A0F17}" = Samsung EDS
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}" = User Guide
"{BD723E53-A42C-4702-AA04-1D74A0311590}" = Magic Keyboard
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{DEA48EFD-22C1-4CD6-B887-EB2E6B2E4735}" = Samsung Network Manager 2.0
"{E23D1D2C-1762-11D5-A8D2-00C04FA35723}" = Sassafras K2 Client
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F46BF5EA-0B4E-4A41-8C4B-3B127346E30F}" = NBC Direct
"{F4F41D14-E0DD-4FB4-AA09-A14225C769BD}" = Atheros WLAN Client
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8.1.3 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CUZ4_is1" = CAM UnZip 4.42
"ERUNT_is1" = ERUNT 1.1j
"HDMI" = Intel® Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"Ink Components" = Ink Components
"InstallShield_{7B46F9CF-CF60-492E-816E-95EB1A9D1BB4}" = Play Camera
"InstallShield_{A5F483F0-2D79-4FCA-AE09-D0D96E23EBF7}" = Samsung Update Plus
"InstallShield_{DEA48EFD-22C1-4CD6-B887-EB2E6B2E4735}" = Samsung Network Manager 2.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Marvell Miniport Driver" = Marvell Miniport Driver
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"PDFAnnotator_is1" = PDF Annotator 2.0.0.258
"Picasa 3" = Picasa 3
"Stanza" = Stanza
"SynTPDeinstKey" = Synaptics Pointing Device Driver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"idm_flash" = IDM Flash 4.4.0.468
"Move Media Player" = Move Media Player
"NBC Direct" = NBC Direct

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/29/2009 7:08:34 PM | Computer Name = BABYPUTER | Source = Application Error | ID = 1000
Description = Faulting application btstac~1.exe, version 5.1.0.3300, faulting module
msvcrt.dll, version 7.0.2600.5512, fault address 0x000360cb.

Error - 12/31/2009 12:47:06 PM | Computer Name = BABYPUTER | Source = Google Update | ID = 20
Description =

Error - 12/31/2009 7:43:39 PM | Computer Name = BABYPUTER | Source = Application Error | ID = 1000
Description = Faulting application btstac~1.exe, version 5.1.0.3300, faulting module
btstac~1.exe, version 5.1.0.3300, fault address 0x00096dd2.

Error - 1/3/2010 11:26:30 PM | Computer Name = BABYPUTER | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/3/2010 11:26:36 PM | Computer Name = BABYPUTER | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/3/2010 11:27:37 PM | Computer Name = BABYPUTER | Source = Application Hang | ID = 1001
Description = Fault bucket 35273598.

Error - 1/3/2010 11:27:43 PM | Computer Name = BABYPUTER | Source = Application Hang | ID = 1001
Description = Fault bucket 35273598.

Error - 1/4/2010 9:47:07 AM | Computer Name = BABYPUTER | Source = Google Update | ID = 20
Description =

Error - 1/4/2010 7:00:27 PM | Computer Name = BABYPUTER | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 1/4/2010 7:58:58 PM | Computer Name = BABYPUTER | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

[ System Events ]
Error - 1/4/2010 9:30:21 PM | Computer Name = BABYPUTER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/4/2010 9:32:14 PM | Computer Name = BABYPUTER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 1/4/2010 9:32:14 PM | Computer Name = BABYPUTER | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 1/4/2010 9:40:24 PM | Computer Name = BABYPUTER | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the JavaQuickStarterService service.

Error - 1/4/2010 9:40:32 PM | Computer Name = BABYPUTER | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the PolicyAgent service.

Error - 1/4/2010 9:45:03 PM | Computer Name = BABYPUTER | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the JavaQuickStarterService service.

Error - 1/4/2010 9:46:12 PM | Computer Name = BABYPUTER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/4/2010 9:46:12 PM | Computer Name = BABYPUTER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/4/2010 9:48:20 PM | Computer Name = BABYPUTER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 1/4/2010 9:48:20 PM | Computer Name = BABYPUTER | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053


< End of report >
  • 0

Advertisements


#2
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link HERE

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

  • 0

#3
NikaD

NikaD

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi there. Thanks for the quick reply. When I woke up this morning, my viruscan had found an infection; I've attached the screen shots of those logs to this message. After I closed the window, about 10 minutes later another one popped up with another deleted temp file. This went on until I disabled the software temporarily.

Here's the result of the Combofix log:

ComboFix 10-01-04.01 - Nicole 01/05/2010 11:08:59.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.738 [GMT -5:00]
Running from: c:\documents and settings\Nicole\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\recycler\S-1-5-21-725345543-1677128483-515967899-1003
c:\windows\irc.txt
c:\windows\msetup
c:\windows\msetup\MSetup.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\AVR10.exe
c:\windows\system32\boMY1.dll
c:\windows\system32\BtwSrv.dll
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\Templates\info.tmp
c:\windows\system32\critical_warning.html
c:\windows\system32\drivers\sbncd.sys
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\Iasex.dll
c:\windows\system32\Install.txt
c:\windows\system32\Ipripv32.dll
c:\windows\system32\jigefuwi.dll
c:\windows\system32\jorujedi.dll
c:\windows\system32\junefare.dll
c:\windows\system32\kbdsock.dll
c:\windows\system32\lsm32.sys
c:\windows\system32\mshlps.dll
c:\windows\system32\opeia.exe
c:\windows\system32\pamuzuwa.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winsts.sys
c:\windows\system32\winupdate86.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\zokemare.dll
c:\windows\Temp\3979761276.exe
c:\windows\Temp\4078823776.exe
c:\windows\Temp\45575230.exe
c:\windows\TEMP\mta13187.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSRV
-------\Legacy_FASTNETSRV
-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_WINSTS
-------\Service_BtwSrv
-------\Service_fastnetsrv
-------\Service_Ias
-------\Service_Iprip
-------\Service_winsts
-------\Legacy_sbncd
-------\Service_sbncd


((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-05 15:45 . 2010-01-05 15:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-05 15:44 . 2010-01-05 15:44 24064 ----a-w- C:\coptnc.exe
2010-01-05 15:44 . 2010-01-05 15:44 241664 ----a-w- C:\gqps.exe
2010-01-05 15:44 . 2010-01-05 15:44 52736 ----a-w- C:\trhh.exe
2010-01-05 04:11 . 2010-01-05 04:11 23316 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-05 01:10 . 2010-01-05 01:10 -------- d-----w- c:\documents and settings\Nicole\Application Data\Malwarebytes
2010-01-05 01:09 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 01:09 . 2010-01-05 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 01:09 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 01:09 . 2010-01-05 15:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 01:07 . 2010-01-05 01:07 -------- d-----w- c:\program files\ERUNT
2010-01-04 23:54 . 2010-01-05 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-04 23:40 . 2010-01-04 23:40 -------- d-----w- c:\documents and settings\Nicole\Local Settings\Application Data\Threat Expert
2010-01-04 23:19 . 2010-01-04 23:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-04 23:13 . 2010-01-04 23:13 388096 ----a-r- c:\documents and settings\Nicole\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-04 23:13 . 2010-01-04 23:13 -------- d-----w- c:\program files\TrendMicro
2009-12-14 21:14 . 2009-12-14 21:14 152576 ----a-w- c:\documents and settings\Nicole\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 15:58 . 2008-11-11 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-14 21:19 . 2008-11-11 23:35 -------- d-----w- c:\program files\Java
2009-12-14 21:14 . 2009-11-13 00:52 79488 ----a-w- c:\documents and settings\Nicole\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-14 21:08 . 2009-09-22 02:12 -------- d-----w- c:\documents and settings\Nicole\Application Data\NBC Direct
2009-11-24 19:10 . 2009-09-22 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-10-29 07:45 . 2008-11-11 22:11 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-11-11 22:11 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-11-11 22:11 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-11-11 22:11 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-11-11 22:11 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-11-11 22:11 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-04-22 14:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 20:06 . 2009-09-28 03:22 126970 ----a-w- c:\documents and settings\Nicole\Application Data\Move Networks\uninstall.exe
2009-10-10 20:06 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nicole\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-10 05:04 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Nicole\Application Data\Move Networks\plugins\npqmp071503000010.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\kasiyebo.dll
1601-01-01 00:03 . 1601-01-01 00:03 45568 --sha-w- c:\windows\system32\teteripe.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-09 133104]
"DirectPlayerCore"="c:\program files\NBC Direct\DirectPlayerCore.exe" [2009-07-08 1150016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-10-27 298664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"KeyAccess"="kass.exe" [2008-10-08 82624]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
VPN Client.lnk - c:\windows\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2009-4-9 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\Stanza.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=
"c:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57506:TCP"= 57506:TCP:Pando Media Booster
"57506:UDP"= 57506:UDP:Pando Media Booster

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [11/11/2008 6:36 PM 4300]
R2 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [10/8/2008 8:43 AM 1041088]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\Samsung\Samsung Network Manager\SNMWLANService.exe [10/30/2006 5:29 PM 36864]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 10:01 PM 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [11/11/2008 6:40 PM 238464]
S3 ADDMEM;ADDMEM;\??\c:\docume~1\Nicole\LOCALS~1\Temp\__Samsung_Update\ADDMEM.SYS --> c:\docume~1\Nicole\LOCALS~1\Temp\__Samsung_Update\ADDMEM.SYS [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/4/2010 8:09 PM 38224]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [11/11/2008 5:11 PM 2304]
.
Contents of the 'Scheduled Tasks' folder

2010-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1828068096-3152881185-2445671163-1005Core.job
- c:\documents and settings\Nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-09 16:35]

2010-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1828068096-3152881185-2445671163-1005UA.job
- c:\documents and settings\Nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-09 16:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/MemberHome
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {D79C9C71-4700-45B3-BBAC-10CC30A51ECB} = 193.104.110.38,4.2.2.1,208.59.247.45 208.59.247.46
.
- - - - ORPHANS REMOVED - - - -

BHO-{f34d77b9-e57b-45d3-bfed-318e0e42f758} - junefare.dll
HKLM-Run-nutafedone - jorujedi.dll
HKLM-Run-kipafinet - c:\windows\system32\pamuzuwa.dll
SharedTaskScheduler-{4da3a1cf-4831-4d1e-80d8-25d3d4193b46} - c:\windows\system32\pamuzuwa.dll
SSODL-jetidawof-{4da3a1cf-4831-4d1e-80d8-25d3d4193b46} - c:\windows\system32\pamuzuwa.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 11:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,f6,af,72,e2,d9,76,4f,b1,d4,46,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,f6,af,72,e2,d9,76,4f,b1,d4,46,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(820)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2520)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\kass.exe
c:\program files\SAMSUNG\MagicKBD\MagicKBD.exe
c:\program files\SAMSUNG\MagicKBD\PerformanceManager.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Pando Networks\Media Booster\pmb.exe
.
**************************************************************************
.
Completion time: 2010-01-05 11:27:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-05 16:27

Pre-Run: 64,621,096,960 bytes free
Post-Run: 64,640,122,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - CF7D01BD7E0F340FA32E4BE1F1C2A35A

Attached Thumbnails

  • Bredolab_screen_capture.JPG
  • Bredolab_screen_capture_2.JPG

  • 0

#4
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\coptnc.exe
C:\gqps.exe
C:\trhh.exe
c:\windows\system32\kasiyebo.dll
c:\windows\system32\teteripe.dll

Folder::

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 0
"NoActiveDesktopChanges"= 0

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean


Posted Image Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.
  • 0

#5
NikaD

NikaD

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks again for the quick response. The MBAM and Combo Fix Logs are below:

Malwarebytes' Anti-Malware 1.43
Database version: 3496
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/5/2010 12:30:24 PM
mbam-log-2010-01-05 (12-30-24).txt

Scan type: Quick Scan
Objects scanned: 102971
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d79c9c71-4700-45b3-bbac-10cc30a51ecb}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,208.59.247.45 208.59.247.46 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ndisdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bwsb.gio (Backdoor.Bot) -> Quarantined and deleted successfully.


ComboFix 10-01-04.01 - Nicole 01/05/2010 11:57:33.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.526 [GMT -5:00]
Running from: c:\documents and settings\Nicole\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nicole\Desktop\CFScript.txt

FILE ::
"C:\coptnc.exe"
"C:\gqps.exe"
"C:\trhh.exe"
"c:\windows\system32\kasiyebo.dll"
"c:\windows\system32\teteripe.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\coptnc.exe
C:\gqps.exe
C:\trhh.exe
c:\windows\system32\kasiyebo.dll
c:\windows\system32\teteripe.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-05 15:45 . 2010-01-05 15:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-05 04:11 . 2010-01-05 04:11 23316 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-05 01:10 . 2010-01-05 01:10 -------- d-----w- c:\documents and settings\Nicole\Application Data\Malwarebytes
2010-01-05 01:09 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 01:09 . 2010-01-05 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 01:09 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 01:09 . 2010-01-05 15:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 01:07 . 2010-01-05 01:07 -------- d-----w- c:\program files\ERUNT
2010-01-04 23:54 . 2010-01-05 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-04 23:40 . 2010-01-04 23:40 -------- d-----w- c:\documents and settings\Nicole\Local Settings\Application Data\Threat Expert
2010-01-04 23:19 . 2010-01-04 23:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-04 23:13 . 2010-01-04 23:13 388096 ----a-r- c:\documents and settings\Nicole\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-04 23:13 . 2010-01-04 23:13 -------- d-----w- c:\program files\TrendMicro
2009-12-14 21:14 . 2009-12-14 21:14 152576 ----a-w- c:\documents and settings\Nicole\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 15:58 . 2008-11-11 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-14 21:19 . 2008-11-11 23:35 -------- d-----w- c:\program files\Java
2009-12-14 21:14 . 2009-11-13 00:52 79488 ----a-w- c:\documents and settings\Nicole\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-14 21:08 . 2009-09-22 02:12 -------- d-----w- c:\documents and settings\Nicole\Application Data\NBC Direct
2009-11-24 19:10 . 2009-09-22 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-10-29 07:45 . 2008-11-11 22:11 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-11-11 22:11 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-11-11 22:11 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-11-11 22:11 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-11-11 22:11 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-11-11 22:11 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-04-22 14:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 20:06 . 2009-09-28 03:22 126970 ----a-w- c:\documents and settings\Nicole\Application Data\Move Networks\uninstall.exe
2009-10-10 20:06 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nicole\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-10 05:04 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Nicole\Application Data\Move Networks\plugins\npqmp071503000010.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-09 133104]
"DirectPlayerCore"="c:\program files\NBC Direct\DirectPlayerCore.exe" [2009-07-08 1150016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-10-27 298664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"KeyAccess"="kass.exe" [2008-10-08 82624]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
VPN Client.lnk - c:\windows\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2009-4-9 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\Stanza.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=
"c:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57506:TCP"= 57506:TCP:Pando Media Booster
"57506:UDP"= 57506:UDP:Pando Media Booster

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [11/11/2008 6:36 PM 4300]
R2 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [10/8/2008 8:43 AM 1041088]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 10:01 PM 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [11/11/2008 6:40 PM 238464]
S2 SNM WLAN Service;SNM WLAN Service;c:\program files\Samsung\Samsung Network Manager\SNMWLANService.exe [10/30/2006 5:29 PM 36864]
S3 ADDMEM;ADDMEM;\??\c:\docume~1\Nicole\LOCALS~1\Temp\__Samsung_Update\ADDMEM.SYS --> c:\docume~1\Nicole\LOCALS~1\Temp\__Samsung_Update\ADDMEM.SYS [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/4/2010 8:09 PM 38224]
S3 ndisdrv;ndisdrv;c:\windows\system32\ndisdrv.sys [11/11/2008 5:11 PM 2304]
.
Contents of the 'Scheduled Tasks' folder

2010-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1828068096-3152881185-2445671163-1005Core.job
- c:\documents and settings\Nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-09 16:35]

2010-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1828068096-3152881185-2445671163-1005UA.job
- c:\documents and settings\Nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-09 16:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/MemberHome
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {D79C9C71-4700-45B3-BBAC-10CC30A51ECB} = 193.104.110.38,4.2.2.1,208.59.247.45 208.59.247.46
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,f6,af,72,e2,d9,76,4f,b1,d4,46,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,f6,af,72,e2,d9,76,4f,b1,d4,46,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(820)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-01-05 12:06:11
ComboFix-quarantined-files.txt 2010-01-05 17:06
ComboFix2.txt 2010-01-05 16:27

Pre-Run: 64,631,013,376 bytes free
Post-Run: 64,595,566,592 bytes free

- - End Of File - - F43CC09BD8E2D884DA4C32C8C6648B81
  • 0

#6
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi,

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Posted Image Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.
  • 0

#7
NikaD

NikaD

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Maybe this is the good news I hope it is? If so, thank you VERY much!

Malwarebytes' Anti-Malware 1.43
Database version: 3496
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/5/2010 2:04:51 PM
mbam-log-2010-01-05 (14-04-51).txt

Scan type: Quick Scan
Objects scanned: 102965
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#8
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Its a good sign anyway! :)

Lets do a deep scan you see if anything else is there.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    Posted Image

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

  • 0

#9
NikaD

NikaD

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi again-- so here's the report of the deep scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, January 5, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 05, 2010 19:22:47
Records in database: 3345039
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 46990
Threats found: 6
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 02:23:14


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir Infected: Backdoor.Win32.Agent.ankf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir Infected: Trojan.JS.Hoax.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Ipripv32.dll.vir Infected: Backdoor.Win32.Agent.anlr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir Infected: Trojan.Win32.Agent.deot 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mshlps.dll.vir Infected: Trojan.Win32.Agent.deou 1

Selected area has been scanned.
  • 0

#10
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
That looks ok, everything is quarantined.

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

Advertisements


#11
NikaD

NikaD

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Okay, here are the SecurityCheck and DDS reports:

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
``````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 17
Adobe Flash Player 10
Adobe Reader 8.1.5
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````



DDS (Ver_09-12-01.01) - NTFSx86
Run by Nicole at 9:47:04.60 on Wed 01/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.713 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\keyacc32.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\WINDOWS\kass.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Program Files\NBC Direct\DirectPlayerCore.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Pando Networks\Media Booster\pmb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Nicole\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Google Update] "c:\documents and settings\nicole\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DirectPlayerCore] "c:\program files\nbc direct\DirectPlayerCore.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [SUPBackGround] c:\program files\samsung\samsung update plus\SUPBackGround.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KeyAccess] kass.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{176130bc-99a1-41fe-a78b-56045e33ad70}\Icon3E5562ED7.ico
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\katrack.dll

============= SERVICES / DRIVERS ===============

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-11-11 4300]
R2 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [2008-10-8 1041088]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\samsung\samsung network manager\SNMWLANService.exe [2006-10-30 36864]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2008-11-11 238464]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 ADDMEM;ADDMEM;\??\c:\docume~1\nicole\locals~1\temp\__samsung_update\addmem.sys --> c:\docume~1\nicole\locals~1\temp\__samsung_update\ADDMEM.SYS [?]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-01-05 19:20:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-05 17:17:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 17:17:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 17:17:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 16:56:01 0 d-----w- C:\ComboFix
2010-01-05 16:03:08 0 d-sha-r- C:\cmdcons
2010-01-05 16:00:01 98816 ----a-w- c:\windows\sed.exe
2010-01-05 16:00:01 77312 ----a-w- c:\windows\MBR.exe
2010-01-05 16:00:01 261632 ----a-w- c:\windows\PEV.exe
2010-01-05 16:00:01 161792 ----a-w- c:\windows\SWREG.exe
2010-01-05 04:11:34 23316 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-05 01:10:03 0 d-----w- c:\docume~1\nicole\applic~1\Malwarebytes
2010-01-05 01:09:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-04 23:13:12 0 d-----w- c:\program files\TrendMicro

==================== Find3M ====================

2010-01-05 19:20:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 9:47:56.01 ===============

Attached Files


  • 0

#12
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\ndisdrv.sys

Folder::

Registry::

Driver::
ndisdrv


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please download ONE of the following antivirus programs and install it.

Once installed, Update it, run full system scan with it and allow it to fix up what it finds.

Reboot if it fixed anything.


Visit THIS website to obtain the latest update for Adobe reader, yours is quite out of date now.



How are things running?
  • 0

#13
NikaD

NikaD

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Everything looks good! Searches are running like normal again, and it's back up to full speed.

Avast! deleted all the quarantined files, and I ran another full scan after reboot... nothing was found on that scan. I updated the Adobe, as well. And the last ComboFix file is below.

Thank you SO much for your help-- assuming we're finally there?


ComboFix 10-01-04.01 - Nicole 01/06/2010 10:22:35.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.717 [GMT -5:00]
Running from: c:\documents and settings\Nicole\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nicole\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\indisdrv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISDRV
-------\Service_ndisdrv


((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.

2010-01-05 17:17 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 17:17 . 2010-01-05 17:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 17:17 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 15:45 . 2010-01-05 15:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-05 04:11 . 2010-01-05 04:11 23316 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-05 01:10 . 2010-01-05 01:10 -------- d-----w- c:\documents and settings\Nicole\Application Data\Malwarebytes
2010-01-05 01:09 . 2010-01-05 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 01:07 . 2010-01-05 01:07 -------- d-----w- c:\program files\ERUNT
2010-01-04 23:54 . 2010-01-05 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-04 23:40 . 2010-01-04 23:40 -------- d-----w- c:\documents and settings\Nicole\Local Settings\Application Data\Threat Expert
2010-01-04 23:19 . 2010-01-04 23:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-04 23:13 . 2010-01-04 23:13 388096 ----a-r- c:\documents and settings\Nicole\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-04 23:13 . 2010-01-04 23:13 -------- d-----w- c:\program files\TrendMicro
2009-12-14 21:14 . 2009-12-14 21:14 152576 ----a-w- c:\documents and settings\Nicole\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 14:50 . 2009-09-22 02:12 -------- d-----w- c:\documents and settings\Nicole\Application Data\NBC Direct
2010-01-05 19:20 . 2009-04-22 14:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-05 15:58 . 2008-11-11 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-14 21:19 . 2008-11-11 23:35 -------- d-----w- c:\program files\Java
2009-12-14 21:14 . 2009-11-13 00:52 79488 ----a-w- c:\documents and settings\Nicole\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 19:10 . 2009-09-22 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-10-29 07:45 . 2008-11-11 22:11 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-11-11 22:11 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-11-11 22:11 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-11-11 22:11 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-11-11 22:11 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-11-11 22:11 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 20:06 . 2009-09-28 03:22 126970 ----a-w- c:\documents and settings\Nicole\Application Data\Move Networks\uninstall.exe
2009-10-10 20:06 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nicole\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-10 05:04 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Nicole\Application Data\Move Networks\plugins\npqmp071503000010.dll
.

((((((((((((((((((((((((((((( [email protected]_16.23.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-06 15:28 . 2010-01-06 15:28 16384 c:\windows\Temp\Perflib_Perfdata_6fc.dat
- 2008-11-11 22:11 . 2010-01-05 16:22 40394 c:\windows\system32\perfc009.dat
+ 2008-11-11 22:11 . 2010-01-06 15:32 40394 c:\windows\system32\perfc009.dat
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-11-11 22:11 . 2010-01-06 15:32 312172 c:\windows\system32\perfh009.dat
- 2008-11-11 22:11 . 2010-01-05 16:22 312172 c:\windows\system32\perfh009.dat
+ 2010-01-05 19:20 . 2010-01-05 19:20 149280 c:\windows\system32\javaws.exe
- 2009-12-14 21:20 . 2009-10-11 09:17 149280 c:\windows\system32\javaws.exe
- 2009-12-14 21:20 . 2009-10-11 09:17 145184 c:\windows\system32\javaw.exe
+ 2010-01-05 19:20 . 2010-01-05 19:20 145184 c:\windows\system32\javaw.exe
- 2009-12-14 21:20 . 2009-10-11 09:17 145184 c:\windows\system32\java.exe
+ 2010-01-05 19:20 . 2010-01-05 19:20 145184 c:\windows\system32\java.exe
+ 2010-01-06 14:40 . 2010-01-06 14:40 195584 c:\windows\Installer\43ce58a.msi
+ 2010-01-05 19:20 . 2010-01-05 19:20 1757696 c:\windows\Installer\1546cd.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-09 133104]
"DirectPlayerCore"="c:\program files\NBC Direct\DirectPlayerCore.exe" [2009-07-08 1150016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-10-27 298664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"KeyAccess"="kass.exe" [2008-10-08 82624]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-05 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
VPN Client.lnk - c:\windows\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2009-4-9 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\Stanza.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=
"c:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57506:TCP"= 57506:TCP:Pando Media Booster
"57506:UDP"= 57506:UDP:Pando Media Booster

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [11/11/2008 6:36 PM 4300]
R2 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [10/8/2008 8:43 AM 1041088]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\Samsung\Samsung Network Manager\SNMWLANService.exe [10/30/2006 5:29 PM 36864]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 10:01 PM 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [11/11/2008 6:40 PM 238464]
S3 ADDMEM;ADDMEM;\??\c:\docume~1\Nicole\LOCALS~1\Temp\__Samsung_Update\ADDMEM.SYS --> c:\docume~1\Nicole\LOCALS~1\Temp\__Samsung_Update\ADDMEM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1828068096-3152881185-2445671163-1005Core.job
- c:\documents and settings\Nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-09 16:35]

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1828068096-3152881185-2445671163-1005UA.job
- c:\documents and settings\Nicole\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-09 16:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netflix.com/MemberHome
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 10:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,f6,af,72,e2,d9,76,4f,b1,d4,46,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,f6,af,72,e2,d9,76,4f,b1,d4,46,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\kass.exe
c:\program files\SAMSUNG\MagicKBD\MagicKBD.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Pando Networks\Media Booster\pmb.exe
.
**************************************************************************
.
Completion time: 2010-01-06 10:37:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 15:37
ComboFix2.txt 2010-01-05 17:06
ComboFix3.txt 2010-01-05 16:27

Pre-Run: 64,390,729,728 bytes free
Post-Run: 64,457,777,152 bytes free

- - End Of File - - 17EF2C9048AF82DDFE7CB553BA2EA772
  • 0

#14
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Looks good to me.

Now for the good news,

Congratulations your logs appear clean!! :)

Clean up

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    Posted Image
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything assoicated with it.


  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

You should have a good anti spyware program - We recommend MalwareBytes Anti-Malware and SUPERAntiSpyware

MVPS Hosts file The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer

Winpatrol Download and install the free version of Winpatrol. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Spring Cleaning

TFC - Temp File Cleaner by OldTimer - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place
  • 0

#15
NikaD

NikaD

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you so much! What a relief!! :) And I NEVER would have been able to get here myself!

Edited by NikaD, 07 January 2010 - 09:17 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP