Generic Dropper JS & Desktop Security 2010



#1 JonMajor (Member, 41 posts)
My computer just popped up a security scan called Desktop Security 2010. This program was installed on my computer and I also got another warning saying I am infected with a Generic Dropper JS virus. My computer is now running slow. I am running a Malwarebytes scan now and will post the log. I will go through the other cleaning tools as well and post the logs. I just got this message and wanted to run Malwarebytes ASAP. I appreciate your help.

Edited by admin, 03 May 2010 - 12:11 PM.

#2 JonMajor (Topic Starter, 41 posts)
Here is my Malwarebytes log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/29/2010 11:47:54 AM
mbam-log-2010-04-29 (11-47-54).txt

Scan type: Quick scan
Objects scanned: 142434
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 16

Memory Processes Infected:
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\securitycenter.exe (Rogue.DesktopSecurity2010) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\mfc71.dll (Rogue.DesktopSecurity2010) -> Delete on reboot.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\MFC71ENU.DLL (Rogue.DesktopSecurity2010) -> Delete on reboot.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\msvcp71.dll (Rogue.DesktopSecurity2010) -> Delete on reboot.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\msvcr71.dll (Rogue.DesktopSecurity2010) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\securitycenter (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\mharrison\Start Menu\Programs\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\mharrison\Start Menu\Programs\Desktop Security 2010\Activate Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Start Menu\Programs\Desktop Security 2010\Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Start Menu\Programs\Desktop Security 2010\Help Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Start Menu\Programs\Desktop Security 2010\How to Activate Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\Desktop Security 2010.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\mfc71.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\MFC71ENU.DLL (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\msvcp71.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\msvcr71.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\securitycenter.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\securityhelper.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Application Data\Desktop Security 2010\taskmgr.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Start Menu\Programs\Desktop Security 2010.LNK (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Security 2010.LNK (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Local Settings\Temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\mharrison\Local Settings\Temp\test.exe (Trojan.Agent) -> Quarantined and deleted successfully.
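Read as a triage record rather than a count, the log above says four things: the two values under HKEY_CURRENT_USER\...\CurrentVersion\Run are the rogue's autostart entries; UpdatesDisableNotify=1 under Security Center, flagged Disabled.SecurityCenter, is a Security Center notification switched off; the Temp executables flagged Trojan.Downloader and Trojan.Agent are the likely delivery stage; and the four DLLs marked "Delete on reboot" stay on disk until the machine is restarted, so a rescan before a reboot will see them again. The Python script below is an added example, not part of this thread or of Malwarebytes: it parses lines in this log format and sorts the entries into those four buckets. The sample log is a constructed excerpt modelled on the post, with the user name replaced.

```python
import re
from collections import defaultdict

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log format seen
# above; user name replaced and most entries dropped. Not the poster's log.
SAMPLE_LOG = r"""
Memory Processes Infected: 1
Registry Values Infected: 2

Memory Processes Infected:
C:\Documents and Settings\user\Application Data\Desktop Security 2010\securitycenter.exe (Rogue.DesktopSecurity2010) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\user\Application Data\Desktop Security 2010\mfc71.dll (Rogue.DesktopSecurity2010) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\securitycenter (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\test.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Memory Processes Infected:" with nothing after the colon opens a section;
# the summary lines at the top ("... Infected: 1") carry a count and are skipped.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# "<path or registry key> (<detection family>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Lower-case substrings of registry paths that are autostart locations.
AUTORUN_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
                   "\\winlogon\\", "\\currentversion\\explorer\\")


def parse_mbam_log(text):
    """Map each '<X> Infected' section to a list of (item, family, action)."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append(
                (m.group("item"), m.group("family"), m.group("action").rstrip(".")))
    return dict(sections)


def triage(sections):
    """Sort parsed entries into what matters for the next remediation step."""
    findings = {"autoruns": [], "pending_reboot": [], "tampering": [], "downloaders": []}
    for section, entries in sections.items():
        for item, family, action in entries:
            low = item.lower()
            if section.startswith("Registry") and any(mk in low for mk in AUTORUN_MARKERS):
                findings["autoruns"].append(item)          # persistence mechanism
            if action.lower().startswith("delete on reboot"):
                findings["pending_reboot"].append(item)    # still on disk until restart
            if family.startswith("Disabled."):
                findings["tampering"].append(item)         # OS security feature switched off
            if family.startswith(("Trojan.Downloader", "Trojan.Dropper")):
                findings["downloaders"].append(item)       # delivery stage
    return findings


if __name__ == "__main__":
    for kind, items in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{kind}: {len(items)}")
        for it in items:
            print("   ", it)
```

Run it against a saved mbam-log-*.txt by reading the file into `parse_mbam_log`; a non-empty `pending_reboot` list is the cue to reboot before rescanning, and a non-empty `tampering` list is the cue to confirm afterwards that Security Center, automatic updates and the firewall are back on.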

#3 JonMajor (Topic Starter, 41 posts)
MBAM did a lot of the removal, but my computer still seems to be infected with something. I did not have time to run the other programs and get more logs. I ran MBAM again and it found another 2 infections, so something is still up. I might be able to run the scans over the weekend. Will keep the forum posted. Thanks for all your help. Great forum and work.

#4 ldtate (Malware Expert, MVP, 1,874 posts)

DO NOT use any TOOLS such as Combofix, Vundofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.



Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. Run them with Admin Rights (right-click, choose "Run as Administrator").


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.
Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:
Double-click on the Folder Options icon.
Click on the View tab.


If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.
Click on Show Hidden Files or Folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.




Please do not delete anything unless instructed to.


We've been seeing some Java infections lately.
Go here and follow the instructions to clear your Java Cache


Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:


Download ComboFix from one of these locations:

Link 1
Link 2 (if using this link, right-click and select Save As)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: ComboFix will run without the Recovery Console installed. If you have SP3, use the SP2 package. If you're running Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix prompt not reproduced]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

#5 ldtate (Malware Expert, MVP, 1,874 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#6 admin (Founder Geek, Administrator, 24,575 posts)
Topic opened at starter's request.

I started a forum last week, and was unable to respond over the weekend. Please re-open forum. I ran the scan and would like to post the log. Thank you.



#7 JonMajor (Topic Starter, 41 posts)
Thank you. Below is my ComboFix log.

ComboFix 10-05-03.01 - mharrison 05/03/2010 13:47:49.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1460 [GMT -4:00]
Running from: c:\documents and settings\mharrison\Desktop\Downloads\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\WindowsUpdate
c:\windows\system32\Temp

----- BITS: Possible infected sites -----

hxxp://ppc.thomson.com.edgesuite.net
.
((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-04-29 17:13 . 2010-04-29 17:13 -------- d-----w- c:\program files\ERUNT
2010-04-23 15:19 . 2010-04-23 15:19 -------- d-----w- c:\documents and settings\mharrison\TOSHIBA
2010-04-16 13:51 . 2010-04-16 13:51 -------- d-----w- c:\program files\uTorrent
2010-04-16 13:51 . 2010-04-29 17:20 -------- d-----w- c:\documents and settings\mharrison\Application Data\uTorrent
2010-04-15 21:18 . 2009-12-24 06:59 177664 ------w- c:\windows\system32\dllcache\wintrust.dll
2010-04-15 21:17 . 2010-02-12 04:33 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-04-15 21:17 . 2010-01-13 14:01 86016 ------w- c:\windows\system32\dllcache\cabview.dll
2010-04-15 19:57 . 2010-04-20 20:56 -------- d-----w- c:\documents and settings\mharrison\Application Data\mIRC
2010-04-15 19:57 . 2010-04-20 17:43 -------- d-----w- c:\program files\mIRC
2010-04-14 17:52 . 2010-04-14 17:52 49600 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 17:35 . 2008-10-09 22:53 -------- d-----w- c:\program files\SAAZOD
2010-05-03 13:43 . 2009-06-26 13:33 -------- d-----w- c:\program files\SAAZSBE
2010-04-29 21:07 . 2008-10-03 19:50 -------- d-----w- c:\program files\TeamViewer3
2010-04-29 15:17 . 2009-08-04 20:45 -------- d-----w- c:\documents and settings\mharrison\Application Data\vlc
2010-04-20 14:42 . 2009-06-26 15:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 14:42 . 2009-11-03 15:01 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-14 22:04 . 2009-12-08 20:04 -------- d-----w- c:\documents and settings\mharrison\Application Data\SpinTop
2010-04-08 13:35 . 2009-03-02 14:28 -------- d-----w- c:\program files\LogMeIn
2010-03-30 04:46 . 2009-06-26 15:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-06-26 15:59 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 20:50 . 2010-03-25 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2010-03-25 20:49 . 2010-03-25 18:53 -------- d-----w- c:\program files\Sony
2010-03-25 19:01 . 2010-03-25 19:01 -------- d-----w- c:\documents and settings\mharrison\Application Data\Publish Providers
2010-03-25 19:01 . 2010-03-25 19:01 -------- d-----w- c:\documents and settings\mharrison\Application Data\NetMedia Providers
2010-03-25 19:01 . 2010-03-25 19:01 -------- d-----w- c:\documents and settings\mharrison\Application Data\Sony
2010-03-25 18:52 . 2010-03-25 18:52 -------- d-----w- c:\program files\Sony Setup
2010-03-25 18:00 . 2010-03-25 17:51 -------- d-----w- c:\program files\Image-Line
2010-03-25 17:55 . 2010-03-25 17:55 -------- d-----w- c:\program files\ASIO4ALL v2
2010-03-25 17:54 . 2010-03-25 17:54 -------- d-----w- c:\program files\VstPlugins
2010-03-25 17:54 . 2010-03-25 17:54 -------- d-----w- c:\program files\Outsim
2010-03-24 22:41 . 2010-03-24 22:41 -------- d-----w- c:\documents and settings\mharrison\Application Data\Propellerhead Software
2010-03-24 22:41 . 2010-03-24 22:41 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-03-24 22:41 . 2010-03-24 22:41 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2010-03-24 22:41 . 2010-03-24 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Propellerhead Software
2010-03-24 22:35 . 2010-03-24 22:35 -------- d-----w- c:\program files\Propellerhead
2010-03-23 21:50 . 2010-03-23 21:50 -------- d-----w- c:\documents and settings\mharrison\Application Data\Media Player Classic
2010-03-23 21:49 . 2010-03-23 21:49 -------- d-----w- c:\program files\MPC HomeCinema
2010-03-22 13:25 . 2008-10-28 19:51 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-10 06:15 . 2004-08-11 23:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-11 23:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 18:57 . 2008-02-09 15:39 10530 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-02-16 14:08 . 2004-08-11 23:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-11 23:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-11 23:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2010-01-04 669008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 13:22 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-05-10 17:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2007-10-09 10:17 2183168 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp 1000 firmware]
2001-12-15 17:10 36864 ------w- c:\program files\hp LaserJet 1000\fwdl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 02:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 17:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2007-08-03 20:09 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 03:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-04-24 03:01 303104 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonicWALLNetExtender]
2007-06-08 23:02 558776 ----a-w- c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-21 15:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-04-27 07:10 851968 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer3\\TeamViewer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [11/29/2007 9:12 PM 3456]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 9:22 AM 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [1/16/2010 2:22 AM 203056]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R2 MSSQL$TOCTTARGPPC05;SQL Server (TOCTTARGPPC05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.EXE [6/26/2009 9:32 AM 81920]
R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [6/26/2009 9:32 AM 73728]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [3/3/2009 10:21 AM 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [11/21/2006 3:18 PM 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\\SAAZWatchDog --> c:\progra~1\SAAZOD\\SAAZWatchDog [?]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [1/4/2010 6:02 PM 1012080]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [6/8/2007 7:02 PM 19640]
S2 0288931246898572mcinstcleanup;McAfee Application Installer Cleanup (0288931246898572);c:\docume~1\ZBRELL~1\LOCALS~1\Temp\028893~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ZBRELL~1\LOCALS~1\Temp\028893~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-436374069-839522115-1630Core.job
- c:\documents and settings\mharrison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-01 18:58]

2010-05-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-436374069-839522115-1630UA.job
- c:\documents and settings\mharrison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-01 18:58]

2010-05-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-05-03 c:\windows\Tasks\Outlook-Sync Plug-in - mharrison.job
- c:\program files\Outlook-Sync\OutlookPlugin.exe [2008-11-05 00:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sherbcpa.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://10.10.10.2/NELX.cab
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://sherbssl.sherbcpa.com/MLWebCacheCleaner.cab
FF - ProfilePath - c:\documents and settings\mharrison\Application Data\Mozilla\Firefox\Profiles\lgrfd828.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAAZWatchDog]
"ImagePath"="c:\progra~1\SAAZOD\\SAAZWatchDog"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BE75072F-10F2-B6D3-C32D-1169F78155A4}\InProcServer32*]
"eabhkjjpeo"=hex:6b,61,66,61,64,69,64,66,67,64,62,67,68,61,6c,69,68,6b,62,6e,
67,62,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-05-03 13:57:07
ComboFix-quarantined-files.txt 2010-05-03 17:57

Pre-Run: 2,402,328,576 bytes free
Post-Run: 2,363,133,952 bytes free

- - End Of File - - E1F00C1B98885DF0C85ACE5E73F506C8
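A ComboFix log also records the state the machine was left in, which is the part a helper reads before the file lists: the AV header reports on-access scanning disabled and signatures outdated, the FW header reports the firewall disabled, the firewall policy block shows "EnableFirewall"= 0, and two services (SAAZWatchDog and the McAfee cleanup service in a user's Temp directory) end in [?], meaning ComboFix could not find the binary the service points at. The Python script below is an added example, not part of this thread or of ComboFix: it pulls those posture indicators out of lines in this log format. The sample is a constructed excerpt modelled on the log above, with most entries omitted.

```python
import re

# Constructed excerpt modelled on the ComboFix log in the post above
# (most entries omitted); not the poster's full log.
SAMPLE_COMBOFIX = r"""
AV: Bitdefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\\SAAZWatchDog --> c:\progra~1\SAAZOD\\SAAZWatchDog [?]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [1/4/2010 6:02 PM 1012080]
S2 0288931246898572mcinstcleanup;McAfee Application Installer Cleanup (0288931246898572);c:\docume~1\ZBRELL~1\LOCALS~1\Temp\028893~1.EXE -cleanup --> c:\docume~1\ZBRELL~1\LOCALS~1\Temp\028893~1.EXE -cleanup [?]
"""

# "AV: <product> *<state>* (<flag>) {GUID}"  /  "FW: <product> *<state>* {GUID}"
PROTECTION_RE = re.compile(r"^(AV|FW): (.+?) \*(.+?)\*(?: \((\w+)\))?")
# Windows Firewall policy value as ComboFix prints it: "EnableFirewall"= 0 (0x0)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
# Service lines: "<R|S><start type> <name>;<display name>;<image path> [<date size> | ?]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")


def combofix_indicators(text):
    """Collect protection, firewall and service indicators from ComboFix log lines."""
    ind = {"protection": [], "firewall_policy": [],
           "services_missing_image": [], "services_in_temp": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROTECTION_RE.match(line)
        if m:
            kind, product, state, flag = m.groups()
            # Flag protection that is off or running stale signatures.
            if "disabled" in state.lower() or (flag or "").lower() == "outdated":
                ind["protection"].append((kind, product, state, flag))
            continue
        m = FIREWALL_RE.match(line)
        if m:
            if m.group(1) == "0":
                ind["firewall_policy"].append(line)   # firewall switched off by policy
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path.endswith("[?]"):
                ind["services_missing_image"].append(name)   # binary not found on disk
            if "\\temp\\" in path.lower():
                ind["services_in_temp"].append(name)         # service running from Temp
    return ind


if __name__ == "__main__":
    for kind, items in combofix_indicators(SAMPLE_COMBOFIX).items():
        print(f"{kind}: {items}")
```

A service whose image is missing is usually a leftover to clean up rather than a live threat, but a service registered from a Temp directory deserves a look either way; the firewall AuthorizedApplications list (here uTorrent and TeamViewer) and the BITS "Possible infected sites" entry are worth reading by hand, since whether they belong is a judgement call, not a regex.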





