Rootkit infection
#31
Posted 13 December 2010 - 08:20 PM
It just amazes me that people get upset when they are getting free help.
#32
Posted 14 December 2010 - 09:20 AM
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
RenV::
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hkejrhae]
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Go to the Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
  - Mail databases
- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
#33
Posted 14 December 2010 - 09:54 AM
ComboFix 10-12-11.03 - San San 12/14/2010 9:29.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.941 [GMT -6:00]
Running from: c:\users\San San\Desktop\ComboFix.exe
Command switches used :: c:\users\San San\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\hkejrhae.sys . . . . Failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_hkejrhae
-------\Service_hkejrhae
((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.
2010-12-14 15:41 . 2010-12-14 15:44 -------- d-----w- c:\users\San San\AppData\Local\temp
2010-12-14 15:41 . 2010-12-14 15:41 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-11 23:42 . 2010-12-11 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\programdata\McAfee Security Scan
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-11 23:40 . 2010-12-11 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-11 23:22 . 2010-12-11 23:22 -------- d-----w- C:\_OTL
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- c:\program files\trend micro
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- C:\rsit
2010-12-11 17:34 . 2010-12-11 17:34 -------- d-----w- c:\program files\ESET
2010-12-10 17:18 . 2010-12-10 17:18 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-16 23:20 . 2010-11-16 23:20 -------- d-----w- c:\program files\WildTangent Games
2010-11-14 21:16 . 2010-11-14 21:16 -------- d-----w- c:\users\San San\AppData\Roaming\Namco
2010-11-14 21:16 . 2010-11-14 21:16 -------- d-----w- c:\programdata\Namco
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:42 . 2010-06-14 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-06-14 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 22:21 . 2010-06-14 04:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 22:39 . 2010-06-14 04:48 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-26 21:14 . 2009-10-26 21:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
<pre> c:\program files\Malwarebytes' Anti-Malware\mbam .exe c:\program files\QuickTime\QTTask .exe </pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"jswtrayutil"="c:\program files\Jumpstart\jswtrayutil.exe" [N/A]
"NDSTray.exe"="NDSTray.exe" [N/A]
"cfFncEnabler.exe"="cfFncEnabler.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\San San\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2009-12-21 21760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKLM\~\startupfolder\C:^Users^San San^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\uts_bus.sys [2007-12-05 84352]
R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\DRIVERS\uts_mdfl.sys [2007-12-05 14976]
R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\DRIVERS\uts_mdm.sys [2007-12-05 110848]
R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\uts_serd.sys [2007-12-05 90880]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2009-01-03 270384]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [2008-10-10 274432]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\center\KodakSvc.exe [2008-12-01 28672]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
*NewlyCreated* - HKEJRHAE
*Deregistered* - hkejrhae
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\programdata\Kodak\Installer\Registration.exe [2009-04-06 16:34]
2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]
2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]
2010-12-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 23:57]
2010-12-11 c:\windows\Tasks\Norton Security Scan for San San.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-17 11:32]
2010-12-14 c:\windows\Tasks\User_Feed_Synchronization-{7B15186C-B24B-4BE3-9F66-4F744E226E5C}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: campuscruiser.com\www
Trusted Zone: midsouthcc.edu\www
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: timecruiser.com\www
FF - ProfilePath - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm144YYUS&fl=0&ptb=Bqqeu.VGkFiQM3SExfY1bQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: ShopAtHome Intelligent Shopping Toolbar: [email protected] - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\[email protected]
FF - Extension: Comcast Toolbar: {4E77EDAD-9566-4089-88D1-C81498CEE770} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80} - c:\users\San San\AppData\Local\{F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80}
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hkejrhae]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(2944)
c:\windows\system32\cscapi.dll
c:\windows\system32\WINHTTP.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-12-14 09:52:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-14 15:52
ComboFix2.txt 2010-12-13 17:52
ComboFix3.txt 2010-12-12 19:00
Pre-Run: 56,713,940,992 bytes free
Post-Run: 60,038,238,208 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 2529E5B21086B1B60EFEE9EABBF3F8AC
#34
Posted 14 December 2010 - 11:17 AM
#35
Posted 14 December 2010 - 11:41 AM
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
RenV::
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hkejrhae]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hkejrhae]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hkejrhae]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hkejrhae]
RegLockDel::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
#36
Posted 14 December 2010 - 12:30 PM
ComboFix 10-12-11.03 - San San 12/14/2010 12:05:09.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.1028 [GMT -6:00]
Running from: c:\users\San San\Desktop\ComboFix.exe
Command switches used :: c:\users\San San\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\hkejrhae.sys . . . . Failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_hkejrhae
-------\Service_hkejrhae
((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.
2010-12-14 18:14 . 2010-12-14 18:18 -------- d-----w- c:\users\San San\AppData\Local\temp
2010-12-14 18:14 . 2010-12-14 18:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-14 18:14 . 2010-12-14 18:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-14 16:10 . 2010-11-16 18:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B15ACCA3-721B-4346-8E65-2844A952A92F}\mpengine.dll
2010-12-11 23:42 . 2010-12-11 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\programdata\McAfee Security Scan
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-11 23:40 . 2010-12-11 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-11 23:22 . 2010-12-11 23:22 -------- d-----w- C:\_OTL
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- c:\program files\trend micro
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- C:\rsit
2010-12-11 17:34 . 2010-12-11 17:34 -------- d-----w- c:\program files\ESET
2010-12-10 17:18 . 2010-12-10 17:18 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-16 23:20 . 2010-11-16 23:20 -------- d-----w- c:\program files\WildTangent Games
2010-11-14 21:16 . 2010-11-14 21:16 -------- d-----w- c:\users\San San\AppData\Roaming\Namco
2010-11-14 21:16 . 2010-11-14 21:16 -------- d-----w- c:\programdata\Namco
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-14 18:18 . 2010-04-26 03:56 823808 ----a-w- c:\windows\system32\drivers\hkejrhae.sys
2010-11-29 23:42 . 2010-06-14 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-06-14 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 22:21 . 2010-06-14 04:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 22:39 . 2010-06-14 04:48 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-19 16:41 . 2010-05-04 01:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 21:14 . 2009-10-26 21:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
<pre> c:\program files\Malwarebytes' Anti-Malware\mbam .exe c:\program files\QuickTime\QTTask .exe </pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"jswtrayutil"="c:\program files\Jumpstart\jswtrayutil.exe" [N/A]
"NDSTray.exe"="NDSTray.exe" [N/A]
"cfFncEnabler.exe"="cfFncEnabler.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\San San\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2009-12-21 21760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKLM\~\startupfolder\C:^Users^San San^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - CFCATCHME
*NewlyCreated* - COMHOST
*Deregistered* - CFcatchme
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\programdata\Kodak\Installer\Registration.exe [2009-04-06 16:34]
2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]
2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]
2010-12-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 23:57]
2010-12-11 c:\windows\Tasks\Norton Security Scan for San San.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-17 11:32]
2010-12-14 c:\windows\Tasks\User_Feed_Synchronization-{7B15186C-B24B-4BE3-9F66-4F744E226E5C}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: campuscruiser.com\www
Trusted Zone: midsouthcc.edu\www
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: timecruiser.com\www
FF - ProfilePath - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm144YYUS&fl=0&ptb=Bqqeu.VGkFiQM3SExfY1bQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: ShopAtHome Intelligent Shopping Toolbar: [email protected] - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\[email protected]
FF - Extension: Comcast Toolbar: {4E77EDAD-9566-4089-88D1-C81498CEE770} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80} - c:\users\San San\AppData\Local\{F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80}
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3344)
c:\windows\System32\SndVolSSO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Kodak\AiO\center\KodakSvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\Kodak\AiO\Center\EKDiscovery.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
.
**************************************************************************
.
Completion time: 2010-12-14 12:26:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-14 18:26
ComboFix2.txt 2010-12-14 15:52
ComboFix3.txt 2010-12-13 17:52
ComboFix4.txt 2010-12-12 19:00
Pre-Run: 57,840,939,008 bytes free
Post-Run: 57,689,645,056 bytes free
- - End Of File - - 6DB62D1334115A8A18FF14E995531510
#37
Posted 15 December 2010 - 08:34 AM
#38
Posted 15 December 2010 - 10:26 AM
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
Rootkit::
c:\windows\system32\drivers\hkejrhae.sys
File::
c:\windows\system32\drivers\hkejrhae.sys
RenV::
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
#39
Posted 15 December 2010 - 11:52 AM
ComboFix 10-12-11.03 - San San 12/15/2010 10:47:34.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.917 [GMT -6:00]
Running from: c:\users\San San\Desktop\ComboFix.exe
Command switches used :: c:\users\San San\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FILE ::
"c:\windows\system32\drivers\hkejrhae.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\hkejrhae.sys
.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.
2010-12-15 17:02 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-15 17:02 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-15 17:02 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-15 17:02 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-15 17:02 . 2010-12-15 17:34 -------- d-----w- c:\users\San San\AppData\Local\temp
2010-12-15 17:02 . 2010-12-15 17:02 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-15 17:02 . 2010-12-15 17:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-15 17:02 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-15 16:56 . 2010-12-15 16:56 -------- d--h--w- c:\windows\msdownld.tmp
2010-12-14 16:21 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-12-14 16:21 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-12-14 16:21 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-14 16:21 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-12-14 16:21 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-12-14 16:21 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-14 16:21 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-14 16:19 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-14 16:19 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-12-14 16:18 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-12-14 16:18 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-14 16:18 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-12-14 16:18 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-12-14 16:18 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-12-14 16:18 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-12-14 16:18 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-14 16:17 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-12-14 16:17 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-12-14 16:15 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-14 16:15 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-14 16:10 . 2010-11-16 18:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B15ACCA3-721B-4346-8E65-2844A952A92F}\mpengine.dll
2010-12-11 23:42 . 2010-12-11 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\programdata\McAfee Security Scan
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-11 23:40 . 2010-12-11 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-11 23:22 . 2010-12-11 23:22 -------- d-----w- C:\_OTL
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- c:\program files\trend micro
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- C:\rsit
2010-12-11 17:34 . 2010-12-11 17:34 -------- d-----w- c:\program files\ESET
2010-12-10 17:18 . 2010-12-10 17:18 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-16 23:20 . 2010-11-16 23:20 -------- d-----w- c:\program files\WildTangent Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:42 . 2010-06-14 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-06-14 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 22:21 . 2010-06-14 04:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 22:39 . 2010-06-14 04:48 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-19 16:41 . 2010-05-04 01:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 21:14 . 2009-10-26 21:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"jswtrayutil"="c:\program files\Jumpstart\jswtrayutil.exe" [N/A]
"NDSTray.exe"="NDSTray.exe" [N/A]
"cfFncEnabler.exe"="cfFncEnabler.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\San San\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2009-12-21 21760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKLM\~\startupfolder\C:^Users^San San^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\uts_bus.sys [2007-12-05 84352]
R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\DRIVERS\uts_mdfl.sys [2007-12-05 14976]
R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\DRIVERS\uts_mdm.sys [2007-12-05 110848]
R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\uts_serd.sys [2007-12-05 90880]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2009-01-03 270384]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [2008-10-10 274432]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\center\KodakSvc.exe [2008-12-01 28672]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\programdata\Kodak\Installer\Registration.exe [2009-04-06 16:34]
2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]
2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]
2010-12-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 23:57]
2010-12-11 c:\windows\Tasks\Norton Security Scan for San San.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-17 11:32]
2010-12-15 c:\windows\Tasks\User_Feed_Synchronization-{7B15186C-B24B-4BE3-9F66-4F744E226E5C}.job
- c:\windows\system32\msfeedssync.exe [2010-12-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: campuscruiser.com\www
Trusted Zone: midsouthcc.edu\www
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: timecruiser.com\www
FF - ProfilePath - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm144YYUS&fl=0&ptb=Bqqeu.VGkFiQM3SExfY1bQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: ShopAtHome Intelligent Shopping Toolbar: [email protected] - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\[email protected]
FF - Extension: Comcast Toolbar: {4E77EDAD-9566-4089-88D1-C81498CEE770} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80} - c:\users\San San\AppData\Local\{F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80}
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(1356)
c:\windows\System32\NLSLexicons0009.dll
c:\windows\system32\authui.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\pnidui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2010-12-15 11:42:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-15 17:42
ComboFix2.txt 2010-12-14 18:26
ComboFix3.txt 2010-12-14 15:52
ComboFix4.txt 2010-12-13 17:52
ComboFix5.txt 2010-12-15 16:45
Pre-Run: 56,700,096,512 bytes free
Post-Run: 54,848,868,352 bytes free
- - End Of File - - 19AFB15352FDE44B653A500E3070E5D5
#40
Posted 15 December 2010 - 12:10 PM
I'm going to try the RenV command with CF one more time to see if, since the rootkit is gone, we can disinfect them both. If not, we will need to remove MBAM and QuickTime and then reinstall them.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
RenV::
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
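The two CFScript posts above (#38 and #40) act on three things the ComboFix logs show: executables renamed with a space before the extension (the RenV:: entries), the hkejrhae.sys driver, and the AllUserSettings key listed under LOCKED REGISTRY KEYS. As an added example, not ComboFix's own code and not anything posted in the thread, here is a small Python triage script that picks those three patterns out of ComboFix-style log lines and drafts the matching directives for a human to review. The sample log is constructed from lines on the page (the hkejrhae.sys timestamps and size are made up), and the "create time equals last-write time" driver rule is an assumed heuristic, not a ComboFix rule.

```python
from __future__ import annotations
import re

# Constructed sample modelled on the thread's ComboFix logs. The hkejrhae.sys
# timestamps and size are made up for the example; the page shows only its path.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.
2010-12-14 16:18 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-12 03:11 . 2010-12-12 03:11 57344 ----a-w- c:\windows\system32\drivers\hkejrhae.sys
2010-12-15 17:02 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHost.exe
.
<pre> c:\program files\Malwarebytes' Anti-Malware\mbam .exe c:\program files\QuickTime\QTTask .exe </pre>
"""

# "mbam .exe": a space right before the extension is how the infection in the
# thread neutralised security tools; ComboFix's RenV:: directive restores the names.
RENAMED_EXE = re.compile(r"[a-z]:\\[^\r\n<>]*? \.(?:exe|dll|sys)\b", re.IGNORECASE)

# ComboFix "Files Created" lines: <created> . <last-written> <size|dashes> <attrs> <path>
CREATED_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<written>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)


def fresh_drivers(log: str) -> list[str]:
    """Drivers under system32\\drivers whose create and last-write stamps match.
    Assumed heuristic: vendor binaries delivered by Windows Update carry a build
    (last-write) time older than the install (create) time, as srv.sys does in
    the sample, while a driver written in place at creation deserves a look.
    It proves nothing by itself."""
    hits = []
    for line in log.splitlines():
        m = CREATED_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        lowered = path.lower()
        if "\\drivers\\" in lowered and lowered.endswith(".sys") \
                and m.group("created") == m.group("written"):
            hits.append(path)
    return hits


def locked_keys(log: str) -> dict[str, list[str]]:
    """Map each key in the LOCKED REGISTRY KEYS section to the principals it
    denies. Denying Users and Everyone while allowing only a service SID is the
    pattern the helper unlocked with RegLock::."""
    result: dict[str, list[str]] = {}
    in_section, current = False, None
    for line in log.splitlines():
        line = line.strip()
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if in_section and (line.startswith("----") or line.startswith("((((")):
            break  # reached the next section header
        if not in_section:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, [])
        elif current and line.startswith("@Denied:"):
            m = re.search(r"\(([^()]+)\)\s*$", line)
            if m:
                result[current].append(m.group(1))
    return result


def triage(log: str) -> dict:
    """Collect the three findings from one ComboFix-style log."""
    return {
        "renamed_executables": RENAMED_EXE.findall(log),
        "fresh_drivers": fresh_drivers(log),
        "locked_keys": locked_keys(log),
    }


def suggested_cfscript(findings: dict) -> str:
    """Draft the directives the thread uses (KillAll::, Rootkit::, File::, RenV::,
    RegLock::) from the findings, in the order post #38 used them. It is a draft
    for a person to check line by line, not something to run unreviewed."""
    parts = ["KillAll::"]
    if findings["fresh_drivers"]:
        parts += ["Rootkit::", *findings["fresh_drivers"]]
        parts += ["File::", *findings["fresh_drivers"]]
    if findings["renamed_executables"]:
        parts += ["RenV::", *findings["renamed_executables"]]
    if findings["locked_keys"]:
        parts += ["RegLock::", *(f"[{k}]" for k in findings["locked_keys"])]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, items in found.items():
        print(f"{name}: {items}")
    print(suggested_cfscript(found))
```

The renamed-executable regex is deliberately narrow (a drive-letter path ending in a space plus .exe/.dll/.sys) so it does not fire on the ordinary paths that fill the rest of the log; the driver rule and the ACL check are only triage hints, and the helper's actual decision in the thread still rested on reading the whole log.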
#41
Posted 15 December 2010 - 12:37 PM
I can reinstall it then if you think that would be easier?
I will run the above just in case.
#42
Posted 15 December 2010 - 01:23 PM
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.1015 [GMT -6:00]
Running from: c:\users\San San\Desktop\ComboFix.exe
Command switches used :: c:\users\San San\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.
2010-12-15 19:04 . 2010-12-15 19:13 -------- d-----w- c:\users\San San\AppData\Local\temp
2010-12-15 19:04 . 2010-12-15 19:04 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-15 19:04 . 2010-12-15 19:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-15 17:02 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-15 17:02 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-15 17:02 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-15 17:02 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-15 17:02 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-15 16:56 . 2010-12-15 16:56 -------- d--h--w- c:\windows\msdownld.tmp
2010-12-14 16:21 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-12-14 16:21 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-12-14 16:21 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-14 16:21 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-12-14 16:21 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-12-14 16:21 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-14 16:21 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-14 16:19 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-14 16:19 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-12-14 16:18 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-12-14 16:18 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-14 16:18 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-12-14 16:18 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-12-14 16:18 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-12-14 16:18 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-12-14 16:18 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-14 16:17 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-12-14 16:17 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-12-14 16:15 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-14 16:15 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-14 16:10 . 2010-11-16 18:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B15ACCA3-721B-4346-8E65-2844A952A92F}\mpengine.dll
2010-12-11 23:42 . 2010-12-11 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\programdata\McAfee Security Scan
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-11 23:40 . 2010-12-11 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-11 23:22 . 2010-12-11 23:22 -------- d-----w- C:\_OTL
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- c:\program files\trend micro
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- C:\rsit
2010-12-11 17:34 . 2010-12-11 17:34 -------- d-----w- c:\program files\ESET
2010-12-10 17:18 . 2010-12-10 17:18 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-16 23:20 . 2010-11-16 23:20 -------- d-----w- c:\program files\WildTangent Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:42 . 2010-06-14 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-06-14 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 22:21 . 2010-06-14 04:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 22:39 . 2010-06-14 04:48 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-19 16:41 . 2010-05-04 01:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 21:14 . 2009-10-26 21:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"jswtrayutil"="c:\program files\Jumpstart\jswtrayutil.exe" [N/A]
"NDSTray.exe"="NDSTray.exe" [N/A]
"cfFncEnabler.exe"="cfFncEnabler.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\San San\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2009-12-21 21760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKLM\~\startupfolder\C:^Users^San San^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\uts_bus.sys [2007-12-05 84352]
R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\DRIVERS\uts_mdfl.sys [2007-12-05 14976]
R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\DRIVERS\uts_mdm.sys [2007-12-05 110848]
R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\uts_serd.sys [2007-12-05 90880]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2009-01-03 270384]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [2008-10-10 274432]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\center\KodakSvc.exe [2008-12-01 28672]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\programdata\Kodak\Installer\Registration.exe [2009-04-06 16:34]
2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]
2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]
2010-12-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 23:57]
2010-12-11 c:\windows\Tasks\Norton Security Scan for San San.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-17 11:32]
2010-12-15 c:\windows\Tasks\User_Feed_Synchronization-{7B15186C-B24B-4BE3-9F66-4F744E226E5C}.job
- c:\windows\system32\msfeedssync.exe [2010-12-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: campuscruiser.com\www
Trusted Zone: midsouthcc.edu\www
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: timecruiser.com\www
FF - ProfilePath - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm144YYUS&fl=0&ptb=Bqqeu.VGkFiQM3SExfY1bQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: ShopAtHome Intelligent Shopping Toolbar: [email protected] - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\[email protected]
FF - Extension: Comcast Toolbar: {4E77EDAD-9566-4089-88D1-C81498CEE770} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80} - c:\users\San San\AppData\Local\{F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80}
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-12-15 13:18:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-15 19:18
ComboFix2.txt 2010-12-15 17:42
ComboFix3.txt 2010-12-14 18:26
ComboFix4.txt 2010-12-14 15:52
ComboFix5.txt 2010-12-15 18:51
Pre-Run: 54,645,833,728 bytes free
Post-Run: 54,471,389,184 bytes free
- - End Of File - - 2902266CDCDECB686637C6F7F66D89E5
#43
Posted 15 December 2010 - 01:23 PM
#44
Posted 15 December 2010 - 01:25 PM
Can you please uninstall both Malwarebytes and QuickTime? Once you do that, please run ComboFix one more time as well as a quick scan with the newly installed Malwarebytes.
#45
Posted 15 December 2010 - 02:32 PM
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5322
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975
12/15/2010 1:58:02 PM
mbam-log-2010-12-15 (13-58-02).txt
Scan type: Quick scan
Objects scanned: 149045
Time elapsed: 5 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ComboFix 10-12-11.03 - San San 12/15/2010 14:19:14.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.922 [GMT -6:00]
Running from: c:\users\San San\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.
2010-12-15 20:27 . 2010-12-15 20:27 -------- d-----w- c:\users\San San\AppData\Local\temp
2010-12-15 20:27 . 2010-12-15 20:27 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-15 20:27 . 2010-12-15 20:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-15 19:39 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-15 19:39 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-15 17:02 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-15 17:02 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-15 17:02 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-15 17:02 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-15 17:02 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-15 16:56 . 2010-12-15 16:56 -------- d--h--w- c:\windows\msdownld.tmp
2010-12-14 16:21 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-12-14 16:21 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-12-14 16:21 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-14 16:21 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-12-14 16:21 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-12-14 16:21 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-14 16:21 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-14 16:19 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-14 16:19 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-12-14 16:18 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-12-14 16:18 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-14 16:18 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-12-14 16:18 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-12-14 16:18 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-12-14 16:18 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-12-14 16:18 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-14 16:17 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-12-14 16:17 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-12-14 16:15 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-14 16:15 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-14 16:10 . 2010-11-16 18:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B15ACCA3-721B-4346-8E65-2844A952A92F}\mpengine.dll
2010-12-11 23:42 . 2010-12-11 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\programdata\McAfee Security Scan
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-11 23:40 . 2010-12-11 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-11 23:22 . 2010-12-11 23:22 -------- d-----w- C:\_OTL
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- c:\program files\trend micro
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- C:\rsit
2010-12-11 17:34 . 2010-12-11 17:34 -------- d-----w- c:\program files\ESET
2010-12-10 17:18 . 2010-12-10 17:18 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-16 23:20 . 2010-11-16 23:20 -------- d-----w- c:\program files\WildTangent Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-28 22:21 . 2010-06-14 04:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 22:39 . 2010-06-14 04:48 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-19 16:41 . 2010-05-04 01:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 21:14 . 2009-10-26 21:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
<pre>
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"jswtrayutil"="c:\program files\Jumpstart\jswtrayutil.exe" [N/A]
"NDSTray.exe"="NDSTray.exe" [N/A]
"cfFncEnabler.exe"="cfFncEnabler.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\San San\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2009-12-21 21760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKLM\~\startupfolder\C:^Users^San San^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\uts_bus.sys [2007-12-05 84352]
R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\DRIVERS\uts_mdfl.sys [2007-12-05 14976]
R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\DRIVERS\uts_mdm.sys [2007-12-05 110848]
R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\uts_serd.sys [2007-12-05 90880]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2009-01-03 270384]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [2008-10-10 274432]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\center\KodakSvc.exe [2008-12-01 28672]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\programdata\Kodak\Installer\Registration.exe [2009-04-06 16:34]
2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]
2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]
2010-12-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 23:57]
2010-12-11 c:\windows\Tasks\Norton Security Scan for San San.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-17 11:32]
2010-12-15 c:\windows\Tasks\User_Feed_Synchronization-{7B15186C-B24B-4BE3-9F66-4F744E226E5C}.job
- c:\windows\system32\msfeedssync.exe [2010-12-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: campuscruiser.com\www
Trusted Zone: midsouthcc.edu\www
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: timecruiser.com\www
FF - ProfilePath - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm144YYUS&fl=0&ptb=Bqqeu.VGkFiQM3SExfY1bQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: ShopAtHome Intelligent Shopping Toolbar: [email protected] - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\[email protected]
FF - Extension: Comcast Toolbar: {4E77EDAD-9566-4089-88D1-C81498CEE770} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80} - c:\users\San San\AppData\Local\{F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-15 14:27
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(2464)
c:\program files\Common Files\Symantec Shared\ccSet.dll
c:\windows\System32\msxml3.dll
.
Completion time: 2010-12-15 14:29:32
ComboFix-quarantined-files.txt 2010-12-15 20:29
ComboFix2.txt 2010-12-15 19:18
ComboFix3.txt 2010-12-15 17:42
ComboFix4.txt 2010-12-14 18:26
ComboFix5.txt 2010-12-15 20:17
Pre-Run: 63,920,132,096 bytes free
Post-Run: 63,661,084,672 bytes free
- - End Of File - - 95E9A4392F24A4DFF4ABCD3D296667CD