
Rootkit infection


This topic is locked.

#31
rshaffer61 (Moderator, Topic Starter, 34,114 posts)
Neighbor has informed me that the system has to be returned 12/14 regardless. I tried to talk to her and the owner, but the owner says it is for school and her daughter has to have it. I informed them that they take it at their own risk.
It just amazes me that people get upset when they are getting free help. :D

#32
SpySentinel (R.I.P., Retired Staff, 5,152 posts)
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RenV::
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hkejrhae]


Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.


#33
rshaffer61 (Moderator, Topic Starter, 34,114 posts)
ComboFix log:


ComboFix 10-12-11.03 - San San 12/14/2010 9:29.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.941 [GMT -6:00]
Running from: c:\users\San San\Desktop\ComboFix.exe
Command switches used :: c:\users\San San\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hkejrhae.sys . . . . Failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_hkejrhae
-------\Service_hkejrhae


((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.

2010-12-14 15:41 . 2010-12-14 15:44 -------- d-----w- c:\users\San San\AppData\Local\temp
2010-12-14 15:41 . 2010-12-14 15:41 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-11 23:42 . 2010-12-11 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\programdata\McAfee Security Scan
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-11 23:40 . 2010-12-11 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-11 23:22 . 2010-12-11 23:22 -------- d-----w- C:\_OTL
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- c:\program files\trend micro
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- C:\rsit
2010-12-11 17:34 . 2010-12-11 17:34 -------- d-----w- c:\program files\ESET
2010-12-10 17:18 . 2010-12-10 17:18 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-16 23:20 . 2010-11-16 23:20 -------- d-----w- c:\program files\WildTangent Games
2010-11-14 21:16 . 2010-11-14 21:16 -------- d-----w- c:\users\San San\AppData\Roaming\Namco
2010-11-14 21:16 . 2010-11-14 21:16 -------- d-----w- c:\programdata\Namco

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:42 . 2010-06-14 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-06-14 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 22:21 . 2010-06-14 04:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 22:39 . 2010-06-14 04:48 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-26 21:14 . 2009-10-26 21:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\QuickTime\QTTask  .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"jswtrayutil"="c:\program files\Jumpstart\jswtrayutil.exe" [N/A]
"NDSTray.exe"="NDSTray.exe" [N/A]
"cfFncEnabler.exe"="cfFncEnabler.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\San San\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2009-12-21 21760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKLM\~\startupfolder\C:^Users^San San^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\uts_bus.sys [2007-12-05 84352]
R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\DRIVERS\uts_mdfl.sys [2007-12-05 14976]
R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\DRIVERS\uts_mdm.sys [2007-12-05 110848]
R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\uts_serd.sys [2007-12-05 90880]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2009-01-03 270384]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [2008-10-10 274432]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\center\KodakSvc.exe [2008-12-01 28672]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - HKEJRHAE
*Deregistered* - hkejrhae
.
Contents of the 'Scheduled Tasks' folder

2010-11-15 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\programdata\Kodak\Installer\Registration.exe [2009-04-06 16:34]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]

2010-12-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 23:57]

2010-12-11 c:\windows\Tasks\Norton Security Scan for San San.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-17 11:32]

2010-12-14 c:\windows\Tasks\User_Feed_Synchronization-{7B15186C-B24B-4BE3-9F66-4F744E226E5C}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: campuscruiser.com\www
Trusted Zone: midsouthcc.edu\www
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: timecruiser.com\www
FF - ProfilePath - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm144YYUS&fl=0&ptb=Bqqeu.VGkFiQM3SExfY1bQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: ShopAtHome Intelligent Shopping Toolbar: [email protected] - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\[email protected]
FF - Extension: Comcast Toolbar: {4E77EDAD-9566-4089-88D1-C81498CEE770} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80} - c:\users\San San\AppData\Local\{F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80}
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hkejrhae]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2944)
c:\windows\system32\cscapi.dll
c:\windows\system32\WINHTTP.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-12-14 09:52:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-14 15:52
ComboFix2.txt 2010-12-13 17:52
ComboFix3.txt 2010-12-12 19:00

Pre-Run: 56,713,940,992 bytes free
Post-Run: 60,038,238,208 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 2529E5B21086B1B60EFEE9EABBF3F8AC

#34
rshaffer61 (Moderator, Topic Starter, 34,114 posts)
I've tried 3 times to run Kaspersky, but each time it fails at the update part.

#35
SpySentinel (R.I.P., Retired Staff, 5,152 posts)
Very stubborn infection

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

RenV::
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hkejrhae]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hkejrhae]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hkejrhae]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hkejrhae]

RegLockDel::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#36
rshaffer61 (Moderator, Topic Starter, 34,114 posts)
OK brand new CF log:



ComboFix 10-12-11.03 - San San 12/14/2010 12:05:09.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.1028 [GMT -6:00]
Running from: c:\users\San San\Desktop\ComboFix.exe
Command switches used :: c:\users\San San\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hkejrhae.sys . . . . Failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_hkejrhae
-------\Service_hkejrhae


((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.

2010-12-14 18:14 . 2010-12-14 18:18 -------- d-----w- c:\users\San San\AppData\Local\temp
2010-12-14 18:14 . 2010-12-14 18:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-14 18:14 . 2010-12-14 18:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-14 16:10 . 2010-11-16 18:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B15ACCA3-721B-4346-8E65-2844A952A92F}\mpengine.dll
2010-12-11 23:42 . 2010-12-11 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\programdata\McAfee Security Scan
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-11 23:40 . 2010-12-11 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-11 23:22 . 2010-12-11 23:22 -------- d-----w- C:\_OTL
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- c:\program files\trend micro
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- C:\rsit
2010-12-11 17:34 . 2010-12-11 17:34 -------- d-----w- c:\program files\ESET
2010-12-10 17:18 . 2010-12-10 17:18 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-16 23:20 . 2010-11-16 23:20 -------- d-----w- c:\program files\WildTangent Games
2010-11-14 21:16 . 2010-11-14 21:16 -------- d-----w- c:\users\San San\AppData\Roaming\Namco
2010-11-14 21:16 . 2010-11-14 21:16 -------- d-----w- c:\programdata\Namco

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-14 18:18 . 2010-04-26 03:56 823808 ----a-w- c:\windows\system32\drivers\hkejrhae.sys
2010-11-29 23:42 . 2010-06-14 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-06-14 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 22:21 . 2010-06-14 04:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 22:39 . 2010-06-14 04:48 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-19 16:41 . 2010-05-04 01:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 21:14 . 2009-10-26 21:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\QuickTime\QTTask  .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"jswtrayutil"="c:\program files\Jumpstart\jswtrayutil.exe" [N/A]
"NDSTray.exe"="NDSTray.exe" [N/A]
"cfFncEnabler.exe"="cfFncEnabler.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\San San\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2009-12-21 21760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKLM\~\startupfolder\C:^Users^San San^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CFCATCHME
*NewlyCreated* - COMHOST
*Deregistered* - CFcatchme
.
Contents of the 'Scheduled Tasks' folder

2010-11-15 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\programdata\Kodak\Installer\Registration.exe [2009-04-06 16:34]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]

2010-12-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 23:57]

2010-12-11 c:\windows\Tasks\Norton Security Scan for San San.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-17 11:32]

2010-12-14 c:\windows\Tasks\User_Feed_Synchronization-{7B15186C-B24B-4BE3-9F66-4F744E226E5C}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: campuscruiser.com\www
Trusted Zone: midsouthcc.edu\www
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: timecruiser.com\www
FF - ProfilePath - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm144YYUS&fl=0&ptb=Bqqeu.VGkFiQM3SExfY1bQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: ShopAtHome Intelligent Shopping Toolbar: [email protected] - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\[email protected]
FF - Extension: Comcast Toolbar: {4E77EDAD-9566-4089-88D1-C81498CEE770} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80} - c:\users\San San\AppData\Local\{F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80}
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3344)
c:\windows\System32\SndVolSSO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Kodak\AiO\center\KodakSvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\Kodak\AiO\Center\EKDiscovery.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
.
**************************************************************************
.
Completion time: 2010-12-14 12:26:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-14 18:26
ComboFix2.txt 2010-12-14 15:52
ComboFix3.txt 2010-12-13 17:52
ComboFix4.txt 2010-12-12 19:00

Pre-Run: 57,840,939,008 bytes free
Post-Run: 57,689,645,056 bytes free

- - End Of File - - 6DB62D1334115A8A18FF14E995531510
  • 0

#37
rshaffer61

rshaffer61

    Moderator

  • Topic Starter
  • Moderator
  • 34,114 posts
I still have laptop but not sure for how long. How we looking now?
  • 0

#38
SpySentinel

SpySentinel

    R.I.P.

  • Retired Staff
  • 5,152 posts
Still got that nasty Vundo file infector. This should do the trick :D


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Rootkit::
c:\windows\system32\drivers\hkejrhae.sys

File::
c:\windows\system32\drivers\hkejrhae.sys

RenV::
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#39
rshaffer61

rshaffer61

    Moderator

  • Topic Starter
  • Moderator
  • 34,114 posts
New CF log:



ComboFix 10-12-11.03 - San San 12/15/2010 10:47:34.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.917 [GMT -6:00]
Running from: c:\users\San San\Desktop\ComboFix.exe
Command switches used :: c:\users\San San\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\hkejrhae.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hkejrhae.sys

.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-15 17:02 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-15 17:02 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-15 17:02 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-15 17:02 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-15 17:02 . 2010-12-15 17:34 -------- d-----w- c:\users\San San\AppData\Local\temp
2010-12-15 17:02 . 2010-12-15 17:02 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-15 17:02 . 2010-12-15 17:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-15 17:02 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-15 16:56 . 2010-12-15 16:56 -------- d--h--w- c:\windows\msdownld.tmp
2010-12-14 16:21 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-12-14 16:21 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-12-14 16:21 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-14 16:21 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-12-14 16:21 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-12-14 16:21 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-14 16:21 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-14 16:19 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-14 16:19 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-12-14 16:18 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-12-14 16:18 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-14 16:18 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-12-14 16:18 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-12-14 16:18 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-12-14 16:18 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-12-14 16:18 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-14 16:17 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-12-14 16:17 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-12-14 16:15 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-14 16:15 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-14 16:10 . 2010-11-16 18:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B15ACCA3-721B-4346-8E65-2844A952A92F}\mpengine.dll
2010-12-11 23:42 . 2010-12-11 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\programdata\McAfee Security Scan
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-11 23:40 . 2010-12-11 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-11 23:22 . 2010-12-11 23:22 -------- d-----w- C:\_OTL
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- c:\program files\trend micro
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- C:\rsit
2010-12-11 17:34 . 2010-12-11 17:34 -------- d-----w- c:\program files\ESET
2010-12-10 17:18 . 2010-12-10 17:18 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-16 23:20 . 2010-11-16 23:20 -------- d-----w- c:\program files\WildTangent Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:42 . 2010-06-14 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-06-14 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 22:21 . 2010-06-14 04:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 22:39 . 2010-06-14 04:48 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-19 16:41 . 2010-05-04 01:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 21:14 . 2009-10-26 21:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
<pre>
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\QuickTime\QTTask  .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"jswtrayutil"="c:\program files\Jumpstart\jswtrayutil.exe" [N/A]
"NDSTray.exe"="NDSTray.exe" [N/A]
"cfFncEnabler.exe"="cfFncEnabler.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\San San\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2009-12-21 21760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKLM\~\startupfolder\C:^Users^San San^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\uts_bus.sys [2007-12-05 84352]
R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\DRIVERS\uts_mdfl.sys [2007-12-05 14976]
R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\DRIVERS\uts_mdm.sys [2007-12-05 110848]
R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\uts_serd.sys [2007-12-05 90880]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2009-01-03 270384]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [2008-10-10 274432]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\center\KodakSvc.exe [2008-12-01 28672]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-11-15 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\programdata\Kodak\Installer\Registration.exe [2009-04-06 16:34]

2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]

2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]

2010-12-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 23:57]

2010-12-11 c:\windows\Tasks\Norton Security Scan for San San.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-17 11:32]

2010-12-15 c:\windows\Tasks\User_Feed_Synchronization-{7B15186C-B24B-4BE3-9F66-4F744E226E5C}.job
- c:\windows\system32\msfeedssync.exe [2010-12-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: campuscruiser.com\www
Trusted Zone: midsouthcc.edu\www
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: timecruiser.com\www
FF - ProfilePath - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm144YYUS&fl=0&ptb=Bqqeu.VGkFiQM3SExfY1bQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: ShopAtHome Intelligent Shopping Toolbar: [email protected] - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\[email protected]
FF - Extension: Comcast Toolbar: {4E77EDAD-9566-4089-88D1-C81498CEE770} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80} - c:\users\San San\AppData\Local\{F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80}
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1356)
c:\windows\System32\NLSLexicons0009.dll
c:\windows\system32\authui.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\pnidui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2010-12-15 11:42:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-15 17:42
ComboFix2.txt 2010-12-14 18:26
ComboFix3.txt 2010-12-14 15:52
ComboFix4.txt 2010-12-13 17:52
ComboFix5.txt 2010-12-15 16:45

Pre-Run: 56,700,096,512 bytes free
Post-Run: 54,848,868,352 bytes free

- - End Of File - - 19AFB15352FDE44B653A500E3070E5D5
  • 0

#40
SpySentinel

SpySentinel

    R.I.P.

  • Retired Staff
  • 5,152 posts
Good news is the rootkit is gone, however, MBAM and QTTask are still infected.

I'm going to try the RenV command with CF one more time to see if since the rootkit is gone, we can disinfect them both. If not, we will need to remove MBAM and Quicktime and then reinstall them.


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

RenV::
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
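The two replies above (#38 and #40) read the ComboFix log by eye: the `Other Deletions` block confirms the `hkejrhae.sys` driver went, the `<pre>` block lists `mbam  .exe` and `QTTask  .exe` (names carrying whitespace before the extension) as still infected, and the `LOCKED REGISTRY KEYS` block shows a key with `@Denied` entries for Users and Everyone. The following Python script is an added example, not code from this thread or from ComboFix, that pulls those same three signals out of a log so the triage is repeatable. The sample log is constructed here from the lines quoted in the thread; the section-header patterns and the "whitespace before the extension" rule are assumptions about the log format, not documented ComboFix behaviour.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the ComboFix log sections quoted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\hkejrhae.sys

.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.
2010-12-15 17:02 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\mscoree.dll
.
<pre>
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\QuickTime\QTTask  .exe
</pre>
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
"""

# Assumed header shapes: "((((( Title )))))", "----- Title -----", or a bar of asterisks.
HEADER_RE = re.compile(r"^(?:\({5,}.*\){5,}|-{5,}\s.*\s-{5,}|\*{20,})\s*$")
# Assumed marker for a file-infector casualty: whitespace inserted before the extension.
RENAMED_RE = re.compile(r"\s+\.(?:exe|dll|sys|scr|com)$", re.IGNORECASE)


def section(log: str, title: str) -> List[str]:
    """Return the body lines of the section whose header line contains `title`."""
    body: List[str] = []
    inside = False
    for line in log.splitlines():
        if HEADER_RE.match(line):
            if inside:
                break  # next header ends the section we were collecting
            inside = title.lower() in line.lower()
            continue
        if inside:
            body.append(line)
    return body


def find_deleted_files(log: str) -> List[str]:
    """Paths ComboFix reports under 'Other Deletions' (ignores '.' spacer lines)."""
    return [ln.strip() for ln in section(log, "Other Deletions")
            if ln.strip() and ln.strip() != "."]


def find_renamed_executables(log: str) -> List[str]:
    """Paths inside the <pre> block whose names carry whitespace before the extension."""
    m = re.search(r"<pre>\n(.*?)</pre>", log, re.DOTALL)
    if not m:
        return []
    return [ln.rstrip() for ln in m.group(1).splitlines() if RENAMED_RE.search(ln.rstrip())]


def original_name(path: str) -> str:
    """Collapse the inserted whitespace so 'mbam  .exe' reads as 'mbam.exe' again."""
    return re.sub(r"\s+(\.[A-Za-z0-9]+)$", r"\1", path)


def find_locked_keys(log: str) -> Dict[str, List[str]]:
    """Map each key under LOCKED REGISTRY KEYS to the principals it explicitly denies."""
    keys: Dict[str, List[str]] = {}
    current = None
    for raw in section(log, "LOCKED REGISTRY KEYS"):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = []
        elif current and line.startswith("@Denied:"):
            m = re.search(r"\(([^()]*)\)\s*$", line)  # last parenthesised item is the principal
            if m:
                keys[current].append(m.group(1))
    return keys


def triage(log: str) -> Dict[str, object]:
    """Summarise what a helper would act on next: reinstall list, locked keys, deletions."""
    renamed = find_renamed_executables(log)
    locked = find_locked_keys(log)
    return {
        "deleted": find_deleted_files(log),
        "renamed_executables": renamed,
        "reinstall_candidates": [original_name(p) for p in renamed],
        "locked_keys_denying_everyone": [k for k, d in locked.items() if "Everyone" in d],
        "still_infected": bool(renamed),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real `C:\ComboFix.txt` the script gives the same three answers the helper gave by hand: the driver is in the deletions list, the two renamed executables are still present (so the `RenV::` retry or a reinstall is the next step), and the locked `AllUserSettings` key denies Everyone, which is why `RegLock::` was used on it.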

#41
rshaffer61

rshaffer61

    Moderator

  • Topic Starter
  • Moderator
  • 34,114 posts
Would it be easier to remove MBAM since I installed that?
I can reinstall it then if you think that would be easier?
I will run the above just in case.
  • 0

#42
rshaffer61

rshaffer61

    Moderator

  • Topic Starter
  • Moderator
  • 34,114 posts
ComboFix 10-12-11.03 - San San 12/15/2010 12:53:40.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.1015 [GMT -6:00]
Running from: c:\users\San San\Desktop\ComboFix.exe
Command switches used :: c:\users\San San\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-15 19:04 . 2010-12-15 19:13 -------- d-----w- c:\users\San San\AppData\Local\temp
2010-12-15 19:04 . 2010-12-15 19:04 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-15 19:04 . 2010-12-15 19:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-15 17:02 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-15 17:02 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-15 17:02 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-15 17:02 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-15 17:02 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-15 16:56 . 2010-12-15 16:56 -------- d--h--w- c:\windows\msdownld.tmp
2010-12-14 16:21 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-12-14 16:21 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-12-14 16:21 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-14 16:21 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-12-14 16:21 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-12-14 16:21 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-14 16:21 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-14 16:19 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-14 16:19 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-12-14 16:18 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-12-14 16:18 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-14 16:18 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-12-14 16:18 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-12-14 16:18 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-12-14 16:18 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-12-14 16:18 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-14 16:17 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-12-14 16:17 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-12-14 16:15 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-14 16:15 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-14 16:10 . 2010-11-16 18:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B15ACCA3-721B-4346-8E65-2844A952A92F}\mpengine.dll
2010-12-11 23:42 . 2010-12-11 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\programdata\McAfee Security Scan
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-11 23:40 . 2010-12-11 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-11 23:22 . 2010-12-11 23:22 -------- d-----w- C:\_OTL
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- c:\program files\trend micro
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- C:\rsit
2010-12-11 17:34 . 2010-12-11 17:34 -------- d-----w- c:\program files\ESET
2010-12-10 17:18 . 2010-12-10 17:18 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-16 23:20 . 2010-11-16 23:20 -------- d-----w- c:\program files\WildTangent Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:42 . 2010-06-14 04:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-06-14 04:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 22:21 . 2010-06-14 04:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 22:39 . 2010-06-14 04:48 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-19 16:41 . 2010-05-04 01:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 21:14 . 2009-10-26 21:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
<pre>
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\QuickTime\QTTask  .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"jswtrayutil"="c:\program files\Jumpstart\jswtrayutil.exe" [N/A]
"NDSTray.exe"="NDSTray.exe" [N/A]
"cfFncEnabler.exe"="cfFncEnabler.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\San San\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2009-12-21 21760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKLM\~\startupfolder\C:^Users^San San^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\uts_bus.sys [2007-12-05 84352]
R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\DRIVERS\uts_mdfl.sys [2007-12-05 14976]
R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\DRIVERS\uts_mdm.sys [2007-12-05 110848]
R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\uts_serd.sys [2007-12-05 90880]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2009-01-03 270384]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [2008-10-10 274432]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\center\KodakSvc.exe [2008-12-01 28672]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-11-15 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\programdata\Kodak\Installer\Registration.exe [2009-04-06 16:34]

2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]

2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]

2010-12-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 23:57]

2010-12-11 c:\windows\Tasks\Norton Security Scan for San San.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-17 11:32]

2010-12-15 c:\windows\Tasks\User_Feed_Synchronization-{7B15186C-B24B-4BE3-9F66-4F744E226E5C}.job
- c:\windows\system32\msfeedssync.exe [2010-12-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: campuscruiser.com\www
Trusted Zone: midsouthcc.edu\www
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: timecruiser.com\www
FF - ProfilePath - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm144YYUS&fl=0&ptb=Bqqeu.VGkFiQM3SExfY1bQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: ShopAtHome Intelligent Shopping Toolbar: [email protected] - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\[email protected]
FF - Extension: Comcast Toolbar: {4E77EDAD-9566-4089-88D1-C81498CEE770} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80} - c:\users\San San\AppData\Local\{F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80}
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-12-15 13:18:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-15 19:18
ComboFix2.txt 2010-12-15 17:42
ComboFix3.txt 2010-12-14 18:26
ComboFix4.txt 2010-12-14 15:52
ComboFix5.txt 2010-12-15 18:51

Pre-Run: 54,645,833,728 bytes free
Post-Run: 54,471,389,184 bytes free

- - End Of File - - 2902266CDCDECB686637C6F7F66D89E5

#43 SpySentinel (R.I.P., Retired Staff, 5,152 posts)
Let's see if CF can remove the file infector. If not, then an uninstall of MBAM and QuickTime will be needed.

#44 SpySentinel (R.I.P., Retired Staff, 5,152 posts)
Looks like we posted at the same time :D

Can you please uninstall both Malwarebytes and QuickTime? Once you do that, please run ComboFix one more time, as well as a quick scan with the newly installed Malwarebytes.

#45 rshaffer61 (Moderator, Topic Starter, 34,114 posts)
OK, QuickTime and Malwarebytes completely uninstalled, and then fresh downloads and reinstalls done. Malwarebytes and ComboFix scans done and new logs included below.

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5322

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

12/15/2010 1:58:02 PM
mbam-log-2010-12-15 (13-58-02).txt

Scan type: Quick scan
Objects scanned: 149045
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





ComboFix 10-12-11.03 - San San 12/15/2010 14:19:14.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.922 [GMT -6:00]
Running from: c:\users\San San\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Norton 360 *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Norton 360 *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-15 20:27 . 2010-12-15 20:27 -------- d-----w- c:\users\San San\AppData\Local\temp
2010-12-15 20:27 . 2010-12-15 20:27 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-12-15 20:27 . 2010-12-15 20:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-15 19:39 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-15 19:39 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-15 17:02 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-15 17:02 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-15 17:02 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-15 17:02 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-15 17:02 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-15 16:56 . 2010-12-15 16:56 -------- d--h--w- c:\windows\msdownld.tmp
2010-12-14 16:21 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-12-14 16:21 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-12-14 16:21 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-14 16:21 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-12-14 16:21 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-12-14 16:21 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-14 16:21 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-14 16:19 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-14 16:19 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-12-14 16:18 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-12-14 16:18 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-14 16:18 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-12-14 16:18 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-12-14 16:18 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-12-14 16:18 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-12-14 16:18 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-14 16:17 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-12-14 16:17 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-12-14 16:15 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-14 16:15 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-14 16:10 . 2010-11-16 18:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B15ACCA3-721B-4346-8E65-2844A952A92F}\mpengine.dll
2010-12-11 23:42 . 2010-12-11 23:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\programdata\McAfee Security Scan
2010-12-11 23:41 . 2010-12-11 23:41 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-11 23:40 . 2010-12-11 23:40 -------- d-----w- c:\program files\Common Files\Java
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-11 23:40 . 2010-12-11 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-11 23:22 . 2010-12-11 23:22 -------- d-----w- C:\_OTL
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- c:\program files\trend micro
2010-12-11 21:16 . 2010-12-11 21:17 -------- d-----w- C:\rsit
2010-12-11 17:34 . 2010-12-11 17:34 -------- d-----w- c:\program files\ESET
2010-12-10 17:18 . 2010-12-10 17:18 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-16 23:20 . 2010-11-16 23:20 -------- d-----w- c:\program files\WildTangent Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-28 22:21 . 2010-06-14 04:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 22:39 . 2010-06-14 04:48 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-19 16:41 . 2010-05-04 01:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 21:14 . 2009-10-26 21:14 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
<pre>
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\QuickTime\QTTask  .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"jswtrayutil"="c:\program files\Jumpstart\jswtrayutil.exe" [N/A]
"NDSTray.exe"="NDSTray.exe" [N/A]
"cfFncEnabler.exe"="cfFncEnabler.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\San San\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2009-12-21 21760]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKLM\~\startupfolder\C:^Users^San San^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\San San\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\uts_bus.sys [2007-12-05 84352]
R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\DRIVERS\uts_mdfl.sys [2007-12-05 14976]
R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\DRIVERS\uts_mdm.sys [2007-12-05 110848]
R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\uts_serd.sys [2007-12-05 90880]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090219.003\IDSvix86.sys [2009-01-03 270384]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [2008-10-10 274432]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\center\KodakSvc.exe [2008-12-01 28672]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-14 99376]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-11-15 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\programdata\Kodak\Installer\Registration.exe [2009-04-06 16:34]

2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]

2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 00:09]

2010-12-11 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 23:57]

2010-12-11 c:\windows\Tasks\Norton Security Scan for San San.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-17 11:32]

2010-12-15 c:\windows\Tasks\User_Feed_Synchronization-{7B15186C-B24B-4BE3-9F66-4F744E226E5C}.job
- c:\windows\system32\msfeedssync.exe [2010-12-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: campuscruiser.com\www
Trusted Zone: midsouthcc.edu\www
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: timecruiser.com\www
FF - ProfilePath - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm144YYUS&fl=0&ptb=Bqqeu.VGkFiQM3SExfY1bQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: ShopAtHome Intelligent Shopping Toolbar: [email protected] - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\[email protected]
FF - Extension: Comcast Toolbar: {4E77EDAD-9566-4089-88D1-C81498CEE770} - c:\users\San San\AppData\Roaming\Mozilla\Firefox\Profiles\mwkj494g.default\extensions\{4E77EDAD-9566-4089-88D1-C81498CEE770}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80} - c:\users\San San\AppData\Local\{F4B65AE9-C674-4B39-A3DF-6EDF44BC5C80}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-15 14:27
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2464)
c:\program files\Common Files\Symantec Shared\ccSet.dll
c:\windows\System32\msxml3.dll
.
Completion time: 2010-12-15 14:29:32
ComboFix-quarantined-files.txt 2010-12-15 20:29
ComboFix2.txt 2010-12-15 19:18
ComboFix3.txt 2010-12-15 17:42
ComboFix4.txt 2010-12-14 18:26
ComboFix5.txt 2010-12-15 20:17

Pre-Run: 63,920,132,096 bytes free
Post-Run: 63,661,084,672 bytes free

- - End Of File - - 95E9A4392F24A4DFF4ABCD3D296667CD