Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

XP Anti Spyware 2011


  • This topic is locked This topic is locked

#16
juanabutler

juanabutler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
exeHelper by Raktor
Build 20100414
Run at 18:28:05 on 05/20/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
  • 0

Advertisements


#17
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
Did that work?
  • 0

#18
juanabutler

juanabutler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Yep,,,updated mbam and running full scan now. I won't be able to get logs till tomorrow as she has a prior engagement right now.
  • 0

#19
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
OK..We made progress

Post the scan results tomorrow.
  • 0

#20
juanabutler

juanabutler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6630

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/21/2011 5:43:49 PM
mbam-log-2011-05-21 (17-43-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 359552
Time elapsed: 6 hour(s), 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\qnpn7rjv93lf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ebekonobapuy (IPH.Trojan.Hiloti.B) -> Value: Ebekonobapuy -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Juana\Local Settings\Application Data\kwv.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Juana\Local Settings\Application Data\kwv.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Juana\Local Settings\Application Data\kwv.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\asiyopub.dll (IPH.Trojan.Hiloti.B) -> Quarantined and deleted successfully.
c:\documents and settings\Juana\local settings\Temp\jar_cache3523.tmp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Juana\local settings\Temp\a1478.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Mark\local settings\Temp\33.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
  • 0

#21
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
Lets run it again to be sure all are gone.

Also let me know how it's running.
  • 0

#22
rshaffer61

rshaffer61

    Moderator

  • Moderator
  • 34,114 posts
Will do that hopefully today and post the log. I ran TFC and Auslogics Defrag and what a mess. Both took over a hour each to run.. :) :unsure: :yes:
  • 0

#23
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
I'll bet it was.
  • 0

#24
juanabutler

juanabutler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6654

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/23/2011 2:08:45 PM
mbam-log-2011-05-23 (14-08-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 307523
Time elapsed: 1 hour(s), 23 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\yr87fk3d2dnszapq2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qmxywkgu (Trojan.FakeAlert.Gen) -> Value: qmxywkgu -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Juana\local settings\Temp\2E.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Juana\local settings\Temp\jar_cache28474.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  • 0

#25
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")



Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.
  • 0

Advertisements


#26
juanabutler

juanabutler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Combo fix will not run due to AVG 9.0 is installed. I tried finding the uninstall tool but can't find the one for version 9.0
Using AVG's uninstall command fails due to a registry key error.
  • 0

#27
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
If AVG or CA will not uninstall, it is recommended to uninstall it with AppRemover by Opswat. http://www.appremove...ed-applications
  • 0

#28
juanabutler

juanabutler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
ComboFix 11-05-23.02 - Juana 05/23/2011 20:36:32.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.746 [GMT -5:00]
Running from: c:\documents and settings\Juana\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dee\Local Settings\Application Data\{777A1FF6-6C95-43A2-92A4-4DD9A08D409C}
c:\documents and settings\Dee\Local Settings\Application Data\{777A1FF6-6C95-43A2-92A4-4DD9A08D409C}\chrome.manifest
c:\documents and settings\Dee\Local Settings\Application Data\{777A1FF6-6C95-43A2-92A4-4DD9A08D409C}\chrome\content\_cfg.js
c:\documents and settings\Dee\Local Settings\Application Data\{777A1FF6-6C95-43A2-92A4-4DD9A08D409C}\chrome\content\overlay.xul
c:\documents and settings\Dee\Local Settings\Application Data\{777A1FF6-6C95-43A2-92A4-4DD9A08D409C}\install.rdf
c:\documents and settings\Dee\WINDOWS
c:\documents and settings\Juana\Application Data\VAP
c:\documents and settings\Juana\Application Data\VAP\firewall.log
c:\program files\Helper
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.3.inf
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-04-24 to 2011-05-24 )))))))))))))))))))))))))))))))
.
.
2011-05-24 01:46 . 2011-05-24 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Gtek
2011-05-24 01:46 . 2011-05-24 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2011-05-24 01:34 . 2011-05-24 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2011-05-24 01:33 . 2011-05-24 01:33 -------- d--h--r- c:\documents and settings\All Users\Application Data\yahoo!
2011-05-21 23:22 . 2011-05-21 23:22 -------- d-----w- c:\documents and settings\Juana\Application Data\Auslogics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 20:43 . 2011-04-11 20:43 1409 ----a-w- c:\windows\QTFont.for
2003-03-19 02:20 . 2003-03-19 02:20 1060864 ----a-w- c:\program files\mfc71.dll
2003-03-19 02:12 . 2003-03-19 02:12 1047552 ----a-w- c:\program files\mfc71u.dll
2003-03-19 01:44 . 2003-03-19 01:44 57344 ----a-w- c:\program files\MFC71ENU.DLL
2003-03-19 01:44 . 2003-03-19 01:44 49152 ----a-w- c:\program files\MFC71KOR.DLL
2003-03-19 01:44 . 2003-03-19 01:44 61440 ----a-w- c:\program files\MFC71ITA.DLL
2003-03-19 01:44 . 2003-03-19 01:44 61440 ----a-w- c:\program files\MFC71ESP.DLL
2003-03-19 01:44 . 2003-03-19 01:44 45056 ----a-w- c:\program files\MFC71CHT.DLL
2003-03-19 01:44 . 2003-03-19 01:44 40960 ----a-w- c:\program files\MFC71CHS.DLL
2003-03-19 01:44 . 2003-03-19 01:44 65536 ----a-w- c:\program files\MFC71DEU.DLL
2003-03-19 01:44 . 2003-03-19 01:44 61440 ----a-w- c:\program files\MFC71FRA.DLL
2003-03-19 01:44 . 2003-03-19 01:44 49152 ----a-w- c:\program files\MFC71JPN.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-09-12 20:02 3863136 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-03-28 17:11 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2010-05-17 1773568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-08 169984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2010-05-17 1773568]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-13 23:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 19:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19255:TCP"= 19255:TCP:BitComet 19255 TCP
"19255:UDP"= 19255:UDP:BitComet 19255 UDP
.
R2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [6/13/2010 7:14 PM 56352]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/26/2010 3:44 PM 135664]
S2 Pantech UTM Service;Pantech UTM Service;c:\program files\PCD\Pantech\EUDL\UTM\PantechService.exe [11/23/2010 5:22 PM 65536]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/26/2010 3:44 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
2011-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 20:44]
.
2011-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-26 20:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/update_security_info.php?wizard=1#!/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Juana\Application Data\Mozilla\Firefox\Profiles\121b7jwg.default\
FF - prefs.js: browser.startup.homepage - hxxp://geekstogo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59274
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XULRunner: {45C9815C-61F0-49FF-B325-0572E0B1221A} - c:\documents and settings\Mark\Local Settings\Application Data\{45C9815C-61F0-49FF-B325-0572E0B1221A}
FF - Ext: XULRunner: {9BCBF7D7-E1A4-43ED-B59E-130BFF34CD4E} - c:\documents and settings\Juana\Local Settings\Application Data\{9BCBF7D7-E1A4-43ED-B59E-130BFF34CD4E}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{61c9770d-44de-4ec3-a1cb-98383f2d89a4} - (no file)
BHO-{CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - (no file)
Toolbar-{61c9770d-44de-4ec3-a1cb-98383f2d89a4} - (no file)
HKCU-Run-tmp - (no file)
HKCU-Run-Malware Protection - c:\documents and settings\All Users\Application Data\defender.exe
HKLM-Run-DLCFCATS - \3\DLCFtime.dll
Notify-avgrsstarter - (no file)
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
AddRemove-Burger Shop 2™ - c:\program files\GoBit
AddRemove-Jenkat Games Arcade - c:\documents and settings\Jerika\Application Data\Jenkat\Jenkat Games Arcade\uninst.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1 - c:\auslogics disk defrag\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-23 20:46
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 \3\DLCFtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3216)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\stsystra.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\PCD\Pantech\EUDL\UTM\PantechUTM.exe
.
**************************************************************************
.
Completion time: 2011-05-23 20:50:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-24 01:50
.
Pre-Run: 13,510,799,360 bytes free
Post-Run: 14,573,936,640 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 7D187B12B40497C95BD3F2C66F6552CB
  • 0

#29
rshaffer61

rshaffer61

    Moderator

  • Moderator
  • 34,114 posts
The system is running 100% faster now and the internet is back to broadband load and surfing. :)
  • 0

#30
ldtate

ldtate

    Malware Expert

  • Expert
  • 1,874 posts
  • MVP
Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Folder::
c:\program files\ConduitEngine
c:\program files\Ask.com

FireFox::
FF - ProfilePath - c:\documents and settings\Juana\Application Data\Mozilla\Firefox\Profiles\121b7jwg.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59274
FF - prefs.js: network.proxy.type - 0

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:
1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...


Posted Image

Drag CFScript.txt into ComboFix.exe


Then post the results log using Copy / Paste


Also please describe how your computer behaves at the moment.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP