Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Brontok & Perfect Def 2009


  • This topic is locked This topic is locked
15 replies to this topic

#1 LisaAWG

LisaAWG

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 15 May 2009 - 09:36 PM

Hello,

I'm currently running in Safe Mode - my computer has completely stopped working... When I tried to run a browser (Netscape, Mozilla, IE), they would crash and I would get a pop-up window saying that I was infected with win32.Brontok virus. Another window would pop-up "MS feeds synchronization has stopped working". In the end, the browser would close down and eventually there would be nothing on the screen. No small icons, no windows tool bar - nothing.

It was very difficult to get the computer to start in safe-mode. I tried hitting "Start"... but the computer would crash... Finally I guess I crashed the computer so bad that when I tried to boot it back up, it asked if I wanted to start in safe mode.

Anyway, very frustrated...

Thanks!

Lisa


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Garfield at 18:48:32.37 on Fri 05/15/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1606 [GMT -7:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Spy Sweeper *disabled* (Updated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Users\Garfield\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Users\Garfield\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [RunSpySweeperScheduleAtStartup] "c:\windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{EF18F771-BF35-4A1C-8E69-CB64F89A2233}
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [realteks] "c:\users\garfield\appdata\roaming\google\vmsclock.exe" 2
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [<NO NAME>]
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "c:\program files\google\gmail notifier\gnotify.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeperUI.exe /startintray
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Malwarebytes Anti-Malware Reboot] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\garfield\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: WRNotifier - WRLogonNTF.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\garfield\appdata\roaming\mozilla\firefox\profiles\xryjqewi.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\users\garfield\appdata\roaming\mozilla\firefox\profiles\xryjqewi.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll

============= SERVICES / DRIVERS ===============

S2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-29 210216]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-4-18 366080]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-10 11:47 8,212 a------- c:\windows\mfebcdata
2009-05-09 21:20 <DIR> --d----- c:\windows\pss
2009-05-02 05:52 269,140,243 a------- c:\windows\MEMORY.DMP

==================== Find3M ====================

2009-04-26 22:16 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-26 22:16 51,200 a------- c:\windows\inf\infpub.dat
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-16 20:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 20:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 20:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-02 21:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 21:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 21:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-02 21:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-02 21:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-02 21:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 21:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-02 21:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-02 21:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-02 21:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 20:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 19:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-02 19:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2008-12-29 19:23 174 a--sh--- c:\program files\desktop.ini
2008-11-30 14:00 86,016 a------- c:\windows\inf\infstor.dat
2008-06-17 16:42 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-01-12 01:25 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-01-12 01:25 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-01-12 01:25 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 18:50:13.27 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:26 PM

Posted 27 May 2009 - 06:14 AM

Hello and welcome to the BleepingComputer.com! :thumbup2:

I will be helping you today. :) If you still need help, please let me know by replying to this thread. :step4:

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:26 PM

Posted 27 May 2009 - 08:41 AM

Hello, :thumbup2:

You seem to be running 2 anti virus programs: Symantec and McAfee.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

If you choose to remove McAfee please follow these instructions: http://service.mcafee.com/FAQDocument.aspx?id=TS100507
If you choose to remove Symantec please follow these instructions:http://service1.symantec.com/Support/tsgen...005033108162039
Please only uninstall one of your 2 anti virus programs.


I see that you were running Malwarebytes, could you please post the log from that scan?
To get the log, please start Malwarebytes, go to the tab "Logs" and do a double click on the corresponding log. It should then open in notepad.

Please post a new Log from DDS, so that we will be able to see the current status of your PC:
  • Download DDS by sUBs from one of the following links, if you already deleted the file. Save it to your desktop.
    DDS.com
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#4 LisaAWG

LisaAWG
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 27 May 2009 - 11:56 PM

Thanks _temp_ for taking on my challenge...

I've removed Norton and did a quick scan on Malwarebytes. Here's that log.

Malwarebytes' Anti-Malware 1.36
Database version: 2096
Windows 6.0.6001 Service Pack 1

5/27/2009 9:45:30 PM
mbam-log-2009-05-27 (21-45-30).txt

Scan type: Quick Scan
Objects scanned: 75656
Time elapsed: 2 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**********************************

DDS Log


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Garfield at 21:49:35.81 on Wed 05/27/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1456 [GMT -7:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Spy Sweeper *disabled* (Updated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\Garfield\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [RunSpySweeperScheduleAtStartup] "c:\windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{EF18F771-BF35-4A1C-8E69-CB64F89A2233}
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [realteks] "c:\users\garfield\appdata\roaming\google\vmsclock.exe" 2
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000096.000001da
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [<NO NAME>]
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "c:\program files\google\gmail notifier\gnotify.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeperUI.exe /startintray
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Malwarebytes Anti-Malware Reboot] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\garfield\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: WRNotifier - WRLogonNTF.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\garfield\appdata\roaming\mozilla\firefox\profiles\xryjqewi.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\users\garfield\appdata\roaming\mozilla\firefox\profiles\xryjqewi.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll

============= SERVICES / DRIVERS ===============

S2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-29 210216]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-4-18 366080]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-27 21:32 <DIR> --d----- c:\programdata\NortonInstaller
2009-05-27 21:32 <DIR> --d----- c:\progra~2\NortonInstaller
2009-05-09 21:20 <DIR> --d----- c:\windows\pss
2009-05-02 05:52 269,140,243 a------- c:\windows\MEMORY.DMP

==================== Find3M ====================

2009-04-26 22:16 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-26 22:16 51,200 a------- c:\windows\inf\infpub.dat
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-16 20:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 20:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 20:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-02 21:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 21:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 21:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-02 21:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-02 21:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-02 21:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 21:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-02 21:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-02 21:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-02 21:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 20:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 19:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-02 19:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2008-12-29 19:23 174 a--sh--- c:\program files\desktop.ini
2008-11-30 14:00 86,016 a------- c:\windows\inf\infstor.dat
2008-06-17 16:42 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-01-12 01:25 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-01-12 01:25 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-01-12 01:25 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 21:49:54.29 ===============


Thanks again.

Lisa

Attached Files



#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:26 PM

Posted 28 May 2009 - 06:53 AM

Hi, :thumbup2:

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 LisaAWG

LisaAWG
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 28 May 2009 - 05:16 PM

Thanks _temp_ :thumbup2:



ComboFix 09-05-28.01 - Garfield 05/28/2009 15:07.1 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1494 [GMT -7:00]
Running from: c:\users\Garfield\Desktop\ComboFix.exe
SP: Spy Sweeper *disabled* (Updated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Garfield\AppData\Roaming\Google\vmsclock.exe
D:\Desktop.ini
E:\desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-28 22:11 . 2009-05-28 22:11 -------- d-----w c:\users\Garfield\AppData\Local\temp
2009-05-28 04:32 . 2009-05-28 04:32 -------- d-----w c:\progra~2\NortonInstaller
2009-05-07 17:43 . 2009-05-07 17:43 16141 ----a-w c:\users\Garfield\AppData\Roaming\dvdcss\lego.exe
2009-05-07 17:43 . 2009-05-07 17:43 145131 ----a-w c:\users\Garfield\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\nomad.exe
2009-05-07 17:43 . 2009-05-07 17:43 11410 ----a-w c:\users\Garfield\AppData\Roaming\GarageGames\msgdi.dll
2009-05-07 17:43 . 2009-05-07 17:43 10121 ----a-w c:\users\Garfield\AppData\Roaming\GTek\kern.dll
2009-05-07 17:43 . 2009-05-07 17:43 422 ----a-w c:\users\Garfield\AppData\Roaming\Apple Computer\socks1.exe
2009-05-07 17:43 . 2009-05-07 17:43 13221 ----a-w c:\users\Garfield\AppData\Roaming\AdobeUM\rengo.dll
2009-05-07 17:43 . 2009-05-07 17:43 11232 ----a-w c:\users\Garfield\AppData\Roaming\Adobe\shalom.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 04:33 . 2007-02-14 08:18 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-09 01:16 . 2008-07-05 12:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-07 17:43 . 2009-01-25 23:15 -------- d-----w c:\users\Garfield\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-07 17:43 . 2008-11-26 16:52 -------- d-----w c:\users\Garfield\AppData\Roaming\GTek
2009-05-07 17:43 . 2008-06-02 22:48 -------- d-----w c:\users\Garfield\AppData\Roaming\GarageGames
2009-05-07 17:43 . 2007-10-15 13:52 -------- d-----w c:\users\Garfield\AppData\Roaming\dvdcss
2009-05-07 17:43 . 2007-08-09 03:44 -------- d-----w c:\users\Garfield\AppData\Roaming\AdobeUM
2009-05-07 17:43 . 2007-07-31 22:39 -------- d-----w c:\users\Garfield\AppData\Roaming\Apple Computer
2009-05-03 10:01 . 2007-02-14 08:11 -------- d-----w c:\progra~2\Microsoft Help
2009-04-27 05:16 . 2008-05-08 02:54 -------- d-----w c:\program files\SG2
2009-04-26 07:44 . 2008-12-30 04:33 -------- d-----w c:\program files\McAfee
2009-04-17 10:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-06 22:32 . 2009-01-04 03:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-07-05 12:55 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 18:06 . 2008-12-30 04:33 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2008-12-30 04:33 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2008-12-30 04:33 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2008-12-30 04:33 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2008-12-30 04:33 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-17 03:38 . 2009-04-17 06:35 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 06:35 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-03 04:46 . 2009-04-17 06:35 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 06:35 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-17 06:34 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-17 06:35 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 06:35 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 06:35 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 06:34 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-17 06:35 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 06:35 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 06:35 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 06:35 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 06:35 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-17 06:34 26624 ----a-w c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RunSpySweeperScheduleAtStartup"="c:\windows\system32\msfeedssync.exe" [2008-01-19 12800]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-03 636072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2006-11-20 155648]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-04-20 151552]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 5367608]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-28 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-28 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-28 81920]
"Malwarebytes Anti-Malware Reboot"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-04-06 1277584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-28 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-30 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-04-06 1277584]

c:\users\Garfield\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2007-2-14 34520]

c:\users\Garfield\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1088F676-6614-4214-9D06-CE620175434C}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{9C87B66F-CEB2-4C65-A56D-00C202CDD216}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{B945B534-3BC5-407E-BBE4-FB03BA8F51BC}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{ECFE0557-06A6-405F-B7DA-3A4CE727D434}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{35C8F422-D8E2-42EE-BE44-A3CF815CE269}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{786CE00B-75E3-441D-994C-B21A4BA48112}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{B7EC48E5-CE0F-4C07-9508-EA449C4B8DD6}"= TCP:9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{AA299B76-AB28-48BF-856D-EF410CEFD860}"= TCP:1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{DDF5DB28-98F0-4943-8015-4ACA780B6BFA}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0CC678C5-2AA8-4FB2-93CA-7C01AEF2DD2B}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2268AE1D-6CE0-436A-8566-754DEBFA1086}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{211C362A-33FF-4709-8A5F-6155E4CEACEE}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{745C47E0-9A9F-4ADE-9D51-427995EFC3FA}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{54897BE7-2818-4DC8-B6C1-F64F99CCEA88}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{8D4F5BBD-C56C-4B5E-8DEA-5AB7AE237884}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections
"{7FA77F65-2A96-4389-BF08-E6BC81074E3D}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{9FCF1645-AA97-4B2D-93F2-DA8DD6B2DB84}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{890053C6-F692-4305-A0A9-59AE7B30D7B2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{12DD79F1-5DB0-4098-9A00-75983CDC1932}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{77835890-0A4F-480F-BFD7-6A0F59F5854B}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3A2C0C4D-DCF4-4602-96D4-A1AAC8A4792B}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F945D9B0-F7EB-4589-9E37-9AA519942EC9}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{83508E32-7654-41C8-B4DC-6FC180FBB39D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7487C506-B030-45B5-A2D9-8F090AD4CB52}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{A65B336C-B9AA-4CEE-BA97-F88096D42EF8}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{899EABDA-B0F7-4543-A61F-E9275B0E790F}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{56A6F52C-F7B8-4FEB-B223-237D3AFD13A8}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{4B131543-3432-407E-9A43-E9D7877DE281}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{213F6494-50D9-459C-A7DB-0C9C328D34CE}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{77E82785-4834-4759-BED9-6655212E866D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{1BCB34AD-E928-4990-B445-98DA12675725}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{A6CAE536-183E-4D50-8FBF-173FE747354C}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{0876F5DD-1C94-4894-AF9C-C583D406B71F}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A031442C-A15C-4A21-9AB1-5B8A3660B436}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F16DD04D-BB28-47D9-A740-65CA8E9F9378}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{90667BEA-ED32-4AC7-865D-E0B436A02585}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{08B2BA89-9503-40B6-9352-DFF9E5364BD1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{506947F8-A048-4DE8-B6D1-605228E8F1A7}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [9/3/2006 11:32 AM 208896]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [5/10/2006 10:13 AM 29696]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/29/2008 9:36 PM 210216]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\System32\drivers\hcw18bda.sys [4/18/2007 2:30 PM 366080]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-realteks - c:\users\Garfield\AppData\Roaming\Google\vmsclock.exe
HKLM-Run-Lexmark X74-X75 - c:\program files\Lexmark X74-X75\lxbbbmgr.exe
HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Garfield\AppData\Roaming\Mozilla\Firefox\Profiles\xryjqewi.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\users\Garfield\AppData\Roaming\Mozilla\Firefox\Profiles\xryjqewi.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 15:11
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000046

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-28 15:14
ComboFix-quarantined-files.txt 2009-05-28 22:13

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 157,174,345,728 bytes free

221 --- E O F --- 2009-05-16 02:21

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:26 PM

Posted 29 May 2009 - 06:54 AM

Hi, :thumbup2:

How's your PC doing?

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\users\Garfield\AppData\Roaming\dvdcss\lego.exe

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Please do this for the following files as well:

c:\users\Garfield\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\nomad.exe
c:\users\Garfield\AppData\Roaming\GarageGames\msgdi.dll
c:\users\Garfield\AppData\Roaming\GTek\kern.dll
c:\users\Garfield\AppData\Roaming\Apple Computer\socks1.exe
c:\users\Garfield\AppData\Roaming\AdobeUM\rengo.dll
c:\users\Garfield\AppData\Roaming\Adobe\shalom.exe


Please post back the results of the scans in your next post.
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 LisaAWG

LisaAWG
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 29 May 2009 - 09:02 PM

Well, I'm not running is Safe mode anymore and I ran the Jotti scan FOUND NOTHING for all files that you requested.

Computer seems to be running fine.

Thanks for your help _temp_!!!

:thumbup2:

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:26 PM

Posted 30 May 2009 - 12:14 PM

Hi LisaAWG,

great to hear your PC is doing better! :thumbup2:
There are still some malicious entries left though. Please do the following:

Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic227237.html]http://www.bleepingcomputer.com/forums/t/227237/brontok-perfect-def-2009/
Collect::
c:\users\Garfield\AppData\Roaming\dvdcss\lego.exe
c:\users\Garfield\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\nomad.exe
c:\users\Garfield\AppData\Roaming\GarageGames\msgdi.dll
c:\users\Garfield\AppData\Roaming\GTek\kern.dll
c:\users\Garfield\AppData\Roaming\Apple Computer\socks1.exe
c:\users\Garfield\AppData\Roaming\AdobeUM\rengo.dll
c:\users\Garfield\AppData\Roaming\Adobe\shalom.exe

Save this as CFScript.txt


Posted Image


Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 LisaAWG

LisaAWG
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 30 May 2009 - 09:26 PM

Hello _temp_,

here's the report for you...

Thanks,

Lisa

ComboFix 09-05-30.03 - Garfield 05/30/2009 18:04.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1395 [GMT -7:00]
Running from: c:\users\Garfield\Desktop\ComboFix.exe
Command switches used :: c:\users\Garfield\Desktop\CFScript.txt
SP: Spy Sweeper *disabled* (Updated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active


file zipped: c:\users\Garfield\AppData\Roaming\Adobe\shalom.exe
file zipped: c:\users\Garfield\AppData\Roaming\AdobeUM\rengo.dll
file zipped: c:\users\Garfield\AppData\Roaming\Apple Computer\socks1.exe
file zipped: c:\users\Garfield\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\nomad.exe
file zipped: c:\users\Garfield\AppData\Roaming\dvdcss\lego.exe
file zipped: c:\users\Garfield\AppData\Roaming\GarageGames\msgdi.dll
file zipped: c:\users\Garfield\AppData\Roaming\GTek\kern.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Garfield\AppData\Roaming\Adobe\shalom.exe
c:\users\Garfield\AppData\Roaming\AdobeUM\rengo.dll
c:\users\Garfield\AppData\Roaming\Apple Computer\socks1.exe
c:\users\Garfield\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\nomad.exe
c:\users\Garfield\AppData\Roaming\dvdcss\lego.exe
c:\users\Garfield\AppData\Roaming\GarageGames\msgdi.dll
c:\users\Garfield\AppData\Roaming\GTek\kern.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-31 01:11 . 2009-05-31 01:11 -------- d-----w c:\users\Garfield\AppData\Local\temp
2009-05-30 21:15 . 2009-05-30 21:15 -------- d-----w c:\progra~2\Yahoo! Companion
2009-05-28 04:32 . 2009-05-28 04:32 -------- d-----w c:\progra~2\NortonInstaller
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 01:05 . 2009-01-25 23:15 -------- d-----w c:\users\Garfield\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-31 01:05 . 2008-11-26 16:52 -------- d-----w c:\users\Garfield\AppData\Roaming\GTek
2009-05-31 01:05 . 2008-06-02 22:48 -------- d-----w c:\users\Garfield\AppData\Roaming\GarageGames
2009-05-31 01:05 . 2007-10-15 13:52 -------- d-----w c:\users\Garfield\AppData\Roaming\dvdcss
2009-05-31 01:05 . 2007-08-09 03:44 -------- d-----w c:\users\Garfield\AppData\Roaming\AdobeUM
2009-05-31 01:05 . 2007-07-31 22:39 -------- d-----w c:\users\Garfield\AppData\Roaming\Apple Computer
2009-05-30 02:07 . 2007-08-03 23:41 -------- d-----w c:\program files\Java
2009-05-30 01:49 . 2007-02-14 08:11 -------- d-----w c:\progra~2\Microsoft Help
2009-05-30 01:43 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-28 04:33 . 2007-02-14 08:18 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-09 01:16 . 2008-07-05 12:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 05:16 . 2008-05-08 02:54 -------- d-----w c:\program files\SG2
2009-04-26 07:44 . 2008-12-30 04:33 -------- d-----w c:\program files\McAfee
2009-04-06 22:32 . 2009-01-04 03:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-07-05 12:55 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 18:06 . 2008-12-30 04:33 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2008-12-30 04:33 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2008-12-30 04:33 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2008-12-30 04:33 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2008-12-30 04:33 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-17 03:38 . 2009-04-17 06:35 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 06:35 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-09 12:19 . 2008-12-18 02:53 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-03 04:46 . 2009-04-17 06:35 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 06:35 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-17 06:34 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-17 06:35 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 06:35 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 06:35 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 06:34 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-17 06:35 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 06:35 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 06:35 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 06:35 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 06:35 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-17 06:34 26624 ----a-w c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RunSpySweeperScheduleAtStartup"="c:\windows\system32\msfeedssync.exe" [2008-01-19 12800]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2006-11-20 155648]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-04-20 151552]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 5367608]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-28 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-28 8473120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-28 81920]
"Malwarebytes Anti-Malware Reboot"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-04-06 1277584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-28 185872]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]

c:\users\Garfield\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2007-2-14 34520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1088F676-6614-4214-9D06-CE620175434C}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{9C87B66F-CEB2-4C65-A56D-00C202CDD216}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{B945B534-3BC5-407E-BBE4-FB03BA8F51BC}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{ECFE0557-06A6-405F-B7DA-3A4CE727D434}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{35C8F422-D8E2-42EE-BE44-A3CF815CE269}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{786CE00B-75E3-441D-994C-B21A4BA48112}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{B7EC48E5-CE0F-4C07-9508-EA449C4B8DD6}"= TCP:9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{AA299B76-AB28-48BF-856D-EF410CEFD860}"= TCP:1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{DDF5DB28-98F0-4943-8015-4ACA780B6BFA}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0CC678C5-2AA8-4FB2-93CA-7C01AEF2DD2B}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2268AE1D-6CE0-436A-8566-754DEBFA1086}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{211C362A-33FF-4709-8A5F-6155E4CEACEE}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{745C47E0-9A9F-4ADE-9D51-427995EFC3FA}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{54897BE7-2818-4DC8-B6C1-F64F99CCEA88}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{8D4F5BBD-C56C-4B5E-8DEA-5AB7AE237884}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections
"{7FA77F65-2A96-4389-BF08-E6BC81074E3D}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{9FCF1645-AA97-4B2D-93F2-DA8DD6B2DB84}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{890053C6-F692-4305-A0A9-59AE7B30D7B2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{12DD79F1-5DB0-4098-9A00-75983CDC1932}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{77835890-0A4F-480F-BFD7-6A0F59F5854B}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3A2C0C4D-DCF4-4602-96D4-A1AAC8A4792B}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F945D9B0-F7EB-4589-9E37-9AA519942EC9}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{83508E32-7654-41C8-B4DC-6FC180FBB39D}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7487C506-B030-45B5-A2D9-8F090AD4CB52}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{A65B336C-B9AA-4CEE-BA97-F88096D42EF8}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{899EABDA-B0F7-4543-A61F-E9275B0E790F}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{56A6F52C-F7B8-4FEB-B223-237D3AFD13A8}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{4B131543-3432-407E-9A43-E9D7877DE281}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{213F6494-50D9-459C-A7DB-0C9C328D34CE}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{77E82785-4834-4759-BED9-6655212E866D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{1BCB34AD-E928-4990-B445-98DA12675725}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{A6CAE536-183E-4D50-8FBF-173FE747354C}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{0876F5DD-1C94-4894-AF9C-C583D406B71F}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A031442C-A15C-4A21-9AB1-5B8A3660B436}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F16DD04D-BB28-47D9-A740-65CA8E9F9378}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{90667BEA-ED32-4AC7-865D-E0B436A02585}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{08B2BA89-9503-40B6-9352-DFF9E5364BD1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{506947F8-A048-4DE8-B6D1-605228E8F1A7}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [9/3/2006 11:32 AM 208896]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/29/2008 9:36 PM 210216]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\System32\drivers\hcw18bda.sys [4/18/2007 2:30 PM 366080]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [5/10/2006 10:13 AM 29696]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Garfield\AppData\Roaming\Mozilla\Firefox\Profiles\xryjqewi.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\users\Garfield\AppData\Roaming\Mozilla\Firefox\Profiles\xryjqewi.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 18:11
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000046

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-31 18:14
ComboFix-quarantined-files.txt 2009-05-31 01:13
ComboFix2.txt 2009-05-28 22:14

Pre-Run: 153,841,418,240 bytes free
Post-Run: 153,858,469,888 bytes free

222 --- E O F --- 2009-05-30 01:51
Upload was successful

#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:26 PM

Posted 31 May 2009 - 10:23 AM

Hi LisaAWG,

First the good news:your logs look clean. :)


The bad news is, that I got confused about your anti virus program. :thumbup2:
Is McAfee's anti virus program really installed on your PC? If not please reinstall symantec or choose a free (for personal use only) anti virus program like Avast! or Antivir.


Additionally I'd like to bring your PC up to date, in order to make it more secure. :step4:

First of all I would like to ask you, to install an outbound firewall.
A comprehensive tutorial and a list of possible firewalls can be found here.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

You also have old versions of the adobe flashplugin installed,
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
  • Adobe Flash Player 9 ActiveX
  • Java™ 6 Update 11
  • Java™ 6 Update 6
  • Java™ 6 Update 7
If you are unsure of how to use Add or Remove Programs, the please see this tutorial:
How To Remove An Installed Program From Your Computer

Please also update and run Malwarebytes Anti-Malware once more and post the log here.


regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 LisaAWG

LisaAWG
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 31 May 2009 - 11:56 PM

Hi _temp_,

I've got McAfee installed & I think it's running... I may have disabled it for the last scan that I posted for you.

Thanks,

Lisa

Malwarebytes' Anti-Malware 1.37
Database version: 2204
Windows 6.0.6001 Service Pack 1

5/31/2009 9:54:27 PM
mbam-log-2009-05-31 (21-54-27).txt

Scan type: Quick Scan
Objects scanned: 82243
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:26 PM

Posted 01 June 2009 - 07:21 AM

Hi LisaAWG,

good to hear, that you have an anti virus program running. :step4:

Please do the following to clean up your PC:
  • Delete the tools used during the disinfection:
  • Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image
Please read these advices, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holeswill allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variantsevery single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Some more links you might find of interest:Have a nice day
_temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#14 LisaAWG

LisaAWG
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 01 June 2009 - 08:35 PM

Thanks _temp_,

Combofix seems to have disappeared w/o me deleting it...

Your advice is very useful and I will refer to it to make sure I don't get infected again.

:thumbup2:

Lisa

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:26 PM

Posted 02 June 2009 - 02:41 PM

Hi Lisa, :thumbup2:
Uninstalling Combofix does more than simply delete the file combofix.exe from your Desktop.
Do undo all the changes we did to your PC please follow these instructions instead:
  • Download OTCleanIt from one of the following mirrors and save it to yourdesktop:
  • Double click on Posted Image
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
regards _temp_

Edited by _temp_, 02 June 2009 - 02:42 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users