
rotscx issues


16 replies to this topic

#1 TheAndy500


Posted 25 September 2009 - 07:39 AM

This is the only thing I've been able to run. Everything else, including regedit, gives me the "open with" dialog. There's also porn all over the desktop and police pro on the desktop (but not running). This is my friend's computer, I don't know exactly what happened to it but it looks like it had a bunch of problems and somebody tried to fix them with partial success. The main problems are that nothing can be run/opened, warnings that things can't be run at startup, blue screening, and some bogus popups. Though the pop ups seem to have disappeared along with the blue screens when I started with most recent settings that worked, but it also hasn't been connected to the internet since I've had it. For some reason the wireless only finds two computer-to-computer networks that I'm not sure exist, one called "Library". The infected computer is running XP, my computer is now running Ubuntu.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/24 16:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA756000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AA0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: tatertot.scr.sys
Image Path: C:\WINDOWS\system32\drivers\tatertot.scr.sys
Address: 0xA9F07000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\HIBERFIL.SYS
Status: Locked to the Windows API!

Path: C:\RootRepeal report 09-24-09 (16-18-03).txt
Status: Visible to the Windows API, but not on disk.

Path: c:\windows\system32\uactmp.db
Status: Allocation size mismatch (API: 1409024, Raw: 0)

Path: C:\WINDOWS\SYSTEM32\rotscxqlldymex.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxmphesiaw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxbdqbnylt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxepaepasr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxevxbnmdi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxssjbbmxxsr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxouqdwpcvkp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxwiwasspdsx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxiqqvnmsbco.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxpfwbdywbde.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxecdarplaxl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxnsesvjuycv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\DRIVERS\rotscxpuyqxsiw.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ROTSCXQLLDYMEX.DLL]
Process: svchost.exe (PID: 1064) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: ROTSCXEVXBNMDI.DLL]
Process: Explorer.EXE (PID: 1948) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: rotscxsbfpmnvs
Image Path: C:\WINDOWS\system32\drivers\rotscxpuyqxsiw.sys

==EOF==
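
An added example, not part of the thread or of RootRepeal itself: a Python script that parses a RootRepeal report in the layout above and correlates what it finds. It pulls out the files RootRepeal marks "Invisible to the Windows API", recovers the shared name prefix ("rotscx" here), and checks that the hidden service's driver and the DLLs hidden inside svchost.exe and Explorer.EXE are the same set of files. The embedded report is a trimmed copy of the one posted; the section and key names are RootRepeal's, while the function names and the threshold (a prefix of at least four characters shared by at least three hidden files) are assumptions of this example.

```python
import os
import re
from collections import defaultdict

# Trimmed copy of the RootRepeal report posted above (constructed test input).
SAMPLE_REPORT = r"""ROOTREPEAL AD, 2007-2009
==================================================

Drivers
-------------------
Name: tatertot.scr.sys
Image Path: C:\WINDOWS\system32\drivers\tatertot.scr.sys
Address: 0xA9F07000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\SYSTEM32\rotscxqlldymex.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxevxbnmdi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxssjbbmxxsr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\DRIVERS\rotscxpuyqxsiw.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ROTSCXQLLDYMEX.DLL]
Process: svchost.exe (PID: 1064) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: ROTSCXEVXBNMDI.DLL]
Process: Explorer.EXE (PID: 1948) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: rotscxsbfpmnvs
Image Path: C:\WINDOWS\system32\drivers\rotscxpuyqxsiw.sys

==EOF==
"""

RULE = re.compile(r"-{5,}")


def parse_report(text):
    """{section: [record]}: a header is the line before a dashed rule, a record is
    the block of "Key: Value" lines between blank lines."""
    lines, sections, section, record = text.splitlines(), defaultdict(list), None, {}
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and RULE.fullmatch(nxt):
            section = line.strip()
        elif not line.strip():
            if section and record:
                sections[section].append(record)
            record = {}
        elif section and ": " in line:
            key, _, value = line.partition(": ")
            record[key.strip()] = value.strip()
    if section and record:
        sections[section].append(record)
    return sections


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(text):
    """Extract the indicators a responder wants from the report and cross-check them."""
    s = parse_report(text)
    invisible = [r["Path"] for r in s.get("Hidden/Locked Files", [])
                 if r.get("Status", "").startswith("Invisible to the Windows API")]
    names = [_basename(p) for p in invisible]
    # Random-named rootkit components share a fixed prefix ("rotscx" here); the
    # longest common prefix of the hidden names recovers it.
    prefix = os.path.commonprefix(names) if len(names) >= 3 else ""
    # "File Visible: No" is expected for dump_* (kernel crash-dump copies that never
    # exist on disk) and for the scanner's own driver, loaded here from the renamed
    # tatertot.scr; anything else in this list deserves a look.
    ghost_drivers = [r["Name"] for r in s.get("Drivers", [])
                     if "File Visible: No" in r.get("Address", "")]
    modules = []   # (dll, host process, pid): DLLs hidden from the module list
    for r in s.get("Stealth Objects", []):
        m = re.search(r"\[Name: ([^\]]+)\]", r.get("Object", ""))
        p = re.match(r"(\S+) \(PID: (\d+)\)", r.get("Process", ""))
        if m and p:
            modules.append((m.group(1).lower(), p.group(1), int(p.group(2))))
    # (service, driver file, driver is itself one of the hidden files)
    services = [(r.get("Service Name"), _basename(r.get("Image Path", "")),
                 _basename(r.get("Image Path", "")) in names)
                for r in s.get("Hidden Services", [])]
    return {"family_prefix": prefix if len(prefix) >= 4 else "",
            "invisible_files": invisible, "ghost_drivers": ghost_drivers,
            "injected_modules": modules, "hidden_services": services,
            "modules_match_hidden_files": all(m[0] in names for m in modules)}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run on the full report above, the same code lists 13 invisible files, all under the same prefix, with the hidden service pointing at the invisible driver and both injected DLLs among the invisible files; that is the cross-view pattern of a kernel rootkit rather than scattered malware files.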



#2 dahli


Posted 12 October 2009 - 04:02 PM

Hello TheAndy500,

Reboot the computer into Safe Mode with networking (Tap F8 during startup until a menu appears then select Safe Mode with networking)

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Steven

#3 TheAndy500


Posted 13 October 2009 - 09:40 AM

It's going to give me the "open with" dialog.

#4 dahli


Posted 13 October 2009 - 01:19 PM

Did you actually try it? I have seen many systems where they can access the programs in Safe Mode when they can't normally. I want you to actually try and post the result.
Steven

#5 TheAndy500


Posted 13 October 2009 - 03:30 PM

Tried it, no good. I can't connect to the internet on it at all. It has two bogus wireless connections and the LAN doesn't work either. I copied the file onto my usb drive and put it on there. Still gives me the "open with" dialogue box.

#6 dahli


Posted 13 October 2009 - 07:55 PM

OK, let me get a little more information straight so I can figure out what you have.

1. The infected computer is running Ubuntu. Is this a Live CD? dual-boot?

2. You have access to a "clean" computer to transfer files and programs via flash drive - correct?

3. Were you able to copy DDS.scr to your system and if so, were you able to install it in Safe Mode?
Steven

#7 TheAndy500


Posted 13 October 2009 - 10:16 PM

The infected computer is running XP


1) The infected computer is Windows XP

2) Yes, I have a clean computer, which is running Ubuntu.

3) I don't know what DDS.scr is, but I did the RootRepeal as tatertot.scr, which worked, which is how I got the log I posted with the original post.

#8 dahli


Posted 13 October 2009 - 10:24 PM

At the top of this forum (Under Forum Guidelines) it states:

Read this topic before posting a log.

Please follow the directions there for DDS.
Steven

#9 TheAndy500


Posted 14 October 2009 - 03:52 PM

DDS (Ver_09-10-13.01) - FAT32x86 MINIMAL
Run by Administrator at 16:25:21.62 on Wed 10/14/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.810 [GMT -4:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://global.acer.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mWinlogon: Userinit=userinit.exe
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol search\AOLSearch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\1.bin\M3PLUGIN.DLL,UPF
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld14.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mExplorerRun: [exec] c:\windows\system32\msrtben.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://fb.familylink.com/we_are_related/stream/core/lib/AurigmaImageUploader/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204396251609
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://www.cvsphoto.com/upload/activex/v2_0_0_12/PCAXSetupv2.0.0.12.cab?
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli kbdap2.dll

============= SERVICES / DRIVERS ===============

S1 Filter;Filter;\??\c:\windows\system32\drivers\filter.sys --> c:\windows\system32\drivers\Filter.sys [?]
S2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2008-2-26 4096]
S2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2008-2-26 78208]
S2 Iprip;HTTP Security Services Client;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [2008-11-6 28762]
S2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-8-29 835208]
S2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe --> c:\windows\system32\sopidkc.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-18 24652]
S2 vpzryqypsruwzw;vpzryqypsruwzw;\??\c:\windows\system32\drivers\mnpeefxkjxix.sys --> c:\windows\system32\drivers\mnpeefxkjxix.sys [?]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-6-19 1097728]
S3 M1000Srv;M5603C USB2.0 Camera Driver;c:\windows\system32\drivers\M1000KNT.sys [2005-6-10 283973]

=============== Created Last 30 ================

2009-10-13 16:22 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-10-13 16:21 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-09-21 17:28 294 a------- c:\windows\system32\MRT.INI
2009-09-21 17:08 0 a------- c:\windows\system32\uactmp.db

==================== Find3M ====================

2009-09-13 18:35 31,232 a------- c:\windows\system32\wingenocx.dll
2009-09-13 18:04 19,968 a------- c:\windows\system32\UACsbpcfqptxb.dll
2009-09-13 18:04 29,696 a------- c:\windows\system32\UACknfpolhyym.dll
2009-09-13 18:04 1,008,640 a------- c:\windows\system32\wscsvc32.exe
2009-09-13 18:04 1,245,184 a------- c:\windows\system32\UACpnkpaavndw.dll
2009-09-13 18:03 6,589 a------- c:\windows\system32\uacinit.dll
2009-09-13 18:03 74,240 a------- c:\windows\system32\UACeakwyksrqw.dll
2009-09-13 18:03 24,576 a------- c:\windows\system32\UACalqpuxvnxt.dll
2009-09-08 12:32 64,000 a------- c:\windows\ld14.exe
2009-08-17 17:15 40,960 a--shr-- c:\windows\system32\flashad32.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-26 15:52 4 ----h--- c:\windows\fonts\mlog
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:19 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2008-08-23 21:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 16:25:52.98 ===============
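
An added example, not from the thread or from DDS: Python heuristics over DDS lines like those above, written to surface the entries a helper would look at first. It flags services whose image DDS could not find on disk (the `[?]` printed in place of a date and size), random-looking service or driver names, a Policies\Explorer\Run autostart, an .exe sitting directly in c:\windows, and any LSA notification package other than XP's default scecli. The sample lines are excerpted from the report above; the thresholds, regexes and wording are assumptions of this example. It only judges what a line itself shows: it carries no table of legitimate service display names, so the Iprip entry above (which ComboFix later removes) passes it.

```python
import re
from collections import defaultdict

# Lines excerpted from the DDS report posted above (constructed test input).
SAMPLE_DDS = r"""
mRun: [sysldtray] c:\windows\ld14.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mExplorerRun: [exec] c:\windows\system32\msrtben.exe
LSA: Notification Packages = scecli kbdap2.dll
S1 Filter;Filter;\??\c:\windows\system32\drivers\filter.sys --> c:\windows\system32\drivers\Filter.sys [?]
S2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2008-2-26 4096]
S2 Iprip;HTTP Security Services Client;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [2008-11-6 28762]
S2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe --> c:\windows\system32\sopidkc.exe [?]
S2 vpzryqypsruwzw;vpzryqypsruwzw;\??\c:\windows\system32\drivers\mnpeefxkjxix.sys --> c:\windows\system32\drivers\mnpeefxkjxix.sys [?]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-6-19 1097728]
"""

SERVICE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
AUTORUN = re.compile(r"^[um](Run|ExplorerRun): \[([^\]]*)\] (.*)$")
LSA = re.compile(r"^LSA: Notification Packages = (.*)$")
# An .exe directly in the Windows directory (not in a subdirectory) is unusual.
WINDIR_ROOT_EXE = re.compile(r'^"?(?:c:\\windows|%systemroot%|%windir%)\\[^\\]+\.exe\b', re.I)


def looks_random(name):
    """Crude random-name test (assumed threshold): 10+ plain letters with a 5+ consonant run."""
    n = name.lower()
    if not re.fullmatch(r"[a-z]{10,}", n):
        return False
    return max((len(run) for run in re.findall(r"[^aeiou]+", n)), default=0) >= 5


def _image_basename(rest):
    """File name of the service image from the text after the display name."""
    img = re.split(r" --> | \[", rest)[0]    # drop the "--> real path" and "[date size]"/"[?]" tails
    img = re.sub(r"\s+-\S.*$", "", img)      # drop svchost-style " -k group" arguments
    if img.startswith("\\??\\"):
        img = img[4:]
    return img.replace("\\", "/").rsplit("/", 1)[-1]


def triage_dds(text):
    """Map each suspicious entry name to the list of reasons it was flagged."""
    findings = defaultdict(list)
    for line in (l.strip() for l in text.splitlines()):
        if m := SERVICE.match(line):
            name, _display, rest = m.groups()
            if rest.endswith("[?]"):      # DDS could not find the image file on disk
                findings[name].append("image not found on disk ([?])")
            if looks_random(name):
                findings[name].append("random-looking service name")
            image = _image_basename(rest)
            if looks_random(image.rsplit(".", 1)[0]):
                findings[name].append("random-looking image name: " + image)
        elif m := AUTORUN.match(line):
            kind, entry, target = m.groups()
            if kind == "ExplorerRun":     # HKLM\...\Policies\Explorer\Run, rarely legitimate
                findings[entry].append("Policies\\Explorer\\Run autostart: " + target)
            if WINDIR_ROOT_EXE.match(target):
                findings[entry].append("executable directly in the Windows directory: " + target)
        elif m := LSA.match(line):
            for pkg in m.group(1).split():
                if pkg.lower() != "scecli":   # scecli is the only package XP installs by default
                    findings["LSA"].append("non-default notification package: " + pkg)
    return dict(findings)


if __name__ == "__main__":
    for entry, reasons in triage_dds(SAMPLE_DDS).items():
        print(entry, "->", "; ".join(reasons))
```

The LSA line is worth singling out: a DLL listed under Notification Packages is loaded by lsass.exe and sees password changes in the clear, so kbdap2.dll there is a credential-theft indicator regardless of what else the scanners find.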



#10 dahli


Posted 15 October 2009 - 08:27 AM

OK, I see quite a few infections, so let's go ahead and start with this:

Download Combofix.

Rename Combofix.exe to apple.scr

Run/install apple.scr

Post the log it creates.
Steven
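
An added example, not from this thread or from any of the tools it mentions. The symptom discussed above, every .exe including regedit producing the "Open with" dialog while the same program renamed to .scr runs, is the usual sign that the .exe association in HKEY_CLASSES_ROOT no longer resolves to a ProgID with a working open command; .scr is a separate ProgID (scrfile), so a renamed copy still launches. The script below parses a regedit export, checks the .exe and .scr chains against the XP defaults, and emits a .reg fragment that restores them. Both exports are constructed for the example and the rogue path in the second one is hypothetical, not a file named anywhere in this thread; merging the repair fragment still needs a working regedit or reg.exe.

```python
import re

# XP defaults (assumed here for checking): exefile opens with "%1" %*, scrfile with "%1" /S.
EXPECTED = {
    ".exe": ("exefile", '"%1" %*'),
    ".scr": ("scrfile", '"%1" /S'),
}
HKCR = "HKEY_CLASSES_ROOT\\"

# Constructed regedit exports. The second swaps in a hypothetical launcher path.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.scr]
@="scrfile"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
'''
HIJACKED_EXPORT = CLEAN_EXPORT.replace(
    r'@="\"%1\" %*"', r'@="\"C:\\hypothetical\\rogue.exe\" \"%1\" %*"')


def _decode(value):
    """Decode a .reg value: quoted strings unescape \\ and \"; other types stay raw."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def _encode(s):
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_reg(text):
    """Return {key path: {value name: value}}; the default value has the name ""."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, value = line.partition("=")
        keys[current]["" if name == "@" else _decode(name)] = _decode(value)
    return keys


def _norm(cmd):
    return " ".join(cmd.split()).lower()


def check_association(keys, ext):
    """List what is wrong in the chain ext -> ProgID -> shell\\open\\command."""
    want_progid, want_cmd = EXPECTED[ext]
    findings = []
    progid = keys.get(HKCR + ext, {}).get("", "")
    if not progid:
        findings.append(ext + ": no default ProgID (Explorer falls back to Open With)")
    elif progid.lower() != want_progid:
        findings.append(ext + ": ProgID redirected to " + repr(progid))
    cmd_key = HKCR + (progid or want_progid) + r"\shell\open\command"
    cmd = keys.get(cmd_key, {}).get("", "")
    if not cmd:
        findings.append(ext + ": open command missing under " + cmd_key)
    elif _norm(cmd) != _norm(want_cmd):
        findings.append(ext + ": open command hijacked: " + cmd)
    return findings


def repair_reg(ext):
    """Emit a .reg fragment that restores the XP default chain for ext."""
    progid, cmd = EXPECTED[ext]
    return "\n".join([
        "Windows Registry Editor Version 5.00", "",
        "[" + HKCR + ext + "]", "@=" + _encode(progid), "",
        "[" + HKCR + progid + r"\shell\open\command]", "@=" + _encode(cmd), "",
    ])


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        k = parse_reg(export)
        print(label, check_association(k, ".exe"), check_association(k, ".scr"))
    print(repair_reg(".exe"))
```

On the hijacked export the .exe chain is reported while .scr comes back clean, which is exactly why renaming ComboFix to apple.scr works here; the fix is to restore the chain, not to keep renaming tools.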

#11 TheAndy500


Posted 16 October 2009 - 11:31 PM

Ok, I ran it once, the log said to run it again and the computer said I had to do chkdsk. So I did a chkdsk and then ran combofix again. The second time it said it found a rootkit and told me to write down several files (they appear in the second log). Then I could actually open files again. So I installed Malwarebytes and ran it, then updated it and ran it again. So you have four logs down here. Go scroll happy:

LOG ONE:

ComboFix 09-10-16.03 - Acer Valued Customer 10/16/2009 20:29.1.2 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.584 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\apple.scr

Command switches used :: /S

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}



WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.



Overlay aborted ... Please run ComboFix once more

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\documents and settings\Acer Valued Customer\Application Data\FunWebProducts

c:\documents and settings\Acer Valued Customer\Application Data\FunWebProducts\Data\Acer Valued Customer\avatar.dat

c:\documents and settings\Acer Valued Customer\Application Data\FunWebProducts\Data\Acer Valued Customer\zbucks.dat

c:\documents and settings\Acer Valued Customer\Desktop\Windows Police Pro.lnk

c:\documents and settings\Acer Valued Customer\Start Menu\Programs\Windows Police Pro

c:\documents and settings\Acer Valued Customer\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk

c:\documents and settings\All Users\Application Data\Microsoft\id.txt

c:\documents and settings\All Users\Desktop\nudetube.com.lnk

c:\documents and settings\All Users\Desktop\pornotube.com.lnk

c:\documents and settings\All Users\Desktop\youporn.com.lnk

c:\program files\DDnsFilter

c:\program files\DDnsFilter\DDnsFilter.dll

c:\program files\FunWebProducts

c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html

c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html

c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html

c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html

c:\program files\Internet Explorer\msimg32.dll

c:\program files\MyWebSearch

c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG

c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL

c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL

c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL

c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL

c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL

c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL

c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL

c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR

c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL

c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL

c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE

c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL

c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV

c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT

c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL

c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG

c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST

c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE

c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL

c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL

c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE

c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE

c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL

c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST

c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL

c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL

c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL

c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE

c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE

c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE

c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL

c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL

c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL

c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE

c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL

c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S

c:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm

c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css

c:\program files\MyWebSearch\bar\Avatar\COMMON\common.css

c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\include.js

c:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm

c:\program files\MyWebSearch\bar\Avatar\COMMON\loader.htm

c:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\max_def.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\min_def.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm

c:\program files\MyWebSearch\bar\Avatar\COMMON\res_def.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf

c:\program files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif

c:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico

c:\program files\MyWebSearch\bar\Cache\0001D8A8

c:\program files\MyWebSearch\bar\Cache\00062676

c:\program files\MyWebSearch\bar\Cache\0006280C

c:\program files\MyWebSearch\bar\Cache\0029E72C.bin

c:\program files\MyWebSearch\bar\Cache\0029E874

c:\program files\MyWebSearch\bar\Cache\0037017B

c:\program files\MyWebSearch\bar\Cache\00370DCF.bin

c:\program files\MyWebSearch\bar\Cache\00370EC9.bin

c:\program files\MyWebSearch\bar\Cache\00370F27.bin

c:\program files\MyWebSearch\bar\Cache\00371040.bin

c:\program files\MyWebSearch\bar\Cache\00371179.bin

c:\program files\MyWebSearch\bar\Cache\004B517E.bin

c:\program files\MyWebSearch\bar\Cache\004B52A7.bin

c:\program files\MyWebSearch\bar\Cache\004B5353.bin

c:\program files\MyWebSearch\bar\Cache\004B540E.bin

c:\program files\MyWebSearch\bar\Cache\00CCFC90

c:\program files\MyWebSearch\bar\Cache\files.ini

c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S

c:\program files\MyWebSearch\bar\Game\CHESS.F3S

c:\program files\MyWebSearch\bar\Game\REVERSI.F3S

c:\program files\MyWebSearch\bar\History\search3

c:\program files\MyWebSearch\bar\icons\CM.ICO

c:\program files\MyWebSearch\bar\icons\MFC.ICO

c:\program files\MyWebSearch\bar\icons\PSS.ICO

c:\program files\MyWebSearch\bar\icons\SMILEY.ICO

c:\program files\MyWebSearch\bar\icons\WB.ICO

c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO

c:\program files\MyWebSearch\bar\Message\COMMON.F3S

c:\program files\MyWebSearch\bar\Message\COMMON\ask_logo.gif

c:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif

c:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm

c:\program files\MyWebSearch\bar\Message\COMMON\center.htm

c:\program files\MyWebSearch\bar\Message\COMMON\index.htm

c:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif

c:\program files\MyWebSearch\bar\Message\COMMON\mws_logo.gif

c:\program files\MyWebSearch\bar\Message\COMMON\protect.htm

c:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif

c:\program files\MyWebSearch\bar\Message\COMMON\stop.gif

c:\program files\MyWebSearch\bar\Message\COMMON\systray.htm

c:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm

c:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif

c:\program files\MyWebSearch\bar\Message\COMMON\warn.gif

c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S

c:\program files\MyWebSearch\bar\Notifier\DOG.F3S

c:\program files\MyWebSearch\bar\Notifier\FISH.F3S

c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S

c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S

c:\program files\MyWebSearch\bar\Notifier\MAID.F3S

c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S

c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S

c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S

c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S

c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S

c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm

c:\program files\MyWebSearch\bar\Settings\s_pid.dat

c:\program files\MyWebSearch\bar\Settings\setting2.htm

c:\program files\MyWebSearch\bar\Settings\settings.dat

c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

c:\program files\Protection System

c:\program files\Protection System\core.cga

c:\program files\Protection System\coreext.dll

c:\program files\Protection System\firewall.dll

c:\program files\Protection System\help.ico

c:\program files\Protection System\psystem.exe

c:\program files\Protection System\uninstall.exe

c:\program files\Windows Police Pro

c:\program files\Windows Police Pro\msvcm80.dll

c:\program files\Windows Police Pro\msvcp80.dll

c:\program files\Windows Police Pro\msvcr80.dll

c:\program files\Windows Police Pro\windows Police Pro.exe

c:\program files\WinPCap

c:\program files\WinPCap\daemon_mgm.exe

c:\program files\WinPCap\npf_mgm.exe

c:\program files\WinPCap\rpcapd.exe

c:\windows\010112010146120114.xe

c:\windows\0101120101465049.xe

c:\windows\Fonts\mlog

c:\windows\Install.txt

c:\windows\Installer\48c25.msp

c:\windows\Installer\48c3b.msp

c:\windows\ld14.exe

c:\windows\system32\certstore.dat

c:\windows\system32\comsa32.sys

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk

c:\windows\system32\drivers\npf.sys

c:\windows\system32\f3PSSavr.scr

c:\windows\system32\FInstall.sys

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\sdra64.exe

c:\windows\system32\UACalqpuxvnxt.dll

c:\windows\system32\UACeakwyksrqw.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjnbeextpdt.db

c:\windows\system32\UACknfpolhyym.dll

c:\windows\system32\UACpnkpaavndw.dll

c:\windows\system32\UACsbpcfqptxb.dll

c:\windows\system32\uactmp.db

c:\windows\system32\UACxvmdbwviwb.dat

c:\windows\system32\WanPacket.dll

c:\windows\system32\wingenocx.dll

c:\windows\system32\wpcap.dll

c:\windows\system32\wscsvc32.exe



c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe



.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.



-------\Legacy_6TO4

-------\Legacy_DDNSFILTER

-------\Legacy_IAS

-------\Legacy_IPRIP

-------\Legacy_MSNCACHE

-------\Legacy_MYWEBSEARCHSERVICE

-------\Legacy_SOPIDKC

-------\Service_6to4

-------\Service_Iprip

-------\Service_msncache

-------\Service_MyWebSearchService

-------\Service_SfX

-------\Service_sopidkc





((((((((((((((((((((((((( Files Created from 2009-09-17 to 2009-10-17 )))))))))))))))))))))))))))))))

.



2009-10-17 00:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-10-17 00:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-10-16 20:03 . 2009-10-16 20:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-10-13 20:22 . 2009-10-13 20:22 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-10-13 20:21 . 2009-10-13 20:21 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-17 00:45 . 2006-08-01 20:01 12 ----a-w- c:\windows\bthservsdp.dat

2009-09-08 16:32 . 2009-09-08 16:32 189 ----a-w- c:\windows\dxxdv34567.bat

2009-08-26 04:26 . 2006-08-01 18:29 90352 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-23 05:36 . 2009-08-23 05:36 -------- d-----w- c:\program files\Reference Assemblies

2009-08-17 21:15 . 2009-07-26 18:34 40960 --sha-r- c:\windows\system32\flashad32.dll

2009-08-05 09:01 . 2004-08-04 09:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

.



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"Google Update"="c:\documents and settings\Acer Valued Customer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-14 133104]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\MSMSGS.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SecondLife\\SLVoice.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=

"c:\\Program Files\\AIM6\\AIM6.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Acer Valued Customer\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Acer Valued Customer\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58746:TCP"= 58746:TCP:PandoRest Listening Port



R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [8/29/2008 5:29 PM 835208]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/18/2008 2:09 PM 24652]

S1 Filter;Filter;\??\c:\windows\system32\drivers\Filter.sys --> c:\windows\system32\drivers\Filter.sys [?]

S2 vpzryqypsruwzw;vpzryqypsruwzw;\??\c:\windows\system32\drivers\mnpeefxkjxix.sys --> c:\windows\system32\drivers\mnpeefxkjxix.sys [?]

S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [6/19/2006 12:20 PM 1097728]

S3 M1000Srv;M5603C USB2.0 Camera Driver;c:\windows\system32\drivers\M1000KNT.sys [6/10/2005 5:44 PM 283973]



[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder



2009-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]



2009-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-408563588-2433329953-4136401050-1005Core.job

- c:\documents and settings\Acer Valued Customer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-14 18:07]



2009-10-17 c:\windows\Tasks\User_Feed_Synchronization-{E80D9B97-FFC6-4C26-8071-D8489FC67658}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm172YYUS

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -



URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

WebBrowser-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)

HKCU-Run-Protection System - c:\program files\Protection System\psystem.exe

HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL

HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

AddRemove-Protection System - c:\program files\Protection System\Uninstall.exe

AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe







**************************************************************************



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-16 22:30

Windows 5.1.2600 Service Pack 3 FAT NTAPI



scanning hidden processes ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden files: 0



**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------



- - - - - - - > 'winlogon.exe'(860)

c:\windows\system32\msv1_0.dll



- - - - - - - > 'lsass.exe'(916)

c:\windows\system32\WININET.dll



- - - - - - - > 'explorer.exe'(3164)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\hnetcfg.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\mcshield.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe

c:\windows\system32\wscntfy.exe

c:\program files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe

c:\windows\system32\MRT.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\AIM6\aolsoftware.exe

.

**************************************************************************

.

Completion time: 2009-10-17 22:34 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-17 02:34



Pre-Run: 10,826,088,448 bytes free

Post-Run: 12,055,281,664 bytes free



353 --- E O F --- 2009-09-21 21:28









LOG TWO:

ComboFix 09-10-16.03 - Acer Valued Customer 10/16/2009 23:31.2.2 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.564 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\apple.scr

Command switches used :: /S

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Created a new restore point

* Resident AV is active





WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\windows\system32\drivers\rotscxpuyqxsiw.sys

c:\windows\system32\rotscxbdqbnylt.dll

c:\windows\system32\rotscxepaepasr.dat

c:\windows\system32\rotscxevxbnmdi.dll

c:\windows\system32\rotscxmphesiaw.dat

c:\windows\system32\rotscxqlldymex.dll



.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.



-------\Service_rotscxsbfpmnvs

-------\Legacy_rotscxsbfpmnvs





((((((((((((((((((((((((( Files Created from 2009-09-17 to 2009-10-17 )))))))))))))))))))))))))))))))

.



2009-10-17 03:27 . 2009-10-17 03:27 -------- d-----w- C:\FOUND.007

2009-10-17 00:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-10-17 00:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-10-16 20:03 . 2009-10-16 20:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-10-13 20:22 . 2009-10-13 20:22 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-10-13 20:21 . 2009-10-13 20:21 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-17 03:23 . 2006-08-01 20:01 12 ----a-w- c:\windows\bthservsdp.dat

2009-09-08 16:32 . 2009-09-08 16:32 189 ----a-w- c:\windows\dxxdv34567.bat

2009-08-26 04:26 . 2006-08-01 18:29 90352 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-23 05:36 . 2009-08-23 05:36 -------- d-----w- c:\program files\Reference Assemblies

2009-08-17 21:15 . 2009-07-26 18:34 40960 --sha-r- c:\windows\system32\flashad32.dll

2009-08-05 09:01 . 2004-08-04 09:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

.



((((((((((((((((((((((((((((( SnapShot@2009-10-17_02.30.26 )))))))))))))))))))))))))))))))))))))))))

.

- 2006-08-01 18:25 . 2009-10-17 00:52 71834 c:\windows\system32\perfc009.dat

+ 2006-08-01 18:25 . 2009-10-17 03:34 71834 c:\windows\system32\perfc009.dat

- 2008-02-26 14:47 . 2009-10-17 00:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-02-26 14:47 . 2009-10-17 03:06 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-09-08 16:38 . 2009-10-17 00:46 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2009-09-08 16:38 . 2009-10-17 03:06 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2008-02-26 14:47 . 2009-10-17 03:06 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-02-26 14:47 . 2009-10-17 00:46 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2006-08-01 18:25 . 2009-10-17 03:34 443960 c:\windows\system32\perfh009.dat

- 2006-08-01 18:25 . 2009-10-17 00:52 443960 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Acer Valued Customer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-14 133104]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\MSMSGS.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SecondLife\\SLVoice.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=

"c:\\Program Files\\AIM6\\AIM6.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Acer Valued Customer\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Acer Valued Customer\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58746:TCP"= 58746:TCP:PandoRest Listening Port



R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [8/29/2008 5:29 PM 835208]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/18/2008 2:09 PM 24652]

S1 Filter;Filter;\??\c:\windows\system32\drivers\Filter.sys --> c:\windows\system32\drivers\Filter.sys [?]

S2 vpzryqypsruwzw;vpzryqypsruwzw;\??\c:\windows\system32\drivers\mnpeefxkjxix.sys --> c:\windows\system32\drivers\mnpeefxkjxix.sys [?]

S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [6/19/2006 12:20 PM 1097728]

S3 M1000Srv;M5603C USB2.0 Camera Driver;c:\windows\system32\drivers\M1000KNT.sys [6/10/2005 5:44 PM 283973]



[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder



2009-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]



2009-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-408563588-2433329953-4136401050-1005Core.job

- c:\documents and settings\Acer Valued Customer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-14 18:07]



2009-10-17 c:\windows\Tasks\User_Feed_Synchronization-{E80D9B97-FFC6-4C26-8071-D8489FC67658}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm172YYUS

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -



URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)







**************************************************************************



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-16 23:37

Windows 5.1.2600 Service Pack 3 FAT NTAPI



scanning hidden processes ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden files: 0



**************************************************************************

.

Completion time: 2009-10-17 23:38

ComboFix-quarantined-files.txt 2009-10-17 03:38

ComboFix2.txt 2009-10-17 02:34



Pre-Run: 11,927,814,144 bytes free

Post-Run: 11,902,189,568 bytes free



132 --- E O F --- 2009-09-21 21:28







LOG THREE:

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3



10/16/2009 11:52:24 PM

mbam-log-2009-10-16 (23-52-24).txt



Scan type: Quick Scan

Objects scanned: 102136

Time elapsed: 4 minute(s), 25 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 59

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 7



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.



Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.



Registry Data Items Infected:

(No malicious items detected)



Folders Infected:

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.



Files Infected:

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Protection System Support.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\flashad32.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\dxxdv34567.bat (KoobFace.Trace) -> Quarantined and deleted successfully.







LOG FOUR:



Malwarebytes' Anti-Malware 1.41

Database version: 2973

Windows 5.1.2600 Service Pack 3



10/17/2009 12:17:42 AM

mbam-log-2009-10-17 (00-17-35).txt



Scan type: Quick Scan

Objects scanned: 107666

Time elapsed: 4 minute(s), 1 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

(No malicious items detected)



Registry Values Infected:

(No malicious items detected)



Registry Data Items Infected:

(No malicious items detected)



Folders Infected:

(No malicious items detected)



Files Infected:

C:\Documents and Settings\Acer Valued Customer\Desktop\MakeTheWebBetter.exe (Adware.MakeTheWebBetter) -> No action taken.

C:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) -> No action taken.

#12 dahli


Posted 17 October 2009 - 09:13 AM

OK, that is looking much better. Update McAfee and scan your system; post anything that it is not able to remove (if any).

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

Steven

#13 TheAndy500

  • Topic Starter

Posted 17 October 2009 - 06:28 PM

The following is from the BitDefender log. I am also attaching the full report (it was in .html format). I am also attaching the relevant logs from the McAfee scan, which found 48 files I believe.


C:\system volume information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP323\A0086887.dll


Infected with: Trojan.Generic.2250076

C:\system volume information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP323\A0086887.dll


Deleted

C:\system volume information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP354\A0096791.dll


Infected with: Gen:Trojan.Heur.TDSS.bu4@kyM7tuai

C:\system volume information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP354\A0096791.dll


Disinfection failed

C:\system volume information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP354\A0096791.dll


Deleted

C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxbdqbnylt.dll.vir


Infected with: Gen:Trojan.Heur.TDSS.bu4@kyM7tuai

C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxbdqbnylt.dll.vir


Disinfection failed

C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxbdqbnylt.dll.vir


Deleted




#14 dahli


Posted 17 October 2009 - 07:29 PM

Things are looking really good. McAfee and BitDefender mostly found items that were removed by ComboFix or in your System Restore folder. We will still be doing a couple of scans or logs to make sure we have everything. While I am reviewing the logs to make sure I did not miss anything, can you update me on what problems still exist, if any? Thanks.
Steven
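The reply above makes a triage point worth automating: a detection inside a System Restore snapshot or inside ComboFix's quarantine folder is a copy of something already dealt with, while a detection at a live path is what still needs attention. The helper below is an added example, not code from this thread or from BitDefender, ComboFix or McAfee. It parses result lines in the format quoted in the previous post (a path line followed by an "Infected with:" or action line), groups them per file, and labels each file by location. The sample input re-types the two findings quoted above and adds one constructed "live" path so all three categories are exercised; the two folder rules (System Restore's `_restore` directory, ComboFix's `Qoobox\Quarantine`) are the only assumptions it relies on.

```python
import re
from collections import OrderedDict

# Constructed sample input: the BitDefender result lines quoted earlier in the
# thread, re-typed here as test data, plus one made-up "live" path (labelled
# as constructed) so that the third category is exercised.
SAMPLE_REPORT = r"""
C:\system volume information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP323\A0086887.dll
Infected with: Trojan.Generic.2250076
C:\system volume information\_restore{7B7DEB03-030A-4AD9-BC80-5104764DE8E6}\RP323\A0086887.dll
Deleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxbdqbnylt.dll.vir
Infected with: Gen:Trojan.Heur.TDSS.bu4@kyM7tuai
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxbdqbnylt.dll.vir
Disinfection failed
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxbdqbnylt.dll.vir
Deleted
C:\WINDOWS\system32\constructed_live_example.dll
Infected with: Constructed.Example
C:\WINDOWS\system32\constructed_live_example.dll
Deleted
"""

# A result line that names a file: drive letter, colon, backslash.
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def classify_location(path):
    """Where a detected file lives decides whether it could still run."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        # System Restore snapshot copy: inert unless that restore point is applied.
        return "restore-point copy"
    if "\\qoobox\\quarantine\\" in p:
        # ComboFix's quarantine folder (files renamed *.vir): already neutralised.
        return "combofix quarantine"
    return "live file"


def triage(report_text):
    """Group report lines by file path: detection name, actions taken, location.

    The report alternates a path line with a status line, so a status line
    always refers to the most recently seen path.
    """
    findings = OrderedDict()
    current = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            findings.setdefault(current, {
                "detection": None,
                "actions": [],
                "location": classify_location(current),
            })
        elif current is None:
            continue  # status line before any path: malformed input, skip it
        elif line.startswith("Infected with:"):
            findings[current]["detection"] = line.split(":", 1)[1].strip()
        else:
            findings[current]["actions"].append(line)
    return findings


def live_findings(report_text):
    """Paths that were neither in a restore point nor in quarantine."""
    return [p for p, f in triage(report_text).items()
            if f["location"] == "live file"]


if __name__ == "__main__":
    for path, f in triage(SAMPLE_REPORT).items():
        print(f"{f['location']:22} {f['detection'] or '?':40} "
              f"{', '.join(f['actions'])}")
        print(f"    {path}")
    print("still-live findings:", live_findings(SAMPLE_REPORT))
```

Run on the sample, the two quoted findings come out as "restore-point copy" and "combofix quarantine" and only the constructed path is reported as live; on a real report, that last list is the one to hand back to the helper.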

#15 TheAndy500

  • Topic Starter

Posted 17 October 2009 - 09:10 PM

I used it a bit and I can't see anything wrong with it. The wireless started working again after the McAfee scan and a reboot. I can now open files without the "open with" dialog, though I obviously didn't open everything on the computer, just IE and iTunes to test. No more blue screens, no more porn, it looks good to me.



