
Infected with seres.exe, svcst.exe, windows police pro, antivirus 2010, system security


This topic is locked
25 replies to this topic

#1 And then:

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 21 October 2009 - 11:39 PM

Hello.

My desktop pc is infected with seres.exe, svcst.exe, windows police pro, antivirus 2010, and system security. I first noticed the infection on 10/17. I followed the removal guides on this site and was able to install Process Explorer, Fixtm.reg, and Malwarebytes successfully. I could not get Malwarebytes to run because pump.exe was killing the program. I even tried to rename the exe file a few times without success. I ran Spybot S&D to remove whatever I could find and rebooted, but all the stuff came back.

Then I located the pump.exe file in my C:\WINDOWS\system32 directory. I saw that the file was created about the same time and date when the infections were first noticed, so I deleted the program and cleaned the recycle bin. Now when I boot up no infections are immediately obvious, but I can no longer open certain applications. For example, when I try to open Excel, I get a message saying the application is not found, but when I try to open an Excel file I previously had saved in My Documents, the file opens without issue. I can then create new Excel files as needed by keeping my older document open and using the options in Excel. The same thing is true for Word files. I can make new blank documents as long as I open a previously saved Word file first, but I cannot open Word from my Start menu on its own. Internet Explorer opens without a problem, as does My Computer, but other programs I have (such as Photoshop, Malwarebytes, and Root Repeal.exe) ask me what program I would like to open the file with and I have to pick the program from a list. Sometimes this is no problem (like for Photoshop or Root Repeal, I just browse or select the file from the list presented) but Malwarebytes gives the error message "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe is not a valid Win32 Application". When I try to run a system restore, I click on System in my Control Panel and get the error message "C:\WINDOWS\system32\rundll32.exe Application not found".

I still get the occasional re-direct when web browsing, and the pop-ups I saw before I deleted pump.exe, but nowhere near as much as before. Finally, I cannot seem to figure out how to attach my Attach.txt and Ark.txt files to this post, but I can provide the results once copypasta has been requested.

I just wanted to say good luck. We're all counting on you.




DDS (Ver_09-10-13.01) - NTFSx86
Run by Gregg Waldron at 22:25:19.98 on Wed 10/21/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.174 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
svchost
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gregg Waldron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0b84851b-24f7-46c1-a36b-64324e9932c7} - vidohosi.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport-] "c:\progra~1\dellsu~1\DSAgnt.exe" /startup
uRun: [mserv] c:\documents and settings\gregg waldron\application data\seres.exe
uRun: [svchost] c:\documents and settings\gregg waldron\application data\svcst.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [sealmon] c:\documents and settings\kelly williams\desktop\sealedmedia\sealmon.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [FLMOFFICE4DMOUSE] c:\program files\micro innovations\optical scroll\mouse32a.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
mRun: [30511313] c:\documents and settings\all users\application data\30511313\30511313.exe
mRun: [89107227] c:\documents and settings\all users\application data\89107227\89107227.exe
mRun: [72697132] c:\documents and settings\all users\application data\72697132\72697132.exe
mRun: [fokegakoj] Rundll32.exe "c:\windows\system32\kapekabo.dll",a
mRun: [70739026] c:\documents and settings\all users\application data\70739026\70739026.exe
mRun: [sotisuvebu] Rundll32.exe "fewohite.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\evolue~1.lnk - c:\windows\installer\{d4fe08fd-c342-4a50-ae8b-3e9236dc20ed}\_3490A01862136E4A51872C.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.libaccess.fdu.edu/lib/fdu/support/plugins/ebraryRdr.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - hxxp://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://genzyme.webex.com/client/T26L10NSP49EP4/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4805/mcfscan.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\tawagifi.dll c:\windows\system32\kapekabo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: tusunulim - {9a569f44-7ceb-4c40-800e-75eaef27a853} - c:\windows\system32\kapekabo.dll
STS: kupuhivus: {9a569f44-7ceb-4c40-800e-75eaef27a853} - c:\windows\system32\kapekabo.dll

============= SERVICES / DRIVERS ===============

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-1-29 266240]
R3 evomouflt;Evoluent Mouse filter;c:\windows\system32\drivers\evomouflt.sys [2006-12-11 12288]
S2 gupdate1c9b0cbce7aea02;Google Update Service (gupdate1c9b0cbce7aea02);c:\program files\google\update\GoogleUpdate.exe [2009-3-29 133104]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2004-12-10 30336]
UnknownUnknown Mraloapcc;Mraloapcc; [x]

============== File Associations ===============

exefile=c:\windows\system32\pump.exe "%1" %*

=============== Created Last 30 ================

2009-10-21 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\70739026
2009-10-20 22:47 <DIR> --d----- c:\program files\AntivirusPro_2010
2009-10-20 20:09 <DIR> --d----- c:\docume~1\greggw~1\applic~1\Malwarebytes
2009-10-20 20:00 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 20:00 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-20 20:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 20:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-20 19:55 3,550,592 a------- C:\explorer.exe
2009-10-20 19:47 109 a------- C:\fixtm.reg
2009-10-20 18:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\72697132
2009-10-19 20:47 0 a------- c:\windows\system32\11478.exe
2009-10-19 20:27 0 a------- c:\windows\system32\15724.exe
2009-10-19 20:07 0 a------- c:\windows\system32\19169.exe
2009-10-19 19:47 0 a------- c:\windows\system32\26500.exe
2009-10-19 19:27 0 a------- c:\windows\system32\6334.exe
2009-10-19 19:07 0 a------- c:\windows\system32\18467.exe
2009-10-19 18:47 0 a------- c:\windows\system32\41.exe
2009-10-19 18:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\89107227
2009-10-19 18:44 54,272 a------- c:\windows\system32\vodonuwe.dll
2009-10-17 11:17 <DIR> --d----- c:\windows\system32\schtml
2009-10-17 11:14 1 a------- c:\windows\wp3.dat
2009-10-17 11:14 287,232 a------- c:\windows\svohost.exe
2009-10-17 11:14 58 a------- c:\windows\wp4.dat
2009-10-17 11:14 96 a------- c:\windows\system32\wwp.htm
2009-10-17 11:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\30511313
2009-10-17 11:07 17,851 a------- c:\windows\yhehovyme.sys
2009-10-17 11:07 17,266 a------- c:\windows\system32\utanu.bin
2009-10-17 11:07 16,389 a------- c:\program files\common files\xemax.dll
2009-10-17 11:07 15,468 a------- c:\windows\jorajad.dat
2009-10-17 11:07 13,220 a------- c:\windows\gyros.exe
2009-10-17 11:07 12,327 a------- c:\docume~1\alluse~1\applic~1\qogi.scr
2009-10-17 11:07 12,013 a------- c:\windows\system32\noxo.bat
2009-10-17 11:07 15,779 a------- c:\windows\opexaci._sy
2009-10-17 11:07 13,134 a------- c:\program files\common files\qimyteco.bat
2009-10-17 11:07 11,682 a------- c:\program files\common files\yvicera.bat
2009-10-17 11:07 11,387 a------- c:\windows\system32\zenigipi.scr
2009-10-17 11:07 11,132 a------- c:\windows\system32\tatej.ban
2009-10-17 11:05 168,448 a------- c:\windows\system32\_scui.cpl
2009-10-17 11:04 0 a------- c:\windows\system32\AVR09.exe
2009-10-17 11:00 9,216 a------- C:\svhkapw.exe
2009-10-17 11:00 52,736 a------- C:\nmihj.exe
2009-10-17 11:00 22,016 a------- C:\cwxa.exe
2009-10-17 11:00 192,008 a------- C:\lyqr.exe
2009-10-17 11:00 49,152 a------- C:\bqefoh.exe
2009-10-17 11:00 24,576 a------- C:\jboy.exe
2009-10-17 10:58 44,544 a------- c:\docume~1\greggw~1\applic~1\svcst.exe
2009-10-17 10:58 44,544 a------- c:\docume~1\greggw~1\applic~1\seres.exe
2009-10-15 19:48 3,120 a------- c:\windows\system32\WINGMS7.ocx
2009-10-15 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ProDigitalSoftware
2009-10-15 19:47 <DIR> --d----- c:\docume~1\greggw~1\applic~1\WinBatch
2009-10-02 14:10 56,708 a---h--- c:\windows\system32\mlfcache.dat
2009-10-01 17:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2009-09-11 10:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 10:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 17:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 17:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 06:35 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 04:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 04:00 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 11:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 10:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 10:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 10:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2006-05-08 19:43 56 -c-shr-- c:\windows\system32\130E573B2E.sys
2009-07-19 18:46 1,051,170 a--sh--- c:\windows\system32\diguweha.exe
2009-07-20 18:24 39,424 a--sh--- c:\windows\system32\fejuvizo.dll
2009-07-21 12:34 53,760 a--sh--- c:\windows\system32\fewohite.dll
2009-07-18 10:31 39,424 a--sh--- c:\windows\system32\fitozeba.dll
2009-07-17 11:12 24,576 a--sh--- c:\windows\system32\fiyamepe.exe
2009-07-21 12:33 1,050,658 a--sh--- c:\windows\system32\gawojuso.exe
2009-07-21 12:33 91,648 a--sh--- c:\windows\system32\kapekabo.dll
2006-05-08 19:43 3,350 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2009-07-19 18:46 27,648 a--sh--- c:\windows\system32\nebiteda.exe
2009-07-17 11:12 1,111,631 a--sh--- c:\windows\system32\regizogu.exe
2009-07-19 18:46 1,051,170 a--sh--- c:\windows\system32\rujudagu.exe
2009-07-18 10:31 1,081,890 a--sh--- c:\windows\system32\sosafuji.exe
2009-07-20 18:24 1,051,682 a--sh--- c:\windows\system32\suhamose.exe
2009-07-17 11:12 1,079,842 a--sh--- c:\windows\system32\vafiyene.exe
2009-07-21 12:33 39,424 a--sh--- c:\windows\system32\vidasasa.dll
2009-07-21 12:34 53,760 a--sh--- c:\windows\system32\vidohosi.dll
2009-07-19 18:46 39,424 a--sh--- c:\windows\system32\yovalono.dll
2009-07-21 12:33 53,760 a--sh--- c:\windows\system32\zodetego.dll
2008-08-26 18:02 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 22:28:01.60 ===============



#2 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:22 AM

Posted 22 October 2009 - 04:52 AM

Hi And then:,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
    • Log to your usual account.
  • Please do the following:
    • Press CTRL+SHIFT+ESC.
    • While holding the CTRL key, click New Task (Run...) in the File menu.
    • The command prompt will open.
    • Copy and paste or type assoc .exe=exefile and hit enter.
    • Copy and paste or type ftype exefile="%1" %* and hit enter.
    • Close the command prompt.
  • Once in Safe Mode do the following:
    • Go to the installed folder of Malwarebytes, rename mbam.exe to clear.exe and run it.
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately and restart in normal mode.


  • Please copy and paste both Attach.txt and Ark.txt.
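
The DDS log in post #1 and the assoc/ftype repair in post #2 describe one indicator and its fix: the `exefile` open command has been pointed at pump.exe, so every .exe launch is routed through the malware, which is why mbam.exe "is not a valid Win32 Application" and rundll32.exe is "not found". The Python script below is an added example written for this page; it is not part of the thread and not code from the DDS, MBAM or ComboFix tools. It parses a DDS-style report into its sections, flags the indicators that appear in this thread (the exefile association hijack, the DisableTaskMgr policy, AppInit_DLLs entries, and Run keys that launch from Application Data, use numeric names, or load a DLL through rundll32 with a single-character entry point) and, when the hijack is present, returns the two cmd.exe commands from post #2 that restore the default association. The sample report is excerpted from the thread's own log; the function names `parse_sections`, `triage` and `repair_plan` and the finding labels are this example's own.

```python
"""Triage a DDS-style report for the indicators seen in this thread (added example)."""
import re
from typing import Dict, List, Tuple

# Default open command for the exefile type; `ftype exefile="%1" %*` restores it.
EXPECTED_EXEFILE = '"%1" %*'
# The two cmd.exe commands given in post #2 to repair the .exe association.
REPAIR_COMMANDS = ['assoc .exe=exefile', 'ftype exefile="%1" %*']

# Constructed sample: lines excerpted from the thread's DDS log, in DDS's own layout.
SAMPLE_REPORT = r"""
============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [mserv] c:\documents and settings\gregg waldron\application data\seres.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [30511313] c:\documents and settings\all users\application data\30511313\30511313.exe
mRun: [fokegakoj] Rundll32.exe "c:\windows\system32\kapekabo.dll",a
mRun: [sotisuvebu] Rundll32.exe "fewohite.dll",s
dPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: c:\windows\system32\tawagifi.dll c:\windows\system32\kapekabo.dll

============== File Associations ===============

exefile=c:\windows\system32\pump.exe "%1" %*
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32 loading a DLL whose entry point is a single character, e.g. "kapekabo.dll",a
RUNDLL_STUB_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?[^",]+\.dll"?\s*,\s*[a-z0-9]$')

Finding = Tuple[str, str]


def parse_sections(report: str) -> Dict[str, List[str]]:
    """Split a DDS report on its '=== Name ===' headers; blank lines are dropped."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def check_exefile(sections: Dict[str, List[str]]) -> List[Finding]:
    """Flag an exefile open command that is anything other than the default "%1" %*."""
    findings = []
    for line in sections.get("File Associations", []):
        key, _, command = line.partition("=")
        if key.strip().lower() == "exefile" and command.strip() != EXPECTED_EXEFILE:
            findings.append(("exefile-hijack", command.strip()))
    return findings


def check_policies(sections: Dict[str, List[str]]) -> List[Finding]:
    """Flag a policy that disables Task Manager (seen under dPolicies-system here)."""
    return [("taskmgr-disabled", line)
            for line in sections.get("Pseudo HJT Report", [])
            if line.startswith(("uPolicies", "mPolicies", "dPolicies"))
            and "DisableTaskMgr = 1" in line]


def check_appinit(sections: Dict[str, List[str]]) -> List[Finding]:
    """Flag every DLL listed under AppInit_DLLs (loaded into each user-mode process)."""
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("AppInit_DLLs:"):
            _, _, dlls = line.partition(":")
            findings.extend(("appinit-dll", dll) for dll in dlls.split())
    return findings


def check_run_keys(sections: Dict[str, List[str]]) -> List[Finding]:
    """Flag Run entries with the patterns seen in this log; ordinary entries pass."""
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        match = RUN_RE.match(line)
        if not match:
            continue
        name, cmd = match.group("name"), match.group("cmd").strip().lower()
        if name.isdigit():
            findings.append(("run-numeric-name", line))
        elif "\\application data\\" in cmd:
            findings.append(("run-from-appdata", line))
        elif RUNDLL_STUB_RE.match(cmd):
            findings.append(("run-rundll32-stub", line))
    return findings


def triage(report: str) -> List[Finding]:
    """Run every check over the parsed report and return (label, detail) pairs."""
    sections = parse_sections(report)
    findings: List[Finding] = []
    for check in (check_exefile, check_policies, check_appinit, check_run_keys):
        findings.extend(check(sections))
    return findings


def repair_plan(findings: List[Finding]) -> List[str]:
    """Return the post #2 repair commands only when the exefile hijack was observed."""
    if any(label == "exefile-hijack" for label, _ in findings):
        return list(REPAIR_COMMANDS)
    return []


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for label, detail in results:
        print(f"{label:20s} {detail}")
    for cmd in repair_plan(results):
        print("repair:", cmd)
```

The exefile check compares against the literal default `"%1" %*` rather than looking for pump.exe by name, so it also catches a hijack that uses a different loader; the rundll32 pattern deliberately requires a single-character entry point so that a legitimate entry such as the printer's `DLCCtime.dll,_RunDLLEntry@16` is not flagged.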


#3 And then:
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 22 October 2009 - 08:59 PM

Thank you for the rapid response, farbar. I agree to refrain from making any system changes as you requested.

I started in safe mode and entered the commands as instructed. I also renamed the mbam.exe file to clear.exe. I was not able to run Malwarebytes, however. Double-clicking on the clear.exe file or doing File>Open had no response. I tried right-clicking on it and selecting Run As...>Current User and got the following message: "C:\\Program Files\Malwarebytes' Anti-Malware\clear.exe A device attached to the system is not functioning".

I rebooted in normal mode, and the usual viruses were active again, and also Windows Security Center, which I do not remember seeing before. I was able to kill Police Pro, Antivirus 2010, and System Security using Process Explorer and the fixtm.reg files like before. I took no action against Windows Security Center, ignoring it instead.

I can see how to attach files now, so yesterday's Attach.txt and Ark.txt are now attached.

I await further instructions from you on how to proceed.

Attached Files



#4 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:22 AM

Posted 23 October 2009 - 03:07 AM

  • Please set your system to show all files and extensions:
    • Click Start, open Computer, select the Tools menu and click Folder Options.
    • Select the View Tab. Under the Hidden files and folders heading, check Show hidden files and folders.
    • Uncheck: Hide file extensions for known file types
    • Uncheck: Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
  • Download ComboFix from one of these locations but rename it to iexplore.exe before you save it.

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 And then:
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 23 October 2009 - 08:17 PM

OK, I screwed up a little and did not uncheck the "Hide protected operating system files (recommended)" option before running Combofix.exe. Please let me know if I should run Combofix.exe again because of this. I also renamed Combofix as myapp.exe instead of iexplore.exe. Sorry I did not follow your instructions, it was an unintentional error on my part.

Here is my log file.


ComboFix 09-10-22.01 - Gregg Waldron 10/23/2009 18:22.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.152 [GMT -4:00]
Running from: c:\documents and settings\Gregg Waldron\Desktop\myapp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\11461518
c:\documents and settings\All Users\Application Data\11461518\11461518.exe
c:\documents and settings\All Users\Application Data\30511313
c:\documents and settings\All Users\Application Data\30511313\30511313.bat
c:\documents and settings\All Users\Application Data\30511313\30511313.exe
c:\documents and settings\All Users\Application Data\70739026
c:\documents and settings\All Users\Application Data\70739026\70739026.bat
c:\documents and settings\All Users\Application Data\70739026\70739026.exe
c:\documents and settings\All Users\Application Data\72697132
c:\documents and settings\All Users\Application Data\72697132\72697132.bat
c:\documents and settings\All Users\Application Data\72697132\72697132.exe
c:\documents and settings\All Users\Application Data\89107227
c:\documents and settings\All Users\Application Data\89107227\89107227.bat
c:\documents and settings\All Users\Application Data\89107227\89107227.exe
c:\documents and settings\All Users\Application Data\kavici.exe
c:\documents and settings\All Users\Application Data\poqicime._sy
c:\documents and settings\All Users\Application Data\qogi.scr
c:\documents and settings\All Users\Application Data\zesak.com
c:\documents and settings\All Users\Documents\cysy.inf
c:\documents and settings\All Users\Documents\exeku.scr
c:\documents and settings\All Users\Documents\hyqo.exe
c:\documents and settings\All Users\Documents\udum.reg
c:\documents and settings\Gregg Waldron\Application Data\edifofogyf.exe
c:\documents and settings\Gregg Waldron\Application Data\hiwi._dl
c:\documents and settings\Gregg Waldron\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Gregg Waldron\Application Data\omuw.ban
c:\documents and settings\Gregg Waldron\Application Data\seres.exe
c:\documents and settings\Gregg Waldron\Application Data\svcst.exe
c:\documents and settings\Gregg Waldron\Application Data\uriwevekit.sys
c:\documents and settings\Gregg Waldron\Cookies\femi.scr
c:\documents and settings\Gregg Waldron\Cookies\foxa.pif
c:\documents and settings\Gregg Waldron\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Gregg Waldron\Desktop\Security Tool.lnk
c:\documents and settings\Gregg Waldron\Desktop\Windows Police Pro.lnk
c:\documents and settings\Gregg Waldron\Favorites\games.url
c:\documents and settings\Gregg Waldron\Local Settings\Application Data\exeber.com
c:\documents and settings\Gregg Waldron\Local Settings\Application Data\hamo._sy
c:\documents and settings\Gregg Waldron\Local Settings\Application Data\ikymasose.scr
c:\documents and settings\Gregg Waldron\Local Settings\Application Data\jixefubih.reg
c:\documents and settings\Gregg Waldron\Local Settings\Application Data\qawogot.scr
c:\documents and settings\Gregg Waldron\Local Settings\Application Data\tigagipife._dl
c:\documents and settings\Gregg Waldron\Local Settings\Application Data\yheloh.inf
c:\documents and settings\Gregg Waldron\Local Settings\Application Data\zokyrig.exe
c:\documents and settings\Gregg Waldron\Local Settings\Temporary Internet Files\ebydatawib._dl
c:\documents and settings\Gregg Waldron\Local Settings\Temporary Internet Files\fopyxib.inf
c:\documents and settings\Gregg Waldron\Local Settings\Temporary Internet Files\ifuzywis.bat
c:\documents and settings\Gregg Waldron\Local Settings\Temporary Internet Files\jetow._sy
c:\documents and settings\Gregg Waldron\Local Settings\Temporary Internet Files\jilesuvycy.ban
c:\documents and settings\Gregg Waldron\Local Settings\Temporary Internet Files\ybemosycu.pif
c:\documents and settings\Gregg Waldron\Local Settings\Temporary Internet Files\zyfojucupo._sy
c:\documents and settings\Gregg Waldron\My Documents\explorer.exe
c:\documents and settings\Gregg Waldron\My Documents\ZbThumbnail.info
c:\documents and settings\Gregg Waldron\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Gregg Waldron\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Gregg Waldron\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Gregg Waldron\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Gregg Waldron\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Gregg Waldron\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\documents and settings\Kelly Williams\My Documents\ZbThumbnail.info
C:\explorer.exe
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\heryxy._sy
c:\program files\Common Files\huxahem.sys
c:\program files\Common Files\ifym.sys
c:\program files\Common Files\ilenowu.dl
c:\program files\Common Files\izaja.exe
c:\program files\Common Files\qimyteco.bat
c:\program files\Common Files\ulopufef._sy
c:\program files\Common Files\xemax.dll
c:\program files\Common Files\yvicera.bat
c:\program files\WinBudget
c:\program files\WinBudget\bin\matrix.dat
c:\windows\aqaxujav.bin
c:\windows\azyhysehuk.exe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\elycyt.bat
c:\windows\ezytu.dl
c:\windows\gyros.exe
c:\windows\haruwam.vbs
c:\windows\helixaj.dl
c:\windows\jefimiqika.dll
c:\windows\laquhuciwa.dll
c:\windows\opexaci._sy
c:\windows\owypexivec.bat
c:\windows\svohost.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\cozujigyr.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\fewohite.dll
c:\windows\system32\fitozeba.dll
c:\windows\system32\jopopaya.dll
c:\windows\system32\kehegi._sy
c:\windows\system32\lelimafu.exe
c:\windows\system32\luyehije.dll
c:\windows\system32\noxo.bat
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\regizogu.exe
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\sobipore.dll
c:\windows\system32\tatej.ban
c:\windows\system32\utanu.bin
c:\windows\system32\vamyjuludo._sy
c:\windows\system32\vodonuwe.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wojuqo.vbs
c:\windows\system32\wpcap.dll
c:\windows\system32\yobuwiji.exe
c:\windows\system32\yovalono.dll
c:\windows\system32\zelayira.exe
c:\windows\system32\zenigipi.scr
c:\windows\xoroqo.ban
c:\windows\yhehovyme.sys
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://82.98.231.100
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-23 22:57 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-23 22:57 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-23 21:52 . 2009-10-23 21:52 10548 ----a-w- c:\windows\system32\ugynynoriw.com
2009-10-22 03:08 . 2009-10-22 03:08 0 ----a-w- c:\documents and settings\Gregg Waldron\settings.dat
2009-10-21 00:09 . 2009-10-21 00:09 -------- d-----w- c:\documents and settings\Gregg Waldron\Application Data\Malwarebytes
2009-10-21 00:00 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 00:00 . 2009-10-23 01:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 00:00 . 2009-10-21 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 00:00 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 23:47 . 2009-10-20 23:47 109 ----a-w- C:\fixtm.reg
2009-10-17 15:14 . 2009-10-20 22:25 1 ----a-w- c:\windows\wp3.dat
2009-10-17 15:14 . 2009-10-20 22:25 58 ----a-w- c:\windows\wp4.dat
2009-10-17 15:08 . 2009-10-17 15:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-17 15:07 . 2009-10-17 15:07 15468 ----a-w- c:\windows\jorajad.dat
2009-10-17 15:00 . 2009-10-17 15:00 9216 ----a-w- C:\svhkapw.exe
2009-10-17 15:00 . 2009-10-17 15:00 52736 ----a-w- C:\nmihj.exe
2009-10-17 15:00 . 2009-10-17 15:00 22016 ----a-w- C:\cwxa.exe
2009-10-17 15:00 . 2009-10-17 15:00 192008 ----a-w- C:\lyqr.exe
2009-10-17 15:00 . 2009-10-17 15:00 49152 ----a-w- C:\bqefoh.exe
2009-10-17 15:00 . 2009-10-17 15:00 24576 ----a-w- C:\jboy.exe
2009-10-15 23:51 . 2009-10-15 23:51 -------- d-----w- c:\documents and settings\Gregg Waldron\Local Settings\Application Data\ProDigital
2009-10-15 23:48 . 2009-10-15 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ProDigitalSoftware
2009-10-15 23:47 . 2009-10-15 23:47 -------- d-----w- c:\documents and settings\Gregg Waldron\Application Data\WinBatch
2009-10-02 18:10 . 2009-10-02 18:10 56708 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-01 21:11 . 2009-10-01 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 21:57 . 2006-01-02 22:52 -------- d-----w- c:\program files\Dl_cats
2009-10-23 21:52 . 2009-10-23 21:52 16935 ----a-w- c:\program files\Common Files\wemyqa.lib
2009-10-13 10:53 . 2008-06-28 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-02 18:09 . 2005-12-18 18:57 69616 -c--a-w- c:\documents and settings\Kelly Williams\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 18:01 . 2007-12-26 02:25 -------- d-----w- c:\documents and settings\Kelly Williams\Application Data\Apple Computer
2009-10-01 21:12 . 2007-12-26 02:24 -------- d-----w- c:\program files\iTunes
2009-10-01 21:11 . 2007-12-26 02:24 -------- d-----w- c:\program files\iPod
2009-10-01 21:11 . 2007-12-26 02:20 -------- d-----w- c:\program files\Common Files\Apple
2009-10-01 21:07 . 2007-12-26 02:23 -------- d-----w- c:\program files\QuickTime
2009-09-20 06:50 . 2005-12-19 03:24 69616 -c--a-w- c:\documents and settings\Gregg Waldron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 21:48 . 2007-01-19 22:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-13 14:20 . 2009-07-27 01:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-06 01:14 . 2009-09-06 01:13 -------- d-----w- c:\program files\RegiStax 5
2009-09-04 21:03 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 23:42 . 2008-09-09 23:01 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:42 . 2007-12-26 02:21 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-08-10 18:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2004-08-10 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-10 19:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-10 19:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-10 19:02 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-10 18:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-10 19:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-13 18:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-09-13 18:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-10 19:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2004-08-10 18:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 2004-08-04 04:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-05-08 23:43 . 2005-12-19 03:23 56 -csh--r- c:\windows\system32\130E573B2E.sys
2009-07-19 22:46 . 2009-07-19 22:46 1051170 --sha-w- c:\windows\system32\diguweha.exe
2009-07-20 22:24 . 2009-07-20 22:24 39424 --sha-w- c:\windows\system32\fejuvizo.dll
2009-07-17 15:12 . 2009-07-17 15:12 24576 --sha-w- c:\windows\system32\fiyamepe.exe
2009-07-21 16:33 . 2009-07-21 16:33 1050658 --sha-w- c:\windows\system32\gawojuso.exe
2009-07-23 01:22 . 2009-07-23 01:22 39424 --sha-w- c:\windows\system32\kenahapu.dll
2006-05-08 23:43 . 2005-12-19 03:23 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-19 22:46 . 2009-07-19 22:46 27648 --sha-w- c:\windows\system32\nebiteda.exe
2009-07-23 01:22 . 2009-07-23 01:22 91648 --sha-w- c:\windows\system32\rahuziti.dll
2009-07-19 22:46 . 2009-07-19 22:46 1051170 --sha-w- c:\windows\system32\rujudagu.exe
2009-07-18 14:31 . 2009-07-18 14:31 1081890 --sha-w- c:\windows\system32\sosafuji.exe
2009-07-20 22:24 . 2009-07-20 22:24 1051682 --sha-w- c:\windows\system32\suhamose.exe
2009-07-22 04:33 . 2009-07-22 04:33 91648 --sha-w- c:\windows\system32\torajigu.dll
2009-07-17 15:12 . 2009-07-17 15:12 1079842 --sha-w- c:\windows\system32\vafiyene.exe
2009-07-21 16:33 . 2009-07-21 16:33 39424 --sha-w- c:\windows\system32\vidasasa.dll
2009-07-21 16:34 . 2009-07-21 16:34 53760 --sha-w- c:\windows\system32\vidohosi.dll
2009-07-21 16:33 . 2009-07-21 16:33 53760 --sha-w- c:\windows\system32\zodetego.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-12-04 17:46 . 2006-06-20 03:48 94208 c:\documents and settings\Kelly Williams\Desktop\SealedMedia\bak\sealmon.exe

2005-12-08 03:10 . 2004-10-15 01:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

2005-06-10 16:44 . 2005-06-10 16:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2006-01-02 22:53 . 2005-07-22 13:03 425984 c:\program files\Dell Photo AIO Printer 924\bak\dlccmon.exe

2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-09-21 20:36 . 2009-09-21 20:36 305440 c:\program files\iTunes\iTunesHelper.exe

2007-11-21 01:28 . 2007-09-25 06:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

2004-08-10 19:01 . 2004-10-13 16:24 1694208 c:\program files\Messenger\bak\msmsgs.exe
2008-08-22 20:15 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

2007-06-13 00:07 . 2007-06-13 00:07 356352 c:\program files\Micro Innovations\Optical Scroll\bak\mouse32a.exe

2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe

2003-05-21 06:21 . 2003-05-21 06:21 90112 c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe

2004-08-10 18:51 . 2004-08-04 11:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-10 18:51 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2005-12-08 03:10 . 2005-09-20 13:32 77824 c:\windows\system32\bak\hkcmd.exe

2005-12-08 03:10 . 2005-09-20 13:36 114688 c:\windows\system32\bak\igfxpers.exe

2005-12-08 03:10 . 2005-09-20 13:35 94208 c:\windows\system32\bak\igfxtray.exe

2005-12-08 03:36 . 2005-05-31 10:33 122941 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0b84851b-24f7-46c1-a36b-64324e9932c7}]
2009-07-21 16:34 53760 --sha-w- c:\windows\system32\vidohosi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-13 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport-"="c:\progra~1\DELLSU~1\DSAgnt.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [N/A]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [N/A]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [N/A]
"igfxtray"="c:\windows\system32\igfxtray.exe" [N/A]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [N/A]
"igfxpers"="c:\windows\system32\igfxpers.exe" [N/A]
"sealmon"="c:\documents and settings\Kelly Williams\Desktop\SealedMedia\sealmon.exe" [N/A]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [N/A]
"FLMOFFICE4DMOUSE"="c:\program files\Micro Innovations\Optical Scroll\mouse32a.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"30511313"="c:\documents and settings\All Users\Application Data\30511313\30511313.exe" [N/A]
"89107227"="c:\documents and settings\All Users\Application Data\89107227\89107227.exe" [N/A]
"72697132"="c:\documents and settings\All Users\Application Data\72697132\72697132.exe" [N/A]
"70739026"="c:\documents and settings\All Users\Application Data\70739026\70739026.exe" [N/A]
"11461518"="c:\docume~1\ALLUSE~1\APPLIC~1\11461518\11461518.exe" [N/A]
"fokegakoj"="c:\windows\system32\sobipore.dll" [N/A]
"sotisuvebu"="fewohite.dll" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-11 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Evoluent Mouse Manager.lnk - c:\windows\Installer\{D4FE08FD-C342-4A50-AE8B-3E9236DC20ED}\_3490A01862136E4A51872C.exe [2007-10-21 1150]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Portrait Displays\\Shared\\HookManager.exe"=

R3 evomouflt;Evoluent Mouse filter;c:\windows\system32\drivers\evomouflt.sys [12/11/2006 11:32 PM 12288]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [1/29/2009 6:10 PM 266240]
S2 gupdate1c9b0cbce7aea02;Google Update Service (gupdate1c9b0cbce7aea02);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2009 8:09 PM 133104]
S4 Agprvprtstwk;Agprvprtstwk;c:\windows\system32\fixmapi.exe [8/10/2004 2:51 PM 3072]
.
Contents of the 'Scheduled Tasks' folder

2009-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 00:09]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 00:09]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-10 00:12]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-08-01 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{2f25df11-5ad0-43e2-81f0-fdccfb677634} - c:\windows\system32\sobipore.dll
SSODL-zupohijon-{2f25df11-5ad0-43e2-81f0-fdccfb677634} - c:\windows\system32\sobipore.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 19:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_1a7c&Pid_0068\6&12cb7a5&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3260)
c:\windows\system32\WININET.dll
c:\program files\Evoluent\VMouse\MouseHook.DLL
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\progra~1\McAfee\MSC\mclogsrv.exe
c:\progra~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\McAfee\MSC\mcpromgr.exe
c:\progra~1\McAfee\MSC\mctskshd.exe
c:\progra~1\McAfee\MSC\mcusrmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\fxssvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\myapp\CF24097.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Evoluent\VMouse\EvoMouExec.exe
c:\program files\Portrait Displays\Pivot Software\floater.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\myapp\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 19:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 23:42

Pre-Run: 41,317,249,024 bytes free
Post-Run: 41,896,034,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6E266491E831BF3240C1FC3468FB89F5

#6 Farbar

Farbar
  • Security Developer
  • Location:The Netherlands

Posted 24 October 2009 - 03:54 AM

Well done, it was important to run ComboFix.
  • Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/266076/infected-with-seresexe-svcstexe-windows-police-pro-antivirus-2010-system-security/?p=1469779
    
    Collect::
    c:\windows\system32\ugynynoriw.com
    c:\windows\jorajad.dat
    C:\svhkapw.exe
    C:\nmihj.exe
    C:\cwxa.exe
    C:\lyqr.exe
    C:\bqefoh.exe
    C:\jboy.exe
    c:\program files\Common Files\wemyqa.lib
    c:\windows\system32\fejuvizo.dll
    c:\windows\system32\fiyamepe.exe
    c:\windows\system32\gawojuso.exe
    c:\windows\system32\sosafuji.exe
    c:\windows\system32\suhamose.exe
    c:\windows\system32\torajigu.dll
    c:\windows\system32\vafiyene.exe
    Folder::
    c:\windows\system32\config\systemprofile\IETldCache
    File::
    c:\windows\system32\130E573B2E.sys
    c:\windows\system32\kenahapu.dll
    c:\windows\system32\nebiteda.exe
    c:\windows\system32\rahuziti.dll
    c:\windows\system32\rujudagu.exe
    c:\windows\system32\vidasasa.dll
    c:\windows\system32\vidohosi.dll
    c:\windows\system32\zodetego.dll
    c:\windows\system32\sobipore.dll
    C:\fixtm.reg
    c:\windows\wp3.dat
    c:\windows\wp4.dat
    AtJob::
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "30511313"=-
    "89107227"=-
    "72697132"=-
    "70739026"=-
    "11461518"=-
    "fokegakoj"=-
    "sotisuvebu"=-

    Save this as CFScript.txt


    [image: dragging CFScript.txt onto ComboFix.exe]


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Now follow the steps in the previous post to run Malwarebytes. I expect it to run without renaming. You may update it first. How you run it is not important as long as it runs and removes what it finds. Please include its log too.
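
One way to make the triage being done by hand in this thread repeatable, as an added example that is not part of the thread, of ComboFix, or of Farbar's post. It parses ComboFix-style "Files Created"/"Find3M" lines and "Reg Loading Points" entries, flags the indicators visible in the log above (eight-letter consonant/vowel names such as fejuvizo.dll carrying hidden+system attributes, numeric-named Run values under All Users\Application Data, Run values that point at a bare filename resolved through the search path), and emits a File::/Registry:: CFScript skeleton for a human to review. The sample log lines are copied from the log above; the regexes, the consonant/vowel naming heuristic and the function names are my own assumptions, not ComboFix behaviour.

```python
"""Triage a ComboFix log and draft a CFScript from what it flags.

Added example, not part of ComboFix or of this thread. The heuristics are
assumptions drawn from the log posted above, not a general-purpose scanner.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log above plus benign ones for contrast.
SAMPLE_LOG = r"""
2009-07-20 22:24 . 2009-07-20 22:24 39424 --sha-w- c:\windows\system32\fejuvizo.dll
2009-07-23 01:22 . 2009-07-23 01:22 39424 --sha-w- c:\windows\system32\kenahapu.dll
2006-05-08 23:43 . 2005-12-19 03:23 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-29 08:08 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 00:00 . 2009-10-21 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"30511313"="c:\documents and settings\All Users\Application Data\30511313\30511313.exe" [N/A]
"fokegakoj"="c:\windows\system32\sobipore.dll" [N/A]
"sotisuvebu"="fewohite.dll" [N/A]
"""

# ComboFix file line: <mtime> . <ctime> <size or dashes> <8-char attrs> <path>
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s+\[(?P<info>[^\]]*)\]$')
# Eight-letter consonant/vowel alternating basename (fejuvizo, kenahapu, vidohosi,
# sobipore ...) as seen in the log above. Heuristic assumption, not a signature.
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.(?:exe|dll|scr|com)$")


@dataclass
class Finding:
    kind: str      # "file" or "run"
    target: str    # file path, or Run value name
    reason: str
    key: str = ""  # registry key the Run value lives under


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return the entries in a ComboFix log that match the heuristics above."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            if attrs.startswith("d"):          # directory entry, skip
                continue
            if CV_NAME.match(_basename(path)):
                why = "random CV-pattern name"
                if "s" in attrs and "h" in attrs:
                    why += ", hidden+system"   # attribute letters as ComboFix prints them
                findings.append(Finding("file", path, why))
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")       # remember the hive/key for value lines
            continue
        m = VALUE_LINE.match(line)
        if m and current_key.lower().endswith("\\run"):
            name, data = m.group("name"), m.group("data")
            reasons = []
            if name.isdigit():
                reasons.append("numeric value name")
            if "\\" not in data:
                reasons.append("bare filename resolved via search path")
            if CV_NAME.match(_basename(data)):
                reasons.append("CV-pattern target")
            if reasons:
                findings.append(Finding("run", name, "; ".join(reasons), current_key))
    return findings


def build_cfscript(findings):
    """Draft File:: and Registry:: sections; the key header is copied from the log
    so the hive matches where the value was actually found."""
    out = []
    files = [f.target for f in findings if f.kind == "file"]
    if files:
        out.append("File::")
        out.extend(files)
    by_key = {}
    for f in findings:
        if f.kind == "run":
            by_key.setdefault(f.key, []).append(f.target)
    if by_key:
        out.append("Registry::")
        for key, names in by_key.items():
            out.append(f"[{key}]")
            out.extend(f'"{n}"=-' for n in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.target}  <- {f.reason}")
    print(build_cfscript(triage(SAMPLE_LOG)))
```

The output is a candidate list, not a removal list: every flagged path still needs a look at the file itself (size, timestamp cluster, whether it is loaded into a process) before it goes into a File:: or Collect:: section, and the Run-key header is taken from the log rather than typed by hand so that a value found under HKLM is not targeted under HKCU.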


#7 And then:

And then:
  • Topic Starter
  • Members

Posted 24 October 2009 - 09:52 AM

My ComboFix log is below. Malwarebytes did not run. I renamed the .exe file as mbam.exe and as clear.exe. Nothing happened when I ran the file (no error messages, etc.). Should I reinstall Malwarebytes perhaps?

ComboFix 09-10-23.01 - Gregg Waldron 10/24/2009 9:36.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.108 [GMT -4:00]
Running from: c:\documents and settings\Gregg Waldron\Desktop\myapp.exe
Command switches used :: c:\documents and settings\Gregg Waldron\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"C:\fixtm.reg"
"c:\windows\system32\130E573B2E.sys"
"c:\windows\system32\kenahapu.dll"
"c:\windows\system32\nebiteda.exe"
"c:\windows\system32\rahuziti.dll"
"c:\windows\system32\rujudagu.exe"
"c:\windows\system32\sobipore.dll"
"c:\windows\system32\vidasasa.dll"
"c:\windows\system32\vidohosi.dll"
"c:\windows\system32\zodetego.dll"
"c:\windows\wp3.dat"
"c:\windows\wp4.dat"

file zipped: c:\program files\Common Files\wemyqa.lib
file zipped: c:\windows\jorajad.dat
file zipped: c:\windows\system32\fejuvizo.dll
file zipped: c:\windows\system32\fiyamepe.exe
file zipped: c:\windows\system32\gawojuso.exe
file zipped: c:\windows\system32\sosafuji.exe
file zipped: c:\windows\system32\suhamose.exe
file zipped: c:\windows\system32\ugynynoriw.com
file zipped: c:\windows\system32\vafiyene.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fixtm.reg
c:\program files\Common Files\wemyqa.lib
c:\windows\jorajad.dat
c:\windows\system32\130E573B2E.sys
c:\windows\system32\fejuvizo.dll
c:\windows\system32\fiyamepe.exe
c:\windows\system32\gawojuso.exe
c:\windows\system32\kenahapu.dll
c:\windows\system32\mafopiwo.dll
c:\windows\system32\mevozeha.dll
c:\windows\system32\nebiteda.exe
c:\windows\system32\rahuziti.dll
c:\windows\system32\ruyebana.exe
c:\windows\system32\sosafuji.exe
c:\windows\system32\suhamose.exe
c:\windows\system32\ugynynoriw.com
c:\windows\system32\vafiyene.exe
c:\windows\system32\vidasasa.dll
c:\windows\system32\vidohosi.dll
c:\windows\system32\zodetego.dll
c:\windows\wp3.dat
c:\windows\wp4.dat
c:\windows\system32\config\systemprofile\IETldCache . . . . failed to delete
c:\windows\system32\config\systemprofile\IETldCache\index.dat . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-23 22:57 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-23 22:57 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-22 03:08 . 2009-10-22 03:08 0 ----a-w- c:\documents and settings\Gregg Waldron\settings.dat
2009-10-21 00:09 . 2009-10-21 00:09 -------- d-----w- c:\documents and settings\Gregg Waldron\Application Data\Malwarebytes
2009-10-21 00:00 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 00:00 . 2009-10-23 01:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 00:00 . 2009-10-21 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 00:00 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-17 15:08 . 2009-10-24 14:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-15 23:51 . 2009-10-15 23:51 -------- d-----w- c:\documents and settings\Gregg Waldron\Local Settings\Application Data\ProDigital
2009-10-15 23:48 . 2009-10-15 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ProDigitalSoftware
2009-10-15 23:47 . 2009-10-15 23:47 -------- d-----w- c:\documents and settings\Gregg Waldron\Application Data\WinBatch
2009-10-02 18:10 . 2009-10-02 18:10 56708 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-01 21:11 . 2009-10-01 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 14:14 . 2008-06-28 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-24 01:34 . 2006-01-02 22:52 -------- d-----w- c:\program files\Dl_cats
2009-10-02 18:09 . 2005-12-18 18:57 69616 -c--a-w- c:\documents and settings\Kelly Williams\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 18:01 . 2007-12-26 02:25 -------- d-----w- c:\documents and settings\Kelly Williams\Application Data\Apple Computer
2009-10-01 21:12 . 2007-12-26 02:24 -------- d-----w- c:\program files\iTunes
2009-10-01 21:11 . 2007-12-26 02:24 -------- d-----w- c:\program files\iPod
2009-10-01 21:11 . 2007-12-26 02:20 -------- d-----w- c:\program files\Common Files\Apple
2009-10-01 21:07 . 2007-12-26 02:23 -------- d-----w- c:\program files\QuickTime
2009-09-20 06:50 . 2005-12-19 03:24 69616 -c--a-w- c:\documents and settings\Gregg Waldron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 21:48 . 2007-01-19 22:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-13 14:20 . 2009-07-27 01:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-06 01:14 . 2009-09-06 01:13 -------- d-----w- c:\program files\RegiStax 5
2009-09-04 21:03 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 23:42 . 2008-09-09 23:01 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:42 . 2007-12-26 02:21 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-08-10 18:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2004-08-10 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-10 19:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-10 19:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-10 19:02 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-10 18:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-10 19:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-13 18:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-09-13 18:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-10 19:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2004-08-10 18:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 2004-08-04 04:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2006-05-08 23:43 . 2005-12-19 03:23 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-22 04:33 . 2009-07-22 04:33 91648 --sha-w- c:\windows\system32\torajigu.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-23_23.21.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-12-17 20:59 . 2009-10-24 14:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-12-17 20:59 . 2009-10-23 23:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-12-17 20:59 . 2009-10-24 14:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-17 20:59 . 2009-10-23 23:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-17 15:08 . 2009-10-23 23:11 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-10-24 14:12 . 2009-10-24 14:07 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2005-12-17 20:59 . 2009-10-24 14:07 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-12-17 20:59 . 2009-10-23 23:11 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-06-28 17:26 . 2009-10-13 10:53 35088 c:\windows\Installer\{91120000-0017-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-06-28 17:26 . 2009-10-24 14:12 35088 c:\windows\Installer\{91120000-0017-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-06-28 17:26 . 2009-10-24 14:12 18704 c:\windows\Installer\{91120000-0017-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-06-28 17:26 . 2009-10-13 10:53 18704 c:\windows\Installer\{91120000-0017-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-06-28 17:26 . 2009-10-13 10:53 20240 c:\windows\Installer\{91120000-0017-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-06-28 17:26 . 2009-10-24 14:12 20240 c:\windows\Installer\{91120000-0017-0000-0000-0000000FF1CE}\cagicon.exe
+ 2006-10-27 01:13 . 2006-10-27 01:13 38168 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\REFEDIT.DLL
+ 2006-10-27 00:12 . 2006-10-27 00:12 65824 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\NAME.DLL
+ 2006-10-27 01:13 . 2006-10-27 01:13 26936 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MSOEURO.DLL
+ 2006-10-26 23:48 . 2006-10-26 23:48 14664 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MSOCFU.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 56120 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACERCLR.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 15160 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEODTXT.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 15160 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEODPDX.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 15160 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEODEXL.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 15160 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEODDBS.DLL
+ 2006-10-27 19:00 . 2006-10-27 19:00 47976 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEERR.DLL
+ 2009-10-24 14:13 . 2009-10-24 14:13 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\1ded203bd27031c3a5e3441f94b528c0\Microsoft.VisualC.ni.dll
+ 2007-10-15 03:44 . 2007-10-15 03:44 324608 c:\windows\Installer\2ac9f.msp
+ 2007-10-15 03:46 . 2007-10-15 03:46 324608 c:\windows\Installer\2ac99.msp
- 2008-06-28 17:26 . 2009-10-13 10:53 217864 c:\windows\Installer\{91120000-0017-0000-0000-0000000FF1CE}\misc.exe
+ 2008-06-28 17:26 . 2009-10-24 14:12 217864 c:\windows\Installer\{91120000-0017-0000-0000-0000000FF1CE}\misc.exe
- 2008-06-28 17:21 . 2008-06-28 17:21 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2009-10-24 14:14 . 2009-10-24 14:14 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2006-10-27 00:06 . 2006-10-27 00:06 439600 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\SETUP.EXE
+ 2006-10-27 00:13 . 2006-10-27 00:13 503624 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\SELFCERT.EXE
+ 2006-10-27 01:30 . 2006-10-27 01:30 482088 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\PORTCONN.DLL
+ 2006-07-26 22:53 . 2006-07-26 22:53 459080 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\OUTLFLTR.DLL
+ 2006-10-27 00:00 . 2006-10-27 00:00 285008 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\OISGRAPH.DLL
+ 2006-10-27 00:00 . 2006-10-27 00:00 998208 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\OISAPP.DLL
+ 2006-10-27 00:00 . 2006-10-27 00:00 274744 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\OIS.EXE
+ 2006-10-27 00:06 . 2006-10-27 00:06 232816 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ODEPLOY.EXE
+ 2006-10-26 23:55 . 2006-10-26 23:55 538904 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MSTORES.DLL
+ 2006-10-26 23:55 . 2006-10-26 23:55 832800 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MSTORDB.EXE
+ 2006-10-26 17:56 . 2006-10-26 17:56 505136 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MSSOAP30.DLL
+ 2006-10-26 17:56 . 2006-10-26 17:56 436520 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MSORUN.DLL
+ 2006-10-27 00:12 . 2006-10-27 00:12 428816 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MSODCW.DLL
+ 2006-10-27 18:59 . 2006-10-27 18:59 161080 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MSOCF.DLL
+ 2006-10-26 17:58 . 2006-10-26 17:58 117552 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MSCONV97.DLL
+ 2006-10-26 23:55 . 2006-10-26 23:55 828704 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MEDCAT.DLL
+ 2006-10-27 00:12 . 2006-10-27 00:12 173328 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\IEAWSDC.DLL
+ 2006-10-27 19:09 . 2006-10-27 19:09 726872 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\FPWEL.DLL
+ 2006-10-27 19:09 . 2006-10-27 19:09 983376 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\FPWEC.DLL
+ 2006-10-27 01:07 . 2006-10-27 01:07 417088 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\FPNSE.DLL
+ 2006-10-26 23:48 . 2006-10-26 23:48 434528 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\DWTRIG20.EXE
+ 2006-10-26 23:48 . 2006-10-26 23:48 439568 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\DWDCW20.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 205616 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\CLVIEW.EXE
+ 2006-10-27 19:41 . 2006-10-27 19:41 399640 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\CDLMSO.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 371568 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEXBE.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 224104 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACETXT.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 551800 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEREP.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 289648 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACER3X.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 260976 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACER2X.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 392048 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEPDE.DLL
+ 2006-10-27 19:00 . 2006-10-27 19:00 387960 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEOLEDB.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 279352 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEODBC.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 207736 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACELTS.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 629616 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEEXCL.DLL
+ 2006-10-27 00:13 . 2006-10-27 00:13 338800 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEEXCH.DLL
+ 2006-10-27 19:00 . 2006-10-27 19:00 191360 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEES.DLL
+ 2006-10-27 19:00 . 2006-10-27 19:00 576376 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACEDAO.DLL
+ 2006-10-26 23:49 . 2006-10-26 23:49 970528 c:\windows\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\MSONSEXT.DLL
+ 2009-10-24 14:13 . 2009-10-24 14:13 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\af21e3011fb4e107b13ea5c40c351ec4\System.Runtime.Remoting.ni.dll
+ 2009-10-24 14:13 . 2009-10-24 14:13 593408 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Messaging\8ad38ebb07c0d5b5bbf15f8f3c11c6be\System.Messaging.ni.dll
+ 2009-10-24 14:13 . 2009-10-24 14:13 864256 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Web.Autho#\841dc881d4968eb06514134f7a8cef77\Microsoft.Web.Authoring.ni.dll
+ 2007-10-15 03:43 . 2007-10-15 03:43 5749760 c:\windows\Installer\2ac78.msp
+ 2007-10-15 04:10 . 2007-10-15 04:10 8300032 c:\windows\Installer\2ac70.msp
+ 2007-05-09 21:19 . 2007-05-09 21:19 2585936 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.6215\VBE6.DLL
+ 2006-10-27 18:57 . 2006-10-27 18:57 2330968 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\STSLIST.DLL
+ 2006-10-27 19:09 . 2006-10-27 19:09 6075200 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\SPDESIGN.EXE
+ 2006-10-27 00:07 . 2006-10-27 00:07 6536992 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\OSETUP.DLL
+ 2006-10-27 00:14 . 2006-10-27 00:14 7033152 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\OFFOWC.DLL
+ 2006-10-27 00:00 . 2006-10-27 00:00 6635320 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\MSORES.DLL
+ 2006-10-26 23:21 . 2006-10-26 23:21 1682232 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\FPSRVUTL.DLL
+ 2006-10-27 19:00 . 2006-10-27 19:00 1751904 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\ACECORE.DLL
+ 2006-10-26 23:49 . 2006-10-26 23:49 1011488 c:\windows\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\MSDAIPP.DLL
+ 2009-10-24 14:13 . 2009-10-24 14:13 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\ffa1018e8022964eb51025c2c6d8727a\System.Data.OracleClient.ni.dll
+ 2009-10-24 14:13 . 2009-10-24 14:13 1602048 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Web.Desig#\7e4331c1a8d372c49fd0857eddc0f16e\Microsoft.Web.Design.Client.ni.dll
+ 2007-10-15 03:43 . 2007-10-15 03:43 12743168 c:\windows\Installer\2ac8a.msp
+ 2007-10-15 04:10 . 2007-10-15 04:10 64090624 c:\windows\Installer\2ac69.msp
+ 2006-10-27 19:14 . 2006-10-27 19:14 14151456 c:\windows\Installer\$PatchCache$\Managed\00002119710000000000000000F01FEC\12.0.4518\OART.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-12-04 17:46 . 2006-06-20 03:48 94208 c:\documents and settings\Kelly Williams\Desktop\SealedMedia\bak\sealmon.exe

2005-12-08 03:10 . 2004-10-15 01:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

2005-06-10 16:44 . 2005-06-10 16:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2006-01-02 22:53 . 2005-07-22 13:03 425984 c:\program files\Dell Photo AIO Printer 924\bak\dlccmon.exe

2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-09-21 20:36 . 2009-09-21 20:36 305440 c:\program files\iTunes\iTunesHelper.exe

2007-11-21 01:28 . 2007-09-25 06:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

2004-08-10 19:01 . 2004-10-13 16:24 1694208 c:\program files\Messenger\bak\msmsgs.exe
2008-08-22 20:15 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

2007-06-13 00:07 . 2007-06-13 00:07 356352 c:\program files\Micro Innovations\Optical Scroll\bak\mouse32a.exe

2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe

2003-05-21 06:21 . 2003-05-21 06:21 90112 c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe

2004-08-10 18:51 . 2004-08-04 11:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-10 18:51 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2005-12-08 03:10 . 2005-09-20 13:32 77824 c:\windows\system32\bak\hkcmd.exe

2005-12-08 03:10 . 2005-09-20 13:36 114688 c:\windows\system32\bak\igfxpers.exe

2005-12-08 03:10 . 2005-09-20 13:35 94208 c:\windows\system32\bak\igfxtray.exe

2005-12-08 03:36 . 2005-05-31 10:33 122941 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-13 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport-"="c:\progra~1\DELLSU~1\DSAgnt.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [N/A]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [N/A]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [N/A]
"igfxtray"="c:\windows\system32\igfxtray.exe" [N/A]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [N/A]
"igfxpers"="c:\windows\system32\igfxpers.exe" [N/A]
"sealmon"="c:\documents and settings\Kelly Williams\Desktop\SealedMedia\sealmon.exe" [N/A]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [N/A]
"FLMOFFICE4DMOUSE"="c:\program files\Micro Innovations\Optical Scroll\mouse32a.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"30511313"="c:\documents and settings\All Users\Application Data\30511313\30511313.exe" [N/A]
"89107227"="c:\documents and settings\All Users\Application Data\89107227\89107227.exe" [N/A]
"72697132"="c:\documents and settings\All Users\Application Data\72697132\72697132.exe" [N/A]
"70739026"="c:\documents and settings\All Users\Application Data\70739026\70739026.exe" [N/A]
"11461518"="c:\docume~1\ALLUSE~1\APPLIC~1\11461518\11461518.exe" [N/A]
"fokegakoj"="c:\windows\system32\mevozeha.dll" [N/A]
"sotisuvebu"="fewohite.dll" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-11 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Evoluent Mouse Manager.lnk - c:\windows\Installer\{D4FE08FD-C342-4A50-AE8B-3E9236DC20ED}\_3490A01862136E4A51872C.exe [2007-10-21 1150]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Portrait Displays\\Shared\\HookManager.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=

R3 evomouflt;Evoluent Mouse filter;c:\windows\system32\drivers\evomouflt.sys [12/11/2006 11:32 PM 12288]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [1/29/2009 6:10 PM 266240]
S2 gupdate1c9b0cbce7aea02;Google Update Service (gupdate1c9b0cbce7aea02);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2009 8:09 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 00:09]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 00:09]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-10 00:12]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-08-01 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{0b84851b-24f7-46c1-a36b-64324e9932c7} - vidohosi.dll
SharedTaskScheduler-{6cef0513-36ef-4043-be2f-851fb9c01270} - c:\windows\system32\mevozeha.dll
SSODL-lamanegur-{6cef0513-36ef-4043-be2f-851fb9c01270} - c:\windows\system32\mevozeha.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 10:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_1a7c&Pid_0068\6&12cb7a5&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(992)
c:\windows\system32\WININET.dll
c:\program files\Evoluent\VMouse\MouseHook.DLL
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\progra~1\McAfee\MSC\mclogsrv.exe
c:\progra~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\McAfee\MSC\mcpromgr.exe
c:\progra~1\McAfee\MSC\mctskshd.exe
c:\progra~1\McAfee\MSC\mcusrmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\fxssvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\myapp\CF21700.exe
c:\program files\Evoluent\VMouse\EvoMouExec.exe
c:\program files\Portrait Displays\Pivot Software\floater.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\myapp\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 10:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 14:39
ComboFix2.txt 2009-10-23 23:42

Pre-Run: 41,741,484,032 bytes free
Post-Run: 41,326,051,328 bytes free

- - End Of File - - F1E9F0C795F65F9F1F9FA4A0C67CB359

#8 Farbar

  • Security Developer
  • 21,716 posts
  • Location:The Netherlands

Posted 24 October 2009 - 10:17 AM

  • We will run ComboFix once more.

    Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    RegLocK::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "30511313"=-
    "89107227"=-
    "72697132"=-
    "70739026"=-
    "11461518"=-
    "fokegakoj"=-
    "sotisuvebu"=-

    Save this as CFScript.txt, in the same location as ComboFix.exe


    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Now first uninstall MBAM, then remove its folders, and then reinstall it. No need for renaming. Just run it, let it fix what it finds, and post the log.

Edited by farbar, 24 October 2009 - 07:04 PM.
spelling
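The CFScript above removes Run values with a Registry:: block. As an added example, which is not part of this thread, of the helper's script, or of ComboFix itself, the Python below parses the "Reg Loading Points" section of the log posted earlier, flags entries by two heuristics taken from that log (an all-digit value name that launches <digits>\<digits>.exe from All Users\Application Data, and a .dll Run value that ComboFix reports as [N/A]), lists the unflagged [N/A] .exe values so they can be cross-checked against the bak\ copies in the AWF section, and drafts a Registry:: block under the hive and key each value was actually listed in. The sample log text is a constructed subset of the thread's own entries; the rules, function names and the "restore candidate" reading of the [N/A] executables are this example's assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log and draft the
matching CFScript 'Registry::' block.

Added example for this thread; it is not ComboFix code and not the helper's
script. The heuristics are assumptions drawn from the entries in the log above.
"""
import re
from collections import OrderedDict

# Constructed sample: a subset of the Reg Loading Points section from the log
# posted earlier in this thread, enough to exercise every rule below.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-13 39408]
"DellSupport-"="c:\progra~1\DELLSU~1\DSAgnt.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [N/A]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"30511313"="c:\documents and settings\All Users\Application Data\30511313\30511313.exe" [N/A]
"89107227"="c:\documents and settings\All Users\Application Data\89107227\89107227.exe" [N/A]
"72697132"="c:\documents and settings\All Users\Application Data\72697132\72697132.exe" [N/A]
"70739026"="c:\documents and settings\All Users\Application Data\70739026\70739026.exe" [N/A]
"11461518"="c:\docume~1\ALLUSE~1\APPLIC~1\11461518\11461518.exe" [N/A]
"fokegakoj"="c:\windows\system32\mevozeha.dll" [N/A]
"sotisuvebu"="fewohite.dll" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-11 113664]
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# "name"="data" [date size]   or   "name"="data" [N/A] when ComboFix could not stat the file
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')


def parse_run_entries(text):
    """Return (key, name, data, stamp) tuples for every value under a [HKEY_...] header.

    A blank line ends the current key, so the Startup-folder block that follows
    the Run keys is not attributed to the last registry key.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            key = None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2), m.group(3)))
    return entries


def classify(key, name, data, stamp):
    """Return a reason string when an entry matches one of the rogue-loader
    patterns visible in this log, else None. Both rules are assumptions of this
    example, not ComboFix logic."""
    path = data.lower()
    # Rule 1: an all-digit value name whose target is <digits>\<digits>.exe; the
    # 8.3 short path (docume~1\alluse~1\applic~1) still ends the same way.
    if name.isdigit() and '\\%s\\%s.exe' % (name, name) in path:
        return 'numeric-name loader under Application Data: %s' % data
    # Rule 2: a .dll as a Run value that ComboFix could not stat ([N/A]). A DLL
    # with a real date and size, like the Dell printer DLCCtime.dll that catchme
    # shows being launched via rundll32, is not flagged.
    if stamp == 'N/A' and path.endswith('.dll'):
        return 'missing DLL loaded from a Run value: %s' % data
    return None


def triage(text):
    """Parse the log and return the flagged entries as dicts."""
    findings = []
    for key, name, data, stamp in parse_run_entries(text):
        reason = classify(key, name, data, stamp)
        if reason:
            findings.append({'key': key, 'name': name, 'reason': reason})
    return findings


def missing_targets(entries):
    """Names of unflagged .exe values whose file ComboFix could not find. In this
    log those line up with the AWF section, which lists originals under bak\\
    after the replacement binaries were removed, so treat them as restore
    candidates rather than deletions (assumption of this example)."""
    return [name for key, name, data, stamp in entries
            if stamp == 'N/A' and data.lower().endswith('.exe')
            and classify(key, name, data, stamp) is None]


def build_cfscript(findings):
    """Draft the CFScript 'Registry::' block in the REGEDIT4 form the thread uses:
    '"name"=-' deletes the value. Each value is placed under the hive and key the
    log listed it in, since the directive only touches the key it names."""
    by_key = OrderedDict()
    for f in findings:
        by_key.setdefault(f['key'], []).append(f['name'])
    lines = ['Registry::']
    for key, names in by_key.items():
        lines.append('[%s]' % key)
        lines.extend('"%s"=-' % n for n in names)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print('%-10s %s  (%s)' % (h['name'], h['reason'], h['key']))
    print('\nunflagged Run values whose file is missing (cross-check AWF/bak):',
          ', '.join(missing_targets(parse_run_entries(SAMPLE_LOG))))
    print('\n' + build_cfscript(hits))
```

Run it against the full Reg Loading Points section of a log by replacing SAMPLE_LOG; the output block is meant to be read and checked by hand before it is saved as CFScript.txt, since the rules are narrow and a Run value with a stat'able file, however odd its name, is deliberately left alone.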


#9 And then:

  • Topic Starter
  • Members
  • 13 posts

Posted 24 October 2009 - 06:38 PM

OK. Malwarebytes ran successfully after reinstallation. Here are the ComboFix and Malwarebytes logs:


ComboFix 09-10-23.01 - Gregg Waldron 10/24/2009 16:15.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.222 [GMT -4:00]
Running from: c:\documents and settings\Gregg Waldron\Desktop\myapp.exe
Command switches used :: c:\documents and settings\Gregg Waldron\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-23 22:57 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-23 22:57 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-22 03:08 . 2009-10-22 03:08 0 ----a-w- c:\documents and settings\Gregg Waldron\settings.dat
2009-10-21 00:09 . 2009-10-21 00:09 -------- d-----w- c:\documents and settings\Gregg Waldron\Application Data\Malwarebytes
2009-10-21 00:00 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 00:00 . 2009-10-24 14:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 00:00 . 2009-10-21 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 00:00 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-17 15:08 . 2009-10-24 14:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-15 23:51 . 2009-10-15 23:51 -------- d-----w- c:\documents and settings\Gregg Waldron\Local Settings\Application Data\ProDigital
2009-10-15 23:48 . 2009-10-15 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ProDigitalSoftware
2009-10-15 23:47 . 2009-10-15 23:47 -------- d-----w- c:\documents and settings\Gregg Waldron\Application Data\WinBatch
2009-10-02 18:10 . 2009-10-02 18:10 56708 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-01 21:11 . 2009-10-01 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 14:14 . 2008-06-28 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-24 01:34 . 2006-01-02 22:52 -------- d-----w- c:\program files\Dl_cats
2009-10-02 18:09 . 2005-12-18 18:57 69616 -c--a-w- c:\documents and settings\Kelly Williams\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 18:01 . 2007-12-26 02:25 -------- d-----w- c:\documents and settings\Kelly Williams\Application Data\Apple Computer
2009-10-01 21:12 . 2007-12-26 02:24 -------- d-----w- c:\program files\iTunes
2009-10-01 21:11 . 2007-12-26 02:24 -------- d-----w- c:\program files\iPod
2009-10-01 21:11 . 2007-12-26 02:20 -------- d-----w- c:\program files\Common Files\Apple
2009-10-01 21:07 . 2007-12-26 02:23 -------- d-----w- c:\program files\QuickTime
2009-09-20 06:50 . 2005-12-19 03:24 69616 -c--a-w- c:\documents and settings\Gregg Waldron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 21:48 . 2007-01-19 22:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-13 14:20 . 2009-07-27 01:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-06 01:14 . 2009-09-06 01:13 -------- d-----w- c:\program files\RegiStax 5
2009-09-04 21:03 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 23:42 . 2008-09-09 23:01 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:42 . 2007-12-26 02:21 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-08-10 18:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2004-08-10 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-10 19:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-10 19:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-10 19:02 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-10 18:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-10 19:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-09-13 18:44 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-09-13 18:44 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-10 19:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2004-08-10 18:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 14:20 . 2004-08-04 04:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2006-05-08 23:43 . 2005-12-19 03:23 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-22 04:33 . 2009-07-22 04:33 91648 --sha-w- c:\windows\system32\torajigu.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-10-24_14.23.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-12-17 20:59 . 2009-10-24 19:57 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-12-17 20:59 . 2009-10-24 14:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-12-17 20:59 . 2009-10-24 19:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-17 20:59 . 2009-10-24 14:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-24 14:12 . 2009-10-24 14:07 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-10-24 14:12 . 2009-10-24 19:57 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2005-12-17 20:59 . 2009-10-24 19:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-12-17 20:59 . 2009-10-24 14:07 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-12-04 17:46 . 2006-06-20 03:48 94208 c:\documents and settings\Kelly Williams\Desktop\SealedMedia\bak\sealmon.exe

2005-12-08 03:10 . 2004-10-15 01:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe

2005-06-10 16:44 . 2005-06-10 16:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2006-01-02 22:53 . 2005-07-22 13:03 425984 c:\program files\Dell Photo AIO Printer 924\bak\dlccmon.exe

2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe
2009-09-21 20:36 . 2009-09-21 20:36 305440 c:\program files\iTunes\iTunesHelper.exe

2007-11-21 01:28 . 2007-09-25 06:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

2004-08-10 19:01 . 2004-10-13 16:24 1694208 c:\program files\Messenger\bak\msmsgs.exe
2008-08-22 20:15 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

2007-06-13 00:07 . 2007-06-13 00:07 356352 c:\program files\Micro Innovations\Optical Scroll\bak\mouse32a.exe

2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe
2009-09-05 05:54 . 2009-09-05 05:54 417792 c:\program files\QuickTime\QTTask.exe

2003-05-21 06:21 . 2003-05-21 06:21 90112 c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe

2004-08-10 18:51 . 2004-08-04 11:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-10 18:51 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2005-12-08 03:10 . 2005-09-20 13:32 77824 c:\windows\system32\bak\hkcmd.exe

2005-12-08 03:10 . 2005-09-20 13:36 114688 c:\windows\system32\bak\igfxpers.exe

2005-12-08 03:10 . 2005-09-20 13:35 94208 c:\windows\system32\bak\igfxtray.exe

2005-12-08 03:36 . 2005-05-31 10:33 122941 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-13 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupport-"="c:\progra~1\DELLSU~1\DSAgnt.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [N/A]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [N/A]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [N/A]
"igfxtray"="c:\windows\system32\igfxtray.exe" [N/A]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [N/A]
"igfxpers"="c:\windows\system32\igfxpers.exe" [N/A]
"sealmon"="c:\documents and settings\Kelly Williams\Desktop\SealedMedia\sealmon.exe" [N/A]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [N/A]
"FLMOFFICE4DMOUSE"="c:\program files\Micro Innovations\Optical Scroll\mouse32a.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"30511313"="c:\documents and settings\All Users\Application Data\30511313\30511313.exe" [N/A]
"89107227"="c:\documents and settings\All Users\Application Data\89107227\89107227.exe" [N/A]
"72697132"="c:\documents and settings\All Users\Application Data\72697132\72697132.exe" [N/A]
"70739026"="c:\documents and settings\All Users\Application Data\70739026\70739026.exe" [N/A]
"11461518"="c:\docume~1\ALLUSE~1\APPLIC~1\11461518\11461518.exe" [N/A]
"fokegakoj"="c:\windows\system32\mevozeha.dll" [N/A]
"sotisuvebu"="fewohite.dll" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-11 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Evoluent Mouse Manager.lnk - c:\windows\Installer\{D4FE08FD-C342-4A50-AE8B-3E9236DC20ED}\_3490A01862136E4A51872C.exe [2007-10-21 1150]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Portrait Displays\\Shared\\HookManager.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=

R3 evomouflt;Evoluent Mouse filter;c:\windows\system32\drivers\evomouflt.sys [12/11/2006 11:32 PM 12288]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [1/29/2009 6:10 PM 266240]
S2 gupdate1c9b0cbce7aea02;Google Update Service (gupdate1c9b0cbce7aea02);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2009 8:09 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 00:09]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-30 00:09]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-10 00:12]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-08-01 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 16:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_1a7c&Pid_0068\6&12cb7a5&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\program files\Evoluent\VMouse\MouseHook.DLL
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-24 16:53
ComboFix-quarantined-files.txt 2009-10-24 20:52
ComboFix2.txt 2009-10-24 14:39
ComboFix3.txt 2009-10-23 23:42

Pre-Run: 41,307,996,160 bytes free
Post-Run: 41,296,994,304 bytes free

- - End Of File - - 953647D9AE7B698E7ECADEEEE9DDB815



Malwarebytes' Anti-Malware 1.41
Database version: 3027
Windows 5.1.2600 Service Pack 3

10/24/2009 7:22:11 PM
mbam-log-2009-10-24 (19-22-11).txt

Scan type: Quick Scan
Objects scanned: 107327
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{b0e43034-50f5-1f84-8098-824b44f2dbc3} (Adware.Admedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0b63-ff35-4ba9-8be8-aa9eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\lizkavd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fokegakoj (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\30511313 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\89107227 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72697132 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\70739026 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11461518 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sotisuvebu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\torajigu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#10 Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 October 2009 - 07:24 PM

Good news that you could run Malwarebytes.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • You still have some leftovers from an incompletely uninstalled Norton Antivirus on your computer.

    To remove the leftovers please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • If you don't use a Dial-up connection you may uninstall the following program:

    NetWaiting

  • Optional: Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if you are using it:

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it, also remove the following folder: C:\Program Files\Viewpoint

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
  • I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the Posted Image button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note: If it finds nothing, there will be no log to save.

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


#11 And then:

  • Topic Starter

  • Members
  • 13 posts

Posted 25 October 2009 - 11:03 AM

I removed the software per your recommendations and updated Java. Thanks for the info on the file sharing. I'll pass it along to my wife for her consideration.

Here is my ESET log:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6210
# api_version=3.0.2
# EOSSerial=b28212ac17269b4ea59862cfcd313a72
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-25 08:18:35
# local_time=2009-10-25 04:18:35 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=114627
# found=63
# cleaned=63
# scan_time=6836
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp3.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp5.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOleHelp7.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAdvancedVirusRemover19.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPlus.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Gregg Waldron\Application Data\Sun\Java\Deployment\cache\6.0\59\4d13647b-2489ec56 Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\[4]-Submit_2009-10-24_09.35.42.zip multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\11461518\11461518.exe.vir a variant of Win32/Kryptik.AXJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\30511313\30511313.exe.vir a variant of Win32/Kryptik.AVG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\70739026\70739026.exe.vir a variant of Win32/Kryptik.AWF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\72697132\72697132.exe.vir a variant of Win32/Kryptik.AWF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\89107227\89107227.exe.vir a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Gregg Waldron\Application Data\seres.exe.vir a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Gregg Waldron\Application Data\svcst.exe.vir a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AVEngn.dll.vir Win32/Adware.AntiSpyware2010 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\Uninstall.exe.vir Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\lelimafu.exe.vir a variant of Win32/Kryptik.AXJ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\nebiteda.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\regizogu.exe.vir a variant of Win32/Kryptik.AVX trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\yobuwiji.exe.vir a variant of Win32/Kryptik.ALL trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\dbsinit.exe.vir Win32/Adware.WinAntiVirus application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\wispex.html.vir Win32/Adware.WinAntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000007.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000013.exe Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000014.exe Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000017.cpl Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000030.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000047.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000048.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000119.exe Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000134.exe a variant of Win32/Kryptik.AXJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000136.exe a variant of Win32/Kryptik.AVG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000138.exe a variant of Win32/Kryptik.AWF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000140.exe a variant of Win32/Kryptik.AWF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000142.exe a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000147.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000148.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000159.exe Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000160.dll Win32/Adware.AntiSpyware2010 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000167.exe Win32/Adware.XPAntiSpyware.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000168.cpl Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000180.cpl Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000194.exe a variant of Win32/Kryptik.AXJ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000198.exe a variant of Win32/Kryptik.AVX trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000199.exe Win32/Adware.WinAntiVirus application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000201.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000203.exe a variant of Win32/Kryptik.ALL trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000319.exe Win32/Cimag.AU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000320.exe a variant of Win32/Kryptik.AVJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000321.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000322.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000323.exe a variant of Win32/Kryptik.AEJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000324.exe Win32/TrojanDownloader.Small.NJI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000442.dll Win32/Cimag.AU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000443.exe a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000444.exe a variant of Win32/Kryptik.AVV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000454.exe Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#12 Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 October 2009 - 11:18 AM

In fact ESET found almost nothing new. The infected files it found were either in the Spybot folder, the ComboFix quarantine folder (where the removed infections are kept) or in the System Volume Information folder where the restore points are kept. We empty those folders when we uninstall ComboFix.

Please post a fresh DDS log for a final review and tell me how the computer is running now.
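
The triage Farbar does by eye above (a hit under ComboFix's Qoobox quarantine, under a System Restore point, or in Spybot's Recovery archive is a stale copy of something already removed, while a hit anywhere else is a live file that still needs attention) can be done mechanically over the ESET Online Scanner log. The following is an added example written for this page; it is not part of the original thread and not ESET's, ComboFix's or Spybot's own code. It parses result lines in the same shape as the log posted above and sorts each hit by location. The log text is constructed for the example, with made-up paths, threat names and a zeroed digest; the category names, the regular expressions and the path-splitting heuristic are assumptions of this example.

```python
"""Triage an ESET Online Scanner log: separate hits on stale copies
(ComboFix quarantine, System Restore points, Spybot recovery archives)
from hits on live files that still need attention."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tail of an ESET result line: "<path> <threat> (<action>) <32-hex> <flag>".
# Path and threat name share one whitespace-separated field; the action in
# parentheses and the 32-hex digest anchor the right-hand side, and the
# regex backtracks past parentheses inside a path such as "(x86)".
RESULT_RE = re.compile(
    r"^(?P<body>.+?)\s+\((?P<action>[^()]+)\)\s+(?P<digest>[0-9a-fA-F]{32})\s+(?P<flag>\S+)\s*$"
)

# Locations that hold copies of already-removed malware, not live files
# (category names are this example's own).
STALE_LOCATIONS = [
    ("combofix_quarantine", re.compile(r"^[a-z]:\\Qoobox\\Quarantine\\", re.I)),
    ("restore_point", re.compile(r"^[a-z]:\\System Volume Information\\_restore\{", re.I)),
    ("spybot_recovery", re.compile(r"\\Spybot - Search & Destroy\\Recovery\\", re.I)),
]
CATEGORIES = [name for name, _ in STALE_LOCATIONS] + ["live"]


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    digest: str
    category: str


def split_path_and_threat(body: str) -> Optional[Tuple[str, str]]:
    """ESET writes no delimiter between path and threat name, so the path is
    taken to end at the first space after its last backslash.
    Caveat: a file name that itself contains a space would be split wrongly."""
    last_sep = body.rfind("\\")
    if last_sep < 0:
        return None
    end = body.find(" ", last_sep)
    if end < 0:
        return body, ""
    return body[:end], body[end + 1:].strip()


def classify(path: str) -> str:
    for name, pattern in STALE_LOCATIONS:
        if pattern.search(path):
            return name
    return "live"


def parse_eset_log(text: str) -> List[Detection]:
    detections = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue  # banner, "# key=value" summary line or blank line
        parts = split_path_and_threat(m.group("body"))
        if parts is None:
            continue
        path, threat = parts
        detections.append(
            Detection(path, threat, m.group("action"), m.group("digest"), classify(path))
        )
    return detections


def parse_summary(text: str) -> Dict[str, str]:
    """Collect the '# key=value' header lines (found=, cleaned=, ...)."""
    summary = {}
    for line in text.splitlines():
        m = re.match(r"^#\s*(\w+)=(.*)$", line)
        if m:
            summary[m.group(1)] = m.group(2).strip()
    return summary


def count_by_category(detections: List[Detection]) -> Dict[str, int]:
    counts = {name: 0 for name in CATEGORIES}
    for d in detections:
        counts[d.category] += 1
    return counts


def live_detections(detections: List[Detection]) -> List[Detection]:
    return [d for d in detections if d.category == "live"]


# Constructed sample in the ESET Online Scanner format (fake paths, names, digest).
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# EOSSerial=00112233445566778899aabbccddeeff
# found=5
# cleaned=5
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Example1.zip Win32/Example.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\12\1a2b3c4d-5e6f7a8b Java/TrojanDownloader.Example.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\example.exe.vir a variant of Win32/Kryptik.XXX trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe Win32/Adware.Example application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Example App\example.dll probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C
"""

if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_LOG)
    print(count_by_category(found))
    for d in live_detections(found):
        print("LIVE:", d.path, "->", d.threat)
```

Of the five constructed hits, three fall into stale locations and two (a Java deployment cache entry and a DLL under Program Files) are live and would warrant a closer look. The `.vir` suffix on the Qoobox entry is ComboFix's marker for a quarantined copy; the path prefix alone is enough to classify it.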

#13 And then:

  • Topic Starter

  • Members
  • 13 posts

Posted 25 October 2009 - 12:25 PM

The computer is running normally. Here is my DDS log. The other file is attached.


DDS (Ver_09-10-13.01) - NTFSx86
Run by Gregg Waldron at 13:13:17.78 on Sun 10/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.74 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Evoluent\VMouse\EvoMouExec.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Gregg Waldron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport-] "c:\progra~1\dellsu~1\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [sealmon] c:\documents and settings\kelly williams\desktop\sealedmedia\sealmon.exe
mRun: [FLMOFFICE4DMOUSE] c:\program files\micro innovations\optical scroll\mouse32a.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\evolue~1.lnk - c:\windows\installer\{d4fe08fd-c342-4a50-ae8b-3e9236dc20ed}\_3490A01862136E4A51872C.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com.libaccess.fdu.edu/lib/fdu/support/plugins/ebraryRdr.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} - hxxp://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://genzyme.webex.com/client/T26L10NSP49EP4/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4805/mcfscan.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-1-29 266240]
R3 evomouflt;Evoluent Mouse filter;c:\windows\system32\drivers\evomouflt.sys [2006-12-11 12288]
S2 gupdate1c9b0cbce7aea02;Google Update Service (gupdate1c9b0cbce7aea02);c:\program files\google\update\GoogleUpdate.exe [2009-3-29 133104]

=============== Created Last 30 ================

2009-10-25 02:22 <DIR> --d----- c:\program files\ESET
2009-10-25 02:17 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-25 02:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-24 19:02 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 19:02 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-24 19:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 18:57 50,176 a------- c:\windows\system32\proquota.exe
2009-10-23 18:57 50,176 a------- c:\windows\system32\dllcache\proquota.exe
2009-10-23 18:15 <DIR> a-dshr-- C:\cmdcons
2009-10-23 18:10 236,544 a------- c:\windows\PEV.exe
2009-10-23 18:10 161,792 a------- c:\windows\SWREG.exe
2009-10-23 18:10 98,816 a------- c:\windows\sed.exe
2009-10-23 17:52 16,777 a------- c:\windows\yxeda.db
2009-10-22 21:24 12,171 a------- c:\windows\evixaru.lib
2009-10-21 23:08 0 a------- c:\documents and settings\gregg waldron\settings.dat
2009-10-20 20:09 <DIR> --d----- c:\docume~1\greggw~1\applic~1\Malwarebytes
2009-10-20 20:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-17 11:14 96 a------- c:\windows\system32\wwp.htm
2009-10-15 19:48 3,120 a------- c:\windows\system32\WINGMS7.ocx
2009-10-15 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ProDigitalSoftware
2009-10-15 19:47 <DIR> --d----- c:\docume~1\greggw~1\applic~1\WinBatch
2009-10-02 14:10 56,708 a---h--- c:\windows\system32\mlfcache.dat
2009-10-01 17:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2009-09-11 10:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 10:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 17:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 17:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 06:35 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 04:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 04:00 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-06 19:24 327,896 a------- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24 209,632 a------- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24 35,552 a------- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24 53,472 a------- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24 96,480 a------- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23 575,704 a------- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23 1,929,952 a------- c:\windows\system32\dllcache\wuaueng.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 11:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 10:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 10:20 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 10:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2006-05-08 19:43 3,350 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-08-26 18:02 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 13:15:44.20 ===============


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:22 AM

Posted 25 October 2009 - 01:14 PM

Everything looks good. :(
  • Open Notepad (Start > Run and type in Notepad) and make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in the code box into it.

    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
    
    [HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
    @="Microsoft Url Search Hook"
    
    [HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
    @="C:\\WINDOWS\\system32\\ieframe.dll"
    "ThreadingModel"="Apartment"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "0BF43445-2F28-4351-9252-17FE6E806AA0"=-
    
    [-HKEY_CLASSES_ROOT\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "ef99bd32-c1fb-11d2-892f-0090271d4f88"=-
    
    [-HKEY_CLASSES_ROOT\CLSID\{ef99bd32-c1fb-11d2-892f-0090271d4f88}]
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another popup saying that regfix.reg was successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take effect.


  • Go to Start => Run => copy and paste the next command into the field, then hit Enter:

    "%userporfile%\Desktop\myapp.exe" /Uninstall


    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through System Restore.

  • Also delete any other tool we used from your computer.
******

Please consult this article on How To Prevent Malware.

Happy Surfing. :(
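
The regfix.reg above is easier to trust once you can see exactly what importing it will do. The following is an added example, not a tool from this post or from Farbar: a small parser for the Registry Editor 5.00 format that reads the posted fix (embedded inline as a constructed copy), lists which keys are deleted ([-KEY]), which single values are removed ("name"=-), and which values are set, unescaping the doubled backslashes in REG_SZ data. It also checks one thing a reviewer would want before double-clicking a fix: every toolbar CLSID removed from the IE Toolbar list is also deleted under HKEY_CLASSES_ROOT\CLSID, so the component is deregistered and not merely unlisted. The op names (delete_key, ensure_key, delete_value, set_value) are this example's own; non-string data types (dword:, hex:) are kept raw, an assumption that holds for this fix.

```python
"""Parse a Registry Editor 5.00 (.reg) file and summarize what importing it does.
Added example for this thread, not a tool from the post; runs offline."""
import re
from dataclasses import dataclass

# Constructed copy of the regfix.reg posted in this thread.
REGFIX = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
@="Microsoft Url Search Hook"

[HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
@="C:\\WINDOWS\\system32\\ieframe.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"0BF43445-2F28-4351-9252-17FE6E806AA0"=-

[-HKEY_CLASSES_ROOT\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"ef99bd32-c1fb-11d2-892f-0090271d4f88"=-

[-HKEY_CLASSES_ROOT\CLSID\{ef99bd32-c1fb-11d2-892f-0090271d4f88}]
'''

@dataclass
class RegOp:
    kind: str                 # delete_key | ensure_key | delete_value | set_value
    key: str
    name: str = ""            # "" is the key's default value, written as @ in .reg
    data: "str | None" = None

def unescape_reg_string(s: str) -> str:
    """REG_SZ data in a .reg file escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg(text: str) -> list:
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Registry Editor 5.00 file")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):          # [-KEY] deletes the whole subtree
                ops.append(RegOp("delete_key", body[1:]))
                key = None                    # values may not follow a deletion header
            else:                             # [KEY] creates the key if it is missing
                key = body
                ops.append(RegOp("ensure_key", key))
            continue
        if key is None:
            raise ValueError(f"value line outside a key section: {line!r}")
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            raise ValueError(f"unparsable value line: {line!r}")
        name = "" if m.group(1) == "@" else unescape_reg_string(m.group(2))
        rhs = m.group(3)
        if rhs == "-":                        # "name"=- deletes one value
            ops.append(RegOp("delete_value", key, name))
        elif rhs.startswith('"') and rhs.endswith('"'):
            ops.append(RegOp("set_value", key, name, unescape_reg_string(rhs[1:-1])))
        else:                                 # dword:/hex: kept raw (assumption: unused here)
            ops.append(RegOp("set_value", key, name, rhs))
    return ops

def summarize(ops):
    """Return (deleted keys, deleted (key, value) pairs, {(key, value): data})."""
    deleted_keys = [o.key for o in ops if o.kind == "delete_key"]
    deleted_values = [(o.key, o.name) for o in ops if o.kind == "delete_value"]
    set_values = {(o.key, o.name): o.data for o in ops if o.kind == "set_value"}
    return deleted_keys, deleted_values, set_values

def orphan_clsids(ops):
    """Toolbar CLSIDs removed from the IE Toolbar list but left registered under
    HKEY_CLASSES_ROOT CLSID, meaning the component itself would stay loadable."""
    deleted = {o.key.lower() for o in ops if o.kind == "delete_key"}
    orphans = []
    for o in ops:
        if o.kind == "delete_value" and o.key.lower().endswith(r"\internet explorer\toolbar"):
            clsid = o.name.strip("{}").lower()
            if rf"hkey_classes_root\clsid\{{{clsid}}}" not in deleted:
                orphans.append(o.name)
    return orphans

if __name__ == "__main__":
    parsed = parse_reg(REGFIX)
    for op in parsed:
        print(op.kind, op.key, repr(op.name) if "value" in op.kind else "", op.data or "")
    print("toolbar CLSIDs not also deleted under HKCR:", orphan_clsids(parsed))
```

Run against the posted fix, the summary shows three subtree deletions (URLSearchHooks, which is then recreated empty, and the two toolbar CLSIDs), four string values set (the default Microsoft Url Search Hook registration pointing at C:\WINDOWS\system32\ieframe.dll with Apartment threading, plus its Shell Extensions\Approved entry), two toolbar list entries removed, and no orphaned CLSIDs. Reading a fix this way before importing it is cheap and catches both typos in key paths and fixes that unlist a component without deregistering it.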

#15 And then:

And then:
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 25 October 2009 - 01:51 PM

When I try to run the command to uninstall myapp.exe, I get the following error message:

Windows cannot find '%userporfile%\Desktop\myapp.exe'. Make sure you typed the name correctly, and then try again.

Can I just remove myapp.exe with the add / remove programs option?



