
Popups come up in IE when using FireFox for no reason


  • This topic is locked
13 replies to this topic

#1 viza

viza

  • Members
  • 8 posts

Posted 27 October 2009 - 01:54 PM

I recently had a relative use my computer; as she was an adult, I didn't monitor her. She was visiting countless websites like Tagged, MySpace and others like them. After she was through I have been getting popups in Internet Explorer when using Firefox, and some websites like pogo.com do not load on this computer now when they did before. I have done virus scans and the like using McAfee Security Center vr. 9.15 : Build 9.15.135

I have also added a HijackThis log from Trend Micro.
________________________________________________________________________________

DDS (Ver_09-10-26.01) - NTFSx86
Run by Kenneth at 14:35:07.02 on Tue 10/27/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.96 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1151432726\ee\AOLSoftware.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark Z2300 Series\lxdpMsdMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdpserv.exe
C:\WINDOWS\system32\lxdpcoms.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kenneth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [AOL Fast Start] "c:\progra~1\americ~1.0\AOL.EXE" -b
mRun: [HostManager] c:\program files\common files\aol\1151432726\ee\AOLSoftware.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [lxdpmon.exe] "c:\program files\lexmark z2300 series\lxdpmon.exe"
mRun: [lxdpamon] "c:\program files\lexmark z2300 series\lxdpamon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sirivemiy] Rundll32.exe "c:\windows\system32\zututebu.dll",a
dRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxps://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxp://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151427825450
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151428167263
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxps://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v54/wwspades/wwspades.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp.dll
AppInit_DLLs: ranutoka.dll c:\windows\system32\zututebu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: fuyatuteh - {5a783ece-7fbe-4414-9320-fbc6df30a2a2} - c:\windows\system32\zututebu.dll
STS: kupuhivus: {5a783ece-7fbe-4414-9320-fbc6df30a2a2} - c:\windows\system32\zututebu.dll
LSA: Notification Packages = scecli lowakoda.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenneth\applic~1\mozilla\firefox\profiles\j1nv9g9w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - Google.com
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2005-2-23 53248]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [2009-3-30 98984]
S3 CA_LIC_CLNT;CA License Client;"c:\program files\ca\sharedcomponents\ca_lic\\lic98rmt.exe" --> c:\program files\ca\sharedcomponents\ca_lic\\lic98rmt.exe [?]

=============== Created Last 30 ================

2100-02-23 18:35:34 768 ----a-w- c:\program files\x73_lut.dat
2100-02-08 20:03:54 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2009-10-27 18:27:47 0 d-----w- c:\program files\Trend Micro
2009-10-26 13:35:03 0 d-----w- c:\program files\MSECache
2009-10-12 22:58:21 0 d-----w- c:\program files\iPod
2009-10-12 22:57:58 0 d-----w- c:\program files\iTunes
2009-10-12 22:57:58 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-10 03:22:43 0 d-sh--w- C:\found.000
2009-10-01 18:59:54 40611 ----a-w- c:\windows\Run32S40.mch
2009-10-01 18:58:22 697 ----a-w- c:\windows\mfont.dat
2009-10-01 18:58:21 35 ----a-w- c:\windows\A4W.INI
2009-10-01 18:58:21 0 d-----w- c:\windows\A4W_DATA
2009-09-30 00:59:00 67360 ----a-w- c:\docume~1\kenneth\applic~1\GDIPFONTCACHEV1.DAT

==================== Find3M ====================

2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 19:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2001-07-26 20:58:46 47 ----a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 16:46:44 8116 ----a-w- c:\program files\OSLO3071b2.USB
2001-05-08 20:36:42 114688 ----a-w- c:\program files\lxarscan.dll
2001-04-23 18:22:14 1437 ----a-w- c:\program files\gtx73.ini
2009-07-27 06:51:09 51200 --sha-w- c:\windows\system32\dozilibe.dll
2009-07-26 18:51:15 172544 --sha-w- c:\windows\system32\gunawedi.dll
2009-07-27 06:51:09 87552 --sha-w- c:\windows\system32\jaderevo.dll
2009-07-27 06:52:26 51200 --sha-w- c:\windows\system32\kowawese.dll
2009-07-26 18:51:15 81920 --sha-w- c:\windows\system32\litenotu.dll
2009-07-27 06:52:26 51200 --sha-w- c:\windows\system32\lowakoda.dll
2009-07-27 06:52:26 51200 --sha-w- c:\windows\system32\ranutoka.dll
2009-07-27 06:51:09 171520 --sha-w- c:\windows\system32\zututebu.dll
2008-09-07 18:56:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 14:37:26.03 ===============

Edited by viza, 27 October 2009 - 02:21 PM.
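A triage helper for the DDS report above, added here as an example and not part of the post, DDS or HijackThis: it parses the load-point lines (mRun, AppInit_DLLs, SSODL, STS, LSA) together with the Find3M file list, and flags any load point that references a DLL which Find3M lists as hidden+system in system32 (the `--sha-w-` entries), plus any LSA Notification Packages value beyond the Windows default `scecli`. The sample input is a subset of the log lines from this post; reading the attribute letters `s` and `h` as system and hidden is an assumption.

```python
import re

# Constructed sample: a subset of the DDS lines quoted in the post above,
# mixing the benign iTunes/WPD entries with the suspicious ones.
SAMPLE_LOG = r"""
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sirivemiy] Rundll32.exe "c:\windows\system32\zututebu.dll",a
AppInit_DLLs: ranutoka.dll c:\windows\system32\zututebu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: fuyatuteh - {5a783ece-7fbe-4414-9320-fbc6df30a2a2} - c:\windows\system32\zututebu.dll
STS: kupuhivus: {5a783ece-7fbe-4414-9320-fbc6df30a2a2} - c:\windows\system32\zututebu.dll
LSA: Notification Packages = scecli lowakoda.dll

==================== Find3M ====================

2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-27 06:52:26 51200 --sha-w- c:\windows\system32\lowakoda.dll
2009-07-27 06:52:26 51200 --sha-w- c:\windows\system32\ranutoka.dll
2009-07-27 06:51:09 171520 --sha-w- c:\windows\system32\zututebu.dll
"""

# One DDS file entry: date, time, size, 8-character attribute flags, path.
FILE_ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
# Report prefixes that are auto-start / load points in the DDS pseudo-HJT section.
LOAD_POINT_PREFIXES = ("uRun:", "mRun:", "dRun:", "AppInit_DLLs:",
                       "SSODL:", "STS:", "LSA:", "BHO:", "TB:")
DLL_NAME_RE = re.compile(r"[\w~]+\.dll", re.IGNORECASE)
# Windows ships exactly one LSA notification package by default.
DEFAULT_LSA_PACKAGES = {"scecli"}


def parse_file_entries(log):
    """Map lower-cased file basename -> (full path, attribute flags)."""
    entries = {}
    for line in log.splitlines():
        m = FILE_ENTRY_RE.match(line.strip())
        if m:
            attrs, path = m.group(4), m.group(5)
            entries[path.rsplit("\\", 1)[-1].lower()] = (path, attrs)
    return entries


def is_hidden_system(attrs):
    """Assumption: DDS prints 's' for the system and 'h' for the hidden
    attribute, so '--sha-w-' means hidden+system while '----a-w-' does not."""
    return "s" in attrs and "h" in attrs


def triage(log):
    """Return a list of findings, each a dict with kind/load_point/dll/detail."""
    files = parse_file_entries(log)
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line.startswith(LOAD_POINT_PREFIXES):
            continue
        load_point = line.split(":", 1)[0]
        # Heuristic 1: a load point that names a DLL which Find3M shows as
        # hidden+system inside system32 (how the suspicious DLLs in this log look).
        for dll in DLL_NAME_RE.findall(line):
            rec = files.get(dll.lower())
            if rec and is_hidden_system(rec[1]) and "\\system32\\" in rec[0].lower():
                findings.append({"kind": "hidden_system_dll", "load_point": load_point,
                                 "dll": dll, "detail": f"{rec[0]} ({rec[1]})"})
        # Heuristic 2: anything beyond the default LSA notification package
        # runs inside lsass.exe at boot, so extras always deserve a look.
        if line.startswith("LSA: Notification Packages"):
            pkgs = line.split("=", 1)[1].split()
            for extra in (p for p in pkgs if p.lower() not in DEFAULT_LSA_PACKAGES):
                findings.append({"kind": "lsa_nonstandard", "load_point": load_point,
                                 "dll": extra, "detail": "non-default LSA notification package"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['load_point']}: {f['dll']} -> {f['detail']}")
```

Run against the full report, the same two rules pick out every zututebu/ranutoka/lowakoda load point while leaving the Lexmark, McAfee and WPD entries alone.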



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 October 2009 - 01:14 PM

Hi viza,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.


Please download Malwarebytes' Anti-Malware from one of these locations:
malwarebytes.org
majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#3 viza

viza
  • Topic Starter

  • Members
  • 8 posts

Posted 28 October 2009 - 02:41 PM

OK, that's fine with me.

As for installing Malwarebytes' Anti-Malware: I have downloaded it from both websites and installed it, but with each version I get the same error. When trying to run the program a search box comes up saying "Windows is searching for mbam.exe. To locate the file yourself click browse".

I can't find the mbam.exe anywhere.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 October 2009 - 03:25 PM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#5 viza

viza
  • Topic Starter

  • Members
  • 8 posts

Posted 28 October 2009 - 04:47 PM

I received these messages when I used ComboFix:
__________________

McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: Artemis!090580DB84D4 (Trojan), Artemis!090580DB84D4 (Trojan)
Location: C:\32788R22FWJFW\eXereg.exe

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.
__________________________________________________________________
---------------------------
32788R22FWJFW\EXEreg.exe
---------------------------
Windows cannot find '32788R22FWJFW\EXEreg.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
---------------------------
OK
---------------------------
______________________________________________________________________



ComboFix 09-10-27.08 - Kenneth 10/28/2009 17:14.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.153 [GMT -4:00]
Running from: c:\documents and settings\Kenneth\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SelectRebates
c:\recycler\S-1-5-21-1004336348-1482476501-725345543-1004
c:\windows\system32\Data
c:\windows\system32\dozilibe.dll
c:\windows\system32\falefula.dll
c:\windows\system32\gelebefo.dll
c:\windows\system32\gidahumu.dll.tmp
c:\windows\system32\gunawedi.dll
c:\windows\system32\hanupive.dll
c:\windows\system32\jaderevo.dll
c:\windows\system32\kowawese.dll
c:\windows\system32\lajihuga.dll
c:\windows\system32\litenotu.dll
c:\windows\system32\lowakoda.dll
c:\windows\system32\nevipepi.dll
c:\windows\system32\ranutoka.dll
c:\windows\system32\suvuwutu.dll.tmp
c:\windows\system32\tedovitu.dll.tmp
c:\windows\system32\vowihuvi.dll
c:\windows\system32\zututebu.dll
c:\windows\Tasks\gupgpnwh.job

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2100-02-23 18:35 . 2001-02-22 13:54 768 ----a-w- c:\program files\x73_lut.dat
2100-02-08 20:03 . 2001-05-11 15:39 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2009-10-28 19:33 . 2009-10-28 19:33 -------- d-----w- c:\documents and settings\Kenneth\Application Data\Malwarebytes
2009-10-28 19:33 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 19:33 . 2009-10-28 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 19:33 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 19:33 . 2009-10-28 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 18:38 . 2009-10-27 18:38 0 ----a-w- c:\documents and settings\Kenneth\settings.dat
2009-10-27 18:27 . 2009-10-27 18:27 -------- d-----w- c:\program files\Trend Micro
2009-10-26 23:03 . 2009-10-26 23:03 -------- d-----w- c:\documents and settings\Kenneth\Local Settings\Application Data\AOL OCP
2009-10-26 21:55 . 2009-10-26 21:55 -------- d-----w- c:\documents and settings\Kenneth\Local Settings\Application Data\WorldWinner.com
2009-10-26 13:35 . 2009-10-26 13:35 -------- d-----w- c:\program files\MSECache
2009-10-16 07:23 . 2009-10-16 07:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-12 22:58 . 2009-10-12 22:58 -------- d-----w- c:\program files\iPod
2009-10-12 22:57 . 2009-10-12 22:59 -------- d-----w- c:\program files\iTunes
2009-10-12 22:57 . 2009-10-12 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-10 03:22 . 2009-10-10 03:22 -------- d-----w- C:\found.000
2009-10-01 18:58 . 2009-10-01 18:58 697 ----a-w- c:\windows\mfont.dat
2009-10-01 18:58 . 2009-10-01 19:03 -------- d-----w- c:\windows\A4W_DATA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 14:00 . 2006-07-15 07:00 -------- d-----w- c:\program files\Pix2Fone
2009-10-26 23:04 . 2009-06-10 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-10-26 01:47 . 2007-10-07 05:53 -------- d-----w- c:\program files\McAfee
2009-10-21 04:10 . 2009-08-01 23:42 -------- d-----w- c:\documents and settings\Kenneth\Application Data\Apple Computer
2009-10-12 22:58 . 2009-08-01 23:36 -------- d-----w- c:\program files\Common Files\Apple
2009-10-12 22:55 . 2006-06-27 18:26 -------- d-----w- c:\program files\QuickTime
2009-09-27 01:20 . 2006-06-29 00:54 -------- d-----w- c:\program files\Java
2009-09-24 20:03 . 2006-06-28 16:04 67360 -c--a-w- c:\documents and settings\Kenneth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 14:22 . 2007-10-07 05:55 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-10-07 05:55 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-10-07 05:55 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-10-07 05:55 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-10-07 05:55 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 23:26 . 2006-06-28 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-11 14:18 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-04-28 14:58 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 19:09 . 2009-08-20 19:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 23:24 . 2006-06-27 17:06 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-05-26 08:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-06-27 17:06 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-06-27 17:06 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2006-06-27 16:39 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-09-03 16:28 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-06-27 17:06 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-06-27 17:11 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2006-06-27 16:39 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 23:23 . 2005-05-26 08:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2002-09-03 16:46 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2002-09-03 16:50 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2001-07-26 20:58 . 2000-01-11 16:50 47 ----a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 16:46 . 2001-07-20 14:48 8116 ----a-w- c:\program files\OSLO3071b2.USB
2001-05-08 20:36 . 2000-12-05 19:56 114688 ----a-w- c:\program files\lxarscan.dll
2001-04-23 18:22 . 2100-02-08 19:53 1437 ----a-w- c:\program files\gtx73.ini
2008-12-26 03:55 . 2006-08-10 02:24 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-26 03:55 . 2006-08-10 02:24 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-26 03:55 . 2008-03-01 11:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-26 03:55 . 2008-03-01 11:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-26 03:55 . 2006-08-10 02:24 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AOL Fast Start"="c:\progra~1\AMERIC~1.0\AOL.EXE" [2005-07-12 50776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1151432726\ee\AOLSoftware.exe" [2008-06-24 41824]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-03-15 99480]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2005-09-13 487424]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-11 180269]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2008-03-27 656040]
"lxdpamon"="c:\program files\Lexmark Z2300 Series\lxdpamon.exe" [2008-03-27 16040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2006-07-29 5354792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Neopets\\Toolbar\\toolbar.dll"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1151432726\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdpcoms.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
"c:\\WINDOWS\\system32\\lxdpcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpwbgw.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2/23/2005 4:56 PM 53248]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [3/30/2009 12:31 AM 98984]
S3 CA_LIC_CLNT;CA License Client;"c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe" --> c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-10-07 16:22]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-10-07 16:22]

2009-10-28 c:\windows\Tasks\User_Feed_Synchronization-{261F48E1-ACE5-4000-BAFA-0168EE7F2CDB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kenneth\Application Data\Mozilla\Firefox\Profiles\j1nv9g9w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - Google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{eb150611-51d2-421e-b1dc-8aebd9954883} - kowawese.dll
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKLM-Run-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
HKLM-Run-sirivemiy - c:\windows\system32\hanupive.dll
HKLM-Run-bepobafoka - lowakoda.dll
SharedTaskScheduler-{5f3f6730-bead-47ad-80ea-11ac82fd4739} - c:\windows\system32\hanupive.dll
SSODL-tavuwavam-{5f3f6730-bead-47ad-80ea-11ac82fd4739} - c:\windows\system32\hanupive.dll
AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 17:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2112)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdpcoms.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\combofix\CF10098.exe
c:\program files\Pure Networks\Network Magic\nmsrvc.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Pure Networks\Router Service\pnroutsv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Lexmark Z2300 Series\lxdpMsdMon.exe
c:\progra~1\AMERIC~1.0\waol.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\AMERIC~1.0\shellmon.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 17:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 21:43

Pre-Run: 23,857,528,832 bytes free
Post-Run: 24,077,688,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 5B8C857A8AA60FE451EF28654E12D622

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 October 2009 - 05:12 PM

Why didn't you disable McAfee as instructed?

Please delete your copy of ComboFix.
Disable McAfee as instructed.
Download a fresh copy of ComboFix and run it again.

#7 viza

viza
  • Topic Starter

  • Members
  • 8 posts

Posted 28 October 2009 - 05:59 PM

Here you go. I thought that I had it all the way disabled the first time, but McAfee is so confusing when it comes to disabling things. There's not just one disable button to do it all =/

--------------------------------------------------------------------------------------------------------------
ComboFix 09-10-27.08 - Kenneth 10/28/2009 18:43.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.194 [GMT -4:00]
Running from: c:\documents and settings\Kenneth\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2100-02-23 18:35 . 2001-02-22 13:54 768 ----a-w- c:\program files\x73_lut.dat
2100-02-08 20:03 . 2001-05-11 15:39 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2009-10-28 19:33 . 2009-10-28 19:33 -------- d-----w- c:\documents and settings\Kenneth\Application Data\Malwarebytes
2009-10-28 19:33 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 19:33 . 2009-10-28 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 19:33 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 19:33 . 2009-10-28 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 18:38 . 2009-10-27 18:38 0 ----a-w- c:\documents and settings\Kenneth\settings.dat
2009-10-27 18:27 . 2009-10-27 18:27 -------- d-----w- c:\program files\Trend Micro
2009-10-26 23:03 . 2009-10-26 23:03 -------- d-----w- c:\documents and settings\Kenneth\Local Settings\Application Data\AOL OCP
2009-10-26 21:55 . 2009-10-26 21:55 -------- d-----w- c:\documents and settings\Kenneth\Local Settings\Application Data\WorldWinner.com
2009-10-26 13:35 . 2009-10-26 13:35 -------- d-----w- c:\program files\MSECache
2009-10-16 07:23 . 2009-10-16 07:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-12 22:58 . 2009-10-12 22:58 -------- d-----w- c:\program files\iPod
2009-10-12 22:57 . 2009-10-12 22:59 -------- d-----w- c:\program files\iTunes
2009-10-12 22:57 . 2009-10-12 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-10 03:22 . 2009-10-10 03:22 -------- d-----w- C:\found.000
2009-10-01 18:58 . 2009-10-01 18:58 697 ----a-w- c:\windows\mfont.dat
2009-10-01 18:58 . 2009-10-01 19:03 -------- d-----w- c:\windows\A4W_DATA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 14:00 . 2006-07-15 07:00 -------- d-----w- c:\program files\Pix2Fone
2009-10-26 23:04 . 2009-06-10 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-10-26 01:47 . 2007-10-07 05:53 -------- d-----w- c:\program files\McAfee
2009-10-21 04:10 . 2009-08-01 23:42 -------- d-----w- c:\documents and settings\Kenneth\Application Data\Apple Computer
2009-10-12 22:58 . 2009-08-01 23:36 -------- d-----w- c:\program files\Common Files\Apple
2009-10-12 22:55 . 2006-06-27 18:26 -------- d-----w- c:\program files\QuickTime
2009-09-27 01:20 . 2006-06-29 00:54 -------- d-----w- c:\program files\Java
2009-09-24 20:03 . 2006-06-28 16:04 67360 -c--a-w- c:\documents and settings\Kenneth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 14:22 . 2007-10-07 05:55 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-10-07 05:55 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-10-07 05:55 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-10-07 05:55 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-10-07 05:55 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 23:26 . 2006-06-28 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-11 14:18 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-04-28 14:58 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 19:09 . 2009-08-20 19:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 23:24 . 2006-06-27 17:06 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-05-26 08:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-06-27 17:06 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-06-27 17:06 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2006-06-27 16:39 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-09-03 16:28 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-06-27 17:06 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-06-27 17:11 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2006-06-27 16:39 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 23:23 . 2005-05-26 08:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2002-09-03 16:46 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2001-07-26 20:58 . 2000-01-11 16:50 47 ----a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 16:46 . 2001-07-20 14:48 8116 ----a-w- c:\program files\OSLO3071b2.USB
2001-05-08 20:36 . 2000-12-05 19:56 114688 ----a-w- c:\program files\lxarscan.dll
2001-04-23 18:22 . 2100-02-08 19:53 1437 ----a-w- c:\program files\gtx73.ini
2008-12-26 03:55 . 2006-08-10 02:24 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-26 03:55 . 2006-08-10 02:24 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-26 03:55 . 2008-03-01 11:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-26 03:55 . 2008-03-01 11:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-26 03:55 . 2006-08-10 02:24 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-28_21.28.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-06-27 16:46 . 2009-10-28 22:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-06-27 16:46 . 2009-10-28 18:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-28 22:11 . 2009-10-28 22:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AOL Fast Start"="c:\progra~1\AMERIC~1.0\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1151432726\ee\AOLSoftware.exe" [2008-06-24 41824]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-03-15 99480]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2005-09-13 487424]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-11 180269]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2008-03-27 656040]
"lxdpamon"="c:\program files\Lexmark Z2300 Series\lxdpamon.exe" [2008-03-27 16040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2006-07-29 5354792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Neopets\\Toolbar\\toolbar.dll"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1151432726\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdpcoms.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
"c:\\WINDOWS\\system32\\lxdpcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpwbgw.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2/23/2005 4:56 PM 53248]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [3/30/2009 12:31 AM 98984]
S3 CA_LIC_CLNT;CA License Client;"c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe" --> c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-10-07 16:22]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-10-07 16:22]

2009-10-28 c:\windows\Tasks\User_Feed_Synchronization-{261F48E1-ACE5-4000-BAFA-0168EE7F2CDB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kenneth\Application Data\Mozilla\Firefox\Profiles\j1nv9g9w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - Google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 18:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2012)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-28 18:53
ComboFix-quarantined-files.txt 2009-10-28 22:52
ComboFix2.txt 2009-10-28 21:44

Pre-Run: 24,136,306,688 bytes free
Post-Run: 24,119,300,096 bytes free

- - End Of File - - 9E1385636057FFA4EBFA7B3CD58C34D0

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 October 2009 - 06:11 PM

Well done. :(

Indeed, McAfee is difficult to deal with.

Please enable McAfee again after running ComboFix.
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
    TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"="http://windowsupdate.microsoft.com/"
    "Completed"=hex:01,00
    SkipFix::

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log into your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.


  • Please uninstall Malwarebytes. Remove all its folders (you can also use Windows search to find and delete the folders):
    c:\program files\Malwarebytes' Anti-Malware
    c:\documents and settings\Kenneth\Application Data\Malwarebytes

    Then follow the instructions in the previous post to install it, run it, let it remove what it finds, and post the log.
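As an added example (not code from this thread, from ComboFix, or from its authors): a small Python parser for the REGEDIT4-style "Reg Loading Points" section of a ComboFix log. It flags the two weakened-defence settings visible in the logs posted above, Security Center monitoring suppressed with `"DisableMonitoring"=dword:00000001` and the Windows Firewall standard profile switched off with `"EnableFirewall"= 0`, and emits the `Registry::` lines of a CFScript fix in the same shape as the helper's script, deleting the DisableMonitoring values. The log excerpt embedded below is constructed from lines of the kind seen in this thread, and the function names are my own.

```python
import re

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" section
# (assembled for this example; value lines mimic those seen in the thread).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [key path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=raw value text


def parse_reg_points(text):
    """Map each [key path] to a dict of value-name -> raw value text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def find_weakened_defences(sections):
    """Return (finding, key_path, detail) tuples for settings that silence
    Security Center or turn off the Windows Firewall standard profile."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if r"security center\monitoring" in k and \
                values.get("DisableMonitoring", "").lower() == "dword:00000001":
            # Security Center will stay quiet about this product's state.
            product = key.rsplit("\\", 1)[-1]
            findings.append(("security-center-monitoring-off", key, product))
        if k.endswith(r"firewallpolicy\standardprofile") and \
                values.get("EnableFirewall", "").startswith("0"):
            # Informational: expected when a third-party firewall is in charge.
            findings.append(("windows-firewall-off", key, "standardprofile"))
    return findings


def cfscript_registry_fix(findings):
    """Emit a Registry:: block (same shape as the helper's CFScript) that
    deletes the DisableMonitoring values; '=-' is REGEDIT4's delete syntax."""
    lines = ["Registry::"]
    for kind, key, _ in findings:
        if kind == "security-center-monitoring-off":
            lines.append(f"[{key}]")
            lines.append('"DisableMonitoring"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_weakened_defences(parse_reg_points(SAMPLE_LOG))
    for kind, key, detail in found:
        print(f"{kind:32} {detail:16} {key}")
    print(cfscript_registry_fix(found))
```

The script only reports and drafts; it does not touch the registry. `EnableFirewall` being 0 is reported as informational because it is the normal state when a third-party product such as McAfee Personal Firewall manages the host firewall, as in this thread, so the reviewer, not the parser, decides whether each finding belongs in the CFScript.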


#9 viza

viza
  • Topic Starter

  • Members
  • 8 posts

Posted 28 October 2009 - 07:09 PM

Hope I got them right :(
______________________________________________________________________________

ComboFix 09-10-27.08 - Kenneth 10/28/2009 19:33.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.176 [GMT -4:00]
Running from: c:\documents and settings\Kenneth\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kenneth\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2100-02-23 18:35 . 2001-02-22 13:54 768 ----a-w- c:\program files\x73_lut.dat
2100-02-08 20:03 . 2001-05-11 15:39 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2009-10-28 19:33 . 2009-10-28 19:33 -------- d-----w- c:\documents and settings\Kenneth\Application Data\Malwarebytes
2009-10-28 19:33 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 19:33 . 2009-10-28 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 19:33 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 19:33 . 2009-10-28 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 18:38 . 2009-10-27 18:38 0 ----a-w- c:\documents and settings\Kenneth\settings.dat
2009-10-27 18:27 . 2009-10-27 18:27 -------- d-----w- c:\program files\Trend Micro
2009-10-26 23:03 . 2009-10-26 23:03 -------- d-----w- c:\documents and settings\Kenneth\Local Settings\Application Data\AOL OCP
2009-10-26 21:55 . 2009-10-26 21:55 -------- d-----w- c:\documents and settings\Kenneth\Local Settings\Application Data\WorldWinner.com
2009-10-26 13:35 . 2009-10-26 13:35 -------- d-----w- c:\program files\MSECache
2009-10-16 07:23 . 2009-10-16 07:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-12 22:58 . 2009-10-12 22:58 -------- d-----w- c:\program files\iPod
2009-10-12 22:57 . 2009-10-12 22:59 -------- d-----w- c:\program files\iTunes
2009-10-12 22:57 . 2009-10-12 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-10 03:22 . 2009-10-10 03:22 -------- d-----w- C:\found.000
2009-10-01 18:58 . 2009-10-01 18:58 697 ----a-w- c:\windows\mfont.dat
2009-10-01 18:58 . 2009-10-01 19:03 -------- d-----w- c:\windows\A4W_DATA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 14:00 . 2006-07-15 07:00 -------- d-----w- c:\program files\Pix2Fone
2009-10-26 23:04 . 2009-06-10 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-10-26 01:47 . 2007-10-07 05:53 -------- d-----w- c:\program files\McAfee
2009-10-21 04:10 . 2009-08-01 23:42 -------- d-----w- c:\documents and settings\Kenneth\Application Data\Apple Computer
2009-10-12 22:58 . 2009-08-01 23:36 -------- d-----w- c:\program files\Common Files\Apple
2009-10-12 22:55 . 2006-06-27 18:26 -------- d-----w- c:\program files\QuickTime
2009-09-27 01:20 . 2006-06-29 00:54 -------- d-----w- c:\program files\Java
2009-09-24 20:03 . 2006-06-28 16:04 67360 -c--a-w- c:\documents and settings\Kenneth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 14:22 . 2007-10-07 05:55 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-10-07 05:55 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-10-07 05:55 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-10-07 05:55 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-10-07 05:55 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 23:26 . 2006-06-28 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-11 14:18 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-04-28 14:58 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 19:09 . 2009-08-20 19:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 23:24 . 2006-06-27 17:06 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-05-26 08:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-06-27 17:06 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-06-27 17:06 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2006-06-27 16:39 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-09-03 16:28 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-06-27 17:06 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-06-27 17:11 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2006-06-27 16:39 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 23:23 . 2005-05-26 08:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2002-09-03 16:46 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2001-07-26 20:58 . 2000-01-11 16:50 47 ----a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 16:46 . 2001-07-20 14:48 8116 ----a-w- c:\program files\OSLO3071b2.USB
2001-05-08 20:36 . 2000-12-05 19:56 114688 ----a-w- c:\program files\lxarscan.dll
2001-04-23 18:22 . 2100-02-08 19:53 1437 ----a-w- c:\program files\gtx73.ini
2008-12-26 03:55 . 2006-08-10 02:24 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-26 03:55 . 2006-08-10 02:24 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-26 03:55 . 2008-03-01 11:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-26 03:55 . 2008-03-01 11:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-26 03:55 . 2006-08-10 02:24 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-28_21.28.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-06-27 16:46 . 2009-10-28 22:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-06-27 16:46 . 2009-10-28 18:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AOL Fast Start"="c:\progra~1\AMERIC~1.0\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1151432726\ee\AOLSoftware.exe" [2008-06-24 41824]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-03-15 99480]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2005-09-13 487424]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-11 180269]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2008-03-27 656040]
"lxdpamon"="c:\program files\Lexmark Z2300 Series\lxdpamon.exe" [2008-03-27 16040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2006-07-29 5354792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Neopets\\Toolbar\\toolbar.dll"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1151432726\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdpcoms.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
"c:\\WINDOWS\\system32\\lxdpcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpwbgw.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2/23/2005 4:56 PM 53248]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [3/30/2009 12:31 AM 98984]
S3 CA_LIC_CLNT;CA License Client;"c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe" --> c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-10-07 16:22]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-10-07 16:22]

2009-10-28 c:\windows\Tasks\User_Feed_Synchronization-{261F48E1-ACE5-4000-BAFA-0168EE7F2CDB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kenneth\Application Data\Mozilla\Firefox\Profiles\j1nv9g9w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - Google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 19:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-28 19:37
ComboFix-quarantined-files.txt 2009-10-28 23:36
ComboFix2.txt 2009-10-28 22:53
ComboFix3.txt 2009-10-28 21:44

Pre-Run: 24,133,894,144 bytes free
Post-Run: 24,116,342,784 bytes free

- - End Of File - - F35E573BC20DA5404734E7BDB186C2FA



_________________________________________________________________________________________

Malwarebytes' Anti-Malware 1.41
Database version: 3050
Windows 5.1.2600 Service Pack 3

10/28/2009 8:08:08 PM
mbam-log-2009-10-28 (20-08-08).txt

Scan type: Quick Scan
Objects scanned: 109001
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:41 AM

Posted 28 October 2009 - 07:40 PM

You have done it very well.

We want to make sure nothing is left. If ESET found anything in System Volume Information (where the system restores are kept) or Quarantine folder (the removed infections by ComboFix) don't worry about them. We will empty those folders at the end.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
  • I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the Posted Image button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note: If it finds nothing, there will be no log to save.

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


#11 viza

viza
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:41 AM

Posted 29 October 2009 - 08:13 AM

ESET scan log:


C:\Qoobox\Quarantine\C\WINDOWS\system32\dozilibe.dll.vir a variant of Win32/Adware.SuperJuan.K application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\falefula.dll.vir a variant of Win32/Adware.Virtumonde.NFY application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\gelebefo.dll.vir a variant of Win32/AntiAV.NDE trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\gunawedi.dll.vir a variant of Win32/Kryptik.AVX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\hanupive.dll.vir a variant of Win32/Adware.Virtumonde.NFY application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\kowawese.dll.vir a variant of Win32/Adware.SuperJuan.K application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\lajihuga.dll.vir a variant of Win32/AntiAV.NDE trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\lowakoda.dll.vir a variant of Win32/Adware.SuperJuan.K application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\nevipepi.dll.vir a variant of Win32/Adware.Virtumonde.NFY application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ranutoka.dll.vir a variant of Win32/Adware.SuperJuan.K application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\vowihuvi.dll.vir a variant of Win32/AntiAV.NDE trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\zututebu.dll.vir a variant of Win32/Kryptik.AVX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206173.dll a variant of Win32/Adware.SuperJuan.K application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206174.dll a variant of Win32/Adware.Virtumonde.NFY application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206175.dll a variant of Win32/AntiAV.NDE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206176.dll a variant of Win32/Kryptik.AVX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206178.dll a variant of Win32/Adware.SuperJuan.K application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206180.dll a variant of Win32/Adware.SuperJuan.K application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206181.dll a variant of Win32/Adware.Virtumonde.NFY application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206182.dll a variant of Win32/Adware.SuperJuan.K application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206183.dll a variant of Win32/AntiAV.NDE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206184.dll a variant of Win32/Kryptik.AVX trojan cleaned by deleting - quarantined

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:41 AM

Posted 29 October 2009 - 09:02 AM

ESET actually found nothing other than those already removed, or those that we would remove anyway.

Everything looks good. :(


Go to Start => Run => copy and paste the next command into the field, then hit Enter:

ComboFix /u


This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.


Happy surfing, viza!

#13 viza

viza
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:41 AM

Posted 29 October 2009 - 03:22 PM

Thank you!! Everything is working great and it all runs so much faster now.

Can I ask what it was my computer had? :(

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:41 AM

Posted 29 October 2009 - 04:36 PM

can i ask what it was my computer had?

If you look at the ESET flagged files (already removed by ComboFix) and see the log of Malwarebytes, you see various kinds of infections.

Glad I could help.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
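Farbar's last reply points at the ESET and Malwarebytes logs as the record of what the machine had, and his earlier reply says that ESET hits under ComboFix's Quarantine folder or under System Volume Information can be ignored because those folders get emptied at the end. As an added example that is not part of the thread and not a tool used by anyone in it, here is a Python script that parses the two log formats as they appear above, tallies detections by family, and separates hits in those two "already handled" locations from anything found in a live location. The sample log text is constructed for the example: a few entries are copied from the thread, and the third ESET line (a Temp-folder path) is made up to show what a live hit looks like.

```python
"""Tally detections from Malwarebytes 1.x and ESET Online Scanner text logs.

Added example for this thread; not a tool used by the helpers on this page.
Line formats are modelled on the logs posted above; the sample text is
constructed, with a few entries copied from the thread.
"""
import re
from collections import Counter

# Malwarebytes 1.x detection line: "<key or path> (<Family>) -> <action>."
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers such as "Registry Keys Infected:" (the summary lines with a
# trailing count, e.g. "Files Infected: 0", deliberately do not match).
MBAM_SECTION = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# ESET line: "<path> [probably ]a variant of <Platform>/<Family> [<kind>] <action>"
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?:(?:probably )?a variant of )?"
    r"(?P<family>(?:Win32|Win64|JS|HTML|VBS|Java|MSIL)/\S+) "
    r"(?:(?P<kind>application|trojan|worm|virus) )?"
    r"(?P<action>.+)$"
)

# Constructed sample input (first two ESET lines and both MBAM lines are
# copied from the thread; the Temp-folder ESET line is made up).
MBAM_SAMPLE = r"""
Malwarebytes' Anti-Malware 1.41
Registry Keys Infected: 2
Files Infected: 0

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

ESET_SAMPLE = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\dozilibe.dll.vir a variant of Win32/Adware.SuperJuan.K application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9DAFE4C8-7B05-4313-AB07-5570260C2E05}\RP2078\A0206176.dll a variant of Win32/Kryptik.AVX trojan cleaned by deleting - quarantined
C:\Documents and Settings\User\Local Settings\Temp\sample.tmp a variant of Win32/Kryptik.AVX trojan cleaned by deleting - quarantined
"""


def classify_location(path):
    """Return where an ESET hit lives: ComboFix's quarantine, a System Restore
    point, or a live location that still needs attention."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"
    if "\\system volume information\\" in p:
        return "system_restore"
    return "live"


def parse_mbam(text):
    """Return one dict per detection line, tagged with its section header."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = MBAM_SECTION.match(line)
        if m:
            section = m.group("section")
            continue
        m = MBAM_LINE.match(line)
        if m and section:
            records.append({"section": section, "item": m.group("item"),
                            "family": m.group("family"), "action": m.group("action")})
    return records


def parse_eset(text):
    """Return one dict per ESET detection line, with a location class."""
    records = []
    for raw in text.splitlines():
        m = ESET_LINE.match(raw.strip())
        if m:
            records.append({"path": m.group("path"), "family": m.group("family"),
                            "kind": m.group("kind"), "action": m.group("action"),
                            "location": classify_location(m.group("path"))})
    return records


def summarize(mbam_records, eset_records):
    """Count detections by family and list ESET hits outside the two folders
    that the cleanup procedure empties anyway."""
    families = Counter(r["family"] for r in mbam_records)
    families.update(r["family"] for r in eset_records)
    live_hits = [r["path"] for r in eset_records if r["location"] == "live"]
    return {"families": families,
            "total": len(mbam_records) + len(eset_records),
            "live_hits": live_hits}


if __name__ == "__main__":
    summary = summarize(parse_mbam(MBAM_SAMPLE), parse_eset(ESET_SAMPLE))
    for family, n in summary["families"].most_common():
        print(f"{n:3d}  {family}")
    print("hits outside quarantine/restore points:", summary["live_hits"])
```

Run it as-is to see the family tally for the sample, or feed it the saved ESET log (Farbar's reply above gives its path) and the mbam-log text by reading those files into the two parse functions. A hit classified as `live` is the one case where the "don't worry about them" advice does not apply.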



