Infected with a virus which opens Internet Explorer


This topic is locked
20 replies to this topic

#1 Optimistic1 (Members, 12 posts)

Posted 11 January 2010 - 03:31 PM

This virus opens Internet Explorer and accesses various websites. I don't think the sites themselves are particularly dangerous - online poker, MadBid auction site, travel sites etc etc.

This virus will open a new IE window whether I have IE already open or not.

(Edit added 12 Jan 09: I have identified b.exe running multiple sessions. I do not know if b.exe causes the problem which is the subject of this post, or if it is a separate problem)

Any help gratefully received!

Here is the DDS text log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Jeff at 19:28:17.68 on 11/01/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1918.276 [GMT 0:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\system32\PGPserv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Xobni\XobniService.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\msb.exe
C:\Users\Jeff\AppData\Local\Temp\b.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Jeff\AppData\Local\Temp\b.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\mobsync.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\T-Mobile\web'n'walk Manager\WTGU.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jeff\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = ${URL_SEARCHPAGE}
uStart Page = hxxp://www.racingpost.com/
mSearch Page = ${URL_SEARCHPAGE}
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus Office B40W(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiele.exe /fu "c:\windows\temp\E_SFEAA.tmp" /EF "HKCU"
uRun: [EPSON Stylus Office B40W(Network) (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiele.exe /fu "c:\windows\temp\E_SC10E.tmp" /EF "HKCU"
uRun: [Updater shortcut] c:\program files\t-mobile\web'n'walk manager\WTGU.exe
uRun: [Monopod] c:\users\jeff\appdata\local\temp\b.exe
uRun: [agent.exe] c:\users\jeff\appdata\roaming\pc\agent.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [LosAlamos] rundll32.exe c:\windows\system32\sshnas.dll,AddConsoleAliasAW
uRun: [E8WECRKKMV] c:\users\jeff\appdata\local\temp\b.exe
uRun: [eMuleAutoStart] c:\program files\emule\emule.exe -AutoStart
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NDSTray.exe] NDSTray.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_wcm_McciTrayApp] "c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe"
mRun: [DataCardMonitor] c:\program files\t-mobile\web'n'walk manager\DataCardMonitor.exe
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\jeff\appdata\roaming\micros~1\windows\startm~1\programs\startup\trdcre~1.lnk - c:\program files\toshiba\trdcreminder\TRDCReminder.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{e2957f3d-0f9d-413f-b071-60380ce43617}\Icon6560581611.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: PGPmapih.dll
LSA: Notification Packages = scecli PGPpwflt

================= FIREFOX ===================

FF - ProfilePath - c:\users\jeff\appdata\roaming\mozilla\firefox\profiles\njd61dmb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mytalktalk.co.uk
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBTEmailConfig.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-19 214664]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-3-19 187904]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-19 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-19 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-19 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-19 34248]

=============== Created Last 30 ================

2010-01-11 18:05:50 0 d-----w- c:\programdata\Citrix
2010-01-11 18:01:29 0 d-----w- c:\program files\Citrix
2010-01-11 18:01:08 61224 ----a-w- c:\users\jeff\GoToAssistDownloadHelper.exe
2010-01-11 17:43:00 0 d-----w- c:\users\jeff\appdata\roaming\McAfee
2010-01-11 16:22:27 192512 ----a-w- c:\windows\msb.exe
2010-01-11 13:26:06 0 d-----w- c:\program files\K-Lite Codec Pack
2010-01-10 09:47:39 192512 ----a-w- c:\windows\msa.exe
2010-01-10 09:46:36 233984 ----a-w- c:\windows\system32\sshnas.dll
2010-01-07 18:25:00 68128 ----a-w- c:\windows\system32\bbebadfda.dll
2010-01-07 18:25:00 0 d-----w- c:\programdata\boost_interprocess
2010-01-07 18:24:57 165920 ----a-w- c:\windows\bbebadfda.exe
2010-01-07 18:24:53 0 d-----w- c:\users\jeff\appdata\roaming\Multi File Downloader
2010-01-07 17:32:11 0 d-----w- c:\programdata\eMule
2010-01-07 15:31:47 0 d-----w- c:\program files\Conduit
2010-01-07 15:31:37 0 d-----w- c:\program files\ToggleEN
2010-01-07 13:04:30 0 d-----w- c:\program files\Xobni
2010-01-06 13:23:49 0 d-----w- c:\users\jeff\appdata\roaming\Azureus
2010-01-06 13:23:11 0 d-----w- c:\program files\AskBarDis
2010-01-04 21:36:18 0 d-----w- c:\programdata\FileCure

==================== Find3M ====================

2010-01-05 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-12 14:15:30 178176 ----a-w- c:\windows\system32\unrar.dll
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-18 08:12:21 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-18 08:12:21 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 08:12:21 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-18 08:12:20 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-18 08:11:58 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-03 08:00:38 8151784 ----a-w- c:\users\jeff\Babylon8_setup.exe
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-17 12:10:48 3438783 ----a-w- c:\users\jeff\InstallRarZilla2.55.exe
2009-10-17 12:01:47 5696860 ----a-w- c:\users\jeff\peazip-2.7.WIN64.exe
2009-10-16 07:51:07 253440 ----a-w- c:\users\jeff\freezip.exe
2009-10-15 16:48:26 5234424 ----a-w- c:\users\jeff\jZipV1.exe
2009-10-15 12:24:44 904984 ----a-w- c:\users\jeff\cuz4_setup.exe
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2007-11-14 11:01:17 1131976 ----a-w- c:\program files\erase-setup-0003.exe
2007-06-25 08:29:19 16508560 ----a-w- c:\program files\win-jre-1.5.0-09[1]
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:31:54.43 ===============

Edited by Optimistic1, 12 January 2010 - 08:32 AM.
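A triage pass over the DDS log above, written as an added example for this thread (it is not DDS's, BleepingComputer's or either poster's code). It automates the cues a responder reads by eye in such a log: autorun entries pointing into a Temp folder, one binary registered under several autorun names, a rundll32 autorun whose DLL also appears in the "Created Last 30" list, and new executables dropped directly into c:\windows. The line formats and the heuristics are my assumptions about DDS output; SAMPLE is a short excerpt copied from the log in this post.

```python
import re
from collections import defaultdict

# Excerpt copied from the DDS log in post #1 (a constructed sample for this
# example; the real log is much longer).
SAMPLE = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Monopod] c:\users\jeff\appdata\local\temp\b.exe
uRun: [LosAlamos] rundll32.exe c:\windows\system32\sshnas.dll,AddConsoleAliasAW
uRun: [E8WECRKKMV] c:\users\jeff\appdata\local\temp\b.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
2010-01-11 16:22:27 192512 ----a-w- c:\windows\msb.exe
2010-01-10 09:47:39 192512 ----a-w- c:\windows\msa.exe
2010-01-10 09:46:36 233984 ----a-w- c:\windows\system32\sshnas.dll
2010-01-07 18:24:57 165920 ----a-w- c:\windows\bbebadfda.exe
2010-01-07 13:04:30 0 d-----w- c:\program files\Xobni
"""

# Line shapes assumed for the two DDS sections used here: the Pseudo HJT
# Report autoruns (uRun/mRun) and the "Created Last 30" file entries.
RUN_RE = re.compile(r"^([um]Run):\s*\[([^\]]*)\]\s*(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(.+?\.dll),(\w+)", re.I)
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
WINROOT_RE = re.compile(r"^c:\\windows\\[^\\]+\.(?:exe|dll|bin)$", re.I)


def target_path(cmd):
    """Return the executable an autorun command launches, or None."""
    cmd = cmd.strip()
    if cmd.startswith('"'):           # quoted path, possibly followed by args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = EXE_RE.match(cmd)             # unquoted path up to the first .exe etc.
    return m.group(1) if m else None


def parse(log):
    """Split a DDS log into autorun tuples and created-file tuples."""
    autoruns, created = [], []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m:
            autoruns.append(m.groups())      # (kind, name, command)
            continue
        m = CREATED_RE.match(line)
        if m:
            created.append(m.groups())       # (timestamp, size, attrs, path)
    return autoruns, created


def triage(log):
    """Return a list of (reason, detail) findings for one DDS log."""
    autoruns, created = parse(log)
    # Files (not directories) created in the last 30 days, for cross-reference.
    new_files = {p.lower() for _, _, attrs, p in created if not attrs.startswith("d")}
    findings = []
    by_target = defaultdict(list)
    for kind, name, cmd in autoruns:
        rd = RUNDLL_RE.match(cmd)
        if rd:
            dll, export = rd.group(1).lower(), rd.group(2)
            if dll in new_files:
                findings.append(("rundll32 autorun loads a recently created DLL",
                                 f"{kind}:[{name}] {dll},{export}"))
            continue
        target = target_path(cmd)
        if target is None:
            continue
        by_target[target.lower()].append(f"{kind}:[{name}]")
        if TEMP_RE.search(target):
            findings.append(("autorun target lives in a Temp directory",
                             f"{kind}:[{name}] {target}"))
    for target, names in by_target.items():
        if len(names) > 1:
            findings.append(("same binary registered under several autorun names",
                             f"{target} <- {', '.join(names)}"))
    for ts, size, attrs, path in created:
        if not attrs.startswith("d") and WINROOT_RE.match(path):
            findings.append(("recently created executable directly in c:\\windows",
                             f"{path} ({ts}, {size} bytes)"))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE):
        print(f"[{reason}] {detail}")
```

On the excerpt this flags b.exe twice (two autorun names for one Temp binary), sshnas.dll (created three days before the log and loaded via rundll32 by the LosAlamos entry) and the three fresh executables in the Windows root, which is the same set the helper asks about in the replies.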




#2 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Location: Belgium)

Posted 13 January 2010 - 06:07 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Optimistic1 (Topic Starter; Members; 12 posts)

Posted 13 January 2010 - 12:43 PM

Thanks for your help. I've followed these instructions. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Database version: 3554
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

13/01/2010 17:02:33
mbam-log-2010-01-13 (17-02-33).txt

Scan type: Quick Scan
Objects scanned: 101302
Time elapsed: 8 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Worm.Allaple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\LREC75DND7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\E8WECRKKMV (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control center (Rogue.ControlCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\HT (Rogue.Antispy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e8wecrkkmv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\losalamos (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agent.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Jeff\freezip.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\guide.html (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images\gimg1.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images\gimg10.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images\gimg2.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images\gimg3.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images\gimg4.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images\gimg5.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images\gimg6.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images\gimg7.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images\gimg8.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\faq\images\gimg9.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\AppData\Roaming\pc\settings.ini (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Users\Jeff\Desktop\Control Center.lnk (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.




#4 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Location: Belgium)

Posted 13 January 2010 - 12:51 PM

Hi,

Navigate to and delete the following file:

c:\windows\bbebadfda.exe

Then, * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
The rest looks OK again.

Let me know in your next reply how things are now.


#5 Optimistic1 (Topic Starter; Members; 12 posts)

Posted 13 January 2010 - 01:30 PM

Hi,

I went to this file but cannot delete it. I get a message saying it is open in another program. I restarted my machine hoping to catch it as soon as I restarted but got the same problem.

As I could not complete the first step I have not completed the others in case they were dependent on my completing the first step.

Thanks.

#6 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Location: Belgium)

Posted 13 January 2010 - 01:40 PM

Hi,

I want to have a look at the file first.

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to it and browse to the following file:

c:\windows\bbebadfda.exe

Select it and click ok:
Then click the Send File button below.

Let me know once you uploaded the file.

Edited by miekiemoes, 13 January 2010 - 01:40 PM.


#7 Optimistic1 (Topic Starter; Members; 12 posts)

Posted 13 January 2010 - 02:00 PM

I tried to put it into the field but get the same sort of message - File in use etc. Tried to copy it somewhere first - same result.

Thanks for your patience.....

#8 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Location: Belgium)

Posted 13 January 2010 - 02:07 PM

Hmm, this is interesting.
I really want a copy of this file, but let's have a look first with another tool if it shows what may be locking it and what else is still present, so do next please...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Edited by miekiemoes, 13 January 2010 - 02:08 PM.


#9 Optimistic1 (Topic Starter; Members; 12 posts)

Posted 13 January 2010 - 02:17 PM

OK, I need to go out now so I'll do this when I'm sure not to rush things. Thanks so much for your help :-)

#10 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Location: Belgium)

Posted 13 January 2010 - 02:20 PM

That's OK. Just take your time. :)
I'll see when you reply (if I'm not offline already either since it's already evening here). Otherwise it will be tomorrow. :)

#11 Optimistic1 (Topic Starter; Members; 12 posts)

Posted 14 January 2010 - 09:54 AM

Hi again,

Here's the Combofix log file.

After running Combofix I took the three steps in your previous post - cleared out IE, Firefox & ran cleanmgr.

Do you think it's OK now?

Thanks :-)



#12 miekiemoes (Malware Killer Dog; Malware Response Team; 19,420 posts; Location: Belgium)

Posted 14 January 2010 - 10:10 AM

Hi,

This appears to be one of those infections that are really stubborn and make a system extremely unstable. It has a related dll with it that is loaded under winlogon.
It's not the first time that this variant has made a system unbootable, so that's why I suggest you back up any important data first, just to be on the safe side, because you never know with this variant.

Once you have done this...

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
Collect::[8]
c:\windows\system32\bbebadfda.dll
c:\windows\ujf635.bin
c:\windows\bbebadfda.exe


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

But I have a feeling that Combofix will also fail to delete the file and we will probably need to delete it via the Recovery Console. Anyway, let's see first how Combofix deals with it...

#13 Optimistic1
  • Topic Starter
  • Members
  • 12 posts

Posted 14 January 2010 - 12:06 PM

Hi, I've restarted Combofix, switched off McAfee.

I assume I navigate to the website after Combofix has finished running, given the instruction not to open any programs during its operation?

thanks

#14 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 January 2010 - 12:09 PM

QUOTE
I assume I navigate to the website after Combofix has finished running,
Yes, once Combofix has finished.

#15 Optimistic1
  • Topic Starter
  • Members
  • 12 posts

Posted 14 January 2010 - 12:34 PM

OK, I've sent the file.

Incidentally, I get a Windows message at startup which tells me that Windows is blocking programs at startup that require permission to run.

Here's the Combofix file:

If you're anywhere near Sandbach or Reading I probably owe you beer!

ComboFix 10-01-13.0C - Jeff 14/01/2010 17:00:41.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1918.1060 [GMT 0:00]
Running from: c:\users\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\users\Jeff\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\bbebadfda.exe
file zipped: c:\windows\system32\bbebadfda.dll
file zipped: c:\windows\ujf635.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\bbebadfda.exe
c:\windows\system32\bbebadfda.dll
c:\windows\ujf635.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bbebadfda


((((((((((((((((((((((((( Files Created from 2009-12-14 to 2010-01-14 )))))))))))))))))))))))))))))))
.

2010-01-14 17:07 . 2010-01-14 17:18 -------- d-----w- c:\users\Jeff\AppData\Local\temp
2010-01-14 17:07 . 2010-01-14 17:07 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-13 17:48 . 2010-01-14 14:23 -------- d-----w- c:\program files\Antbar
2010-01-13 16:51 . 2010-01-13 16:51 -------- d-----w- c:\users\Jeff\AppData\Roaming\Malwarebytes
2010-01-13 16:51 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 16:51 . 2010-01-13 16:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 16:51 . 2010-01-13 16:51 -------- d-----w- c:\programdata\Malwarebytes
2010-01-13 16:51 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 11:04 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 11:04 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-11 18:05 . 2010-01-11 18:05 -------- d-----w- c:\programdata\Citrix
2010-01-11 18:01 . 2010-01-11 18:01 -------- d-----w- c:\program files\Citrix
2010-01-11 18:01 . 2010-01-11 18:01 -------- d-----w- c:\users\Jeff\AppData\Local\Citrix
2010-01-11 18:01 . 2010-01-11 18:01 61224 ----a-w- c:\users\Jeff\GoToAssistDownloadHelper.exe
2010-01-11 18:00 . 2010-01-11 18:00 -------- d-----w- c:\users\Jeff\AppData\Local\Apps
2010-01-11 18:00 . 2010-01-11 18:01 -------- d-----w- c:\users\Jeff\AppData\Local\Deployment
2010-01-11 17:44 . 2009-09-30 12:11 288096 ----a-w- c:\users\Jeff\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-01-11 17:43 . 2010-01-11 17:43 -------- d-----w- c:\users\Jeff\AppData\Roaming\McAfee
2010-01-11 13:28 . 2010-01-11 13:29 -------- d-----w- c:\users\Jeff\AppData\Roaming\Media Player Classic
2010-01-10 09:52 . 2010-01-10 09:52 -------- d-----w- c:\windows\Sun
2010-01-07 18:25 . 2010-01-08 10:29 -------- d-----w- c:\programdata\boost_interprocess
2010-01-07 18:24 . 2010-01-08 09:55 -------- d-----w- c:\users\Jeff\AppData\Roaming\Multi File Downloader
2010-01-07 17:32 . 2010-01-11 14:30 -------- d-----w- c:\programdata\eMule
2010-01-07 17:19 . 2010-01-11 14:30 -------- d-----w- c:\users\Jeff\AppData\Local\eMule
2010-01-07 13:04 . 2010-01-13 07:17 -------- d-----w- c:\program files\Xobni
2010-01-06 13:23 . 2010-01-11 09:02 -------- d-----w- c:\users\Jeff\AppData\Roaming\Azureus
2010-01-04 21:36 . 2010-01-04 21:36 -------- d-----w- c:\programdata\FileCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 16:52 . 2008-08-06 08:16 -------- d-----w- c:\users\Jeff\AppData\Roaming\Skype
2010-01-14 09:39 . 2009-07-29 09:15 -------- d-----w- c:\users\Jeff\AppData\Roaming\HCM Updater
2010-01-13 18:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-13 18:02 . 2008-11-21 12:51 -------- d-----w- c:\programdata\Google Updater
2010-01-13 07:12 . 2008-08-04 09:11 160798 ----a-w- c:\windows\system32\PGPlspRollback.reg
2010-01-13 07:03 . 2009-04-27 13:00 -------- d-----w- c:\programdata\WinZip
2010-01-11 17:41 . 2008-03-19 09:07 -------- d-----w- c:\program files\McAfee
2010-01-11 17:41 . 2008-03-19 09:06 -------- d-----w- c:\programdata\McAfee
2010-01-11 14:09 . 2009-10-18 16:39 -------- d-----w- c:\program files\Vuze
2010-01-11 13:27 . 2010-01-11 13:26 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-06 12:18 . 2008-08-06 08:16 -------- d-----r- c:\program files\Skype
2010-01-06 12:18 . 2008-11-24 08:24 -------- d-----w- c:\programdata\Skype
2010-01-06 10:39 . 2008-11-24 08:25 -------- d-----w- c:\users\Jeff\AppData\Roaming\skypePM
2010-01-05 18:00 . 2010-01-11 13:26 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-23 00:34 . 2008-03-19 09:10 -------- d-----w- c:\program files\Google
2009-12-12 14:15 . 2010-01-11 13:26 178176 ----a-w- c:\windows\system32\unrar.dll
2009-12-05 12:26 . 2009-12-05 12:26 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-03 15:59 . 2009-12-02 15:30 -------- d-----w- c:\users\Jeff\AppData\Roaming\eBookPro6
2009-12-03 13:15 . 2009-12-03 11:51 -------- d-----w- c:\program files\OFFSystem
2009-11-26 06:54 . 2009-11-26 06:53 -------- d-----w- c:\program files\iTunes
2009-11-26 06:53 . 2009-11-26 06:53 -------- d-----w- c:\program files\iPod
2009-11-26 06:53 . 2008-11-16 14:23 -------- d-----w- c:\program files\Common Files\Apple
2009-11-26 06:50 . 2009-11-26 06:49 -------- d-----w- c:\program files\QuickTime
2009-11-26 06:44 . 2009-11-26 06:44 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-24 18:27 . 2009-11-24 18:27 -------- d-----w- c:\program files\safebetplan
2009-11-24 11:14 . 2009-11-24 11:14 -------- d-----w- c:\program files\Betfair
2009-11-21 06:40 . 2009-12-09 08:23 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 08:23 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 08:23 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 08:23 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-18 08:45 . 2008-03-19 08:38 -------- d-----w- c:\program files\Java
2009-11-18 08:13 . 2009-11-18 08:13 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-18 08:12 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 08:11 . 2009-11-18 08:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-09 12:31 . 2009-12-10 08:40 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-10 08:40 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-10 08:40 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-03 08:00 . 2009-11-03 08:00 8151784 ----a-w- c:\users\Jeff\Babylon8_setup.exe
2009-10-29 09:17 . 2009-11-25 00:25 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-17 12:10 . 2009-10-17 12:10 3438783 ----a-w- c:\users\Jeff\InstallRarZilla2.55.exe
2009-10-17 12:01 . 2009-10-17 12:01 5696860 ----a-w- c:\users\Jeff\peazip-2.7.WIN64.exe
2007-11-14 11:01 . 2008-10-03 09:22 1131976 ----a-w- c:\program files\erase-setup-0003.exe
2007-06-25 08:29 . 2008-10-03 09:22 16508560 ----a-w- c:\program files\win-jre-1.5.0-09[1]
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2009-10-09 13:53 613496 ----a-w- c:\windows\System32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-12-29 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Updater shortcut"="c:\program files\T-Mobile\web'n'walk Manager\WTGU.exe" [2008-06-19 857544]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25626408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NDSTray.exe"="NDSTray.exe" [BU]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-29 1029416]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"DataCardMonitor"="c:\program files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe" [2009-07-14 253952]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

c:\users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PGPtray.exe.lnk - c:\windows\Installer\{B560691D-502C-4441-B639-44E9AD7A6996}\Icon6560581611.exe [2010-1-13 55296]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\PGPmapih.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):00,46,f6,2d,ec,4b,ca,01

R0 pgpfs;PGP File Sharing;c:\windows\System32\drivers\PGPfsfd.sys [09/10/2009 13:53 136312]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\System32\drivers\RtlProt.sys [03/08/2008 09:14 25896]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\System32\drivers\CHDART.sys [19/03/2008 08:31 187904]
R3 O2MDRDR;O2MDRDR;c:\windows\System32\drivers\o2media.sys [15/01/2008 09:34 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\System32\drivers\QIOMem.sys [09/04/2007 15:13 8192]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\rtl8187B.sys [03/08/2008 08:56 290304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-19 20:27]

2010-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 18:27]

2010-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 18:27]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.racingpost.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\njd61dmb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mytalktalk.co.uk
FF - component: c:\program files\Mozilla Firefox\extensions\{038cb5c7-48ea-4af9-94e0-a1646542e62b}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBTEmailConfig.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-14 17:18
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe??TEMP=c:\users\Jeff\AppData\Loc???[?K?? 8??????sers\Jeff\AppData\Local\Temp?TRACE_FORMAT_SEARCH_PATH=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat?USERD
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????&?x?,??X???????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1184)
c:\windows\system32\PGPfsshl.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\windows\system32\PGPserv.exe
c:\program files\TalkTalk\bin\sprtsvc.exe
c:\program files\Common Files\Supportsoft\bin\tgsrvc.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2010-01-14 17:21:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-14 17:21
ComboFix2.txt 2010-01-14 14:32

Pre-Run: 41,489,797,120 bytes free
Post-Run: 41,130,061,824 bytes free

- - End Of File - - 97338749D2ECA4421433A4960D02D88A
Upload was successful
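As an added example (not code from this thread, from ComboFix's authors, or from the helper), here is a small Python triage script for the ComboFix log format posted above. It checks that each path listed in the CFScript from post #12 appears both as a "file zipped:" line (quarantined into C:\Qoobox) and under "Other Deletions", lists the service entry ComboFix removed, and parses the "Files Created" section to flag executable-type files written directly into the Windows or System32 directory, which is where bbebadfda.exe, bbebadfda.dll and ujf635.bin sat. The embedded log is a constructed, trimmed excerpt of the one in this post; the section names, line shapes and file paths are taken from the thread, while the age window, the watched directories and the "stale build" indicator are assumptions of this example. The heuristic also flags t2embed.dll and fontsub.dll, whose modified timestamps predate their creation by months (the pattern of a pre-built file copied in by an installer rather than a freshly written dropper), so a flag means "verify", not "malicious"; submitting the quarantine zip, as the thread does, is that verification.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta
from typing import Dict, List, Optional
# The three paths from the CFScript in post #12 (taken from the thread).
CFSCRIPT_TARGETS = [r"c:\windows\system32\bbebadfda.dll", r"c:\windows\ujf635.bin", r"c:\windows\bbebadfda.exe"]
# Constructed excerpt modelled on the ComboFix log in post #15 (trimmed; not the full log).
SAMPLE_LOG = r"""
file zipped: c:\windows\bbebadfda.exe
file zipped: c:\windows\system32\bbebadfda.dll
file zipped: c:\windows\ujf635.bin
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\bbebadfda.exe
c:\windows\system32\bbebadfda.dll
c:\windows\ujf635.bin
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_bbebadfda
((((((((((((((((((((((((( Files Created from 2009-12-14 to 2010-01-14 )))))))))))))))))))))))))))))))
.
2010-01-14 17:07 . 2010-01-14 17:18 -------- d-----w- c:\users\Jeff\AppData\Local\temp
2010-01-13 16:51 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 11:04 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 11:04 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-11 18:01 . 2010-01-11 18:01 61224 ----a-w- c:\users\Jeff\GoToAssistDownloadHelper.exe
.
"""

SECTION_RE = re.compile(r"^\({5,}\s*(?P<title>.+?)\s*\){5,}\s*$", re.M)
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$", re.M)
EXEC_EXT = {".exe", ".dll", ".sys", ".bin"}
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32"}  # assumption: where this thread's three files were dropped
# size is None for directories (the log prints '--------'); stale_build: modified long before created
FileEntry = namedtuple("FileEntry", "created modified size attrs path")
Flag = namedtuple("Flag", "path age_days stale_build")

def split_sections(log: str) -> Dict[str, str]:
    """Map each '((( Title )))' header to the text between it and the next header."""
    out, hits = {}, list(SECTION_RE.finditer(log))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(log)
        out[m.group("title")] = log[m.end():end]
    return out

def confirm_script_targets(log: str, targets: List[str]) -> Dict[str, Dict[str, bool]]:
    """Did ComboFix zip (quarantine) and then delete each path the CFScript listed?"""
    zipped = {m.group(1).strip().lower() for m in re.finditer(r"^file zipped: (.+)$", log, re.M)}
    body = split_sections(log).get("Other Deletions", "")
    deleted = {ln.strip().lower() for ln in body.splitlines() if ln.strip() not in ("", ".")}
    return {t: {"zipped": t.lower() in zipped, "deleted": t.lower() in deleted} for t in targets}

def removed_services(log: str) -> List[str]:
    """Service/driver entries ComboFix removed (the dashed lines under Drivers/Services)."""
    return re.findall(r"^-+\\(\S+)\s*$", split_sections(log).get("Drivers/Services", ""), re.M)

def parse_created_files(log: str) -> List[FileEntry]:
    """Parse the 'Files Created from ... to ...' section into FileEntry records."""
    for title, body in split_sections(log).items():
        if title.startswith("Files Created"):
            return [FileEntry(datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                              datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                              None if m["size"].startswith("-") else int(m["size"]),
                              m["attrs"], m["path"]) for m in ENTRY_RE.finditer(body)]
    return []

def flag_entries(entries: List[FileEntry], reference: Optional[datetime] = None,
                 max_age_days: int = 7) -> List[Flag]:
    """Heuristic triage: executable-type files written directly into Windows or System32 within
    max_age_days of `reference`. A flag means 'verify', not 'malicious': update payloads land there too."""
    if not entries:
        return []
    reference = reference or max(e.created for e in entries)  # default: newest entry in the log
    flags = []
    for e in entries:
        directory, _, name = e.path.lower().rpartition("\\")
        age = reference - e.created
        if (not e.attrs.startswith("d") and directory in WATCHED_DIRS
                and name[name.rfind("."):] in EXEC_EXT and age <= timedelta(days=max_age_days)):
            flags.append(Flag(e.path, age.days, e.created - e.modified > timedelta(days=1)))
    return flags

if __name__ == "__main__":
    for path, st in confirm_script_targets(SAMPLE_LOG, CFSCRIPT_TARGETS).items():
        print(f"{path}: zipped={st['zipped']} deleted={st['deleted']}")
    print("removed:", removed_services(SAMPLE_LOG))
    for f in flag_entries(parse_created_files(SAMPLE_LOG)):
        print(f"review: {f.path} (age {f.age_days}d, stale build: {f.stale_build})")
```

Run it as-is against the constructed excerpt, or replace SAMPLE_LOG with the text of a real ComboFix.txt; the section headers are matched by their parenthesis banners, so the parser ignores the free-form header, "Reg Loading Points" and catchme output, and only the "Files Created" window (which is why the Find3M entries in the full log above are not examined) feeds the flagging heuristic.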



