I have a rootkit that is hiding.


18 replies to this topic

#1 nighttrain20

Posted 12 January 2010 - 05:39 PM

After several attempts in the "Am I infected? What do I do?" forum, Moderator "Rigel" sent me here to see if we can remove this bugger. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/281606/slow-to-boot-up/ ~ OB

I believe that I have followed the instructions properly.

Here is the DDS report, and I uploaded the attach & arc files.

Awaiting your instructions.

Thank you in advance.

Tony

DDS Report:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Dad's Computer at 20:24:55.79 on 01/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.207 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\CAPM3RSK.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAPM3SWK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAPM3SWK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad's Computer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [EPSON Stylus Photo RX500] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2k1.exe /p24 "epson stylus photo rx500" /o14 "\\mine\Printer" /M "Stylus Photo RX500"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\canonp~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\dad's computer\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2005102501/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E302F157-A890-4B6F-A421-839D25055D6D} - hxxp://www.novalogic.com/pub/NLSysInfo.ocx
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-16 28544]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2008-12-15 7040]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-25 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-25 144704]
R2 RapidPortM3;RapidPortM3;c:\windows\system32\drivers\CAPM3LP.SYS [2009-7-2 22976]
R3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys [2003-1-31 8384]
R3 axvscsi;axvscsi;c:\windows\system32\drivers\axvscsi.sys [2003-1-31 100256]
R3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2008-12-15 17792]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-25 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-25 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-25 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-25 40552]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2005-1-30 17792]
S2 gupdate1c9babfb4d33912;Google Update Service (gupdate1c9babfb4d33912);c:\program files\google\update\GoogleUpdate.exe [2009-4-11 133104]
S3 Cdfssokw;Cdfssokw;c:\windows\system32\drivers\isapnp.sys [2001-8-17 37248]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-25 34248]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S4 0230331239922897mcinstcleanup;McAfee Application Installer Cleanup (0230331239922897);c:\windows\temp\023033~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\023033~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2010-01-09 15:51:40 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-01-09 15:39:31 0 d-----w- c:\windows\ERUNT
2010-01-09 15:30:10 0 dc----w- C:\SDFix
2010-01-01 19:31:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 19:31:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 19:31:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 13:09:45 0 d-----w- c:\documents and settings\dad's computer\DoctorWeb
2009-12-27 16:34:36 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-26 18:32:25 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-26 18:32:25 0 d-----w- c:\docume~1\dad'sc~1\applic~1\SUPERAntiSpyware.com
2009-12-26 18:00:00 0 d-----w- c:\program files\AskBarDis
2009-12-20 15:30:19 0 d-----w- c:\docume~1\dad'sc~1\applic~1\com.comcast.callerid.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2009-12-20 15:29:56 0 d-----w- c:\program files\Comcast Universal Caller ID
2009-12-20 15:29:38 0 d-----w- c:\docume~1\dad'sc~1\applic~1\com.comcast.callerid.4C7707E731FA230A00265DE26809CEAF299D5FFD.1
2009-12-13 17:49:44 0 d-sh--w- c:\documents and settings\dad's computer\UserData
2009-12-13 17:04:49 0 d-sh--w- c:\documents and settings\dad's computer\PrivacIE
2009-12-13 17:04:45 0 d-sh--w- c:\documents and settings\dad's computer\IECompatCache
2009-12-13 16:38:06 2746 ------w- c:\windows\LottoBuster.ini
2009-12-13 16:33:56 0 dc----w- C:\Lotto Buster
2009-12-13 16:02:22 25216 ----a-w- c:\windows\system32\drivers\tap0901.sys

==================== Find3M ====================

2009-12-27 16:29:23 98304 ----a-w- c:\windows\DUMP700f.tmp
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2002-04-16 15:27:54 5 --sha-w- c:\windows\system32\CdI5T.drv
2008-09-05 21:22:40 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 20:26:01.01 ===============

Edited by Orange Blossom, 12 January 2010 - 07:13 PM.
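As an added example (not from the thread, from DDS, or from any poster), here is a small Python parser for the SERVICES / DRIVERS section of the DDS log above. It turns each entry into a record and applies one triage heuristic that is my own assumption, not a DDS feature: a kernel driver registered under a service name that shares nothing with its file name gets listed for a second look. The sample is a constructed subset of the log's own lines.

```python
"""Parse the SERVICES / DRIVERS section of a DDS log and flag drivers whose
service name does not resemble the file they load (triage aid, not a verdict)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the entries from the DDS log posted above.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-16 28544]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-25 144704]
R2 RapidPortM3;RapidPortM3;c:\windows\system32\drivers\CAPM3LP.SYS [2009-7-2 22976]
S3 Cdfssokw;Cdfssokw;c:\windows\system32\drivers\isapnp.sys [2001-8-17 37248]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================
"""

# One DDS entry: <R|S><start type> <service>;<display name>;<image path> [<date> <size>]
# DDS prints "[?]" instead of date/size when it cannot find the file on disk.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<type>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    running: bool          # R = running, S = stopped
    start_type: int        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    path: str
    date: Optional[str]    # None when DDS printed [?]
    size: Optional[int]

    @property
    def file_name(self) -> str:
        return self.path.replace("/", "\\").rsplit("\\", 1)[-1]

    @property
    def is_kernel_driver(self) -> bool:
        return self.file_name.lower().endswith(".sys")


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Return the entries between the SERVICES / DRIVERS header and the next header."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in log_text.splitlines():
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):
            break                      # next "====" header closes our section
        m = LINE_RE.match(line)
        if not in_section or not m:
            continue
        meta = m.group("meta").split()
        date, size = (meta[0], int(meta[1])) if len(meta) == 2 else (None, None)
        entries.append(ServiceEntry(
            running=m.group("state") == "R",
            start_type=int(m.group("type")),
            name=m.group("name").strip(),
            display=m.group("display").strip(),
            path=m.group("path").strip(),
            date=date,
            size=size,
        ))
    return entries


def _normalize(text: str) -> str:
    return re.sub(r"[^a-z0-9]", "", text.lower())


def name_file_mismatches(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Kernel drivers whose service name shares nothing with the file's base name.

    Assumption (heuristic): most drivers register under their file name
    (mfehidk -> mfehidk.sys).  Vendor drivers such as RapidPortM3 -> CAPM3LP.SYS
    will also be listed, so every hit still needs a human look at the file."""
    hits = []
    for e in entries:
        if not e.is_kernel_driver:
            continue
        base = _normalize(e.file_name.rsplit(".", 1)[0])
        svc = _normalize(e.name)
        if svc != base and svc not in base and base not in svc:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in name_file_mismatches(parse_services(SAMPLE_DDS)):
        state = "running" if e.running else "stopped"
        print(f"{e.name:12s} -> {e.file_name:14s} ({state}, start type {e.start_type})")
```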


#2 Farbar


Posted 14 January 2010 - 02:18 PM

Hi nighttrain20,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt.
Also please update me about the current condition of your computer.

#3 nighttrain20


Posted 14 January 2010 - 06:11 PM

Hello,

Thank You for helping me. My Google Search is still being hijacked, and when I first load IE it seems to take a long time to open.
Here is the DDS log:

Awaiting instructions.

Attached Files

  • Attached File  DDS.txt   12.89KB   1 downloads


#4 Farbar


Posted 14 January 2010 - 06:44 PM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with each other, as the name suggests. In today's world, cybercrime has grown to an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus best used with great care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
We are going to have a preliminary round.
  1. You have the program Winpatrol installed on your machine and that is good. If Winpatrol is running we need to disable Winpatrol so it does not interfere with the fixes we are about to do:

    Right-click the Winpatrol icon on the right-hand of taskbar (System Tray or Notification Area) and select Exit Program.

  2. Please uninstall Alcohol 120% as it might interfere with our fixes. You may install it again when we are done.

  3. I see on the log Ask Toolbar is installed on your computer:

    This program is known to be bundled with adware/spyware. You may read more about Ask Toolbars here:
    http://www.benedelman.org/spyware/ask-toolbars/

    To uninstall Ask Toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Ask Toolbar or Vuze toolbar

    Also remove the folder in bold (if present) only after uninstalling Ask Toolbar:
    C:\Program Files\AskBar
    c:\program files\askbardis

  4. I see on the log the Coupon Printer for Windows is installed on your computer:
    This program is known to be bundled with adware/spyware.

    For more information please see this:
    A Closer Look at Coupons.com

    To uninstall Coupon Printer for Windows:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Coupon Printer for Windows

    Also delete the folders in bold (if present):

    C:\Program Files\Coupon
    C:\Program Files\Coupons

  5. Optional: Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following programs via Add or Remove Programs if you are not using them:

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it also remove the folder in bold: C:\Program Files\Viewpoint

  6. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  7. Please download gmer.zip and save to your desktop.
    • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Double-click on gmer.exe to start the program.
    • Allow the gmer.sys driver to load if asked.
    • Do NOT click scan. GMER does an automatic quick scan when run.
    • Click the copy button on the right side of GMER and then paste into your next reply.

Edited by farbar, 14 January 2010 - 06:49 PM.


#5 nighttrain20


Posted 15 January 2010 - 06:42 AM

I believe I did all that is asked.

My system had a "system failure" after the GMER scan, so I rebooted it.
Attached are the logs.

Awaiting instructions.


#6 Farbar


Posted 15 January 2010 - 07:42 AM

Please copy and paste the logs to your reply instead of attaching.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#7 nighttrain20


Posted 15 January 2010 - 06:30 PM

I ran ComboFix and here is the log.

Awaiting instructions.

ComboFix 10-01-15.01 - Dad's Computer 01/15/2010 18:06:11.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.586 [GMT -5:00]
Running from: c:\documents and settings\Dad's Computer\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\desktop
c:\windows\desktop\keno.xls

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - c:\windows\SYSTEM32\DRIVERS\iaStor.sys
.
((((((((((((((((((((((((( Files Created from 2009-12-15 to 2010-01-15 )))))))))))))))))))))))))))))))
.

2010-01-13 16:03 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 15:51 . 2010-01-09 15:51 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-01-09 15:39 . 2010-01-09 15:39 -------- d-----w- c:\windows\ERUNT
2010-01-09 15:30 . 2010-01-09 16:32 -------- dc----w- C:\SDFix
2010-01-09 15:27 . 2010-01-09 15:27 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-09 15:24 . 2010-01-09 15:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-01 19:31 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 19:31 . 2010-01-15 10:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 19:31 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 13:09 . 2009-12-28 14:53 -------- d-----w- c:\documents and settings\Dad's Computer\DoctorWeb
2009-12-27 16:34 . 2009-12-27 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 18:32 . 2009-12-27 16:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-26 18:32 . 2009-12-26 18:32 -------- d-----w- c:\documents and settings\Dad's Computer\Application Data\SUPERAntiSpyware.com
2009-12-20 15:30 . 2009-12-20 15:30 -------- d-----w- c:\documents and settings\Dad's Computer\Application Data\com.comcast.callerid.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2009-12-20 15:29 . 2009-12-27 16:34 -------- d-----w- c:\program files\Comcast Universal Caller ID
2009-12-20 15:29 . 2009-12-20 15:29 -------- d-----w- c:\documents and settings\Dad's Computer\Application Data\com.comcast.callerid.4C7707E731FA230A00265DE26809CEAF299D5FFD.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 10:53 . 2010-01-15 10:53 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-15 10:47 . 2006-12-20 00:52 -------- d-----w- c:\program files\Morpheus
2010-01-15 10:41 . 2005-01-14 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-31 17:58 . 2009-12-26 18:33 52224 ----a-w- c:\documents and settings\Dad's Computer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-31 17:58 . 2009-12-26 18:33 117760 ----a-w- c:\documents and settings\Dad's Computer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-27 16:34 . 2009-10-25 14:56 -------- d-----w- c:\program files\Password Solutions
2009-12-27 16:34 . 2009-03-15 14:24 -------- d-----w- c:\program files\Trojan Remover
2009-12-27 16:34 . 2008-12-10 20:55 -------- d-----w- c:\program files\Aladdins Palace
2009-12-27 16:29 . 2005-01-14 06:04 98304 ----a-w- c:\windows\DUMP700f.tmp
2009-12-26 18:32 . 2005-12-15 20:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-21 18:43 . 2009-03-25 19:13 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-21 18:31 . 2009-05-08 12:35 38784 ----a-w- c:\documents and settings\Dad's Computer\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-20 12:45 . 2005-01-20 21:41 -------- d-----w- c:\documents and settings\Dad's Computer\Application Data\AdobeUM
2009-12-13 16:48 . 2009-12-13 16:34 219640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-05 12:30 . 2009-12-05 12:24 -------- d-----w- c:\program files\HQuote
2009-12-04 23:34 . 2009-02-19 18:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-28 12:53 . 2005-01-20 21:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-26 11:58 . 2008-09-28 18:09 -------- d-----w- c:\documents and settings\Dad's Computer\Application Data\BitTorrent
2009-11-21 15:51 . 2004-08-04 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-03 01:42 . 2009-10-03 01:04 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 20:37 . 2009-10-27 20:37 127872 ----a-w- c:\documents and settings\Dad's Computer\Application Data\Move Networks\uninstall.exe
2009-10-27 20:23 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Dad's Computer\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2002-04-16 15:27 . 2002-04-16 15:27 5 --sha-w- c:\windows\SYSTEM32\CdI5T.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-01 99840]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-03-08 337216]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Canon PC1200 iC D700 Status Window.LNK - c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAPM3LAK.EXE [2009-7-1 30208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]
backup=c:\windows\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^Comcast Universal Caller ID.lnk]
path=c:\documents and settings\Dad's Computer\Start Menu\Programs\Startup\Comcast Universal Caller ID.lnk
backup=c:\windows\pss\Comcast Universal Caller ID.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^Morpheus.lnk]
backup=c:\windows\pss\Morpheus.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^Registration .LNK]
backup=c:\windows\pss\Registration .LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^Sid Registration.lnk]
backup=c:\windows\pss\Sid Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^Sins of a Solar Empire Launcher.lnk]
backup=c:\windows\pss\Sins of a Solar Empire Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^UniversalCallerID.lnk]
path=c:\documents and settings\Dad's Computer\Start Menu\Programs\Startup\UniversalCallerID.lnk
backup=c:\windows\pss\UniversalCallerID.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinService32]
ssmon [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 16:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:45 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeVersionCue]
2003-10-13 21:24 1732608 -c--a-w- c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 -c--a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-11-16 05:05 127035 -c--a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54 57344 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2007-02-19 18:39 2875392 ----a-w- c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo RX500]
2003-06-01 20:00 99840 ----a-w- c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I2K1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-03-16 22:27 133104 ----atw- c:\documents and settings\Dad's Computer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-11-16 00:44 1200128 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2004-06-29 15:23 135168 ----a-w- c:\program files\Intel\Intel Application Accelerator\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 21:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-10-29 11:54 1218008 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 16:06 11776 -c--a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-10-07 18:33 13574144 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-10-07 18:33 86016 ----a-w- c:\windows\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-10-07 18:33 1630208 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2008-08-21 01:18 443968 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2003-02-26 00:27 77887 ----a-w- c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2009-03-21 01:41 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2009-03-21 01:41 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-06-30 19:33 1388544 -c--a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-21 01:41 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TurboHddUsb]
2008-12-15 19:15 3327488 ----a-w- c:\program files\TurboHddUsb\TurboHddUsb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"gusvc"=2 (0x2)
"DSBrokerService"=3 (0x3)
"Coar160"=3 (0x3)
"AresChatServer"=3 (0x3)
"AdobeVersionCue"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"\\\\mine\\Cute FTP\\CuteFTP\\CUTFTP32.EXE"=
"c:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
"c:\\Program Files\\NAIC Club Accounting 2\\jre\\bin\\java.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"\\\\MINE\\MICROSOFT GAMES\\Links 2003\\LINKSMMIII.EXE"=
"c:\\Documents and Settings\\Dad's Computer\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5000:TCP"= 5000:TCP:AresChatServer

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [03/16/2009 6:12 PM 28544]
R1 FNETURPX;FNETURPX;c:\windows\SYSTEM32\DRIVERS\FNETURPX.SYS [12/15/2008 2:15 PM 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 RapidPortM3;RapidPortM3;c:\windows\SYSTEM32\DRIVERS\CAPM3LP.SYS [07/02/2009 10:28 AM 22976]
R3 FNETTBOH;FNETTBOH;c:\windows\SYSTEM32\DRIVERS\FNETTBOH.SYS [12/15/2008 2:15 PM 17792]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\SYSTEM32\DRIVERS\ppa.sys [01/30/2005 6:26 PM 17792]
S2 gupdate1c9babfb4d33912;Google Update Service (gupdate1c9babfb4d33912);c:\program files\Google\Update\GoogleUpdate.exe [04/11/2009 11:08 AM 133104]
S3 Cdfssokw;Cdfssokw;c:\windows\SYSTEM32\DRIVERS\isapnp.sys [08/17/2001 2:58 PM 37248]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S4 0230331239922897mcinstcleanup;McAfee Application Installer Cleanup (0230331239922897);c:\windows\TEMP\023033~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\023033~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [01/02/2007 4:19 PM 639224]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/03/2006 6:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 16:07]

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 16:07]

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1469528180-1414648073-3814679842-1006.job
- c:\documents and settings\Dad's Computer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-16 22:27]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-25 16:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-25 16:22]

2010-01-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-01-15 c:\windows\Tasks\User_Feed_Synchronization-{07495E2C-D59C-4BD3-A2F3-88040359BD02}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Dad's Computer\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {E302F157-A890-4B6F-A421-839D25055D6D} - hxxp://www.novalogic.com/pub/NLSysInfo.ocx
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe
MSConfigStartUp-SPSTEALT - c:\program files\Smart Protector Pro\SmartProtector-Pro.exe
MSConfigStartUp-Spybot - Search & Destroy - c:\program files\Spybot - Search & Destroy\SpybotSD.exe
MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-15 18:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1469528180-1414648073-3814679842-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e9,9e,46,e1,3b,7b,35,93,b6,71,2e,a7,ab,4c,2c,c6,cd,8a,97,a7,73,5f,c8,
32,ea,3b,ac,26,df,3c,12,ea,91,80,26,4c,fb,b8,ab,1c,11,b3,d6,b2,47,d7,8f,fd,\
"??"=hex:16,d7,d1,e0,b0,77,ec,e1,fa,f2,b0,3a,3d,81,3f,17

[HKEY_USERS\S-1-5-21-1469528180-1414648073-3814679842-1006\Software\SecuROM\License information*]
"datasecu"=hex:a1,a9,f6,2c,b9,df,c7,98,9e,73,83,3c,97,05,16,5a,44,0b,b2,65,89,
6c,0a,29,a7,a5,54,fc,06,dd,67,ac,1c,8f,a7,33,9a,14,45,97,50,bd,78,1e,8b,09,\
"rkeysecu"=hex:3c,42,92,f0,9b,39,b0,c6,c0,0f,a0,e4,e6,61,98,6f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3644)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\windows\system32\CAPM3RSK.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
c:\windows\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
c:\windows\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAPM3SWK.EXE
c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAPM3SWK.EXE
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\locator.exe
c:\program files\internet explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2010-01-15 18:27:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-15 23:26
ComboFix2.txt 2009-03-20 21:32
ComboFix3.txt 2009-03-20 20:43
ComboFix4.txt 2009-03-20 18:39

Pre-Run: 82,944,319,488 bytes free
Post-Run: 83,150,053,376 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 485CC69B1CF4F9561029031ADFE99F14

#8 nighttrain20

Posted 15 January 2010 - 06:49 PM

WinPatrol keeps popping up with a "file type change alert" message
_______________________________________________________________________

The program currently associated with this file type is:
RUN A DLL AS AN APP
Microsoft Corp
c:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\iframe.dll,OpenURL %l

A change was made to use the following program for this file type.
RUN A DLL AS AN APP
Microsoft Corp
rundll32.exe ieframe.dll,OpenURL %l

It asks "Is this change ok" Yes or No
__________________________________________________________________

I clicked No and 5 min. later it popped up again. What should I do?

Tony



#9 Farbar

Posted 15 January 2010 - 06:54 PM

Combofix removed the rootkit. The redirecting should have been stopped by now.
  1. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    Trusted Zone: turbotax.com
    Trusted Zone: musicmatch.com\online
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    Skipfix::


    Save this as CFScript.txt, in the same location as ComboFix.exe.




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.

  3. Tell me how your computer is running.
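To make the log lines and the CFScript fix in this post concrete, here is an added Python example (my own code, not from the thread, from ComboFix or from Farbar): it parses a constructed REGEDIT4-style dump in the format ComboFix prints in its "Reg Loading Points" section, flags the Security Center "DisableMonitoring" overrides, the disabled Windows Firewall profile and msconfig startup entries marked [X], and emits the Registry:: block that deletes the monitoring overrides using the same "name"=- syntax the CFScript above uses. The sample log, the function names and the Finding class are assumptions for the example; the key names are taken from the log posted earlier in the thread.

```python
"""Triage the 'Reg Loading Points' part of a ComboFix/DDS-style log and
generate the CFScript Registry:: lines that undo Security Center overrides."""
import re
from dataclasses import dataclass

# Constructed sample in the REGEDIT4-style format ComboFix prints; the keys are
# modelled on the thread's log, the text itself is not copied from the poster's machine.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinService32]
ssmon [X]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


@dataclass
class Finding:
    key: str     # registry key the entry lives under
    name: str    # value name, or the bare entry text for nameless lines
    value: str   # raw value text as printed in the log
    reason: str  # why a helper should look at it


def parse_reg_sections(text):
    """Split a REGEDIT4-style dump into an ordered list of (key, [entry lines])."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), []))
        elif sections:
            sections[-1][1].append(line)
    return sections


def dword_value(value):
    """Turn 'dword:00000001' or '0 (0x0)' into an int; None if not numeric."""
    m = re.match(r"dword:([0-9a-fA-F]+)$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", value)
    if m:
        return int(m.group(1))
    return None


def find_findings(sections):
    """Flag the settings a malware-removal helper would want to see first."""
    findings = []
    for key, lines in sections:
        lkey = key.lower()
        for line in lines:
            m = VALUE_RE.match(line)
            if m:
                name, value = m.group("name"), m.group("value").strip()
                num = dword_value(value)
                if r"security center\monitoring" in lkey and name.lower() == "disablemonitoring" and num:
                    findings.append(Finding(key, name, value,
                        "Security Center monitoring suppressed for this product"))
                elif "firewallpolicy" in lkey and name.lower() == "enablefirewall" and num == 0:
                    findings.append(Finding(key, name, value,
                        "Windows Firewall profile disabled"))
            elif line.endswith("[X]") and r"msconfig\startupreg" in lkey:
                findings.append(Finding(key, line[:-3].strip(), "",
                    "msconfig-disabled startup entry whose file ComboFix marked [X] (not found)"))
    return findings


def build_cfscript(findings):
    """Emit a CFScript Registry:: block that deletes each DisableMonitoring
    override; "name"=- is the .reg-file syntax for removing a value, as in the fix above."""
    out = ["Registry::"]
    for f in findings:
        if f.name.lower() == "disablemonitoring":
            out.append(f"[{f.key}]")
            out.append(f'"{f.name}"=-')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = find_findings(parse_reg_sections(SAMPLE_LOG))
    for f in found:
        print(f"{f.reason}: [{f.key}] {f.name} {f.value}".rstrip())
    print(build_cfscript(found))
```

The generated block only removes the DisableMonitoring values, mirroring the fix in this post; the disabled firewall profile and the [X] entry are reported but left alone, since deciding what to do with them is the helper's call, not the script's.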


#10 Farbar

Posted 15 January 2010 - 07:08 PM

See step #1 from my second post (under Removal Instruction). It is up to you to let WinPatrol ruin our fixes, or to keep it shut down or at least let the changes take place.

Please hold on with running ComboFix and don't run it until we make this clear.

Edited to add: I saw your second post after I posted the fix.

Edited by farbar, 15 January 2010 - 07:39 PM.
To add the last sentence


#11 nighttrain20

Posted 16 January 2010 - 06:01 AM

I followed your instructions and here is the generated log below.

ComboFix 10-01-15.05 - Dad's Computer 01/16/2010 5:50.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.586 [GMT -5:00]
Running from: c:\documents and settings\Dad's Computer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad's Computer\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-13 16:03 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 15:51 . 2010-01-09 15:51 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-01-09 15:39 . 2010-01-09 15:39 -------- d-----w- c:\windows\ERUNT
2010-01-09 15:30 . 2010-01-09 16:32 -------- dc----w- C:\SDFix
2010-01-09 15:27 . 2010-01-09 15:27 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-09 15:24 . 2010-01-09 15:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-01 19:31 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-01 19:31 . 2010-01-15 10:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 19:31 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 13:09 . 2009-12-28 14:53 -------- d-----w- c:\documents and settings\Dad's Computer\DoctorWeb
2009-12-27 16:34 . 2009-12-27 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 18:32 . 2009-12-27 16:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-26 18:32 . 2009-12-26 18:32 -------- d-----w- c:\documents and settings\Dad's Computer\Application Data\SUPERAntiSpyware.com
2009-12-20 15:30 . 2009-12-20 15:30 -------- d-----w- c:\documents and settings\Dad's Computer\Application Data\com.comcast.callerid.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2009-12-20 15:29 . 2009-12-27 16:34 -------- d-----w- c:\program files\Comcast Universal Caller ID
2009-12-20 15:29 . 2009-12-20 15:29 -------- d-----w- c:\documents and settings\Dad's Computer\Application Data\com.comcast.callerid.4C7707E731FA230A00265DE26809CEAF299D5FFD.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 10:53 . 2010-01-15 10:53 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-15 10:47 . 2006-12-20 00:52 -------- d-----w- c:\program files\Morpheus
2010-01-15 10:41 . 2005-01-14 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-31 17:58 . 2009-12-26 18:33 52224 ----a-w- c:\documents and settings\Dad's Computer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-31 17:58 . 2009-12-26 18:33 117760 ----a-w- c:\documents and settings\Dad's Computer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-27 16:34 . 2009-10-25 14:56 -------- d-----w- c:\program files\Password Solutions
2009-12-27 16:34 . 2009-03-15 14:24 -------- d-----w- c:\program files\Trojan Remover
2009-12-27 16:34 . 2008-12-10 20:55 -------- d-----w- c:\program files\Aladdins Palace
2009-12-27 16:29 . 2005-01-14 06:04 98304 ----a-w- c:\windows\DUMP700f.tmp
2009-12-26 18:32 . 2005-12-15 20:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-21 18:43 . 2009-03-25 19:13 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-21 18:31 . 2009-05-08 12:35 38784 ----a-w- c:\documents and settings\Dad's Computer\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-20 12:45 . 2005-01-20 21:41 -------- d-----w- c:\documents and settings\Dad's Computer\Application Data\AdobeUM
2009-12-13 16:48 . 2009-12-13 16:34 219640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-05 12:30 . 2009-12-05 12:24 -------- d-----w- c:\program files\HQuote
2009-12-04 23:34 . 2009-02-19 18:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-28 12:53 . 2005-01-20 21:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-26 11:58 . 2008-09-28 18:09 -------- d-----w- c:\documents and settings\Dad's Computer\Application Data\BitTorrent
2009-11-21 15:51 . 2004-08-04 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-03 01:42 . 2009-10-03 01:04 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2004-08-04 11:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-27 20:37 . 2009-10-27 20:37 127872 ----a-w- c:\documents and settings\Dad's Computer\Application Data\Move Networks\uninstall.exe
2009-10-27 20:23 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Dad's Computer\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-10-21 05:38 . 2004-08-04 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2002-04-16 15:27 . 2002-04-16 15:27 5 --sha-w- c:\windows\SYSTEM32\CdI5T.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-01 99840]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-03-08 337216]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Canon PC1200 iC D700 Status Window.LNK - c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAPM3LAK.EXE [2009-7-1 30208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]
backup=c:\windows\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^Comcast Universal Caller ID.lnk]
path=c:\documents and settings\Dad's Computer\Start Menu\Programs\Startup\Comcast Universal Caller ID.lnk
backup=c:\windows\pss\Comcast Universal Caller ID.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^Morpheus.lnk]
backup=c:\windows\pss\Morpheus.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^Registration .LNK]
backup=c:\windows\pss\Registration .LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^Sid Registration.lnk]
backup=c:\windows\pss\Sid Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^Sins of a Solar Empire Launcher.lnk]
backup=c:\windows\pss\Sins of a Solar Empire Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad's Computer^Start Menu^Programs^Startup^UniversalCallerID.lnk]
path=c:\documents and settings\Dad's Computer\Start Menu\Programs\Startup\UniversalCallerID.lnk
backup=c:\windows\pss\UniversalCallerID.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinService32]
ssmon [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 16:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:45 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeVersionCue]
2003-10-13 21:24 1732608 -c--a-w- c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 -c--a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-11-16 05:05 127035 -c--a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54 57344 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2007-02-19 18:39 2875392 ----a-w- c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo RX500]
2003-06-01 20:00 99840 ----a-w- c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I2K1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-03-16 22:27 133104 ----atw- c:\documents and settings\Dad's Computer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-11-16 00:44 1200128 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2004-06-29 15:23 135168 ----a-w- c:\program files\Intel\Intel Application Accelerator\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 21:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-10-29 11:54 1218008 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 16:06 11776 -c--a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-10-07 18:33 13574144 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-10-07 18:33 86016 ----a-w- c:\windows\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-10-07 18:33 1630208 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2008-08-21 01:18 443968 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2003-02-26 00:27 77887 ----a-w- c:\program files\WordPerfect Office 11\Programs\QFSCHD110.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2009-03-21 01:41 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2009-03-21 01:41 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-06-30 19:33 1388544 -c--a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-21 01:41 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TurboHddUsb]
2008-12-15 19:15 3327488 ----a-w- c:\program files\TurboHddUsb\TurboHddUsb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"gusvc"=2 (0x2)
"DSBrokerService"=3 (0x3)
"Coar160"=3 (0x3)
"AresChatServer"=3 (0x3)
"AdobeVersionCue"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"AcrSch2Svc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"\\\\mine\\Cute FTP\\CuteFTP\\CUTFTP32.EXE"=
"c:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
"c:\\Program Files\\NAIC Club Accounting 2\\jre\\bin\\java.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"\\\\MINE\\MICROSOFT GAMES\\Links 2003\\LINKSMMIII.EXE"=
"c:\\Documents and Settings\\Dad's Computer\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5000:TCP"= 5000:TCP:AresChatServer

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [03/16/2009 6:12 PM 28544]
R1 FNETURPX;FNETURPX;c:\windows\SYSTEM32\DRIVERS\FNETURPX.SYS [12/15/2008 2:15 PM 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 RapidPortM3;RapidPortM3;c:\windows\SYSTEM32\DRIVERS\CAPM3LP.SYS [07/02/2009 10:28 AM 22976]
R3 FNETTBOH;FNETTBOH;c:\windows\SYSTEM32\DRIVERS\FNETTBOH.SYS [12/15/2008 2:15 PM 17792]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\SYSTEM32\DRIVERS\ppa.sys [01/30/2005 6:26 PM 17792]
S2 gupdate1c9babfb4d33912;Google Update Service (gupdate1c9babfb4d33912);c:\program files\Google\Update\GoogleUpdate.exe [04/11/2009 11:08 AM 133104]
S3 Cdfssokw;Cdfssokw;c:\windows\SYSTEM32\DRIVERS\isapnp.sys [08/17/2001 2:58 PM 37248]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S4 0230331239922897mcinstcleanup;McAfee Application Installer Cleanup (0230331239922897);c:\windows\TEMP\023033~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\023033~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [01/02/2007 4:19 PM 639224]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/03/2006 6:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 16:07]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 16:07]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1469528180-1414648073-3814679842-1006.job
- c:\documents and settings\Dad's Computer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-16 22:27]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-25 16:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-25 16:22]

2010-01-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-01-16 c:\windows\Tasks\User_Feed_Synchronization-{07495E2C-D59C-4BD3-A2F3-88040359BD02}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Dad's Computer\Start Menu\Programs\UltimateBet\UltimateBet.lnk
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {E302F157-A890-4B6F-A421-839D25055D6D} - hxxp://www.novalogic.com/pub/NLSysInfo.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 05:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1469528180-1414648073-3814679842-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e9,9e,46,e1,3b,7b,35,93,b6,71,2e,a7,ab,4c,2c,c6,cd,8a,97,a7,73,5f,c8,
32,ea,3b,ac,26,df,3c,12,ea,91,80,26,4c,fb,b8,ab,1c,11,b3,d6,b2,47,d7,8f,fd,\
"??"=hex:16,d7,d1,e0,b0,77,ec,e1,fa,f2,b0,3a,3d,81,3f,17

[HKEY_USERS\S-1-5-21-1469528180-1414648073-3814679842-1006\Software\SecuROM\License information*]
"datasecu"=hex:a1,a9,f6,2c,b9,df,c7,98,9e,73,83,3c,97,05,16,5a,44,0b,b2,65,89,
6c,0a,29,a7,a5,54,fc,06,dd,67,ac,1c,8f,a7,33,9a,14,45,97,50,bd,78,1e,8b,09,\
"rkeysecu"=hex:3c,42,92,f0,9b,39,b0,c6,c0,0f,a0,e4,e6,61,98,6f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(15612)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-16 05:58:13
ComboFix-quarantined-files.txt 2010-01-16 10:58
ComboFix2.txt 2010-01-15 23:27
ComboFix3.txt 2009-03-20 21:32
ComboFix4.txt 2009-03-20 20:43
ComboFix5.txt 2010-01-16 10:49

Pre-Run: 83,485,347,840 bytes free
Post-Run: 83,486,498,816 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 5832373574B4B5D42803DCF49B3BC12C


#12 nighttrain20
  • Topic Starter
  • Members
  • 49 posts

Posted 16 January 2010 - 06:33 AM

I updated JAVA as asked.

My system boots up faster, and my IE loads faster.

No more redirecting going on & my overall performance seems faster.

Is there more we need to do?

Thanks,

Tony

#13 Farbar
  • Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 January 2010 - 06:37 AM

Everything looks good.

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /Uninstall

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

You may clean your desktop of any logs or tools we used.

Happy surfing, Tony.



#14 nighttrain20
  • Topic Starter
  • Members
  • 49 posts

Posted 16 January 2010 - 07:05 AM

When I try to follow your instructions to uninstall, I get the prompt "Windows cannot find ComboFix. Make sure you typed the name correctly."

Also, should I keep WinPatrol working on my computer?

As I update programs like Adobe Macromedia Flash and WinRAR, it alerts me to a change..... should I allow these changes?


Thanks

#15 Farbar
  • Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 January 2010 - 07:11 AM

Did you copy and paste the command, or type it?

Are you sure ComboFix is on your desktop and was not deleted by McAfee?

If it is there, disable McAfee auto-protection temporarily and try this command:

"c:\documents and settings\Dad's Computer\Desktop\ComboFix.exe" /uninstall

In case it was deleted, download it again to your desktop and apply the command.

Tell me if you could do it.

