
Google site re-direct, Hijacked???


8 replies to this topic

#1 bschoch
  • Members
  • 34 posts

Posted 02 February 2010 - 01:44 PM

Hi. I have been having this problem, that apparently seems pretty common.
It started with a little icon on the tool bar at the bottom that looked like a red circle with an x in it, and a balloon popped up that said your computer is infected, click here to remove it. Downloaded Malwarebytes from downloads.cnet.com, found 11 infections the first time, then 2 or so, and none now. BUT Google searches are still getting redirected to other search sites.
We did not, but have used this computer for banking stuff, but not since the problem started, with no saved passwords or anything.
There are errors showing up in Event Viewer; I have typed the error messages below. When I go to the Microsoft help link it says no user action required for the errors and warnings.

Please help to guide me!
Thank you.

MESSAGE 1:
The master browser has received a server announcement from the computer BDS2 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{E8A5B964-9B20-4F82-A038. The master browser is stopping or an election is being forced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp

MESSAGE 2:
The browser was unable to retrieve a list of servers from the browser master \\BDS2 on the network \Device\NetBT_Tcpip_{E8A5B964-9B20-4F82-A038-153F1D4F9845}. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

MESSAGE 3:
A request has been submitted to promote the computer to backup when it is already a master browser.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


#2 boopme
  • Global Moderator
  • 72,760 posts

Posted 02 February 2010 - 04:19 PM

Hello and welcome..
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Next run ATF and SAS: If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#3 bschoch
  • Topic Starter
  • Members
  • 34 posts

Posted 03 February 2010 - 01:57 PM

Quoting boopme (Feb 2 2010, 04:19 PM):
Hello and welcome..
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


MALWARE LOG:

Malwarebytes' Anti-Malware 1.44
Database version: 3685
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

02/03/2010 1:54:59 PM
mbam-log-2010-02-03 (13-54-59).txt

Scan type: Quick Scan
Objects scanned: 145625
Time elapsed: 11 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme
  • Global Moderator
  • 72,760 posts

Posted 03 February 2010 - 02:53 PM

Please run the ATF and SAS scans..
Also the first infected log from Malwarebytes, so I can see what was here.

If nothing is found, start a new topic in the XP forum up top with those Event Viewer messages.

Edited by boopme, 03 February 2010 - 02:58 PM.


#5 bschoch
  • Topic Starter
  • Members
  • 34 posts

Posted 03 February 2010 - 06:42 PM

I ran ATF-Cleaner and SUPERAntiSpyware. I also had run ComboFix previously and Malwarebytes twice previously; see logs below:

Superantispyware log, ran today:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/03/2010 at 04:24 PM

Application Version : 4.33.1000

Core Rules Database Version : 4551
Trace Rules Database Version: 2363

Scan type : Complete Scan
Total Scan Time : 01:58:05

Memory items scanned : 285
Memory threats detected : 0
Registry items scanned : 6699
Registry threats detected : 0
File items scanned : 75185
File threats detected : 68

Adware.Tracking Cookie


ComboFix log, ran 2-2-10:

ComboFix 10-02-01.02 - Dr. Brett 02/01/2010 20:11:05.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.756 [GMT -5:00]
Running from: F:\dfasdfix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\s
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\29358.exe
c:\windows\system32\autorun.ini
c:\windows\system32\install.exe
c:\windows\Temp\1869580767.dll
c:\windows\Uninstall.ini

"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-742795053-4225887568-2191267482-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-742795053-4225887568-2191267482-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-742795053-4225887568-2191267482-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\DesktopAppInstall\oemDesktop2]
"Name"="oemDesktop2"
"DisplayName"="Media Wizard"
"Param1"="\\EXTRAS\\DESKTOP\\Media_Wizard\\Media_Wizard_3.0.exe"
"Param2"=""
"Type"="createprocess"
"Order"=dword:00000000
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1275210071-1645522239-839522115-1003_Classes\Software\CLASSES\CLSID\{16AA07BC-8680-FA2A-79E3-8A7108EFBAEA}*\InprocServer32]
"{16AA07BC-8680-FA2A-79E3-8A7108EFBAEA}"=hex:aa,bd,51,8f,53,0b,89,d1,51,6d,ff,
34,22,1b,69,0b,b5,6e,c8,eb,e4,1a,12,19,aa,bd,51,8f,53,0b,89,d1,aa,bd,51,8f,\

[HKEY_USERS\S-1-5-21-1275210071-1645522239-839522115-1003_Classes\Software\CLASSES\CLSID\{4F83A50C-8A5D-B8CA-3CE6-77289763F6E1}*\InprocServer32]
"{4F83A50C-8A5D-B8CA-3CE6-77289763F6E1}"=hex:70,e6,4b,e8,8c,00,17,45,3d,df,eb,
ce,a5,e9,3b,48,c6,4b,6a,b8,61,df,c3,88,70,e6,4b,e8,8c,00,17,45,70,e6,4b,e8,\

[HKEY_USERS\S-1-5-21-1275210071-1645522239-839522115-1003_Classes\Software\CLASSES\CLSID\{B9171833-609A-6914-B834-F7D9BA58F5B9}*\InprocServer32]
"{B9171833-609A-6914-B834-F7D9BA58F5B9}"=hex:09,87,05,17,3c,7d,00,17,53,a8,d9,
84,3b,60,39,0e,bd,9e,42,42,3b,d5,d8,fc,09,87,05,17,3c,7d,00,17,09,87,05,17,\

[HKEY_USERS\S-1-5-21-1275210071-1645522239-839522115-1003_Classes\Software\CLASSES\CLSID\{BE154681-464F-F92C-3BE1-BDB835F01016}*\InprocServer32]
"{BE154681-464F-F92C-3BE1-BDB835F01016}"=hex:e9,d8,86,27,66,81,51,e5,98,b3,33,
bb,46,90,ae,97,07,2d,0b,92,91,50,02,ef,e9,d8,86,27,66,81,51,e5,e9,d8,86,27,\

[HKEY_USERS\S-1-5-21-1275210071-1645522239-839522115-1003_Classes\Software\CLASSES\CLSID\{FBB0FBF5-0A8C-5E68-92D1-3B4F698F1B3A}*\InprocServer32]
"{FBB0FBF5-0A8C-5E68-92D1-3B4F698F1B3A}"=hex:22,48,51,a1,dc,94,cf,da,b1,0f,b6,
3c,ea,a3,d6,c5,17,e0,7d,4e,7e,db,a3,b1,22,48,51,a1,dc,94,cf,da,22,48,51,a1,\
.
Completion time: 2010-02-01 20:16:46
ComboFix-quarantined-files.txt 2010-02-02 01:16

Pre-Run: 11,111,170,048 bytes free
Post-Run: 11,558,780,928 bytes free

- - End Of File - - 6A221821B3DE24696714496E0B4D1E0C


Original MBAM log, first run on 1-24-2010:

Malwarebytes' Anti-Malware 1.44
Database version: 3630
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

01/24/2010 7:59:35 PM
mbam-log-2010-01-24 (19-59-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 242198
Time elapsed: 1 hour(s), 35 minute(s), 48 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 8
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\servises (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servises (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\servises (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servises (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Brett\Local Settings\Temp\362.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Brett\Local Settings\Temp\WLgM.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Brett\Local Settings\Temp\366.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Brett\Local Settings\Temporary Internet Files\Content.IE5\EO7QZ48J\eH9c59b387V0100f070006R5a45f118102Td7057b23201l0409Kb7bb6143318J0b0006010[1] (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Second MBAM run, 1-25-2010:

Malwarebytes' Anti-Malware 1.44
Database version: 3630
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

01/25/2010 11:35:47 AM
mbam-log-2010-01-25 (11-35-47).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 241986
Time elapsed: 1 hour(s), 26 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\42779920.Evt (Rootkit.Agent.H) -> Quarantined and deleted successfully.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 February 2010 - 10:12 PM

Did these events occur after running ComboFix?
They look like network card problems.
This PC appears clean.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#7 bschoch

bschoch
  • Topic Starter

  • Members
  • 34 posts

Posted 04 February 2010 - 08:20 AM

Did these events occur after running ComboFix?
They look like network card problems.
This PC appears clean.


OK, it was acting up 1-24-10. I ran MBAM, which found several infections and got rid of the pop-ups, but it kept redirecting. I ran MBAM a couple more times. Then I ran a couple of other freeware programs.

Then stumbled upon this site and ran combofix, which appears to have cleaned it and fixed the site redirects.

Then I ran ATF and SUPERAntiSpyware, and updated and ran MBAM again.

ComboFix had deleted some files, as had MBAM (in the logs above, towards the bottom of my post).

#8 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 04 February 2010 - 09:40 PM

Hello,

Does this topic concern the same computer as this one: http://www.bleepingcomputer.com/forums/t/293286/computer-hijacked-email-list-stolen/ ?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#9 bschoch

bschoch
  • Topic Starter

  • Members
  • 34 posts

Posted 05 February 2010 - 01:48 PM

Hello,

Does this topic concern the same computer as this one: http://www.bleepingcomputer.com/forums/t/293286/computer-hijacked-email-list-stolen/ ?

Orange Blossom :thumbsup:



No, that is a different computer. This post is about my laptop, which appears to be fixed. The other post is about my mom's computer, and ironically she began having the problems after connecting through my network at my house. I hope it is just a coincidence.
