Gala stole my Google... Etc


This topic is locked
8 replies to this topic

#1 SWAGGY

  • Members
  • 4 posts

Posted 03 March 2010 - 01:15 PM

Hi there,

I am fixing my sister's computer. It appears that either the 4-year-old or the husband has been randomly clicking something. You know... random Facebook links, YouTube videos and that junk on the little-kid game sites?! I found a really similar thread to my issue, but I don't want to make an error in trying to fix this issue by blindly using the same instructions.

http://www.bleepingcomputer.com/forums/ind...m+Search+Engine

Above is the thread with the same Gala issue: Google searches from the IE toolbar redirect to findgala.com. I thought the issue was merely with IE, but the porn popups appear in my Firefox AND in IE, while the search on Firefox appears fine. The random porn pop-ups come from "sugarxxx.com"; however, I googled that and got nothing.

She has McAfee through her Comcast, which apparently does not work well. I was wondering if I should uninstall it and install Microsoft Security Essentials (http://microsoft.com/securityessentials) instead? Anyway...

I have run Malwarebytes, CCleaner, Spybot (which lists 13 entries that it cannot remove; notes below), Eusing Registry Cleaner, Advanced Windows Care, Hitman Pro 3.5 (which everyone swears fixes this issue, but it scanned clean), and SpywareBlaster.

The Microsoft.Windows.Redirectedhosts section and the Fraud.WindowsProtectionSuite section of the Spybot report listed 13 different items, but I can't get them removed because of an error. The error states:
"Unexpected error in fixing problems (cannot create file "C:\WINDOWS\system32\drivers\etc\hosts". Access is denied"


I did the prep for this entry, but the computer froze for an hour (is it supposed to take that long?) when I was running that GMER scan.

Here is the DDS log, please advise if I should try the GMER log again, or if this is sufficient for now:


DDS (Ver_09-12-01.01) - NTFSx86
Run by julie degelder at 10:13:50.75 on Wed 03/03/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.240 [GMT -6:00]

AV: Security Antivirus *On-access scanning enabled* (Updated) {F0A3DDE4-9BEB-47FC-AA06-EAB4FC5A4F31}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Security Antivirus *enabled* {8BC91425-309A-47B2-8459-2C43F04B0482}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hot Wheels\HotwheelsWatcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Citrix\GoToMyPC\G2ProcessFactory.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Documents and Settings\julie degelder\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/comcast.html
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] "c:\windows\system32\adobe\shockwave 11\SwHelper_1152602.exe" -Update
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Hot Wheels® Turbo Driver™ Watcher] c:\program files\hot wheels\HotwheelsWatcher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /runonce
StartupFolder: c:\documents and settings\julie degelder\start menu\programs\startup\PowerReg Scheduler.exe
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Notify: avldr - avldr.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options -
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\julied~1\applic~1\mozilla\firefox\profiles\269kqkei.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nptidfusionplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-15 214664]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-3-16 616408]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-15 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-15 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-15 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-15 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-15 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-15 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-15 40552]
S2 0030301267631676mcinstcleanup;McAfee Application Installer Cleanup (0030301267631676);c:\windows\temp\003030~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\003030~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S2 PEVSystemStart;PEVSystemStart;cmd /k start /i "/dC:" "c:\combofix\hidec.exe" "c:\combofix\swreg.exe" acl "hkey_local_machine\system\currentcontrolset\enum\root\LEGACY_Beep" /RESET /Q --> cmd [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]

=============== Created Last 30 ================

2010-03-03 16:11:48 0 ----a-w- c:\documents and settings\julie degelder\defogger_reenable
2010-03-03 00:11:58 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-03 00:11:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-03-03 00:11:23 0 d-----w- c:\program files\Hitman Pro 3.5
2010-03-02 17:53:00 0 d-----w- c:\program files\IObit
2010-03-02 17:33:26 111472 ----a-w- c:\windows\system32\gotomon.dll
2010-03-02 17:33:24 0 d-----w- c:\docume~1\alluse~1\applic~1\CitrixLogs
2010-03-02 17:32:56 7046096 ----a-w- c:\documents and settings\julie degelder\gosetup.exe
2010-03-02 16:59:57 411368 ----a-w- c:\windows\system32\REN55.tmp
2010-03-02 15:32:42 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-03-02 15:32:41 0 d-----w- c:\program files\SpywareBlaster
2010-03-02 15:29:57 0 d-----w- c:\docume~1\julied~1\applic~1\Malwarebytes
2010-03-02 15:29:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 15:29:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 15:29:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-28 02:07:15 0 d-----w- c:\program files\NortonInstaller
2010-02-11 19:03:27 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SALKV
2010-02-11 19:03:03 0 d-sh--w- c:\docume~1\alluse~1\applic~1\5cabca8
2010-02-06 05:10:08 0 d-----w- c:\program files\iPod
2010-02-06 05:09:39 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2008-10-02 20:54:34 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 10:15:16.79 ===============

Thank you in advance for your help, I really appreciate your time spent in helping me with this!

Natalie



#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 March 2010 - 06:48 AM

Hi,

* Download: HostsXpert
Unzip HostsXpert to its own folder, e.g. C:\HostsXpert
Start HostsXpert.exe, click 'Restore MS Hosts file' and click OK.

In case you get an error there...
Since you already have malwarebytes installed.....

Open Malwarebytes > More Tools tab > FileAssassin > Click Run Tool
Then an Explorer window will open.
Copy and paste the following into the field under File name:

C:\WINDOWS\system32\drivers\etc\hosts

Then Click open next to it.

You should see this image:



Click yes there.

FileAssassin will then delete the hosts file.

To recreate it again (default hosts file), start HostsXpert again.
It will give a warning that the hosts file doesn't exist and ask you to press OK to create the hosts file.
Click OK there.

Let me know if that solved your issue.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
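The Hosts: lines in the first DDS log show the two things a hijacked hosts file does: a security site (www.spywareinfo.com) is pointed at 127.0.0.1 so it can never load, and several payment-related names are pinned to one real address so the browser silently goes where the rogue "Security Antivirus" wants it to. The reply above fixes this by deleting and recreating the file; the script below is an added example (not code from this thread, from HostsXpert or from DDS) that audits a hosts file and classifies each mapping, so you can see what was wrong before wiping it. The sample content is constructed to mirror the log's entries, and the watched-domain list is an assumption.

```python
"""Audit a Windows hosts file for entries that tamper with where
security-related domains resolve.

Added example: not code from the thread, from HostsXpert or from DDS.
The sample content mirrors the Hosts: lines in the first DDS log; the
watched-domain list is an assumption.
"""
import ipaddress

# Constructed sample: one default entry followed by the lines the DDS log listed.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.spywareinfo.com
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
"""

# Assumed watch list: names whose sinkholing to loopback would keep the user
# away from help or updates. Extend with the vendor domains you care about.
WATCHED_DOMAINS = {"www.spywareinfo.com", "www.bleepingcomputer.com"}

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def _is_local(ip):
    """Loopback (127/8, ::1) or unspecified (0.0.0.0) targets block a name
    rather than redirect it."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return one finding per non-default name -> address mapping.

    kind is one of:
      malformed               - first token is not an IP address
      sinkhole-security-site  - a watched domain pointed at loopback
      sinkhole                - any other name pointed at loopback (review
                                only; ad-blocking hosts files do this on purpose)
      redirect                - a name pointed at a real address, so the
                                browser silently goes elsewhere
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"line": lineno, "kind": "malformed",
                             "ip": addr, "host": " ".join(names)})
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES and _is_local(ip):
                continue                          # the one entry Windows ships
            if _is_local(ip):
                kind = "sinkhole-security-site" if host in watched else "sinkhole"
            else:
                kind = "redirect"
            findings.append({"line": lineno, "kind": kind,
                             "ip": str(ip), "host": host})
    return findings


def default_hosts_file():
    """Minimal replacement content: the single localhost mapping that a
    freshly restored hosts file contains once its comment header is ignored
    (assumption about what 'Restore MS Hosts file' produces)."""
    return "127.0.0.1       localhost\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3} {f['kind']:<23} {f['ip']:<15} {f['host']}")
```

Run it against the real file (`C:\WINDOWS\system32\drivers\etc\hosts`) by reading it into `audit_hosts`; anything reported as `redirect` or `sinkhole-security-site` is what the HostsXpert restore step is meant to remove. Plain `sinkhole` entries need a human look, since ad-blocking hosts files create thousands of them legitimately.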

#3 SWAGGY

  • Topic Starter

  • Members
  • 4 posts

Posted 05 March 2010 - 05:20 PM

Hi there, thank you for your reply. This does not fix the Gala problem; however, I ran another Spybot scan and those 13 errors are gone. Here is another log, not sure if it is needed.


DDS (Ver_09-12-01.01) - NTFSx86
Run by julie degelder at 16:12:35.89 on Fri 03/05/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.229 [GMT -6:00]

AV: Security Antivirus *On-access scanning enabled* (Updated) {F0A3DDE4-9BEB-47FC-AA06-EAB4FC5A4F31}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Security Antivirus *enabled* {8BC91425-309A-47B2-8459-2C43F04B0482}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hot Wheels\HotwheelsWatcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\julie degelder\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/comcast.html
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Hot Wheels® Turbo Driver™ Watcher] c:\program files\hot wheels\HotwheelsWatcher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /runonce
StartupFolder: c:\documents and settings\julie degelder\start menu\programs\startup\PowerReg Scheduler.exe
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Notify: avldr - avldr.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options -

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\julied~1\applic~1\mozilla\firefox\profiles\269kqkei.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nptidfusionplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-15 214664]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-3-16 616408]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-15 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-15 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-15 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-15 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-15 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-15 40552]
S2 0244131267728533mcinstcleanup;McAfee Application Installer Cleanup (0244131267728533);c:\windows\temp\024413~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\024413~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-24 135664]
S2 PEVSystemStart;PEVSystemStart;cmd /k start /i "/dC:" "c:\combofix\hidec.exe" "c:\combofix\swreg.exe" acl "hkey_local_machine\system\currentcontrolset\enum\root\LEGACY_Beep" /RESET /Q --> cmd [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-15 34248]

=============== Created Last 30 ================

2010-03-05 22:06:21 0 d-----w- c:\program files\NortonInstaller
2010-03-03 16:11:48 0 ----a-w- c:\documents and settings\julie degelder\defogger_reenable
2010-03-03 00:11:58 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-03 00:11:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-03-03 00:11:23 0 d-----w- c:\program files\Hitman Pro 3.5
2010-03-02 17:53:00 0 d-----w- c:\program files\IObit
2010-03-02 17:33:26 111472 ----a-w- c:\windows\system32\gotomon.dll
2010-03-02 17:33:24 0 d-----w- c:\docume~1\alluse~1\applic~1\CitrixLogs
2010-03-02 17:32:56 7046096 ----a-w- c:\documents and settings\julie degelder\gosetup.exe
2010-03-02 15:32:42 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-03-02 15:32:41 0 d-----w- c:\program files\SpywareBlaster
2010-03-02 15:29:57 0 d-----w- c:\docume~1\julied~1\applic~1\Malwarebytes
2010-03-02 15:29:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 15:29:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 15:29:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-11 19:03:27 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SALKV
2010-02-11 19:03:03 0 d-sh--w- c:\docume~1\alluse~1\applic~1\5cabca8
2010-02-06 05:10:08 0 d-----w- c:\program files\iPod
2010-02-06 05:09:39 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-12-17 23:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-10-02 20:54:34 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 16:13:43.14 ===============
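Both DDS logs above carry a "Created Last 30" section, and the two entries worth a second look in it are the hidden+system directories SALKV and 5cabca8 under All Users\Application Data, created on the same day the rogue "Security Antivirus" showed up, alongside the drivers the poster's own tools installed. The script below is an added example (not code from this thread or from the DDS tool) that parses those lines and applies two triage heuristics. The sample lines are copied from the logs above; the attribute-flag positions (d=directory, c=compressed, s=system, h=hidden, a=archive, w=writable) are inferred from those lines and are an assumption, as is the choice of heuristics.

```python
"""Triage the "Created Last 30" section of a DDS log.

Added example, not code from the thread or from the DDS tool. Attribute
flag positions are inferred from the posted log lines (assumption):
  [0] d=directory  [1] c=compressed  [2] s=system  [3] h=hidden
  [4] a=archive    [6] w=writable
"""
import re
from dataclasses import dataclass

# Sample lines copied from the DDS logs in this thread. Raw string: the
# Windows paths contain \a and \d sequences that must not be escape-processed.
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2010-03-03 16:11:48 0 ----a-w- c:\documents and settings\julie degelder\defogger_reenable
2010-03-03 00:11:58 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-03 00:11:23 0 d-----w- c:\program files\Hitman Pro 3.5
2010-03-02 15:29:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 15:29:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 19:03:27 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SALKV
2010-02-11 19:03:03 0 d-sh--w- c:\docume~1\alluse~1\applic~1\5cabca8
2010-02-06 05:10:08 0 d-----w- c:\program files\iPod
"""

DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Both the long and the 8.3 spelling of Application Data, as seen in the logs.
APPDATA_MARKERS = ("\\application data\\", "\\applic~1\\")


@dataclass
class Entry:
    created: str
    size: int
    is_dir: bool
    system: bool
    hidden: bool
    path: str        # lower-cased for matching


def parse_created_section(text):
    """Turn DDS 'Created Last 30' lines into Entry objects; headers, blank
    lines and anything else that does not fit the format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if not m:
            continue
        attrs = m["attrs"]
        entries.append(Entry(
            created=f"{m['date']} {m['time']}",
            size=int(m["size"]),
            is_dir=attrs[0] == "d",
            system=attrs[2] == "s",
            hidden=attrs[3] == "h",
            path=m["path"].lower(),
        ))
    return entries


def triage(entries):
    """Return (kind, path) pairs for entries that deserve a look.

    hidden-system-appdata: a hidden+system item in Application Data. Normal
        software rarely needs both flags there; the SALKV and 5cabca8
        directories in the sample are the kind of thing this catches.
    new-driver: a .sys file created under \\drivers\\ in the window. Review
        only; the three in the sample belong to tools the poster ran.
    """
    findings = []
    for e in entries:
        if e.hidden and e.system and any(mk in e.path for mk in APPDATA_MARKERS):
            findings.append(("hidden-system-appdata", e.path))
        elif e.path.endswith(".sys") and "\\drivers\\" in e.path:
            findings.append(("new-driver", e.path))
    return findings


if __name__ == "__main__":
    for kind, path in triage(parse_created_section(SAMPLE_LOG)):
        print(f"{kind:<22} {path}")
```

Feed it the whole DDS.txt rather than just the section: lines from Find3M and the other sections that match the same date/size/attrs/path shape are parsed too, which is harmless, and everything else is ignored. The heuristics are deliberately narrow; they are a first pass to decide what to ask about, not a verdict.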


#4 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 March 2010 - 01:55 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.




#5 SWAGGY

  • Topic Starter

  • Members
  • 4 posts

Posted 06 March 2010 - 02:31 PM


Hi there,

I am doing this fix via gotomypc.com, so I ran ComboFix and the remote computer rebooted itself, and this log came up after the reboot. I am not sure exactly what happened, or if that is what is supposed to happen, etc.

Thanks again :)
Natalie



ComboFix 10-03-05.03 - julie degelder 03/06/2010 3:15.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.469 [GMT -6:00]
Running from: c:\documents and settings\julie degelder\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\JULIED~1\LOCALS~1\Temp\TempFolder.aaa\dirapi.dll
c:\docume~1\JULIED~1\LOCALS~1\Temp\TempFolder.aaa\iml32.dll
c:\docume~1\JULIED~1\LOCALS~1\Temp\TempFolder.aaa\proj.dll
c:\docume~1\JULIED~1\LOCALS~1\Temp\TempFolder.aaa\xtras\budapi.x32
c:\docume~1\JULIED~1\LOCALS~1\Temp\TempFolder.aaa\xtras\budtray.x32
c:\docume~1\JULIED~1\LOCALS~1\Temp\TempFolder.aaa\xtras\UsbAccessXtra.x32
c:\documents and settings\julie degelder\Local Settings\Temp\TempFolder.aaa\dirapi.dll
c:\documents and settings\julie degelder\Local Settings\Temp\TempFolder.aaa\iml32.dll
c:\documents and settings\julie degelder\Local Settings\Temp\TempFolder.aaa\proj.dll
c:\documents and settings\julie degelder\Local Settings\Temp\TempFolder.aaa\xtras\budapi.x32
c:\documents and settings\julie degelder\Local Settings\Temp\TempFolder.aaa\xtras\budtray.x32
c:\documents and settings\julie degelder\Local Settings\Temp\TempFolder.aaa\xtras\UsbAccessXtra.x32

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-06 09:26 . 2010-03-06 09:28 -------- d-----w- c:\windows\LastGood
2010-03-03 00:11 . 2010-03-05 22:01 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-03 00:11 . 2010-03-03 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-03 00:11 . 2010-03-03 00:11 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-03-02 17:53 . 2010-03-02 17:53 -------- d-----w- c:\program files\IObit
2010-03-02 17:33 . 2010-02-22 21:58 111472 ----a-w- c:\windows\system32\gotomon.dll
2010-03-02 17:33 . 2010-03-02 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\CitrixLogs
2010-03-02 17:32 . 2010-03-02 17:33 7046096 ----a-w- c:\documents and settings\julie degelder\gosetup.exe
2010-03-02 15:32 . 2005-08-26 01:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-03-02 15:32 . 2010-03-02 16:03 -------- d-----w- c:\program files\SpywareBlaster
2010-03-02 15:29 . 2010-03-02 15:29 -------- d-----w- c:\documents and settings\julie degelder\Application Data\Malwarebytes
2010-03-02 15:29 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 15:29 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 15:29 . 2010-03-02 15:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-11 19:03 . 2010-02-11 19:03 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SALKV
2010-02-11 19:03 . 2010-02-28 14:17 -------- d-sh--w- c:\documents and settings\All Users\Application Data\5cabca8
2010-02-06 05:10 . 2010-02-06 05:10 -------- d-----w- c:\program files\iPod
2010-02-06 05:09 . 2010-02-06 05:11 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 16:23 . 2010-03-06 16:23 -------- d-----w- c:\program files\NortonInstaller
2010-03-06 16:19 . 2009-05-10 21:31 -------- d-----w- c:\program files\Hot Wheels
2010-03-05 21:05 . 2009-01-31 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-03 17:11 . 2007-09-01 20:52 30248 -c--a-w- c:\documents and settings\julie degelder\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-02 22:41 . 2007-08-28 15:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 17:33 . 2007-10-28 22:58 -------- d-----w- c:\program files\Citrix
2010-03-02 17:33 . 2007-08-28 15:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-02 17:11 . 2007-08-28 14:58 -------- d-----w- c:\program files\Java
2010-03-02 17:02 . 2009-01-18 23:46 -------- d-----w- c:\program files\Activision Value
2010-03-02 17:00 . 2007-08-28 14:58 -------- d-----w- c:\program files\Common Files\Java
2010-03-02 17:00 . 2010-03-02 17:00 61440 ----a-w- c:\documents and settings\julie degelder\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-451913d7-n\decora-sse.dll
2010-03-02 17:00 . 2010-03-02 17:00 503808 ----a-w- c:\documents and settings\julie degelder\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1e0541ca-n\msvcp71.dll
2010-03-02 17:00 . 2010-03-02 17:00 499712 ----a-w- c:\documents and settings\julie degelder\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1e0541ca-n\jmc.dll
2010-03-02 17:00 . 2010-03-02 17:00 348160 ----a-w- c:\documents and settings\julie degelder\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1e0541ca-n\msvcr71.dll
2010-03-02 17:00 . 2010-03-02 17:00 12800 ----a-w- c:\documents and settings\julie degelder\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-451913d7-n\decora-d3d.dll
2010-03-02 16:21 . 2009-11-10 03:06 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-03-02 16:14 . 2009-01-31 18:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-02 15:56 . 2007-09-25 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-02 15:34 . 2008-05-27 13:28 -------- d-----w- c:\program files\CCleaner
2010-03-02 05:19 . 2009-06-16 02:06 -------- d-----w- c:\documents and settings\john skelton\Application Data\CallingID
2010-02-28 02:08 . 2009-11-15 22:35 79488 ----a-w- c:\documents and settings\john skelton\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-11 18:07 . 2009-11-16 01:04 79488 ----a-w- c:\documents and settings\julie degelder\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-06 05:10 . 2007-09-25 00:25 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 05:01 . 2010-02-06 05:01 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-05 10:46 . 2007-09-02 18:24 -------- d-----w- c:\program files\Google
2010-01-20 01:17 . 2009-06-16 02:05 -------- d-----w- c:\documents and settings\john skelton\Application Data\comcasttb
2010-01-13 01:46 . 2010-02-11 19:03 443384 ----a-w- c:\documents and settings\All Users\Application Data\5cabca8\sqlite3.dll
2010-01-13 01:46 . 2010-02-11 19:03 710136 ----a-w- c:\documents and settings\All Users\Application Data\5cabca8\mozcrt19.dll
2010-01-11 23:01 . 2009-07-09 01:49 -------- d-----w- c:\program files\QuickTime
2010-01-11 22:46 . 2009-07-31 01:04 -------- d-----w- c:\program files\Safari
2010-01-11 22:43 . 2010-01-11 22:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-12-17 23:14 . 2008-12-07 18:41 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Hot Wheels® Turbo Driver™ Watcher"="c:\program files\Hot Wheels\HotwheelsWatcher.exe" [2008-01-25 2870612]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-03-05 5650240]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2009-09-17 284024]

c:\documents and settings\julie degelder\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-6-6 256000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 21:58 58672 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2009-12-16 00:13 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PictureMover.lnk]
backup=c:\windows\pss\PictureMover.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2008-08-13 22:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2008-11-25 17:58 356352 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"IDriverT"=3 (0x3)
"hnmsvc"=2 (0x2)
"GoToAssist"=3 (0x3)
"DSBrokerService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [3/16/2009 3:37 PM 616408]
S2 0244131267728533mcinstcleanup;McAfee Application Installer Cleanup (0244131267728533);c:\windows\TEMP\024413~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\024413~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 3:39 PM 135664]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2008 6:47 PM 18560]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 21:39]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 21:39]

2010-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-16 18:22]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-16 18:22]

2010-03-06 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-09-17 14:00]

2010-03-06 c:\windows\Tasks\User_Feed_Synchronization-{B9FBD114-362E-43C2-9003-323B6580C4E5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/comcast.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\julie degelder\Application Data\Mozilla\Firefox\Profiles\269kqkei.default\
FF - prefs.js: browser.search.selectedEngine - Comcast Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 10:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\avldr.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'explorer.exe'(1064)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\docume~1\JULIED~1\LOCALS~1\Temp\TempFolder.aab\xtras\budtray.x32
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Citrix\GoToMyPC\g2mainh.exe
c:\program files\Citrix\GoToMyPC\g2host.exe
c:\program files\Citrix\GoToMyPC\g2printh.exe
c:\program files\Citrix\GoToMyPC\g2audioh.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-06 10:26:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 16:26

Pre-Run: 220,333,387,776 bytes free
Post-Run: 220,169,302,016 bytes free

- - End Of File - - 55441BF8ADC5BEEA96F844BBCFBB86DB
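
The log above is the kind of artifact a responder reads by hand, and the entries worth a second look are visible without any tool: two directories with the hidden and system attributes (d-sh--w-) and random-looking names under All Users\Application Data (SALKV and 5cabca8, the latter holding sqlite3.dll and mozcrt19.dll), Security Center monitoring switched off under both McAfee entries, the standard firewall profile at EnableFirewall=0, a McAfee cleanup service whose image sits in c:\windows\TEMP and is listed with [?] rather than a date and size, and a budtray.x32 module loaded into explorer.exe from the user's Temp folder. None of these is a verdict on its own: third-party suites such as the McAfee products running here commonly set DisableMonitoring and replace the Windows firewall, and an .x32 in a Temp "xtras" folder is typically a Shockwave/Director Xtra unpacked by a game. The Python script below is an added example, not part of this thread or of ComboFix; it parses the three line shapes ComboFix emits (dated entries with an attribute column, REGEDIT4-style key/value blocks, and the service and per-process module lists) and reports those indicators so they can be checked. The attribute-column layout is read off the log's own entries (d-sh--w-, d--h--w-, ----a-w-), the category names and rules (hidden+system directory under Application Data, any path with a component named temp) are this example's own choices, and the sample input is a subset of lines excerpted from the log above.

```python
"""Triage a ComboFix log for indicators worth a manual check.  Added example for
this thread, not ComboFix code; rules and category names are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Dated entry: "<mtime> . <ctime> <size-or-dashes> <attrs> <path>".  The 8-char
# attribute column reads d=directory, c=compressed, s=system, h=hidden, a=archive.
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+([-a-z]{8})\s+(.+)$"
)
REG_KEY = re.compile(r"^\[(.+)\]$")                             # [HKEY_...\key]
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')               # "name"=value
PROC_HEADER = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")      # - - - > 'proc'(pid)
SERVICE_LINE = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.+)$")  # R2 name;display;image
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)              # a path component named temp


@dataclass(frozen=True)
class Finding:
    kind: str    # category, chosen by this example
    detail: str  # path, registry key or service name that triggered it


def triage(log_text: str) -> list[Finding]:
    """Return indicators in log order; each is a prompt to verify, not a verdict."""
    findings: list[Finding] = []
    current_key = ""   # registry key whose values are being listed
    current_proc = ""  # process whose loaded modules are being listed
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := FILE_LINE.match(line):
            attrs, path = m.group(1), m.group(2)
            is_dir, is_system, is_hidden = attrs[0] == "d", attrs[2] == "s", attrs[3] == "h"
            # Hidden+system directories under Application Data are unusual for ordinary
            # software; hidden-only ones (d--h--w-) are common and deliberately ignored.
            if is_dir and is_system and is_hidden and "application data" in path.lower():
                findings.append(Finding("hidden-system-dir-in-appdata", path))
        elif m := REG_KEY.match(line):
            current_key, current_proc = m.group(1), ""
        elif m := PROC_HEADER.match(line):
            current_proc, current_key = m.group(1), ""
        elif line.startswith("--"):  # a section banner ends any per-process list
            current_proc = ""
        elif (m := SERVICE_LINE.match(line)) and TEMP_PATH.search(m.group(3)):
            findings.append(Finding("service-binary-in-temp", m.group(1)))
        elif (m := REG_VALUE.match(line)) and current_key:
            name, value, key_l = m.group(1), m.group(2), current_key.lower()
            if ("security center\\monitoring" in key_l and name == "DisableMonitoring"
                    and value.endswith("1")):
                findings.append(Finding("security-center-monitoring-disabled", current_key))
            elif "firewallpolicy" in key_l and name == "EnableFirewall" and value.startswith("0"):
                findings.append(Finding("windows-firewall-disabled", current_key))
        elif current_proc and TEMP_PATH.search(line):
            findings.append(Finding("module-loaded-from-temp", f"{current_proc}: {line}"))
    return findings


def kinds(log_text: str) -> dict[str, int]:
    """Count findings per category for a quick overview."""
    counts: dict[str, int] = {}
    for f in triage(log_text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Lines excerpted verbatim from the ComboFix log in this thread (a subset chosen to
# exercise each check; the benign lines show what stays quiet).
SAMPLE_LOG = r"""
2010-02-11 19:03 . 2010-02-11 19:03 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SALKV
2010-02-11 19:03 . 2010-02-28 14:17 -------- d-sh--w- c:\documents and settings\All Users\Application Data\5cabca8
2010-03-02 17:33 . 2007-08-28 15:00 -------- d--h--w- c:\program files\InstallShield Installation Information
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 0244131267728533mcinstcleanup;McAfee Application Installer Cleanup (0244131267728533);c:\windows\TEMP\024413~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 3:39 PM 135664]
- - - - - - - > 'explorer.exe'(1064)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\docume~1\JULIED~1\LOCALS~1\Temp\TempFolder.aab\xtras\budtray.x32
c:\windows\system32\WPDShServiceObj.dll
------------------------ Other Running Processes ------------------------
c:\program files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    import sys
    # Pass a saved ComboFix.txt as the first argument to scan a real log instead.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f.kind:38} {f.detail}")
```

Run it on the saved ComboFix.txt and the seven hits from the excerpt come back in log order; the hidden-only InstallShield directory, the Google Update service and the CACheck.dll module stay quiet. The two hidden+system directories are the item to examine first, since nothing else in the log accounts for them; the DisableMonitoring and EnableFirewall hits should be reconciled against the McAfee antivirus and firewall services that the log shows running before anything is changed.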


#6 miekiemoes
Malware Killer Dog, Malware Response Team (Belgium)

Posted 07 March 2010 - 07:58 AM

Hi,

Are you still having problems now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SWAGGY (Topic Starter)

Posted 07 March 2010 - 01:56 PM

I think we are good now (I was not sure if ComboFix was a fix or another scan... sorry about that). I went in and deleted all the search engine boxes on all of the browser windows and re-added them (Google was still Gala on IE on the toolbar) and ran all the spyware scans again, and it seems to be working now. No porn pop-ups, which is a plus with the 4-year-old factor! Thank you for your help, truly appreciated!



#8 miekiemoes
Malware Killer Dog, Malware Response Team (Belgium)

Posted 08 March 2010 - 02:00 AM

Hi,

Good to hear...

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Also,

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes
Malware Killer Dog, Malware Response Team (Belgium)

Posted 10 March 2010 - 11:32 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



