Have active internet connection, browsers don't work


7 replies to this topic

#1 phyllisp160

Posted 28 March 2010 - 08:56 PM

I originally posted this over here: http://www.bleepingcomputer.com/forums/t/305551/have-active-internet-connection-browsers-dont-work/

Here's what I said over there:
----------------
One of our computers got hit with a trojan that disabled Norton and Malwarebytes and all browsing except to the pages that tried to get you to buy whatever program was supposed to "fix" the problem. We managed to get rid of the pop-ups warning of impending doom (by deleting the most recent files deposited on the machine) and got Norton and Malwarebytes running again. Malwarebytes found nothing, nor did Norton, but it did clean up the registry. Everything seems fine now, except neither browser -- IE or Chrome -- can get anywhere.

The internet connection is active. I can successfully ping sites from the command prompt, packets are going out and coming in, and the 2nd computer -- which connects through the same router -- can get to the internet just fine (that's the computer I'm using).

I'm to the point where I think all we can do is reformat, but he has soooo much stuff on his computer that it's going to be a major time investment to back up the files and reinstall all the software. I thought I'd come here first and see if anyone had any suggestions. Thanks in advance.
-------------------

Following instructions given over there, I've read the "getting started" guide and am posting the requested files. Thanks so much for any advice you can give me.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Barron at 18:43:02.56 on Sun 03/28/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1451 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\YouSendIt\Express\YouSendIt.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Documents and Settings\Barron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {348FE907-249E-4C65-A838-F34A193FE1D1} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [YouSendIt.exe] c:\program files\yousendit\express\YouSendIt.exe -ui none
uRun: [userini] c:\windows\explorer.exe:userini.exe
uRun: [ugfhsyvd] c:\documents and settings\barron\local settings\application data\umlmcq\chrlsftav.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [USBToolTip] "c:\program files\pinnacle\shared files\\programs\usbtip\USBTip.exe"
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uExplorerRun: [userini] c:\windows\system32\userini.exe
mExplorerRun: [userini] c:\windows\system32\userini.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
IE: &Search
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216153108232
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217775983328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: WB - c:\program files\alienguise\fastload.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IPC Configuration Utility - No File
LSA: Notification Packages = :\windows\syste

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R1 TeksKernel;TeksKernel;c:\windows\system32\drivers\TeksKernel.sys [2004-7-8 9060]
R2 ProductivITService;ProductivIT Service;c:\program files\alienautopsy\TEKS_Service.exe [2004-7-8 77824]
S2 gupdate1ca0ff56dcf4fac;Google Update Service (gupdate1ca0ff56dcf4fac);c:\program files\google\update\GoogleUpdate.exe [2009-7-28 133104]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-14 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-14 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-14 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-14 40552]
S3 PinnacleMarvinAVS;Pinnacle AVStream Service for MovieBox Deluxe, 500-USB and 700-USB;c:\windows\system32\drivers\MarvinAVS.sys [2007-5-9 434176]
S4 Adpdmfwmir;Adpdmfwmir; [x]

=============== Created Last 30 ================

2010-03-28 20:16:21 0 d-----w- c:\windows\setup.pss
2010-03-17 23:24:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-03-17 10:34:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-03-17 10:32:05 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-03-17 10:11:20 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-17 10:09:37 8212 ----a-w- c:\windows\mfebcdata
2010-02-27 00:59:27 0 d-----w- C:\My Music

==================== Find3M ====================

2010-03-28 17:48:43 2708 ----a-w- c:\windows\system32\tmp.reg
2010-03-19 01:47:37 1947 ----a-w- c:\windows\eReg.dat
2010-01-16 17:55:28 1033728 ----a-w- c:\windows\explorer.exe
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-09-14 16:40:34 16476 ----a-w- c:\program files\common files\tunecivuty._sy
2009-09-14 16:40:34 16166 ----a-w- c:\program files\common files\azidap._dl
2009-09-14 16:40:34 11344 ----a-w- c:\program files\common files\hocofo.dat
2002-07-26 22:02:06 153088 ----a-w- c:\program files\UNWISE.EXE
2008-12-17 07:09:46 109 --sha-w- c:\windows\system32\540125235.dat
2008-08-03 18:06:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071420080721\index.dat
2008-08-03 18:06:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080320080804\index.dat

============= FINISH: 18:44:12.92 ===============

#2 Farbar

Posted 29 March 2010 - 04:07 PM

Hi phyllisp160,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

You may download ComboFix and transfer it to the internet computer. In case it doesn't run, rename it to kat.exe and run it.
  1. Go to Start => Control Panel => Internet Options => click on the Connections tab, then click on LAN Settings. The following items should be unchecked:
      • Automatically detect settings
      • Use a proxy server for your LAN
     Check if IE connects and tell me about it, but proceed with the next step anyway.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the untrusted download sites for ComboFix; click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
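
The "Use a proxy server for your LAN" step above targets the `uInternet Settings,ProxyServer = http=127.0.0.1:5555` line in the DDS log: the browsers were pointed at a proxy on the machine itself, which is why ping worked while IE and Chrome did not. As an added example (not part of the thread, and not code from the DDS or ComboFix tools), the script below parses DDS Pseudo HJT Report lines and flags that loopback proxy along with the autostart entries the same log shows: a target that is an NTFS alternate data stream, an executable launched from the user's Application Data folder, and use of the Policies\Explorer\Run key. The sample lines are copied from the posted log; the `Finding` type and the heuristics are this example's own.

```python
"""Triage pass over DDS 'Pseudo HJT Report' lines (added example; not from
the thread or from the DDS/ComboFix tools). Findings are signals for a
human analyst to review, not a verdict."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the DDS Pseudo HJT format (lines copied from the posted log).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [userini] c:\windows\explorer.exe:userini.exe
uRun: [ugfhsyvd] c:\documents and settings\barron\local settings\application data\umlmcq\chrlsftav.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mExplorerRun: [userini] c:\windows\system32\userini.exe
"""

# u = current user, m = machine; DDS prints the WinINet ProxyServer value verbatim.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.*)$", re.I)
# uRun / mRun / dRun / mRunOnce / uExplorerRun / mExplorerRun: [name] command
RUN_RE = re.compile(r"^([umd](?:Explorer)?Run(?:Once)?):\s*\[([^\]]*)\]\s*(.*)$")
# A drive-letter path with a second colon later on, e.g. explorer.exe:userini.exe
ADS_RE = re.compile(r'[a-z]:\\[^:"]*:[^\\/:"\s]+', re.I)
# Profile folders from which a Run entry rarely needs to execute (lower-case).
PROFILE_DATA_DIRS = ("\\application data\\", "\\temp\\")


@dataclass
class Finding:
    kind: str    # which heuristic fired
    detail: str  # proxy host or autostart entry name
    line: str    # the log line that triggered it


def proxy_hosts(value: str) -> List[str]:
    """Split a WinINet ProxyServer value ('http=host:port;https=host:port'
    or a bare 'host:port') into its proxy host names."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # per-scheme form: http=host:port
            part = part.split("=", 1)[1]
        if part.startswith("["):             # bracketed IPv6 literal, e.g. [::1]:5555
            hosts.append(part[1:part.index("]")])
        else:
            hosts.append(part.rsplit(":", 1)[0] if ":" in part else part)
    return hosts


def is_loopback(host: str) -> bool:
    """True for 'localhost' and any loopback IP (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # a host name, not an address
        return False


def analyze(text: str) -> List[Finding]:
    """Walk the report lines and collect findings; lines that match no rule are ignored."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for host in proxy_hosts(m.group(1)):
                if is_loopback(host):
                    findings.append(Finding("loopback-proxy", host, line))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        key, name, command = m.groups()
        if ADS_RE.search(command):
            findings.append(Finding("ads-target", name, line))
        if any(d in command.lower() for d in PROFILE_DATA_DIRS):
            findings.append(Finding("profile-data-target", name, line))
        if "Explorer" in key:                # Policies\Explorer\Run is seldom used legitimately
            findings.append(Finding("policies-explorer-run", name, line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail:12} {f.line}")
```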


#3 phyllisp160

Posted 29 March 2010 - 07:32 PM

Thanks for responding. I agree not to make any changes to my system.

1) I went to Start => Control Panel => Internet Options => clicked on the Connections tab, then clicked on LAN Settings. "Automatically detect settings" was already unchecked, but "Use a proxy server for your LAN" was checked. I unchecked it per your instructions. I opened IE and it connected to the internet, yay! :-)

2) I downloaded and ran ComboFix. It prompted for installation of the recovery console, and I agreed. Below is the log it produced, ComboFix.txt:

-----------------------

ComboFix 10-03-29.02 - Barron 03/29/2010 19:58:38.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1490 [GMT -4:00]
Running from: c:\documents and settings\Barron\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bt.log
c:\documents and settings\All Users\Documents\amanavuco.reg
c:\documents and settings\All Users\Documents\buhocixuna.reg
c:\documents and settings\All Users\Documents\cetiduqivi.vbs
c:\recycler\S-1-5-21-73586283-329068152-725345543-1003
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.2.inf
c:\windows\eSellerateEngine.dll
c:\windows\qyruhys._sy
c:\windows\system32\404Fix.exe
c:\windows\system32\540125235.dat
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\xyzic._sy
E:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PODMENA
-------\Legacy_PODMENADRV


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-28 17:27 . 2010-03-28 17:27 35448 ----a-w- c:\documents and settings\Barron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 23:24 . 2010-03-17 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-17 10:34 . 2010-03-28 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-17 10:32 . 2010-03-17 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-17 10:11 . 2010-03-17 10:11 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-09 23:09 . 2010-03-09 23:10 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 17:34 . 2008-07-21 21:50 -------- d-----w- c:\program files\Google
2010-03-28 15:07 . 2008-07-16 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-27 16:17 . 2010-03-27 16:16 20846064 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-27 16:16 . 2010-03-27 16:16 8405312 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-27 16:16 . 2010-03-27 16:16 149000 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-27 16:15 . 2010-03-27 16:15 10309448 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-27 16:15 . 2010-03-27 16:15 79368 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-27 16:15 . 2010-03-27 16:15 64000 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-27 16:15 . 2010-03-27 16:15 52288 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-27 16:15 . 2010-03-27 16:15 50688 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-27 16:15 . 2010-03-27 16:15 49152 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-27 16:15 . 2010-03-27 16:15 118784 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-27 02:27 . 2010-03-27 02:27 439816 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\setup.exe
2010-03-24 20:31 . 2009-12-17 04:32 249968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-19 01:47 . 2008-08-09 06:42 1947 ----a-w- c:\windows\eReg.dat
2010-03-18 01:52 . 2008-07-15 20:10 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 19:43 . 2009-03-15 21:54 -------- d-----w- c:\program files\Sony
2010-03-17 10:32 . 2008-07-15 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-15 14:02 . 2005-09-21 14:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-15 12:56 . 2008-08-09 06:33 -------- d-----w- c:\program files\Maxis
2010-02-28 08:33 . 2009-03-15 17:26 -------- d-----w- c:\documents and settings\Barron\Application Data\Azureus
2010-02-28 03:04 . 2010-01-23 14:47 -------- d-----w- c:\program files\NewBlue
2010-02-26 16:38 . 2010-01-09 01:53 -------- d-----w- c:\documents and settings\Barron\Application Data\YouSendIt
2010-02-15 23:12 . 2010-02-15 23:12 -------- d-----w- c:\program files\YouSendIt
2010-02-15 16:13 . 2009-03-15 21:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-12 06:38 . 2009-05-27 00:10 -------- d-----w- c:\program files\Celtx
2010-02-06 21:14 . 2010-02-06 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-02-06 21:13 . 2010-02-06 21:08 -------- d-----w- c:\program files\Kodak
2010-02-06 21:12 . 2010-02-06 21:12 -------- d-----w- c:\program files\Common Files\Kodak
2010-02-06 21:10 . 2010-02-06 21:10 11572208 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\QUICK\QuickTimeInstaller.exe
2010-02-06 21:10 . 2010-02-06 21:10 163840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\KDEVICES\CR2\cr_stop.exe
2010-02-06 21:10 . 2010-02-06 21:10 69632 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\Ksu\KSUStop.exe
2010-02-06 21:10 . 2010-02-06 21:10 167936 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\CCS\CCSStop.exe
2010-02-06 21:09 . 2010-02-06 21:09 401408 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_9_10bdde9\EasyShrx.Dll
2010-02-06 21:09 . 2010-02-06 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-02-02 23:26 . 2008-08-10 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-27 14:18 . 2010-01-27 14:18 503808 ----a-w- c:\documents and settings\Barron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4957440f-n\msvcp71.dll
2010-01-27 14:18 . 2010-01-27 14:18 499712 ----a-w- c:\documents and settings\Barron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4957440f-n\jmc.dll
2010-01-27 14:18 . 2010-01-27 14:18 348160 ----a-w- c:\documents and settings\Barron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4957440f-n\msvcr71.dll
2010-01-27 14:18 . 2010-01-27 14:18 61440 ----a-w- c:\documents and settings\Barron\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ef35d22-n\decora-sse.dll
2010-01-27 14:18 . 2010-01-27 14:18 12800 ----a-w- c:\documents and settings\Barron\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ef35d22-n\decora-d3d.dll
2010-01-16 17:55 . 2004-08-04 12:00 1033728 ----a-w- c:\windows\explorer.exe
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-07-15 20:27 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-09-14 16:40 . 2009-09-14 16:40 16476 ----a-w- c:\program files\Common Files\tunecivuty._sy
2009-09-14 16:40 . 2009-09-14 16:40 16166 ----a-w- c:\program files\Common Files\azidap._dl
2009-09-14 16:40 . 2009-09-14 16:40 11344 ----a-w- c:\program files\Common Files\hocofo.dat
2002-07-26 22:02 . 2008-07-15 21:44 153088 ----a-w- c:\program files\UNWISE.EXE
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-10 39408]
"YouSendIt.exe"="c:\program files\YouSendIt\Express\YouSendIt.exe" [2010-01-27 82432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-27 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2008-12-23 181624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-7-15 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-15 113664]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-15 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-8-11 757760]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

R1 TeksKernel;TeksKernel;c:\windows\system32\drivers\TeksKernel.sys [7/8/2004 05:14 PM 9060]
R2 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [7/8/2004 05:22 PM 77824]
S2 gupdate1ca0ff56dcf4fac;Google Update Service (gupdate1ca0ff56dcf4fac);c:\program files\Google\Update\GoogleUpdate.exe [7/28/2009 10:36 PM 133104]
S3 PinnacleMarvinAVS;Pinnacle AVStream Service for MovieBox Deluxe, 500-USB and 700-USB;c:\windows\system32\drivers\MarvinAVS.sys [5/9/2007 09:37 AM 434176]
S4 Adpdmfwmir;Adpdmfwmir; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-10 23:26]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-29 02:36]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-29 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-userini - c:\windows\explorer.exe:userini.exe
HKCU-Run-ugfhsyvd - c:\documents and settings\Barron\Local Settings\Application Data\umlmcq\chrlsftav.exe
HKLM-Explorer_Run-userini - c:\windows\system32\userini.exe
SharedTaskScheduler-IPC Configuration Utility - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3120384684-4046105588-908169298-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(4084)
c:\windows\system32\WININET.dll
c:\docume~1\Barron\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2010-03-29 20:13:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-30 00:13

Pre-Run: 45,325,692,928 bytes free
Post-Run: 45,256,736,768 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - CD96C407181AD75203F6895418D3F4D8


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:59 PM

Posted 30 March 2010 - 02:45 AM

Great.
  1. You have the latest version of Java (Java 6 Update 18) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components:
    Click "start" and then "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be populated; this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    Java™ 6 Update 7

  2. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    Fcopy::
    c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
    Driver::
    Adpdmfwmir
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    Trusted Zone: internet


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  3. Please tell me how your computer is running.
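The DDS:: section of the CFScript above removes the two entries the first ComboFix log showed under "Supplementary Scan": an IE proxy of http=127.0.0.1:5555 and a "Trusted Zone: internet" entry. A loopback proxy only affects WinINet clients (IE, and Chrome, which inherits the system proxy), which is why ping and the second computer worked while both browsers failed. The same log also contains the other indicators a helper looks for: an autorun whose target is an NTFS alternate data stream (c:\windows\explorer.exe:userini.exe), an HKCU Run entry pointing into Local Settings\Application Data, a DLL (IadHide5.dll) loaded into explorer.exe from Temp, and AntiVirusOverride/FirewallOverride/DisableNotifications set to 1. As an added example, not part of this thread and not a ComboFix or BleepingComputer tool, the Python below runs those checks over a sample constructed from excerpts of that log; the indicator names and the patterns are my own.

```python
"""Triage a ComboFix / DDS-style log for the indicators seen in this thread.

Added example; not a BleepingComputer or ComboFix tool. Indicator names are
assumptions, and SAMPLE_LOG is constructed from excerpts of the log above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str
    line_no: int
    line: str
    detail: str = ""


# IE proxy pointing back at the local machine (here http=127.0.0.1:5555).
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>127\.\d+\.\d+\.\d+|localhost)"
    r"(?::(?P<port>\d+))?", re.I)
# 'Trusted Zone: internet' (or '*') drops every site into the Trusted zone.
BROAD_TRUSTED = re.compile(r"^Trusted Zone:\s*(?:internet|\*)$", re.I)
# Two autorun line shapes ComboFix prints: 'HKCU-Run-name - path' and
# '"name"="path" [date size]'. Captures the target path.
AUTORUN_LINE = re.compile(
    r'^(?:HK(?:CU|LM)-(?:Explorer_)?Run-\S+\s+-\s+|"[^"]+"=")'
    r'(?P<path>[^"\[]+?)(?:"|\s+\[|$)', re.I)
# Autorun targets under Local Settings or a Temp folder: user-writable
# locations no installer uses for a persistent program.
PROFILE_DIR = re.compile(r"\\(?:local settings|temp)\\", re.I)
# 'host.exe:stream.exe' - an NTFS alternate data stream used as an autorun.
ADS_TARGET = re.compile(r"\.exe:[\w\-]+\.exe", re.I)
# A DLL loaded into a running process from a Temp directory.
TEMP_DLL = re.compile(r"^c:\\.*\\temp\\[^\\]+\.dll$", re.I)
# Security Center told not to warn about missing AV/firewall, and firewall
# notifications switched off. Some legitimate suites set these too, so treat
# them as a signal to verify, not proof.
SECCENTER_OVERRIDE = re.compile(
    r'"(?P<key>AntiVirusOverride|FirewallOverride)"=dword:0*1$', re.I)
FW_NOTIFY_OFF = re.compile(r'"DisableNotifications"\s*=\s*1\b', re.I)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per indicator hit, in log order."""
    findings: list[Finding] = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := LOOPBACK_PROXY.search(line):
            findings.append(Finding("loopback_proxy", no, line,
                                    f"{m['host']}:{m['port'] or '?'}"))
        if BROAD_TRUSTED.match(line):
            findings.append(Finding("broad_trusted_zone", no, line))
        if (m := AUTORUN_LINE.match(line)) and PROFILE_DIR.search(m["path"]):
            findings.append(Finding("profile_autorun", no, line, m["path"]))
        if ADS_TARGET.search(line):
            findings.append(Finding("ads_autorun", no, line))
        if TEMP_DLL.match(line):
            findings.append(Finding("temp_dll_loaded", no, line))
        if m := SECCENTER_OVERRIDE.search(line):
            findings.append(Finding("security_center_override", no, line,
                                    m["key"]))
        if FW_NOTIFY_OFF.search(line):
            findings.append(Finding("firewall_notifications_off", no, line))
    return findings


def kinds(findings: list[Finding]) -> list[str]:
    """Distinct indicator kinds, sorted, for a quick verdict."""
    return sorted({f.kind for f in findings})


# Constructed sample: excerpts of the first ComboFix log in this thread plus
# benign control lines (Start Page, mcafee.com zone, Google Toolbar autorun,
# ieframe.dll) that must not be flagged.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Trusted Zone: internet
Trusted Zone: mcafee.com
HKCU-Run-userini - c:\windows\explorer.exe:userini.exe
HKCU-Run-ugfhsyvd - c:\documents and settings\Barron\Local Settings\Application Data\umlmcq\chrlsftav.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-10 39408]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"DisableNotifications"= 1 (0x1)
c:\docume~1\Barron\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.kind:<28} {f.detail or f.line}")
```

Run it against a whole ComboFix.txt with `triage(open(path).read())`; every hit still needs a human look (a local debugging proxy or a parental-control product will legitimately set a loopback ProxyServer), but the combination of a loopback proxy, a Temp-resident DLL in explorer.exe and the Security Center overrides is what made this machine's log read as an infection rather than a misconfiguration.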


#5 phyllisp160

phyllisp160
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:59 PM

Posted 30 March 2010 - 06:10 AM

Thanks so much for your response.

1) I uninstalled Java 6 Update 7.

2) I created CFScript.txt as instructed and dragged it into ComboFix. ComboFix gave me a message that there is an updated version and asked whether I wanted to install it. My gut feeling was that this would probably be okay, but I did not want to risk making the change while we're in the middle of diagnosis/treatment, so I said no. ComboFix ran; the log follows the text portion of this message.

3) Computer seems to be running fine. The browser does work now (initial problem/symptom solved). I've encouraged the boyfriend to browse from my machine if he needs internet access, since this machine currently has no anti-virus program installed, but the browser history tells me he did otherwise overnight >:-/ It doesn't look like he went to anywhere too dicey, but I'll feel better when we have something installed again. Still, we had Norton installed before and it didn't help keep the current Big Bad out, did it? Grrr. Time to try something new, I'm thinking.

I just want to express my appreciation again. What a wonderful service to the community you all provide! It takes me back to a much earlier day in the internet, when the community was smaller and it was pretty much geeks helping geeks in a text-based world. ~ Phyllis

--------------------------------------
ComboFix 10-03-29.02 - Barron 03/30/2010 6:29.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1514 [GMT -4:00]
Running from: c:\documents and settings\Barron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Barron\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Adpdmfwmir


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-28 17:27 . 2010-03-28 17:27 35448 ----a-w- c:\documents and settings\Barron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-27 16:16 . 2010-03-27 16:17 20846064 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-27 16:16 . 2010-03-27 16:16 8405312 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-27 16:16 . 2010-03-27 16:16 149000 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-27 16:15 . 2010-03-27 16:15 10309448 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-27 16:15 . 2010-03-27 16:15 79368 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-27 16:15 . 2010-03-27 16:15 64000 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-27 16:15 . 2010-03-27 16:15 52288 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-27 16:15 . 2010-03-27 16:15 50688 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-27 16:15 . 2010-03-27 16:15 49152 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-27 16:15 . 2010-03-27 16:15 118784 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-27 02:27 . 2010-03-27 02:27 439816 ----a-w- c:\documents and settings\Barron\Application Data\Real\Update\setup3.10\setup.exe
2010-03-17 23:24 . 2010-03-17 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-17 10:34 . 2010-03-28 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-17 10:32 . 2010-03-17 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-17 10:11 . 2010-03-17 10:11 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-09 23:09 . 2010-03-09 23:10 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 10:24 . 2008-08-18 00:16 -------- d-----w- c:\program files\Java
2010-03-30 10:24 . 2008-08-18 00:16 -------- d-----w- c:\program files\Common Files\Java
2010-03-28 17:34 . 2008-07-21 21:50 -------- d-----w- c:\program files\Google
2010-03-28 15:07 . 2008-07-16 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-24 20:31 . 2009-12-17 04:32 249968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-19 01:47 . 2008-08-09 06:42 1947 ----a-w- c:\windows\eReg.dat
2010-03-18 01:52 . 2008-07-15 20:10 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 19:43 . 2009-03-15 21:54 -------- d-----w- c:\program files\Sony
2010-03-17 10:32 . 2008-07-15 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-15 14:02 . 2005-09-21 14:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-15 12:56 . 2008-08-09 06:33 -------- d-----w- c:\program files\Maxis
2010-02-28 08:33 . 2009-03-15 17:26 -------- d-----w- c:\documents and settings\Barron\Application Data\Azureus
2010-02-28 03:04 . 2010-01-23 14:47 -------- d-----w- c:\program files\NewBlue
2010-02-26 16:38 . 2010-01-09 01:53 -------- d-----w- c:\documents and settings\Barron\Application Data\YouSendIt
2010-02-15 23:12 . 2010-02-15 23:12 -------- d-----w- c:\program files\YouSendIt
2010-02-15 16:13 . 2009-03-15 21:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-12 06:38 . 2009-05-27 00:10 -------- d-----w- c:\program files\Celtx
2010-02-06 21:14 . 2010-02-06 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-02-06 21:13 . 2010-02-06 21:08 -------- d-----w- c:\program files\Kodak
2010-02-06 21:12 . 2010-02-06 21:12 -------- d-----w- c:\program files\Common Files\Kodak
2010-02-06 21:10 . 2010-02-06 21:10 11572208 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\QUICK\QuickTimeInstaller.exe
2010-02-06 21:10 . 2010-02-06 21:10 163840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\KDEVICES\CR2\cr_stop.exe
2010-02-06 21:10 . 2010-02-06 21:10 69632 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\Ksu\KSUStop.exe
2010-02-06 21:10 . 2010-02-06 21:10 167936 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\CCS\CCSStop.exe
2010-02-06 21:09 . 2010-02-06 21:09 401408 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_9_10bdde9\EasyShrx.Dll
2010-02-06 21:09 . 2010-02-06 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-02-02 23:26 . 2008-08-10 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-27 14:18 . 2010-01-27 14:18 503808 ----a-w- c:\documents and settings\Barron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4957440f-n\msvcp71.dll
2010-01-27 14:18 . 2010-01-27 14:18 499712 ----a-w- c:\documents and settings\Barron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4957440f-n\jmc.dll
2010-01-27 14:18 . 2010-01-27 14:18 348160 ----a-w- c:\documents and settings\Barron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4957440f-n\msvcr71.dll
2010-01-27 14:18 . 2010-01-27 14:18 61440 ----a-w- c:\documents and settings\Barron\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ef35d22-n\decora-sse.dll
2010-01-27 14:18 . 2010-01-27 14:18 12800 ----a-w- c:\documents and settings\Barron\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ef35d22-n\decora-d3d.dll
2010-01-16 17:55 . 2004-08-04 12:00 1033728 ------w- c:\windows\explorer.exe
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-07-15 20:27 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-09-14 16:40 . 2009-09-14 16:40 16476 ----a-w- c:\program files\Common Files\tunecivuty._sy
2009-09-14 16:40 . 2009-09-14 16:40 16166 ----a-w- c:\program files\Common Files\azidap._dl
2009-09-14 16:40 . 2009-09-14 16:40 11344 ----a-w- c:\program files\Common Files\hocofo.dat
2002-07-26 22:02 . 2008-07-15 21:44 153088 ----a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-10 39408]
"YouSendIt.exe"="c:\program files\YouSendIt\Express\YouSendIt.exe" [2010-01-27 82432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-09-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-27 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2008-12-23 181624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-7-15 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-15 113664]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-15 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-8-11 757760]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

R1 TeksKernel;TeksKernel;c:\windows\system32\drivers\TeksKernel.sys [7/8/2004 05:14 PM 9060]
R2 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [7/8/2004 05:22 PM 77824]
S2 gupdate1ca0ff56dcf4fac;Google Update Service (gupdate1ca0ff56dcf4fac);c:\program files\Google\Update\GoogleUpdate.exe [7/28/2009 10:36 PM 133104]
S3 PinnacleMarvinAVS;Pinnacle AVStream Service for MovieBox Deluxe, 500-USB and 700-USB;c:\windows\system32\drivers\MarvinAVS.sys [5/9/2007 09:37 AM 434176]
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-10 23:26]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-29 02:36]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-29 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3120384684-4046105588-908169298-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(3532)
c:\windows\system32\WININET.dll
c:\docume~1\Barron\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2010-03-30 06:43:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-30 10:43

Pre-Run: 44,777,504,768 bytes free
Post-Run: 44,972,179,456 bytes free

- - End Of File - - 58F809965634A96F570E19A2EFB0E7F6





#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:59 PM

Posted 30 March 2010 - 07:26 AM

You are most welcome, and thank you for your kind words, Phyllis.

It looks good now and you are good to go. The only thing that concerns me is the lack of an antivirus. You need to install an antivirus program as soon as you can, before using the computer. Also, I saw a lot of McAfee leftovers in the initial DDS log. If you have not run the Norton and McAfee removal tools, you need to run both of them and then install an antivirus.
  1. You still have some leftovers from an incompletely uninstalled McAfee AntiVirus on your computer.
    To remove McAfee AntiVirus I recommend you use the McAfee Consumer Product Removal tool (MCPR.exe).

    For download and instructions on using the McAfee Consumer Product Removal tool, click on majorgeeks.com

  2. You may still have some leftovers from an incompletely uninstalled Norton Antivirus on your computer.

    To remove the leftovers please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  3. Among the paid antiviruses I recommend Kaspersky and ESET NOD32.

    If you need time to decide, I recommend this good free antivirus for the moment:

    Avira
    • Download the installer from softpedia.com link as it has a secure download mirror. Install and update it.

  4. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files, and reset System Restore.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  5. Run a complete scan with whatever antivirus you have installed and let it remove what it finds.

You may post back if you still need assistance. Otherwise, happy surfing to both you and your boyfriend.


#7 phyllisp160

phyllisp160
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:59 PM

Posted 30 March 2010 - 06:28 PM

Looks like we're good to go!

1) McAfee remnants removed.

2) Norton remnants removed.

3) Avira installed and updated.

4) ComboFix uninstalled.

5) Avira scan run, came up clean.

Thank you again so much! ~ Phyllis

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:59 PM

Posted 30 March 2010 - 07:04 PM

You are most welcome, Phyllis.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



