Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Hijack and other nagging issues left from vundo virus


  • This topic is locked This topic is locked
10 replies to this topic

#1 8eight

8eight

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 18 April 2010 - 10:09 PM

I had issues with a Vundo virus, the original symptoms included google search hijacks and redirects, blocking of MBAM, turning off certain security for Macafee, and blocking other basic functions. I went through directions for self cleaning posted in the malwarebytes and bleeping computer forums and was able to reinstall Mbam and remove the virus through combination of Mbam, RRT, Super-Antispyware, and CCleaner.

Mbam is working fine and updating with not signs of infection from scans although I am still experiencing Google redirects and I am unable to access my system restore. Also now when using Mozilla it locks up and freezes once in a while, where I can still move the cursor and modify my windows task bar but the start menu and task manager are inaccessible and I am forced to reboot. I've posting my DDS/Attach logs & Hijackthis Logs but am unable to provide a GMER log. I've gotten the Windows blue screen error when trying to run it and in safe mode it ran for a few hours and then froze. Any help would be appreciated I just want to get rid of these residual intrusions.

Attach.txt Log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/6/2009 4:55:59 PM
System Uptime: 4/18/2010 1:03:16 PM (0 hours ago)

Motherboard: Dell Inc. | | 0C234M
Processor: Intel® Core™2 Duo CPU P8600 @ 2.40GHz | U2E1 | 2394/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 466 GiB total, 281.676 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP86: 1/5/2010 5:39:41 AM - System Checkpoint
RP87: 1/6/2010 5:48:42 AM - System Checkpoint
RP88: 1/7/2010 6:12:41 AM - System Checkpoint
RP89: 1/8/2010 12:13:47 PM - System Checkpoint
RP90: 1/9/2010 6:23:22 PM - System Checkpoint
RP91: 1/10/2010 8:37:33 PM - System Checkpoint
RP92: 1/11/2010 9:31:54 PM - System Checkpoint
RP93: 1/13/2010 3:00:16 AM - Software Distribution Service 3.0
RP94: 1/14/2010 3:19:07 AM - System Checkpoint
RP95: 1/15/2010 7:49:58 AM - System Checkpoint
RP96: 1/16/2010 6:27:29 PM - System Checkpoint
RP97: 1/17/2010 8:01:42 PM - System Checkpoint
RP98: 1/18/2010 9:34:03 PM - System Checkpoint
RP99: 1/20/2010 1:16:06 AM - System Checkpoint
RP100: 1/20/2010 3:00:15 AM - Software Distribution Service 3.0
RP101: 1/21/2010 7:34:14 AM - System Checkpoint
RP102: 1/22/2010 8:17:57 AM - Software Distribution Service 3.0
RP103: 1/23/2010 8:33:28 AM - System Checkpoint
RP104: 1/24/2010 11:14:34 AM - System Checkpoint
RP105: 1/25/2010 11:52:55 AM - System Checkpoint
RP106: 1/26/2010 2:44:12 PM - System Checkpoint
RP107: 1/27/2010 11:55:58 PM - System Checkpoint
RP108: 1/29/2010 7:09:00 AM - System Checkpoint
RP109: 1/30/2010 12:13:01 PM - System Checkpoint
RP110: 1/31/2010 5:13:49 PM - System Checkpoint
RP111: 2/1/2010 11:03:20 PM - System Checkpoint
RP112: 2/3/2010 12:17:44 AM - System Checkpoint
RP113: 2/4/2010 4:22:51 AM - System Checkpoint
RP114: 2/5/2010 8:16:27 AM - System Checkpoint
RP115: 2/6/2010 2:08:44 PM - System Checkpoint
RP116: 2/8/2010 12:34:51 PM - System Checkpoint
RP117: 2/9/2010 12:43:10 PM - System Checkpoint
RP118: 2/10/2010 1:20:02 PM - System Checkpoint
RP119: 2/11/2010 3:00:15 AM - Software Distribution Service 3.0
RP120: 2/12/2010 12:08:25 PM - System Checkpoint
RP121: 2/13/2010 1:48:21 PM - System Checkpoint
RP122: 2/14/2010 1:55:52 PM - System Checkpoint
RP123: 2/15/2010 2:10:23 PM - System Checkpoint
RP124: 2/16/2010 2:50:23 PM - System Checkpoint
RP125: 2/17/2010 3:50:22 PM - System Checkpoint
RP126: 2/18/2010 4:50:22 PM - System Checkpoint
RP127: 2/19/2010 5:14:19 PM - System Checkpoint
RP128: 2/20/2010 6:14:20 PM - System Checkpoint
RP129: 2/21/2010 7:14:19 PM - System Checkpoint
RP130: 2/22/2010 8:14:19 PM - System Checkpoint
RP131: 2/23/2010 9:11:47 PM - System Checkpoint
RP132: 2/24/2010 3:00:14 AM - Software Distribution Service 3.0
RP133: 2/25/2010 3:31:04 AM - System Checkpoint
RP134: 2/26/2010 4:31:06 AM - System Checkpoint
RP135: 2/27/2010 5:01:51 AM - System Checkpoint
RP136: 2/28/2010 5:31:04 AM - System Checkpoint
RP137: 3/1/2010 6:31:04 AM - System Checkpoint
RP138: 3/2/2010 7:45:24 AM - System Checkpoint
RP139: 3/3/2010 8:13:46 AM - System Checkpoint
RP140: 3/4/2010 8:51:15 AM - System Checkpoint
RP141: 3/4/2010 9:37:48 PM - Installed Digital Photo Navigator 1.0
RP142: 3/6/2010 12:20:00 AM - System Checkpoint
RP143: 3/7/2010 12:47:24 AM - System Checkpoint
RP144: 3/8/2010 1:03:55 AM - System Checkpoint
RP145: 3/9/2010 1:21:07 AM - System Checkpoint
RP146: 3/10/2010 1:57:48 AM - System Checkpoint
RP147: 3/10/2010 3:00:19 AM - Software Distribution Service 3.0
RP148: 3/11/2010 4:34:28 AM - System Checkpoint
RP149: 3/12/2010 6:04:03 AM - System Checkpoint
RP150: 3/13/2010 6:20:05 AM - System Checkpoint
RP151: 3/14/2010 7:22:50 AM - System Checkpoint
RP152: 3/14/2010 4:26:37 PM - Installed Windows XP KB942288-v3.
RP153: 3/14/2010 4:30:35 PM - Installed DirectX
RP154: 3/15/2010 3:00:17 AM - Software Distribution Service 3.0
RP155: 3/16/2010 4:26:00 AM - System Checkpoint
RP156: 3/17/2010 6:03:55 AM - System Checkpoint
RP157: 3/18/2010 6:22:27 AM - System Checkpoint
RP158: 3/19/2010 7:45:47 AM - System Checkpoint
RP159: 3/20/2010 8:22:31 AM - System Checkpoint
RP160: 3/21/2010 4:39:35 PM - Installed TurboTax 2009 wrapper
RP161: 3/21/2010 4:39:50 PM - Installed TurboTax 2009 WinPerReleaseEngine
RP162: 3/21/2010 4:40:59 PM - Installed TurboTax 2009 WinPerFedFormset
RP163: 3/21/2010 4:41:42 PM - Installed TurboTax 2009 WinPerTaxSupport
RP164: 3/21/2010 4:42:00 PM - Installed iSEEK AnswerWorks English Runtime
RP165: 3/22/2010 10:24:43 PM - System Checkpoint
RP166: 3/23/2010 11:38:34 PM - System Checkpoint
RP167: 3/25/2010 4:24:16 AM - System Checkpoint
RP168: 3/26/2010 4:37:36 AM - System Checkpoint
RP169: 3/27/2010 5:15:16 AM - System Checkpoint
RP170: 3/28/2010 2:58:10 AM - Software Distribution Service 3.0
RP171: 3/29/2010 3:33:09 AM - System Checkpoint
RP172: 3/30/2010 4:48:18 AM - System Checkpoint
RP173: 3/31/2010 5:32:39 AM - System Checkpoint
RP174: 4/1/2010 3:00:14 AM - Software Distribution Service 3.0
RP175: 4/2/2010 3:23:56 AM - System Checkpoint
RP176: 4/3/2010 9:03:29 PM - System Checkpoint

==== Installed Programs ======================


Acrobat.com
Adobe Acrobat 9 Pro
Adobe Acrobat 9.3.1 - CPSID_50570
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe InDesign CS4
Adobe InDesign CS4 Application Feature Set Files (Roman)
Adobe InDesign CS4 Common Base Files
Adobe InDesign CS4 Icon Handler
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.3
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe SGM CS4
Adobe SING CS4
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advanced Audio FX Engine
ATI Catalyst Control Center
ATI Display Driver
AutoCAD 2010 - English
AutoCAD 2010 Language Pack - English
Banctec Service Agreement
BitComet 1.15
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCleaner
Choice Guard
Connect
Dell DataSafe Online
Dell Digital Jukebox Driver
Dell DJ Explorer
Dell Support Center (Support Software)
Dell Touchpad
Dell Webcam Central
Digital Photo Navigator 1.0
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB968764)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Integrated Webcam Driver (1.05.01.0713)
iSEEK AnswerWorks English Runtime
Java™ 6 Update 13
Junk Mail filter update
kuler
Live! Cam Avatar Creator
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.3)
MpcStar 4.1
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
OGA Notifier 2.0.0048.0
PDF Settings CS4
Photoshop Camera Raw
PowerDVD DX
QuickSet
RocketDock 1.3.5
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Segoe UI
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb981433)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

4/17/2010 2:05:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
4/17/2010 2:05:57 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
4/17/2010 2:05:57 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/17/2010 2:05:57 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/17/2010 2:05:57 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/17/2010 2:05:00 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/17/2010 1:55:33 AM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
4/17/2010 1:55:25 AM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/17/2010 1:55:22 AM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
4/17/2010 1:55:11 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
4/17/2010 1:55:01 AM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/14/2010 5:52:13 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
4/14/2010 10:34:25 PM, error: Service Control Manager [7000] - The Dock Login Service service failed to start due to the following error: The system cannot find the path specified.
4/14/2010 10:34:06 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/14/2010 10:34:06 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
4/11/2010 9:18:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
4/11/2010 9:18:07 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/11/2010 9:18:06 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
4/11/2010 9:15:58 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
4/11/2010 4:02:19 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/11/2010 4:02:18 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
4/11/2010 2:07:14 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
4/11/2010 2:07:14 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
4/11/2010 2:02:07 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Fips intelppm mfehidk SASDIFSV SASKUTIL

==== End Of File ===========================









DDS.txt Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by ChiNO at 13:13:06.56 on Sun 04/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2152 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\ChiNO\My Documents\Downloads\dds.exe

============== Pseudo HJT Report ===============

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\mpcstar\codecs\quicktime\qtsystem\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: tapeyeni.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: rekafujag - {be2d38a3-0f94-4c51-b2b7-7842a6f5ec4d} - No File
STS: {be2d38a3-0f94-4c51-b2b7-7842a6f5ec4d} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli tapeyeni.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chino\applic~1\mozilla\firefox\profiles\m67ts2qp.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - plugin: c:\program files\mpcstar\codecs\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\mpcstar\codecs\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {0BD4F0F2-3795-41ED-A2ED-95502E477B4D} - c:\documents and settings\chino\local settings\application data\{0BD4F0F2-3795-41ED-A2ED-95502E477B4D}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-29 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\McProxy.exe [2009-9-29 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-9-29 144704]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-9-29 113024]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-9-29 143840]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-9-29 176640]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-9-29 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-29 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-29 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-29 40552]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [2009-9-29 133632]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [2009-9-29 274112]
S2 DockLoginService;Dock Login Service; [x]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [2009-9-29 1656960]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-29 34248]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-04-06 15:32:29 0 d--h--w- c:\windows\PIF
2010-04-06 15:19:08 0 d-----w- c:\program files\Free Window Registry Repair
2010-04-06 08:06:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-06 08:06:13 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 08:06:13 0 d-----w- c:\docume~1\chino\applic~1\SUPERAntiSpyware.com
2010-04-06 08:06:00 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-06 07:51:33 0 d-----w- c:\program files\CCleaner
2010-04-06 04:13:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-05 19:46:38 0 d-----w- c:\windows\pss
2010-04-05 04:09:17 0 d-----w- c:\program files\Trend Micro
2010-04-04 23:16:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 23:16:32 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 23:16:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 22:35:36 7302 ----a-w- c:\windows\system32\rrt_vf.wav
2010-04-04 22:35:36 7148 ----a-w- c:\windows\system32\rrt_tv.wav
2010-04-04 22:35:36 6282 ----a-w- c:\windows\system32\rrt_tn.wav
2010-04-04 22:35:36 16244 ----a-w- c:\windows\system32\rrt_is.wav
2010-04-02 21:48:01 5746 ----a-w- c:\windows\system32\tmp.reg
2010-03-29 02:50:48 0 d-----w- c:\docume~1\chino\applic~1\Office Genuine Advantage
2010-03-21 20:42:03 0 d-----w- c:\docume~1\chino\applic~1\Intuit
2010-03-21 20:42:01 0 d-----w- c:\program files\common files\AnswerWorks 5.0
2010-03-21 20:39:24 0 d-----w- c:\program files\common files\Intuit
2010-03-21 20:38:57 0 d-----w- c:\program files\TurboTax
2010-03-21 20:38:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit
2010-03-21 20:37:36 0 d-sh--w- c:\documents and settings\chino\PrivacIE

==================== Find3M ====================

2010-04-12 06:12:32 324120 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-09-29 04:20:14 75 --sh--r- c:\windows\CT4CET.bin

============= FINISH: 13:14:07.34 ===============



Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:49 PM, on 4/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/USCON/1
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [lazudisava] Rundll32.exe "zenajoso.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [lazudisava] Rundll32.exe "zenajoso.dll",s (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: tapeyeni.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: rekafujag - {be2d38a3-0f94-4c51-b2b7-7842a6f5ec4d} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {be2d38a3-0f94-4c51-b2b7-7842a6f5ec4d} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11182 bytes

Edited by Budapest, 18 April 2010 - 10:22 PM.
Moved from AII ~BP


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:42 PM

Posted 23 April 2010 - 04:08 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

There's still some Vundo on the PC


Please run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#3 8eight

8eight
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 23 April 2010 - 11:10 PM

Hey m0le,

Thanks for replying. I installed combo fix and let the scan run, the first time it had to reboot because it detected a root kit. It was able to complete the scan on the second try so here is the log, I also attached it just in case. Let me know what you think.

Thanks


ComboFix Log:



ComboFix 10-04-21.01 - ChiNO 04/23/2010 23:45:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2459 [GMT -4:00]
Running from: c:\documents and settings\ChiNO\Desktop\ComoFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\ChiNO\Local Settings\Application Data\{0BD4F0F2-3795-41ED-A2ED-95502E477B4D}
c:\documents and settings\ChiNO\Local Settings\Application Data\{0BD4F0F2-3795-41ED-A2ED-95502E477B4D}\chrome.manifest
c:\documents and settings\ChiNO\Local Settings\Application Data\{0BD4F0F2-3795-41ED-A2ED-95502E477B4D}\chrome\content\_cfg.js
c:\documents and settings\ChiNO\Local Settings\Application Data\{0BD4F0F2-3795-41ED-A2ED-95502E477B4D}\chrome\content\overlay.xul
c:\documents and settings\ChiNO\Local Settings\Application Data\{0BD4F0F2-3795-41ED-A2ED-95502E477B4D}\install.rdf
c:\windows\system32\4F3X
c:\windows\system32\dumphive.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS


((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.

2010-04-24 03:36 . 2010-04-24 03:38 -------- d-----w- C:\ComoFix
2010-04-20 05:32 . 2010-04-20 05:32 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-20 04:24 . 2010-04-20 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 04:24 . 2010-04-20 04:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-15 05:18 . 2010-04-15 05:18 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-04-15 05:18 . 2010-04-15 05:18 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2010-04-15 05:18 . 2010-04-15 05:18 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-04-15 02:44 . 2010-04-15 02:44 -------- d-----w- c:\documents and settings\HelpAssistant\LocalLow
2010-04-15 02:44 . 2010-04-15 02:44 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-04-07 22:42 . 2010-04-10 10:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 15:32 . 2010-04-06 15:32 -------- d--h--w- c:\windows\PIF
2010-04-06 15:19 . 2010-04-18 15:13 -------- d-----w- c:\program files\Free Window Registry Repair
2010-04-06 08:06 . 2010-04-06 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-06 08:06 . 2010-04-06 08:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 08:06 . 2010-04-06 08:06 -------- d-----w- c:\documents and settings\ChiNO\Application Data\SUPERAntiSpyware.com
2010-04-06 08:06 . 2010-04-06 08:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-06 07:51 . 2010-04-06 07:51 -------- d-----w- c:\program files\CCleaner
2010-04-06 04:13 . 2010-04-06 08:00 -------- d-----w- c:\program files\Alwil Software
2010-04-06 04:13 . 2010-04-06 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-05 04:09 . 2010-04-05 04:09 -------- d-----w- c:\program files\Trend Micro
2010-04-05 02:34 . 2010-04-05 02:34 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-04 23:16 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 23:16 . 2010-04-06 09:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 23:16 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-03 13:05 . 2010-04-03 20:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-29 02:50 . 2010-03-29 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-03-29 02:50 . 2010-03-29 02:50 -------- d-----w- c:\documents and settings\ChiNO\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 12:18 . 2009-10-07 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-12 06:12 . 2009-09-29 06:56 324120 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-11 10:31 . 2010-01-18 02:29 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 02:00 . 2009-10-12 05:40 -------- d-----w- c:\program files\BitComet
2010-04-04 22:55 . 2009-10-06 20:56 105352 ----a-w- c:\documents and settings\ChiNO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-01 11:24 . 2009-09-29 04:26 -------- d-----w- c:\program files\McAfee
2010-03-29 06:28 . 2010-03-14 21:05 599960 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-21 20:42 . 2010-03-21 20:42 -------- d-----w- c:\documents and settings\ChiNO\Application Data\Intuit
2010-03-21 20:42 . 2010-03-21 20:42 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2010-03-21 20:41 . 2010-03-21 20:39 -------- d-----w- c:\program files\Common Files\Intuit
2010-03-21 20:40 . 2010-03-21 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-03-21 20:38 . 2010-03-21 20:38 -------- d-----w- c:\program files\TurboTax
2010-03-15 00:16 . 2009-09-29 04:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-14 22:41 . 2010-03-14 22:04 -------- d-----w- c:\documents and settings\ChiNO\Application Data\Download Manager
2010-03-14 21:54 . 2009-09-29 04:21 102032 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 21:03 . 2010-03-14 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-03-14 20:51 . 2010-03-14 20:31 -------- d-----w- c:\program files\AutoCAD 2010
2010-03-14 20:41 . 2010-03-14 20:31 -------- d-----w- c:\documents and settings\ChiNO\Application Data\Autodesk
2010-03-14 20:40 . 2009-10-07 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-14 20:35 . 2010-03-14 20:31 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-14 20:31 . 2010-03-14 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-03-10 06:15 . 2008-04-25 16:16 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 02:41 . 2010-03-05 02:37 -------- d-----w- c:\program files\Digital Photo Navigator 1.0
2010-03-05 02:37 . 2009-09-29 04:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-28 06:40 . 2010-02-28 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-02-28 06:39 . 2010-02-28 06:39 -------- d-----w- c:\documents and settings\ChiNO\Application Data\CyberLink
2010-02-25 06:24 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-25 16:16 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 01:11 . 2010-01-24 15:22 120 ----a-w- c:\windows\Kbovofowaceh.dat
2010-02-19 01:10 . 2010-01-24 15:22 0 ----a-w- c:\windows\Oduritulobom.bin
2010-02-16 14:08 . 2008-04-25 16:16 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-25 16:16 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-25 16:16 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-09-29 04:20 . 2009-09-29 04:20 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-20 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-11-14 1708032]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-14 61440]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2009-10-12 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Dell DataSafe Online\\DataSafeUpdater.exe"=
"c:\\Program Files\\WIDCOMM\\Bluetooth Software\\BTTray.exe"=
"c:\\Program Files\\WIDCOMM\\Bluetooth Software\\BTStackServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13875:TCP"= 13875:TCP:BitComet 13875 TCP
"13875:UDP"= 13875:UDP:BitComet 13875 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7382:TCP"= 7382:TCP:Services
"7383:TCP"= 7383:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4819:TCP"= 4819:TCP:Services
"8138:TCP"= 8138:TCP:Services
"7209:TCP"= 7209:TCP:Services
"7210:TCP"= 7210:TCP:Services

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/29/2009 2:56 AM 113024]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [9/29/2009 12:19 AM 143840]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [9/29/2009 2:56 AM 176640]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [9/29/2009 2:56 AM 133632]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [9/29/2009 2:56 AM 274112]
S2 DockLoginService;Dock Login Service; [x]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [9/29/2009 2:56 AM 1656960]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-04-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-12-04 03:18]
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\ChiNO\Application Data\Mozilla\Firefox\Profiles\m67ts2qp.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{be2d38a3-0f94-4c51-b2b7-7842a6f5ec4d} - (no file)
SSODL-rekafujag-{be2d38a3-0f94-4c51-b2b7-7842a6f5ec4d} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 23:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(964)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\WININET.dll
c:\program files\RocketDock\RocketDock.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\drivers\audio\r214424\STacSV.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-24 00:02:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-24 04:02

Pre-Run: 301,037,432,832 bytes free
Post-Run: 301,053,034,496 bytes free

- - End Of File - - F7056ED33D5D880D7563CFCB6CC5D266

Attached Files



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:42 PM

Posted 24 April 2010 - 08:27 AM

One more run to clear up

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\Kbovofowaceh.dat
c:\windows\Oduritulobom.bin

Driver::
DockLoginService


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then go online and scan with ESET

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
Then let me know how the PC is behaving smile.gif
Posted Image
m0le is a proud member of UNITE

#5 8eight

8eight
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 25 April 2010 - 08:08 AM

m0le is it normal that the ComboFix icon disappeared after my original scan and again after this second one? So far symptoms seem to be gone my Google searches aren't redirecting, and I haven't heard random windows error sound bite. Other then that here are my logs.



ComboFix log #2:



ComboFix 10-04-21.01 - ChiNO 04/24/2010 21:02:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2434 [GMT -4:00]
Running from: c:\documents and settings\ChiNO\Desktop\ComoFix.exe
Command switches used :: c:\documents and settings\ChiNO\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Kbovofowaceh.dat"
"c:\windows\Oduritulobom.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Kbovofowaceh.dat
c:\windows\Oduritulobom.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOCKLOGINSERVICE
-------\Service_DockLoginService


((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
.

2010-04-24 03:36 . 2010-04-24 03:38 -------- d-----w- C:\ComoFix
2010-04-20 05:32 . 2010-04-20 05:32 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-20 04:24 . 2010-04-20 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 04:24 . 2010-04-20 04:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-15 05:18 . 2010-04-15 05:18 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-04-15 05:18 . 2010-04-15 05:18 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2010-04-15 05:18 . 2010-04-15 05:18 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-04-15 02:44 . 2010-04-15 02:44 -------- d-----w- c:\documents and settings\HelpAssistant\LocalLow
2010-04-15 02:44 . 2010-04-15 02:44 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-04-07 22:42 . 2010-04-10 10:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 15:32 . 2010-04-06 15:32 -------- d--h--w- c:\windows\PIF
2010-04-06 15:19 . 2010-04-18 15:13 -------- d-----w- c:\program files\Free Window Registry Repair
2010-04-06 08:06 . 2010-04-06 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-06 08:06 . 2010-04-06 08:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 08:06 . 2010-04-06 08:06 -------- d-----w- c:\documents and settings\ChiNO\Application Data\SUPERAntiSpyware.com
2010-04-06 08:06 . 2010-04-06 08:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-06 07:51 . 2010-04-06 07:51 -------- d-----w- c:\program files\CCleaner
2010-04-06 04:13 . 2010-04-06 08:00 -------- d-----w- c:\program files\Alwil Software
2010-04-06 04:13 . 2010-04-06 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-05 04:09 . 2010-04-05 04:09 -------- d-----w- c:\program files\Trend Micro
2010-04-05 02:34 . 2010-04-05 02:34 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-04 23:16 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 23:16 . 2010-04-06 09:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 23:16 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-03 13:05 . 2010-04-03 20:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-29 02:50 . 2010-03-29 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-03-29 02:50 . 2010-03-29 02:50 -------- d-----w- c:\documents and settings\ChiNO\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 03:51 . 2010-04-06 08:06 117760 ----a-w- c:\documents and settings\ChiNO\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-15 12:18 . 2009-10-07 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-12 06:12 . 2009-09-29 06:56 324120 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-11 10:31 . 2010-01-18 02:29 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 02:00 . 2009-10-12 05:40 -------- d-----w- c:\program files\BitComet
2010-04-06 08:06 . 2010-04-06 08:06 52224 ----a-w- c:\documents and settings\ChiNO\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-04 22:55 . 2009-10-06 20:56 105352 ----a-w- c:\documents and settings\ChiNO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-01 11:24 . 2009-09-29 04:26 -------- d-----w- c:\program files\McAfee
2010-03-29 06:28 . 2010-03-14 21:05 599960 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-21 20:42 . 2010-03-21 20:42 -------- d-----w- c:\documents and settings\ChiNO\Application Data\Intuit
2010-03-21 20:42 . 2010-03-21 20:42 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2010-03-21 20:41 . 2010-03-21 20:39 -------- d-----w- c:\program files\Common Files\Intuit
2010-03-21 20:40 . 2010-03-21 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-03-21 20:38 . 2010-03-21 20:38 -------- d-----w- c:\program files\TurboTax
2010-03-15 00:16 . 2009-09-29 04:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-14 22:41 . 2010-03-14 22:04 -------- d-----w- c:\documents and settings\ChiNO\Application Data\Download Manager
2010-03-14 21:54 . 2009-09-29 04:21 102032 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 21:03 . 2010-03-14 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-03-14 20:51 . 2010-03-14 20:31 -------- d-----w- c:\program files\AutoCAD 2010
2010-03-14 20:41 . 2010-03-14 20:31 -------- d-----w- c:\documents and settings\ChiNO\Application Data\Autodesk
2010-03-14 20:40 . 2010-03-14 20:40 36864 ----a-w- c:\documents and settings\ChiNO\Application Data\Autodesk\AutoCAD 2010\R18.0\enu\ContextualTabSelectorRules.dll
2010-03-14 20:40 . 2009-10-07 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-14 20:35 . 2010-03-14 20:31 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-14 20:31 . 2010-03-14 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-03-10 06:15 . 2008-04-25 16:16 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 02:41 . 2010-03-05 02:37 -------- d-----w- c:\program files\Digital Photo Navigator 1.0
2010-03-05 02:37 . 2009-09-29 04:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-28 06:40 . 2010-02-28 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-02-28 06:39 . 2010-02-28 06:39 -------- d-----w- c:\documents and settings\ChiNO\Application Data\CyberLink
2010-02-25 06:24 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-25 16:16 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-04-25 16:16 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-25 16:16 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-25 16:16 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-09-29 04:20 . 2009-09-29 04:20 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( SnapShot@2010-04-24_03.55.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-25 01:11 . 2010-04-25 01:11 16384 c:\windows\Temp\Perflib_Perfdata_acc.dat
+ 2009-10-06 20:48 . 2010-04-25 00:56 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-06 20:48 . 2010-04-24 03:04 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-17 08:42 . 2010-04-25 00:56 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-01-17 08:42 . 2010-04-24 03:04 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2010-04-24 05:50 . 2010-04-25 00:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-06 20:48 . 2010-04-25 00:56 1179648 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-06 20:48 . 2010-04-24 03:04 1179648 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-20 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-11-14 1708032]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-14 61440]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2009-10-12 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Dell DataSafe Online\\DataSafeUpdater.exe"=
"c:\\Program Files\\WIDCOMM\\Bluetooth Software\\BTTray.exe"=
"c:\\Program Files\\WIDCOMM\\Bluetooth Software\\BTStackServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13875:TCP"= 13875:TCP:BitComet 13875 TCP
"13875:UDP"= 13875:UDP:BitComet 13875 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7382:TCP"= 7382:TCP:Services
"7383:TCP"= 7383:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4819:TCP"= 4819:TCP:Services
"8138:TCP"= 8138:TCP:Services
"7209:TCP"= 7209:TCP:Services
"7210:TCP"= 7210:TCP:Services

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/29/2009 2:56 AM 113024]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [9/29/2009 12:19 AM 143840]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [9/29/2009 2:56 AM 176640]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [9/29/2009 2:56 AM 133632]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [9/29/2009 2:56 AM 274112]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [9/29/2009 2:56 AM 1656960]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-04-25 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-04-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-12-04 03:18]
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\ChiNO\Application Data\Mozilla\Firefox\Profiles\m67ts2qp.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-24 21:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2088)
c:\windows\system32\WININET.dll
c:\program files\RocketDock\RocketDock.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\drivers\audio\r214424\STacSV.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-24 21:16:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-25 01:16
ComboFix2.txt 2010-04-24 04:02

Pre-Run: 301,301,878,784 bytes free
Post-Run: 301,251,981,312 bytes free

- - End Of File - - 126160D5D350E096FA336021C0EC9339








ESET log:




C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache2444235361716033836.tmp probably a variant of Win32/Agent trojan deleted - quarantined




I paused the scan by accident and it had detected 6 other Win32 variants and removed them so I'm posting them manually because I didn't generate a log before trying to run the scan again

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip

Attached Files



#6 8eight

8eight
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 25 April 2010 - 08:29 AM

Oh i forgot I restarted the computer just to check, got an windows error STacSV.exe - Application Error "The instruction at "0x0040e75b" referenced memory at "0x00000000". The memory could not be 'read'." Don't know if that's anything. Also I'm still not able to access system restore I get a pop up "System restore is not able to protect your computer. Please restart your computer and then run system restore again."

The last couple days when my McAfee has been running it has quarantined a few Exploit-PDF.ci (Trojans), and several Generic.dx!rcd (Trojan), It has also had detection of PrcViewer which is located in my C:\ System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP175\A0067247.exe

I've been getting a pop up also for an Adobe Acrobat Updater just want to know a legit update came out recently


Again thanks for the help

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:42 PM

Posted 25 April 2010 - 09:02 AM

QUOTE(8eight @ Apr 25 2010, 02:29 PM) View Post
Oh i forgot I restarted the computer just to check, got an windows error STacSV.exe - Application Error "The instruction at "0x0040e75b" referenced memory at "0x00000000". The memory could not be 'read'." Don't know if that's anything.


Not malware but it may be that you will need to reinstall the program associated with this, IDT Audio.

QUOTE(8eight @ Apr 25 2010, 02:29 PM) View Post
Also I'm still not able to access system restore I get a pop up "System restore is not able to protect your computer. Please restart your computer and then run system restore again."


Combofix has removed the previous restore points and set a new one

QUOTE(8eight @ Apr 25 2010, 02:29 PM) View Post
The last couple days when my McAfee has been running it has quarantined a few Exploit-PDF.ci (Trojans), and several Generic.dx!rcd (Trojan), It has also had detection of PrcViewer which is located in my C:\ System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP175\A0067247.exe


System restore items have now been removed. There's nothing to worry about there.

QUOTE(8eight @ Apr 25 2010, 02:29 PM) View Post
I've been getting a pop up also for an Adobe Acrobat Updater just want to know a legit update came out recently


Yes, that's a legit update.


The Combofix log looks good. Please run ESET's online scan next

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.

Posted Image
m0le is a proud member of UNITE

#8 8eight

8eight
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 26 April 2010 - 07:46 AM

here is what ESET picked up


ESET log #2:



C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP175\A0066985.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP175\A0067247.exe multiple threats deleted - quarantined
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP175\A0067267.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined


Attached Files



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:42 PM

Posted 26 April 2010 - 12:51 PM

ESET just removed the system restore items. They would have been removed at the end of the fix anyway. The end of the fix is where we are...

You're clean. Good stuff! thumbup2.gif

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it 8eight, happy surfing!

Cheers.

m0le
Posted Image
m0le is a proud member of UNITE

#10 8eight

8eight
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 26 April 2010 - 08:00 PM

As far as Combofix goes, like is said the desktop icon disappeared on its own. Typing "Combofix \Uninstall" windows didn't find the it, so I just found the folder on the C: drive and deleted the folder. I appreciate all the help m0le thumbup2.gif

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:42 PM

Posted 30 April 2010 - 06:58 PM

You're welcome 8eight thumbup2.gif

-----------------------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. smile.gif

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users