
Desktop Security gone, Malwarebytes wont run.


  • This topic is locked
12 replies to this topic

#1 babahu
Posted 20 April 2010 - 10:47 PM

Had Desktop Security 2010, horrible malware. Rkill worked but Malwarebytes would not run. Just a short hourglass and then nothing.

Ran sysclean (Trend) in safe mode and it found a few things that seemed to be stuff that Desktop Security 2010 created. Sysclean's rootkit driver would not run. Desktop Security 2010 still there.
Ran AVIRA scan in normal mode and it found 24 things and cleaned them. Ran FixAV2 multiple times. Still mbam would not run. (It would install but at the end it would not launch.)

Did manual removal steps with files and registry, but it was unsuccessful; missed something I guess and it came back. Finally did HijackThis and "fixed" the same registry entries that I had done manually. This time Desktop Security 2010 did not come back. FixAV2.reg ran but still MBAM will not run. Uninstalled lots of stuff. Malwarebytes (mbam) still will not run.

Uninstalled Adaware, Spybot and Avira but still Mbam will not run.

Have done all the steps you asked. Disabled CD emulation, done the scans.

DDS.TXT

DDS (Ver_10-03-17.01) - NTFSx86
Run by Susan at 15:36:22.66 on Tue 04/20/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.639.277 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
C:\Program Files\Common Files\AOL\1134966769\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Susan\Desktop\desktop security 2010 spam\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\ycomp5_5_7_0.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\ycomp5_5_7_0.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Getdo] rundll32.exe "c:\documents and settings\localservice\application data\adobe\update\flacor.dat""
uRun: [Helper] c:\documents and settings\susan\application data\helper\bin\liveu.exe
mRun: [Airlink101 WLAN Monitor] c:\program files\airlink101\airlink101 wlan monitor\WLANmon.exe
mRun: [HostManager] c:\program files\common files\aol\1134966769\ee\AOLSoftware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [launchSystraylaunchSystray] c:\program files\common files\aol\1134966769\ee\services\aolsystrayservice\applicationlaunchsystray.exe
mRun: [QuickenWindows] c:\program files\quicken\microsoftqwibill.exe
mRun: [QuickTimeResourcesQuickTime] c:\program files\quicktime\qtsystem\quicktimestreamingextras.resources\fi.lproj\quicktimequicktimeresources.exe
mRun: [ApplicationlaunchSystray] c:\program files\common files\aol\1134966769\ee\services\aolsystrayservice\applicationlaunchsystray.exe
mRun: [ViewWindows16.1.5.7] c:\program files\quicken\microsoftqwibill.exe
mRun: [QuickTimeQuickTimeResources] c:\program files\quicktime\qtsystem\quicktimeqd3d.resources\es.lproj\quicktimeresourcesquicktimeresources.exe
mRun: [khihgdsys] rundll32.exe "geefed.dll",DllRegisterServer
mRunServices: [iTunesiTunesHelperLocalized6.0.0.7] c:\program files\itunes\ituneshelper.resources\fi.lproj\ituneshelperlocalizedituneshelperlocalized.exe
mRunServices: [BackgroundImagei] c:\program files\adobe\photoshop 7.0\presets\optimized output settings\imageibackground14148.exe
mRunServices: [QuickTimeQuickTimeResources] c:\program files\quicktime\qtsystem\quicktimeqd3d.resources\es.lproj\quicktimeresourcesquicktimeresources.exe
mRunServices: [ApplicationlaunchSystray] c:\program files\common files\aol\1134966769\ee\services\aolsystrayservice\applicationlaunchsystray.exe
mRunServices: [WindowsWindows] c:\program files\quicken\microsoftqwibill.exe
mRunServices: [QuickTimeResourcesQuickTime7.0.37] c:\program files\quicktime\qtsystem\quicktimeqd3d.resources\es.lproj\quicktimeresourcesquicktimeresources.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [xxxvvwsys] rundll32.exe "geefed.dll",DllRegisterServer
uPolicies-explorer: rightsTest = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - c:\docume~1\susan\locals~1\temp\13.tmp
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 geefed.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\susan\applic~1\mozilla\firefox\profiles\vmo7xbeu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
FF - component: c:\documents and settings\susan\application data\mozilla\firefox\profiles\vmo7xbeu.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MUsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\MUsbFltr.sys [2007-10-9 9088]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2004-5-21 114944]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
S2 hpopar03;hpopar03;c:\windows\system32\drivers\hpopar03.sys --> c:\windows\system32\drivers\hpopar03.SYS [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\documents and settings\susan\desktop\medalion of redoo\nexon\kartrider\gameguard\dump_wmimmc.sys --> c:\documents and settings\susan\desktop\medalion of redoo\nexon\kartrider\gameguard\dump_wmimmc.sys [?]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [2006-11-3 467040]

=============== Created Last 30 ================

2010-04-20 22:33:45 0 ----a-w- c:\documents and settings\susan\defogger_reenable
2010-04-20 19:28:13 0 d-----w- c:\docume~1\susan\applic~1\Malwarebytes
2010-04-16 21:36:10 0 d-----w- C:\INSTALL
2010-04-15 21:24:56 0 d-----w- c:\docume~1\susan\applic~1\Desktop Security 2010
2010-04-15 21:24:24 88576 ---ha-w- c:\windows\system32\geefed1.dll
2010-04-15 21:24:24 88576 ---ha-w- c:\windows\system32\geefed.dll
2010-03-31 07:57:02 54156 ---ha-w- c:\windows\QTFont.qfn
2010-03-31 07:57:02 1409 ----a-w- c:\windows\QTFont.for
2010-03-24 14:48:34 259 ----a-w- c:\windows\msacm32.drv
2010-03-24 14:48:20 0 d-----w- c:\docume~1\susan\applic~1\Helper
2010-03-24 08:33:24 0 d-----w- c:\docume~1\susan\applic~1\Foxit Software

==================== Find3M ====================

2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 05:26:38 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 15:37:05.20 ===============
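Added example, not part of the original post and not code from DDS, ComboFix or any other tool named in this thread. The DDS log above shows the persistence that manual registry clean-ups kept missing: two Run values that launch rundll32.exe with the bare name "geefed.dll" (no directory, so the loader search path decides which file runs), geefed.dll registered as an LSA Authentication Package next to msv1_0 (lsass.exe loads it at boot as SYSTEM, before any user-mode cleaner gets a look), hidden 88576-byte geefed.dll and geefed1.dll created in system32 at the same minute as the Desktop Security 2010 folder, and Run/RunServices values whose names are vendor words glued together (QuickTimeResourcesQuickTime, WindowsWindows, launchSystraylaunchSystray) pointing at paths that look like Apple or Intuit but are not. The ComboFix log later in the thread adds firewall exceptions named only "Services" on high ports plus 3389. The script below applies those indicators to a constructed sample of such lines; the regexes, rule names and severities are the example's own assumptions, not DDS or ComboFix logic.

```python
"""Triage helper for DDS / HijackThis-style autorun logs.

Added example: applies the indicators visible in the thread's logs to a
constructed sample of those line formats. Rule names and severities are
this example's own choices, not anything DDS or ComboFix emit.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines modelled on the DDS and ComboFix output posted
# in this thread (not the full logs).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Getdo] rundll32.exe "c:\documents and settings\localservice\application data\adobe\update\flacor.dat""
uRun: [Helper] c:\documents and settings\susan\application data\helper\bin\liveu.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [QuickTimeResourcesQuickTime] c:\program files\quicktime\qtsystem\quicktimestreamingextras.resources\fi.lproj\quicktimequicktimeresources.exe
mRun: [khihgdsys] rundll32.exe "geefed.dll",DllRegisterServer
mRunServices: [WindowsWindows] c:\program files\quicken\microsoftqwibill.exe
dRun: [xxxvvwsys] rundll32.exe "geefed.dll",DllRegisterServer
LSA: Authentication Packages = msv1_0 geefed.dll
2010-04-15 21:24:24 88576 ---ha-w- c:\windows\system32\geefed.dll
2010-03-31 07:57:02 54156 ---ha-w- c:\windows\QTFont.qfn
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"6112:TCP"= 6112:TCP:Warcraft III - Hosting 6112
"""

Finding = Tuple[str, str, str]  # (severity, rule, offending line)

RUN_RE = re.compile(r'^(?P<hive>[umd]Run(?:Services)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
LSA_RE = re.compile(r'^LSA:\s*Authentication Packages\s*=\s*(?P<pkgs>.+)$')
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+)$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')
# rundll32 followed by a DLL name with no directory separator or drive letter
BARE_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^\s"\\/:]+\.dll)"?', re.IGNORECASE)
PROFILE_DIR_RE = re.compile(r'\\documents and settings\\[^\\]+\\(?:application data|local settings)\\', re.IGNORECASE)
SYSTEM32_PE_RE = re.compile(r'\\windows\\system32\\[^\\]+\.(?:dll|exe|sys)$', re.IGNORECASE)


def repeated_token(name: str, min_len: int = 6) -> Optional[str]:
    """Return a substring (len >= min_len) that occurs twice in `name`, else None.

    Names such as 'QuickTimeResourcesQuickTime' are built by gluing vendor
    words together so they pass a quick glance at msconfig."""
    low = name.lower()
    for length in range(len(low) // 2, min_len - 1, -1):
        for i in range(0, len(low) - length + 1):
            if low.find(low[i:i + length], i + length) != -1:
                return name[i:i + length]
    return None


def triage(log_text: str) -> List[Finding]:
    """Return (severity, rule, line) for every log line that trips an indicator."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            dll = BARE_DLL_RE.search(cmd)
            if dll:
                # The loader search path decides which file runs; the entry hides it.
                findings.append(("high", f"rundll32 loads bare DLL name {dll.group('dll')}", line))
            if PROFILE_DIR_RE.search(cmd):
                findings.append(("medium", "autorun target lives in a user-writable profile directory", line))
            token = repeated_token(name)
            if token:
                findings.append(("medium", f'value name repeats "{token}" (vendor-word masquerade)', line))
            continue
        m = LSA_RE.match(line)
        if m:
            extras = [p for p in m.group("pkgs").split() if p.lower() != "msv1_0"]
            if extras:
                # Authentication packages load into lsass.exe at boot as SYSTEM.
                findings.append(("high", f"non-default LSA authentication package(s): {' '.join(extras)}", line))
            continue
        m = FILE_RE.match(line)
        if m:
            if "h" in m.group("attr") and SYSTEM32_PE_RE.search(m.group("path")):
                findings.append(("medium", "hidden executable module recently created in system32", line))
            continue
        m = PORT_RE.match(line)
        if m:
            port, desc = int(m.group("port")), m.group("desc").strip()
            if desc.lower() == "services" or port == 3389:
                findings.append(("medium", f"firewall exception opens {port}/{m.group('proto')} ({desc})", line))
    return findings


if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule}\n         {line}")
```

Run as a script it prints one finding per offending line. The two "high" rules (bare-DLL rundll32 and the extra LSA package) are the ones that should move the investigation to lsass and boot-time loading before trusting any scanner that runs on the live system, which is consistent with the ComboFix result later in the thread where the same DLL is deleted and the MBR has to be restored.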




#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
Posted 20 April 2010 - 10:59 PM

Hi, babahu

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. Install the Recovery Console if prompted.
  6. When finished, it will produce a report for you.
  7. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help through private messaging will be attended to.



#3 babahu
Posted 25 April 2010 - 12:14 AM

Steps performed. Did it find a rootkit? Can you tell me what it found? The desktop picture returned.
Here is combofix.txt


ComboFix 10-04-21.01 - Susan 04/21/2010 16:54:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.639.460 [GMT -7:00]
Running from: c:\documents and settings\Susan\Desktop\Virus killer\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Susan\Application Data\Desktop Security 2010
c:\documents and settings\Susan\Application Data\Desktop Security 2010\Desktop Security 2010.exe
c:\documents and settings\Susan\Application Data\Desktop Security 2010\mfc71.dll
c:\documents and settings\Susan\Application Data\Desktop Security 2010\MFC71ENU.DLL
c:\documents and settings\Susan\Application Data\Desktop Security 2010\msvcp71.dll
c:\documents and settings\Susan\Application Data\Desktop Security 2010\msvcr71.dll
c:\documents and settings\Susan\Application Data\Desktop Security 2010\securitycenter.exe
c:\documents and settings\Susan\Application Data\Desktop Security 2010\securityhelper.exe
c:\documents and settings\Susan\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Security 2010.lnk
c:\documents and settings\Susan\Start Menu\Programs\Desktop Security 2010
c:\documents and settings\Susan\Start Menu\Programs\Desktop Security 2010.lnk
c:\documents and settings\Susan\Start Menu\Programs\Desktop Security 2010\Activate Desktop Security 2010.lnk
c:\documents and settings\Susan\Start Menu\Programs\Desktop Security 2010\Desktop Security 2010.lnk
c:\documents and settings\Susan\Start Menu\Programs\Desktop Security 2010\Help Desktop Security 2010.lnk
c:\documents and settings\Susan\Start Menu\Programs\Desktop Security 2010\How to Activate Desktop Security 2010.lnk
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-1343024091-1292428093-839522115-1003
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
c:\windows\msacm32.drv
c:\windows\system32\geefed.dll

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-20 19:28 . 2010-04-20 19:28 -------- d-----w- c:\documents and settings\Susan\Application Data\Malwarebytes
2010-04-16 21:36 . 2010-04-16 22:03 -------- d-----w- C:\INSTALL
2010-04-15 21:24 . 2010-04-15 21:24 88576 ---ha-w- c:\windows\system32\geefed1.dll
2010-04-01 07:28 . 2010-04-01 07:28 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-04-01 07:28 . 2010-04-01 07:28 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-03-24 14:48 . 2010-03-24 14:48 -------- d-----w- c:\documents and settings\Susan\Application Data\Helper
2010-03-24 08:33 . 2010-03-24 08:33 -------- d-----w- c:\documents and settings\Susan\Application Data\Foxit Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 19:57 . 2005-12-18 21:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 19:25 . 2005-12-18 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-18 23:35 . 2007-07-11 03:05 -------- d-----w- c:\program files\Quicken
2010-03-10 08:02 . 2004-08-04 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 07:02 . 2005-12-19 04:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-03-04 11:16 . 2010-03-04 11:16 -------- d-----w- c:\program files\MSXML 6.0
2010-03-04 05:26 . 2005-12-18 20:56 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-26 06:12 . 2004-08-04 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2004-08-04 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 20:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2006-10-13 958464]
"HostManager"="c:\program files\Common Files\AOL\1134966769\ee\AOLSoftware.exe" [2008-06-24 41824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-18 155648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"rightsTest"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Labtec Mouse Settings.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Labtec Mouse Settings.lnk
backup=c:\windows\pss\Labtec Mouse Settings.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MiniMavis.lnk
backup=c:\windows\pss\MiniMavis.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Susan^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Susan\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Susan^Start Menu^Programs^Startup^TDK Launcher.lnk]
path=c:\documents and settings\Susan\Start Menu\Programs\Startup\TDK Launcher.lnk
backup=c:\windows\pss\TDK Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-02-23 16:37 203928 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2006-06-30 01:34 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-19 01:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1134966769\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 19:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-04-19 19:26 7700480 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-04-19 19:26 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-04-19 19:26 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-12-18 21:52 155648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-12-19 04:34 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-07-15 19:38 319488 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-12-01 21:46 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-02 01:44 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 10:23 75520 ----a-w- c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134966769\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134966769\\EE\\aolsoftware.exe"=
"c:\\Program Files\\America Online 9.0\\aol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bullfrog\\Populous\\popTB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\World Editor.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1:TCP"= 1:TCP:waol.exe
"2:TCP"= 2:TCP:aoltpspd.exe
"3:TCP"= 3:TCP:AOLacsd.exe
"4:TCP"= 4:TCP:AOLDial.exe
"6112:TCP"= 6112:TCP:Warcraft III - Hosting 6112
"6114:TCP"= 6114:TCP:warcraft
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2698:TCP"= 2698:TCP:Services
"3896:TCP"= 3896:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 MUsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\MUsbFltr.sys [10/9/2007 8:06 PM 9088]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [5/21/2004 2:30 AM 114944]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 hpopar03;hpopar03;c:\windows\system32\drivers\hpopar03.SYS --> c:\windows\system32\drivers\hpopar03.SYS [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\documents and settings\Susan\Desktop\Medalion of Redoo\Nexon\KartRider\GameGuard\dump_wmimmc.sys --> c:\documents and settings\Susan\Desktop\Medalion of Redoo\Nexon\KartRider\GameGuard\dump_wmimmc.sys [?]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [11/3/2006 4:30 PM 467040]
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-02 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
FF - ProfilePath - c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\vmo7xbeu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
FF - component: c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\vmo7xbeu.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Helper - c:\documents and settings\Susan\Application Data\Helper\bin\liveu.exe
HKLM-Run-launchSystraylaunchSystray - c:\program files\common files\aol\1134966769\ee\services\aolsystrayservice\applicationlaunchsystray.exe
HKLM-Run-QuickenWindows - c:\program files\quicken\microsoftqwibill.exe
HKLM-Run-QuickTimeResourcesQuickTime - c:\program files\quicktime\qtsystem\quicktimestreamingextras.resources\fi.lproj\quicktimequicktimeresources.exe
HKLM-Run-ApplicationlaunchSystray - c:\program files\common files\aol\1134966769\ee\services\aolsystrayservice\applicationlaunchsystray.exe
HKLM-Run-ViewWindows16.1.5.7 - c:\program files\quicken\microsoftqwibill.exe
HKLM-Run-QuickTimeQuickTimeResources - c:\program files\quicktime\qtsystem\quicktimeqd3d.resources\es.lproj\quicktimeresourcesquicktimeresources.exe
HKLM-Run-khihgdsys - geefed.dll
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
HKU-Default-Run-xxxvvwsys - geefed.dll
MSConfigStartUp-GhostStartTrayApp - c:\program files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
AddRemove-GhostMouse 2.0 - c:\gmouse20\DeIsL1.isu
AddRemove-Desktop Security 2010 - c:\documents and settings\Susan\Application Data\Desktop Security 2010\securityhelper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 17:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(820)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\ssoftsrv.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2010-04-21 17:13:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 00:13

Pre-Run: 60,254,892,032 bytes free
Post-Run: 60,629,422,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 724477BA9DA8F6097FF7628724804209


#4 JSntgRvr (Master Surgeon General, Malware Response Team, 11,196 posts, Location: Puerto Rico)

Posted 25 April 2010 - 01:51 AM

You had the effects of a Rogue Antivirus program and an MBR Rootkit. We still have remnants to work out. When you refer to the desktop picture, what picture?
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
QUOTE
File::
c:\windows\system32\geefed1.dll

Driver::
sptd
hpopar03
dump_wmimmc

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Note! To use this tool read the following instructions thoroughly first. Dell users pay attention to the last note.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
    From here there are two different routes
  1. If the tool detects an mbr infection
    • Please allow it to run mbr -f and shutdown your computer.
    • Upon restarting, please wait about 5 minutes
    • Click Start>Run and type the following bolded command, then hit Enter.
      Note! Make sure you leave a space between helpasst and -mbrt
      helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

  2. In the event the tool does not detect an mbr infection and completes
    • click Start>Run and type the following bolded command, then hit Enter.
      Note! Make sure you leave a space between mbr and -f
      mbr -f
    • Now, please do the command a second time. Click Start>Run and type the following bolded command, then hit Enter.
      Note! Make sure you leave a space between mbr and -f
      mbr -f
    • Now shut down the computer (do not restart, but shut it down),
    • Wait a few minutes then start it back up.
    • Wait about 5 minutes
    • Click Start>Run and type the following bolded command, then hit Enter.
      Note! Make sure you leave a space between helpasst and -mbrt
      helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.


**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain with an infected mbr (the latter not recommended).

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
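The CFScript above is built from what the log itself flags: three drivers printed as `path --> path [?]`, which ComboFix uses when it cannot find the file a service points at; orphaned Run values whose target is a bare DLL name (`geefed.dll`) instead of an executable with a directory; firewall exceptions on arbitrary high ports named only "Services"; and a `HelpAssistant` profile directory created on 2010-04-01, which matches the name of the HelpAsst_mebroot_fix tool the helper asks for next. The script below is an added example, not part of this thread and not ComboFix's own code: it scans a ComboFix log for those four indicator shapes and renders the `File::`/`Driver::` script format used above. The sample log is excerpted verbatim from the log posted earlier in the thread; the regexes, the generic-name port list, the 3389 threshold and the `triage`/`build_cfscript` function names are assumptions of this example.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample input: lines excerpted verbatim from the ComboFix log
# posted above, so the hits are exactly the entries the helper acted on.
SAMPLE_LOG = r"""
"6112:TCP"= 6112:TCP:Warcraft III - Hosting 6112
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2698:TCP"= 2698:TCP:Services
"3896:TCP"= 3896:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 hpopar03;hpopar03;c:\windows\system32\drivers\hpopar03.SYS --> c:\windows\system32\drivers\hpopar03.SYS [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\documents and settings\Susan\Desktop\Medalion of Redoo\Nexon\KartRider\GameGuard\dump_wmimmc.sys --> c:\documents and settings\Susan\Desktop\Medalion of Redoo\Nexon\KartRider\GameGuard\dump_wmimmc.sys [?]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [11/3/2006 4:30 PM 467040]
HKLM-Run-khihgdsys - geefed.dll
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
HKU-Default-Run-xxxvvwsys - geefed.dll
2010-04-01 07:28 . 2010-04-01 07:28 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-04-01 07:28 . 2010-04-01 07:28 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
"""

# Service lines read "S0 name;display;path [date size]"; when the file the
# service points at is absent the tail becomes "path --> path [?]".
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.*)$")
MISSING_MARK = re.compile(r"-->\s.*\[\?\]\s*$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
ORPHAN_RUN_RE = re.compile(r"^(HK\S*?-Run-\S+)\s+-\s+(.+)$")
HELPASST_RE = re.compile(r"\\documents and settings\\HelpAssistant\\", re.I)
PATH_TAIL_RE = re.compile(r"([a-z]:\\.*)$", re.I)

# Assumed thresholds (this example's choice, not ComboFix's): exception names
# that describe nothing, and a remote-access port a home XP box should not expose.
GENERIC_PORT_NAMES = {"services", "service", "system"}
REMOTE_ACCESS_PORTS = {3389}


def triage(log_text: str) -> Dict[str, List[dict]]:
    """Walk a ComboFix log and collect the four indicator shapes discussed above."""
    out: Dict[str, List[dict]] = {"missing_drivers": [], "bare_run_targets": [],
                                  "open_ports": [], "helpassistant": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            if MISSING_MARK.search(m.group(3)):
                out["missing_drivers"].append({"start": m.group(1), "name": m.group(2)})
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, desc = int(m.group(1)), m.group(2), m.group(3).strip()
            if desc.lower() in GENERIC_PORT_NAMES:
                out["open_ports"].append({"port": port, "proto": proto, "why": "generic exception name"})
            elif port in REMOTE_ACCESS_PORTS:
                out["open_ports"].append({"port": port, "proto": proto, "why": "remote-access port open"})
            continue
        m = ORPHAN_RUN_RE.match(line)
        if m:
            key, target = m.group(1), m.group(2).strip()
            # A legitimate autostart names an .exe with a directory; a bare .dll
            # name with no path is the shape the rogue's loader entries take.
            if "\\" not in target and target.lower().endswith(".dll"):
                out["bare_run_targets"].append({"key": key, "target": target})
            continue
        if HELPASST_RE.search(line):
            tail = PATH_TAIL_RE.search(line)
            out["helpassistant"].append({"path": tail.group(1) if tail else line})
    return out


def build_cfscript(findings: Dict[str, List[dict]], confirmed_files: Sequence[str] = ()) -> str:
    """Render the CFScript format used above: a File:: block, then a Driver:: block.

    Bare .dll names from Run keys are never promoted to File:: automatically:
    the log gives no directory for them, so pass only paths verified on disk."""
    lines: List[str] = []
    if confirmed_files:
        lines.append("File::")
        lines.extend(confirmed_files)
        lines.append("")
    drivers = [d["name"] for d in findings["missing_drivers"]]
    if drivers:
        lines.append("Driver::")
        lines.extend(drivers)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Two caveats a practitioner would want. A dangling driver entry is evidence of something uninstalled badly, not of malware: by name, sptd is the SCSI Pass Through Direct driver that ships with Alcohol 120% (still present here as StarWindServiceAE.exe and the AlcoholAutomount startup entry), hpopar03 is an HP parallel-port printer driver, and dump_wmimmc.sys sits in a GameGuard folder, so the helper clears them for hygiene rather than because they are hostile. And the script deliberately keeps `geefed.dll` out of `File::`: the orphan entry carries no directory, and the file the helper actually deleted was `c:\windows\system32\geefed1.dll`, a different name, which is why a path goes in only after it has been confirmed on disk.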


#5 babahu (Topic Starter, Members, 30 posts)

Posted 25 April 2010 - 06:38 PM

The desktop picture is a jpg photo (100_0415.jpg) that I put on my desktop. Before ComboFix the picture was not there; it had disappeared during my attempts to kill the virus. Now it is showing.
Here is the ComboFix log: (after it is the mbr fixer log)


ComboFix 10-04-21.01 - Susan 04/25/2010 15:55:09.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.639.399 [GMT -7:00]
Running from: c:\documents and settings\Susan\Desktop\Virus killer\ComboFix.exe
Command switches used :: c:\documents and settings\Susan\Desktop\Virus killer\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\system32\geefed1.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\geefed1.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DUMP_WMIMMC
-------\Legacy_HPOPAR03
-------\Legacy_SPTD
-------\Service_dump_wmimmc
-------\Service_hpopar03
-------\Service_sptd


((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
.

2010-04-25 22:51 . 2010-04-25 22:51 5120 ----a-w- C:\mbr john dell.bin
2010-04-20 19:28 . 2010-04-20 19:28 -------- d-----w- c:\documents and settings\Susan\Application Data\Malwarebytes
2010-04-16 21:36 . 2010-04-16 22:03 -------- d-----w- C:\INSTALL
2010-04-01 07:28 . 2010-04-01 07:28 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-04-01 07:28 . 2010-04-01 07:28 -------- d-----w- c:\documents and settings\HelpAssistant\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 19:57 . 2005-12-18 21:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 19:25 . 2005-12-18 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-18 23:35 . 2007-07-11 03:05 -------- d-----w- c:\program files\Quicken
2010-03-24 14:48 . 2010-03-24 14:48 -------- d-----w- c:\documents and settings\Susan\Application Data\Helper
2010-03-24 08:33 . 2010-03-24 08:33 -------- d-----w- c:\documents and settings\Susan\Application Data\Foxit Software
2010-03-10 08:02 . 2004-08-04 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 07:02 . 2005-12-19 04:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-03-04 11:16 . 2010-03-04 11:16 -------- d-----w- c:\program files\MSXML 6.0
2010-03-04 05:26 . 2005-12-18 20:56 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-26 06:12 . 2004-08-04 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2004-08-04 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2004-08-04 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 20:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2006-10-13 958464]
"HostManager"="c:\program files\Common Files\AOL\1134966769\ee\AOLSoftware.exe" [2008-06-24 41824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-18 155648]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"rightsTest"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Labtec Mouse Settings.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Labtec Mouse Settings.lnk
backup=c:\windows\pss\Labtec Mouse Settings.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MiniMavis.lnk
backup=c:\windows\pss\MiniMavis.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Susan^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Susan\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows\pss\DING!.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Susan^Start Menu^Programs^Startup^TDK Launcher.lnk]
path=c:\documents and settings\Susan\Start Menu\Programs\Startup\TDK Launcher.lnk
backup=c:\windows\pss\TDK Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-02-23 16:37 203928 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2006-06-30 01:34 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-19 01:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1134966769\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 19:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-04-19 19:26 7700480 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-04-19 19:26 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-04-19 19:26 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-12-18 21:52 155648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-12-19 04:34 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-07-15 19:38 319488 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-12-01 21:46 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-02 01:44 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 10:23 75520 ----a-w- c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134966769\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134966769\\EE\\aolsoftware.exe"=
"c:\\Program Files\\America Online 9.0\\aol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bullfrog\\Populous\\popTB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\World Editor.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1:TCP"= 1:TCP:waol.exe
"2:TCP"= 2:TCP:aoltpspd.exe
"3:TCP"= 3:TCP:AOLacsd.exe
"4:TCP"= 4:TCP:AOLDial.exe
"6112:TCP"= 6112:TCP:Warcraft III - Hosting 6112
"6114:TCP"= 6114:TCP:warcraft
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2698:TCP"= 2698:TCP:Services
"3896:TCP"= 3896:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 MUsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\MUsbFltr.sys [10/9/2007 8:06 PM 9088]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [5/21/2004 2:30 AM 114944]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [11/3/2006 4:30 PM 467040]
.
Contents of the 'Scheduled Tasks' folder

2010-04-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-02 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
FF - ProfilePath - c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\vmo7xbeu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
FF - component: c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\vmo7xbeu.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-25 16:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\ssoftsrv.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2010-04-25 16:11:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-25 23:11
ComboFix2.txt 2010-04-22 00:13

Pre-Run: 60,659,994,624 bytes free
Post-Run: 60,630,388,736 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 8E032208E2D516D66523DCC01B49E04B

=======================================================
Here is mbr fixer log: (HelpAsst.log)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1134966769\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 19:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-04-19 19:26 7700480 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-04-19 19:26 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-04-19 19:26 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
2004-04-05 21:33 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-12-18 21:52 155648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-12-19 04:34 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-07-15 19:38 319488 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-12-01 21:46 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-02 01:44 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 10:23 75520 ----a-w- c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134966769\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134966769\\EE\\aolsoftware.exe"=
"c:\\Program Files\\America Online 9.0\\aol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bullfrog\\Populous\\popTB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\World Editor.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1:TCP"= 1:TCP:waol.exe
"2:TCP"= 2:TCP:aoltpspd.exe
"3:TCP"= 3:TCP:AOLacsd.exe
"4:TCP"= 4:TCP:AOLDial.exe
"6112:TCP"= 6112:TCP:Warcraft III - Hosting 6112
"6114:TCP"= 6114:TCP:warcraft
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2698:TCP"= 2698:TCP:Services
"3896:TCP"= 3896:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 MUsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\MUsbFltr.sys [10/9/2007 8:06 PM 9088]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [5/21/2004 2:30 AM 114944]
S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [11/3/2006 4:30 PM 467040]
.
Contents of the 'Scheduled Tasks' folder

2010-04-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-02 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
FF - ProfilePath - c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\vmo7xbeu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
FF - component: c:\documents and settings\Susan\Application Data\Mozilla\Firefox\Profiles\vmo7xbeu.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-25 16:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\ssoftsrv.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2010-04-25 16:11:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-25 23:11
ComboFix2.txt 2010-04-22 00:13

Pre-Run: 60,659,994,624 bytes free
Post-Run: 60,630,388,736 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 8E032208E2D516D66523DCC01B49E04B




#6 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,196 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 April 2010 - 06:58 PM

You posted the Combofix twice. Need to see the HelpAsst_mebroot_fix report.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 babahu
  • Topic Starter
  • Members
  • 30 posts
  • Gender:Male

Posted 26 April 2010 - 01:21 PM

Sorry, here is HelpAsst.log
==========================

C:\Documents and Settings\Susan\Desktop\Virus killer\HelpAsst_mebroot_fix.exe
Sun 04/25/2010 at 16:14:58.89

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2698:TCP"=-
"3896:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2698:TCP"=-
"3896:TCP"=-
"3389:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1060284298-507921405-1708537768-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK
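
The HelpAsst log above closes five entries in the GloballyOpenPorts lists that the ComboFix log earlier in the thread had shown: four ports labelled only "Services" and port 3389 (Remote Desktop) opened to every host. As an added example, not part of the thread and not code from ComboFix or HelpAsst_mebroot_fix, here is a small Python parser that pulls GloballyOpenPorts entries out of ComboFix-style log text and flags the ones a defender should question. The sample lines are a constructed copy of the thread's StandardProfile list; the heuristics (generic rule names, the RDP port, the ephemeral range starting at 49152, and value/name mismatches) are my assumptions chosen to reproduce what HelpAsst removed.

```python
"""Flag suspicious GloballyOpenPorts firewall entries in ComboFix-style log text.

Added example for this thread; not part of ComboFix or HelpAsst_mebroot_fix.
The heuristics below are assumptions chosen to reproduce what HelpAsst removed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the StandardProfile firewall lists in the same layout
# ComboFix prints them (values copied from the log earlier in the thread).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1:TCP"= 1:TCP:waol.exe
"2:TCP"= 2:TCP:aoltpspd.exe
"3:TCP"= 3:TCP:AOLacsd.exe
"4:TCP"= 4:TCP:AOLDial.exe
"6112:TCP"= 6112:TCP:Warcraft III - Hosting 6112
"6114:TCP"= 6114:TCP:warcraft
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2698:TCP"= 2698:TCP:Services
"3896:TCP"= 3896:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""

# Registry value line inside a GloballyOpenPorts list:  "PORT:PROTO"= PORT:PROTO:Name
PORT_LINE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(\d+):(TCP|UDP):(.*)$')
# Pulls the profile name (domainprofile / standardprofile) out of the key path.
PROFILE_IN_KEY = re.compile(r"firewallpolicy\\(\w+)\\")

# Assumed thresholds: names that describe nothing, the RDP port, the ephemeral range.
GENERIC_NAMES = {"services", "service", "windows", "system"}
RDP_PORT = 3389
EPHEMERAL_START = 49152


@dataclass(frozen=True)
class OpenPort:
    profile: str
    port: int
    proto: str
    name: str
    key_port: int      # port as written in the value name, for consistency checks
    key_proto: str


def parse_open_ports(text: str) -> List[OpenPort]:
    """Return every GloballyOpenPorts entry found in ComboFix-style text."""
    entries: List[OpenPort] = []
    profile = "unknown"
    in_ports = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            in_ports = key.endswith(r"globallyopenports\list")
            m = PROFILE_IN_KEY.search(key)
            profile = m.group(1) if m else "unknown"
            continue
        if not in_ports:
            continue
        m = PORT_LINE.match(line)
        if m:
            entries.append(OpenPort(profile, int(m.group(3)), m.group(4),
                                    m.group(5).strip(), int(m.group(1)), m.group(2)))
    return entries


def suspicious_reasons(entry: OpenPort) -> List[str]:
    """Why a globally open port deserves a second look (empty list = looks ordinary)."""
    reasons = []
    if (entry.port, entry.proto) != (entry.key_port, entry.key_proto):
        reasons.append("value does not match its registry value name")
    if entry.name.lower() in GENERIC_NAMES:
        reasons.append("generic rule name")
    if entry.port == RDP_PORT:
        reasons.append("Remote Desktop port opened to all hosts")
    if entry.port >= EPHEMERAL_START:
        reasons.append("port in the ephemeral range")
    return reasons


def flag_suspicious(text: str) -> Dict[Tuple[str, int, str], List[str]]:
    """Map (profile, port, proto) -> reasons for every entry that trips a heuristic."""
    flagged = {}
    for e in parse_open_ports(text):
        reasons = suspicious_reasons(e)
        if reasons:
            flagged[(e.profile, e.port, e.proto)] = reasons
    return flagged


if __name__ == "__main__":
    for (profile, port, proto), reasons in sorted(flag_suspicious(SAMPLE_LOG).items()):
        print(f"{profile} {port}/{proto}: {'; '.join(reasons)}")
```

Run against the sample it reports exactly the five entries HelpAsst closed and leaves the AOL and Warcraft III rules alone; the same parser works on the DomainProfile list, since the profile name is read from the key path.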


#8 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,196 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 April 2010 - 01:59 PM

Let's perform a status check, then continue.

Cleanup:

Click Start>Run, copy and paste helpasst -cleanup then hit Enter.

Perform a Status check:

Click Start>Run, copy and paste "%userprofile%\desktop\HelpAssistant_mebroot_fix.exe" -mbrt (including the quotation marks) then hit Enter. Paste the results in your next reply.

Scan for remnants:

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please run the F-Secure Online Scanner
  • For information click Here.
  • Allow the installation of the Add-ons and Accept the License Agreement.
  • Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.



#9 babahu
  • Topic Starter
  • Members
  • 30 posts
  • Gender:Male

Posted 27 April 2010 - 04:59 PM

Cleanup:

Okay


Perform a Status Check:

Could not do it. Got message that Windows could not find 'C:\Documents and Settings\Susan\desktop\HelpAssistant_mebroot_fix.exe'



Scan for remnants:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4043

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/27/2010 11:26:03 AM
mbam-log-2010-04-27 (11-26-03).txt

Scan type: Quick scan
Objects scanned: 109974
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



F-Secure Online Scanner


Scanning Report
Tuesday, April 27, 2010 11:53:19 - 14:22:06

Computer name: SUSAN-A4225EF88
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\
40 malware found
TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

Suspicious:W32/Malware!Gemini (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Revsci (spyware)

* System (Disinfected)

TrackingCookie.Adbrite (spyware)

* System (Disinfected)

TrackingCookie.Xiti (spyware)

* System (Disinfected)

TrackingCookie.Mediaplex (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

* C:\WINDOWS\SWSC.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\WINDOWS\SWREG.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP45\A0017920.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP45\A0017938.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP45\A0018287.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP45\A0018563.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP44\A0016180.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP44\A0016463.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP44\A0016467.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP44\A0017589.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP44\A0017595.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP44\A0017594.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP44\A0017672.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP44\A0017766.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP44\A0017770.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP43\A0015265.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP43\A0015591.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP43\A0015883.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP40\A0014625.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F90D9C24-E13C-4316-8625-4FFBC0B21E57}\RP39\A0014296.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\CONDITIONAL MODE CHANGE.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\AGED PHOTO.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\CONSTRAIN TO 300 PIXELS.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\CONSTRAIN TO 64 PIXELS.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\DROP SHADOW FRAME.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\MAKE BUTTON.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\MAKE SEPIA TONE.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\SAVE AS JPEG MEDIUM.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\SAMPLES\DROPLETS\PHOTOSHOP DROPLETS\SAVE AS PHOTOSHOP PDF.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\REQUIRED\DROPLET TEMPLATE.EXE (Not cleaned & Submitted)

Statistics
Scanned:

* Files: 55071
* System: 3561
* Not scanned: 9

Actions:

* Disinfected: 10
* Renamed: 0
* Deleted: 0
* Not cleaned: 30
* Submitted: 28

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\SUSAN\LOCAL SETTINGS\TEMP\HSPERFDATA_SUSAN\2580
* C:\DOCUMENTS AND SETTINGS\SUSAN\LOCAL SETTINGS\TEMP\HSPERFDATA_SUSAN\1404
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AMERICA ONLINE 9.0\ORGANIZE\COACHHARGIS

Options
Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics


#10 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,196 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 April 2010 - 06:51 PM

How is the computer doing?



#11 babahu
  • Topic Starter
  • Members
  • 30 posts
  • Gender:Male

Posted 28 April 2010 - 04:41 PM

A conference has gotten in the way -- will get back to it tomorrow. BUT, am I supposed to worry about the F scan showing the GEMINI (virus) thing? Or is this a false positive?

p.s. I will do the status check later.

#12 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,196 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 28 April 2010 - 06:23 PM

http://www.f-secure.com/v-descs/suspicious...33;gemini.shtml

The files in the C:\SYSTEM VOLUME INFORMATION will be removed once we reset System Restore. Concerning the files in the ADOBE PHOTOSHOP folder, I believe they are false positives. As explained in the F-Secure site, the detection is a proactive Heuristic Detection, which may be triggered by a file that behaves in a suspicious manner indicative of malware infection.

That does not necessarily mean it is a virus; however, for your peace of mind, you can always remove and reinstall Adobe Photoshop.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Rename Combofix to Uninstall and click on it. That should remove the application.
Create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  4. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  5. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  6. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

Edited by JSntgRvr, 28 April 2010 - 06:26 PM.



#13 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,196 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 15 May 2010 - 12:59 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
