
Google Hijack


  • This topic is locked
33 replies to this topic

#1 Melvinoftheapes

Melvinoftheapes

  • Members
  • 24 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 19 May 2010 - 01:09 PM

Hi friends,
My Dell PC with Windows XP Home 2002 SP3 is quite sick.
Search engines are redirected to useless sites. I use IE8.
I get errors like jucheck.exe - Entry Point Not Found
Warning message from "Data Protection" says my MalwareBytes is "Uncertified ..." and should be removed.
When I "x" the little windows, a "Data Protection Installer" pops up with a moving status bar. I kill it a few times and it goes away.
Super slow.
Explorer crashes frequently when I open folders.
There are now porn shortcuts on the desktop.

I have run McAfee and a few others to no avail.


So...
I ran Defogger, then DDS.pif. I enclose the logs
My PC reboots after about 40 minutes of GMER - so I have no log....

I hope you can help. I have been trying to fix this for quite some time.

Thanks!
John


DDS (Ver_10-03-17.01) - NTFSx86
Run by John at 10:45:39.53 on Wed 05/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.510 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Corel\Standby\Standby.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\John\LOCALS~1\Temp\dmadmin.exe
C:\DOCUME~1\John\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\cidaemon.exe
G:\V324\dds.pif

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: AutorunsDisabled - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1308.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1308.0\msneshellx.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [dmadmin.exe] c:\docume~1\john\locals~1\temp\dmadmin.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://pbskids.org/arthur/games/artstudio/paint.html"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [POINTER] point32.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: LEGO Stormrunner - hxxp://mindstorms.lego.com/stormrunner/stormrunner1-1-0.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - hxxp://www.cult3d.com/newuser/index.html
DPF: {380BBEC2-4CAE-4ECE-8AFF-36CDE7916386} - hxxp://ni-us.demoservers.com/URA/URA/lib/LocalProxyActiveX.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://ccon.futuremark.com/global/msc34.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} - hxxp://216.249.24.60/code/iPIX-ImageWell-ipix.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\riwazaku.dll turazapu.dll c:\windows\system32\rohitelu.dll c:\windows\system32\rewuvafu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: dazubuker - {1c61c5c7-8336-482c-8883-1407a1767d46} - No File
STS: {1c61c5c7-8336-482c-8883-1407a1767d46} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli turazapu.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-20 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-2-12 214664]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2008-12-17 78104]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-12 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-12 144704]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-6-3 92008]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-12 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-12 35272]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-19 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-10 38224]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-12 606736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-12 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-12 40552]
S3 usbvm328;HP Camera;c:\windows\system32\drivers\usbvm326.sys [2008-10-13 219648]
S3 vmfilter323;VC0326 filter service for Serome;c:\windows\system32\drivers\vmfilter323.sys [2008-10-14 475264]

============== File Associations ===============

.scr=

=============== Created Last 30 ================

2010-05-19 13:18:49 0 ----a-w- c:\documents and settings\john\defogger_reenable
2010-05-18 01:31:21 0 d-----w- c:\windows\PRAGMAppfpxpkhoi
2010-05-17 01:04:20 0 d-----w- c:\windows\PRAGMAseqximcrit
2010-05-16 23:48:56 0 d-----w- c:\windows\PRAGMAidxbvornmb
2010-05-16 12:06:07 0 d-----w- c:\program files\Data Protection
2010-05-16 11:58:14 0 d-----w- c:\windows\PRAGMAoqmccdiemn
2010-04-30 14:34:32 0 d-----w- c:\docume~1\john\applic~1\Malwarebytes
2010-04-28 18:10:44 0 d-----w- c:\program files\scdata
2010-04-28 18:06:13 36 ----a-w- c:\program files\skynet.dat
2010-04-28 18:06:03 0 d-----w- c:\program files\AKM Antivirus 2010 Pro

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 00:10:37 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-29 00:10:37 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-04-04 21:01:32 70416 ---ha-w- c:\windows\system32\mlfcache.dat
2006-03-18 13:12:02 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-02-26 11:37:15 744 ----a-w- c:\program files\Civilization3.Ini
2006-02-26 11:33:16 0 ----a-w- c:\program files\logfile.txt
2004-08-02 00:54:24 16 ----a-w- c:\program files\HighScores.cv3
2003-08-27 18:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
2003-07-19 21:38:36 1409 ----a-w- c:\program files\LSANS.fot
2010-01-26 20:04:37 34816 --sha-w- c:\windows\system32\detukimi.exe
2008-10-13 14:08:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101320081014\index.dat

============= FINISH: 10:50:36.29 ===============


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:10 AM

Posted 20 May 2010 - 10:35 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


=================================


One or more of the identified infections is a Rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.



=================================


You can proceed with the next instruction if you do not wish to reformat.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.



~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
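The helper's diagnosis above rests on load points in the first post's DDS log that should never carry unknown DLLs on a stock XP install: AppInit_DLLs, the LSA Notification Packages list, the SecurityProviders list, DisableTaskMgr policies, Run entries launching from Temp, and hidden+system files dropped in system32. The following is an added triage example, not code from the thread or from the DDS tool, that runs those checks over a few lines copied from that log; the "stock XP SP3" default lists are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: lines copied from the DDS log posted in this thread
# (raw string so the Windows paths keep their single backslashes).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [dmadmin.exe] c:\docume~1\john\locals~1\temp\dmadmin.exe
mRun: [SM1BG] c:\windows\SM1BG.EXE
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: c:\windows\system32\riwazaku.dll turazapu.dll c:\windows\system32\rohitelu.dll c:\windows\system32\rewuvafu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: dazubuker - {1c61c5c7-8336-482c-8883-1407a1767d46} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli turazapu.dll
2010-01-26 20:04:37 34816 --sha-w- c:\windows\system32\detukimi.exe
2010-04-29 00:10:37 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
"""

# Assumed stock Windows XP SP3 values; anything beyond these deserves a look.
XP_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
XP_LSA_NOTIFY = {"scecli"}
RUN_KEYS = {"uRun", "mRun", "dRun", "uRunOnce", "mRunOnce", "dRunOnce"}
ORPHAN_KEYS = {"BHO", "TB", "SSODL", "STS"}

# DDS file lines look like: date time size attrs path (attrs is 8 chars, e.g. --sha-w-)
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(\S{8})\s+(.+)$")


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "low"
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Flag the persistence points a rootkit/backdoor typically abuses."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()

        if key == "AppInit_DLLs" and value:
            # Empty on a stock XP; every DLL listed is loaded into each user32 process.
            findings.append(Finding("high", line,
                "AppInit_DLLs injects into every GUI process: " + ", ".join(value.split())))
        elif key == "LSA":
            m = re.match(r"Notification Packages\s*=\s*(.*)", value)
            extra = set(m.group(1).split()) - XP_LSA_NOTIFY if m else set()
            if extra:
                # A notification package is handed every plaintext password change.
                findings.append(Finding("high", line,
                    "non-default LSA notification package: " + ", ".join(sorted(extra))))
        elif key == "SecurityProviders":
            extra = {p.strip() for p in value.split(",")} - XP_SECURITY_PROVIDERS
            if extra:
                findings.append(Finding("high", line,
                    "non-default SSPI provider DLL loaded by lsass: " + ", ".join(sorted(extra))))
        elif key in ("uPolicies-system", "mPolicies-system"):
            if re.search(r"DisableTaskMgr\s*=\s*1\b", value):
                findings.append(Finding("medium", line,
                    "Task Manager disabled by policy (common rogue-AV tactic)"))
        elif key in RUN_KEYS:
            if re.search(r"\\temp\\", value, re.IGNORECASE):
                findings.append(Finding("high", line,
                    "autorun entry executes from a Temp directory"))
        elif key in ORPHAN_KEYS and value.endswith("No File"):
            findings.append(Finding("low", line,
                "orphaned load point (file gone, registry entry remains)"))
        else:
            m = FILE_LINE.match(line)
            if m:
                attrs, path = m.groups()
                if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                    findings.append(Finding("medium", line,
                        "hidden+system file in system32; legitimate binaries rarely use these attributes"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 4, 'medium': 3, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

The same checks apply to a full DDS log; the atapi.sys line is deliberately included to show that a disinfected, normally-attributed system file is not flagged by these attribute checks even though ComboFix later reported it patched.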


#3 Melvinoftheapes

Melvinoftheapes
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 20 May 2010 - 01:34 PM

Thanks Sempai,
Thanks for the VERY fast response!
But I feel very bad about something and must confess... I ran ComboFix on my own after reading millions of responses. I was frustrated, desperate, and I just got weak.
But I did exactly what you describe in your response.

If you are not too upset with my impetuous behavior, I would like to continue the process...


I ran Combofix and was riveted to my computer cheering as it crushed invaders - this problem has really had me beat down.
The redirects have not returned after multiple reboots.

I will uninstall whatever SW I need to. My kids have downloaded "mods" to many of their games and that could be a source. They will not be doing that any more...

I understand that the machine cannot be trusted until a reformat.
Here is the combofix log file.
Thanks!!!! John


ComboFix 10-05-19.02 - John 05/19/2010 16:55:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.606 [GMT -4:00]
Running from: g:\cleanup\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Amanda\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
c:\program files\AKM Antivirus 2010 Pro
c:\program files\Data Protection
c:\program files\Data Protection\about.ico
c:\program files\Data Protection\activate.ico
c:\program files\Data Protection\buy.ico
c:\program files\Data Protection\dat.db
c:\program files\Data Protection\datext.dll
c:\program files\Data Protection\dathook.dll
c:\program files\Data Protection\help.ico
c:\program files\Data Protection\scan.ico
c:\program files\Data Protection\settings.ico
c:\program files\Data Protection\Uninstall.exe
c:\program files\Data Protection\update.ico
c:\program files\iWin Games\iWinGamesHookIE.dll
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\PAV
c:\program files\PAV\pav.exe.tmp1
c:\program files\scdata
c:\program files\scdata\images\i1.gif
c:\program files\scdata\images\i2.gif
c:\program files\scdata\images\i3.gif
c:\program files\scdata\images\j1.gif
c:\program files\scdata\images\j2.gif
c:\program files\scdata\images\j3.gif
c:\program files\scdata\images\jj1.gif
c:\program files\scdata\images\jj2.gif
c:\program files\scdata\images\jj3.gif
c:\program files\scdata\images\l1.gif
c:\program files\scdata\images\l2.gif
c:\program files\scdata\images\l3.gif
c:\program files\scdata\images\pix.gif
c:\program files\scdata\images\t1.gif
c:\program files\scdata\images\t2.gif
c:\program files\scdata\images\Thumbs.db
c:\program files\scdata\images\up1.gif
c:\program files\scdata\images\up2.gif
c:\program files\scdata\images\w1.gif
c:\program files\scdata\images\w11.gif
c:\program files\scdata\images\w2.gif
c:\program files\scdata\images\w3.jpg
c:\program files\scdata\images\word.doc
c:\program files\scdata\images\wt1.gif
c:\program files\scdata\images\wt2.gif
c:\program files\scdata\images\wt3.gif
c:\program files\scdata\wispex.html
c:\program files\skynet.dat
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\eSellerateEngine.dll
c:\windows\Fonts\acrsec.fon
c:\windows\install.exe
c:\windows\MailSwitch.ocx
c:\windows\PRAGMAidxbvornmb
c:\windows\PRAGMAoqmccdiemn
c:\windows\PRAGMAppfpxpkhoi
c:\windows\PRAGMAseqximcrit
c:\windows\PRAGMAylbdibccpx
c:\windows\system32\detukimi.exe
c:\windows\system32\drivers\fad.sys
c:\windows\Tasks.\dcnyktvr.job
c:\windows\Tasks.\dcnyktvr.job . . . . failed to delete

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FAD
-------\Legacy_PRAGMAidxbvornmb
-------\Legacy_PRAGMAoqmccdiemn
-------\Legacy_PRAGMAppfpxpkhoi
-------\Legacy_PRAGMAseqximcrit
-------\Legacy_PRAGMAylbdibccpx
-------\Legacy_TDSSSERV.SYS
-------\Service_PRAGMAidxbvornmb
-------\Service_PRAGMAoqmccdiemn
-------\Service_PRAGMAppfpxpkhoi
-------\Service_PRAGMAseqximcrit
-------\Service_PRAGMAylbdibccpx


((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-19 13:34 . 2010-05-19 13:34 -------- d-sh--w- c:\documents and settings\Amanda\PrivacIE
2010-05-19 13:34 . 2010-05-19 13:34 -------- d-----w- c:\documents and settings\Amanda\Application Data\Apple Computer
2010-05-19 12:04 . 2010-05-19 12:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-08 11:49 . 2010-05-08 11:49 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-28 18:09 . 2010-05-17 15:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-04-26 20:07 . 2010-04-26 20:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 21:15 . 2009-01-18 00:31 -------- d-----w- c:\program files\iWin Games
2010-05-19 01:45 . 2008-08-01 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-17 15:15 . 2004-02-14 13:51 -------- d-----w- c:\program files\Google
2010-05-15 18:52 . 2009-02-13 03:52 -------- d-----w- c:\program files\McAfee
2010-04-30 17:48 . 2007-09-29 12:07 -------- d-----w- c:\program files\CCleaner
2010-04-30 17:15 . 2010-03-31 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ac9a10b
2010-04-30 14:34 . 2010-04-10 13:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:39 . 2010-04-10 13:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-04-10 13:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 00:10 . 2002-08-29 06:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-10 13:04 . 2010-04-10 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-10 12:38 . 2010-02-09 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-04 21:01 . 2009-02-10 18:59 70416 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-02 01:56 . 2009-08-02 13:08 -------- d-----w- c:\program files\TomTom HOME 2
2010-03-31 15:54 . 2010-03-31 15:54 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGPSWMBD
2010-03-31 00:54 . 2010-03-31 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 00:54 . 2006-03-03 08:08 -------- d-----w- c:\program files\iTunes
2010-03-31 00:49 . 2004-08-24 02:04 -------- d-----w- c:\program files\iPod
2010-03-31 00:49 . 2007-07-02 07:25 -------- d-----w- c:\program files\Common Files\Apple
2010-03-31 00:35 . 2010-03-31 00:32 -------- d-----w- c:\program files\QuickTime
2010-03-31 00:15 . 2010-03-31 00:15 -------- d-----w- c:\program files\Bonjour
2010-03-28 14:41 . 2004-11-29 00:18 263 ----a-w- c:\windows\popcinfo.dat
2010-03-28 11:44 . 2003-07-12 15:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2006-03-18 13:12 . 2006-03-18 13:12 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-02-26 11:37 . 2003-07-19 21:38 744 ----a-w- c:\program files\Civilization3.Ini
2006-02-26 11:33 . 2003-07-19 21:38 0 ----a-w- c:\program files\logfile.txt
2004-08-02 00:54 . 2004-08-02 00:54 16 ----a-w- c:\program files\HighScores.cv3
2003-08-27 18:19 . 2004-08-28 03:32 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2003-07-19 21:38 . 2003-07-19 21:38 1409 ----a-w- c:\program files\LSANS.fot
2007-02-08 15:48 . 2007-02-08 15:48 133920 ----a-w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-24 68856]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2006-11-14 121640]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-07-12 151597]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2009-12-17 105632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\AutorunsDisabled\1]
FriendlyName= J-Track: Satellite Tracking

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
2009-07-09 00:22 5134864 ----a-w- c:\program files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2009-02-03 15:46 323216 ----a-w- c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-06-03 12:46 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"c:\\Program Files\\Microsoft Games\\Combat Flight Simulator 3\\cfs3.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Freaky Freezeday\\Freezeday.exe"=
"f:\\Program Files\\FiraxisGames\\Civ4\\Civilization4.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Location Finder\\LocationFinder.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2/20/2009 7:11 PM 64160]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [12/17/2008 6:00 PM 78104]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/3/2009 8:46 AM 92008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/19/2009 3:52 PM 135664]
S3 usbvm328;HP Camera;c:\windows\SYSTEM32\DRIVERS\usbvm326.sys [10/13/2008 11:59 PM 219648]
S3 vmfilter323;VC0326 filter service for Serome;c:\windows\SYSTEM32\DRIVERS\vmfilter323.sys [10/14/2008 12:04 AM 475264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 00:01]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 19:52]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 19:52]

2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-13 16:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-13 16:22]

2010-02-26 c:\windows\Tasks\{7B7C8A57-E12B-42AA-9D17-7590F4C8F84F}_DELBERT_John.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: LEGO Stormrunner - hxxp://mindstorms.lego.com/stormrunner/stormrunner1-1-0.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {380BBEC2-4CAE-4ECE-8AFF-36CDE7916386} - hxxp://ni-us.demoservers.com/URA/URA/lib/LocalProxyActiveX.cab
.
.
------- File Associations -------
.
.scr=
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-POINTER - point32.exe
SharedTaskScheduler-{1c61c5c7-8336-482c-8883-1407a1767d46} - (no file)
SSODL-dazubuker-{1c61c5c7-8336-482c-8883-1407a1767d46} - (no file)
AddRemove-Data Protection - c:\program files\Data Protection\Pklkvqdii+`}`
AddRemove-Microsoft_World_of_Flight - d:\data\00Setup\App\Uninstal.exe
AddRemove-Scooby-Doo™, Jinx At The Sphinx™ - c:\program files\The Learning Company\Scooby-Doo™
AddRemove-Sonic R - c:\sega\SonicR\directx\setup
AddRemove-{2460923D-1AA6-47FE-A375-76308780D20F} - c:\program files\InstallShield Installation Information\{2460923D-1AA6-47FE-A375-76308780D20F}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-19 17:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(408)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\UAService7.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-05-19 17:44:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-19 21:43

Pre-Run: 4,049,002,496 bytes free
Post-Run: 4,110,741,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - EAA1A2A5C885BB667F7BC0648B09A3F5

#4 sempai
  • Malware Response Team
  • 5,288 posts
  • Location:3 stars and a sun

Posted 20 May 2010 - 09:53 PM

Hi John,

Thanks for the info, it's really helpful.


====================================


1. Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



2. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
KillAll::

Rootkit::
c:\windows\Tasks.\dcnyktvr.job
c:\windows\system32\mlfcache.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000

DDS::
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

Folder::
C:\Program Files\Common Files\Symantec Shared

DirLook::
c:\documents and settings\All Users\Application Data\ac9a10b
c:\documents and settings\All Users\Application Data\SGPSWMBD


4. Save this as CFScript.txt, in the same location as ComboFix.exe

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by sempai, 20 May 2010 - 09:57 PM.

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)
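Added example (not part of the thread, and not ComboFix or BleepingComputer code): the log posted above shows every Security Center "Monitoring" key set to DisableMonitoring=1 and the Windows Firewall standard profile at EnableFirewall=0, and the CFScript in this post resets the Monitoring values through its Registry:: section. The Python below parses a REGEDIT4-style excerpt in the same format (a constructed sample, not the full log; the key paths and the HKLM\~ shorthand are copied as they appear in the log), flags those two defense-disabling indicators, and emits a Registry:: block in the syntax the post uses: delete the value under the root Monitoring key, set it to dword:00000000 under each product subkey. It generalises the thread's fix, which resets only the McAfee subkeys because the Symantec remnants are being removed outright. EnableFirewall is reported but not rewritten, because a third-party firewall such as the McAfee Personal Firewall on this machine legitimately leaves the Windows Firewall profile disabled. Function and sample names are my own.

```python
import re

# Constructed sample in the same REGEDIT4 style as the ComboFix log in the
# thread (an excerpt, not the full log); the key paths are copied from it.
SAMPLE_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')              # "Name"=<rhs>
DWORD_RE = re.compile(r'^dword:([0-9a-fA-F]{8})$')      # REGEDIT4 dword
PLAIN_INT_RE = re.compile(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$')  # ComboFix "0 (0x0)"
MONITORING_RE = re.compile(r'\\security center\\monitoring(\\[^\\]+)?$', re.I)
FIREWALL_RE = re.compile(r'\\firewallpolicy\\standardprofile$', re.I)


def parse_reg_dump(text):
    """Return {key_path: {value_name: value}} from a REGEDIT4-style dump.

    dword:XXXXXXXX and ComboFix's "N (0xN)" form become ints; every other
    right-hand side (quoted paths with their [date size] suffix, empty
    values) is kept as the raw string.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name, rhs = value_match.group(1), value_match.group(2).strip()
            dword, plain = DWORD_RE.match(rhs), PLAIN_INT_RE.match(rhs)
            if dword:
                keys[current][name] = int(dword.group(1), 16)
            elif plain:
                keys[current][name] = int(plain.group(1))
            else:
                keys[current][name] = rhs
    return keys


def find_disabled_defenses(keys):
    """List (key, value_name, value) for the two tampering indicators:
    Security Center monitoring switched off, Windows Firewall profile off."""
    findings = []
    for key, values in keys.items():
        if MONITORING_RE.search(key) and values.get('DisableMonitoring') == 1:
            findings.append((key, 'DisableMonitoring', 1))
        if FIREWALL_RE.search(key) and values.get('EnableFirewall') == 0:
            findings.append((key, 'EnableFirewall', 0))
    return findings


def cfscript_registry_block(findings):
    """Build a Registry:: section in the .reg syntax the thread's CFScript
    uses: "Name"=- deletes the value (root Monitoring key), dword:00000000
    re-enables monitoring under each product subkey. EnableFirewall is
    deliberately left alone (a third-party firewall may own that setting)."""
    lines = ['Registry::']
    for key, name, _ in findings:
        if name != 'DisableMonitoring':
            continue
        lines.append(f'[{key}]')
        if key.lower().endswith('\\security center\\monitoring'):
            lines.append(f'"{name}"=-')
        else:
            lines.append(f'"{name}"=dword:00000000')
    return '\n'.join(lines)


if __name__ == '__main__':
    found = find_disabled_defenses(parse_reg_dump(SAMPLE_DUMP))
    for key, name, value in found:
        print(f'{name}={value}  {key}')
    print()
    print(cfscript_registry_block(found))
```

DisableMonitoring=1 suppresses Security Center's monitoring of that product, so the absence of a "your antivirus is turned off" balloon is not evidence that protection is on; after a cleanup, read the keys back rather than trusting the lack of alerts. The `=-` delete and the explicit dword are both standard REGEDIT4 syntax, which is why they can be pasted straight into the Registry:: section of a CFScript.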


#5 Melvinoftheapes
  • Topic Starter
  • Members
  • 24 posts

Posted 21 May 2010 - 10:08 AM

Thanks Sempai,
I shall do this when I get home tonight.
Cheers,
John

#6 sempai
  • Malware Response Team
  • 5,288 posts
  • Location:3 stars and a sun

Posted 21 May 2010 - 10:49 AM

Hi John,

No worries, take your time.

~Semp



#7 Melvinoftheapes
  • Topic Starter
  • Members
  • 24 posts

Posted 21 May 2010 - 06:53 PM

Hi Sempai,
When I got home tonight, the kids, wife, and entire neighborhood were using the computer. Not good...
Kids and wife reported no issues and I am sure that my godfather in Nigeria is enjoying my credit cards.

No joy on the virscan. I could not link to the site. Eventually I could but the file was no longer on my machine...
I ran the combofix script and have locked down the computer until it is fixed.

Is it ok if I run it from my thumb drive? I downloaded combofix fresh to my laptop which is very stable.
Thanks,
John

ComboFix 10-05-20.A4 - John 05/21/2010 18:47:18.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.566 [GMT -4:00]
Running from: g:\cleanup\ComboFix.exe
Command switches used :: g:\cleanup\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
c:\program files\Common Files\Symantec Shared\Help\LUALL.CHM
c:\program files\Common Files\Symantec Shared\Help\LuMuiHelp\09\01\LUALL.chm
c:\program files\Common Files\Symantec Shared\Help\LuMuiHelp\fallback.dat
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertUi.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\dcGlobal.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\dcmhSvar.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\dcProd.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\Languages\09\01\AlertEng.loc
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\Languages\fallback.dat
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\lun.ico
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\mhDSA.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\mhSched.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\mhUpgr.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\pifCrawl.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifPep06.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifPep07.dll
c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollMgr.dll
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\readme.txt
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\SymHTML.dll
c:\program files\Common Files\Symantec Shared\SPManifests\AlertEng.grd
c:\program files\Common Files\Symantec Shared\SPManifests\AlertEng.sig
c:\program files\Common Files\Symantec Shared\SPManifests\AlertEng.spm
c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.grd
c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.sig
c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.spm
c:\program files\Common Files\Symantec Shared\SPManifests\PifCore.grd
c:\program files\Common Files\Symantec Shared\SPManifests\PifCore.sig
c:\program files\Common Files\Symantec Shared\SPManifests\PifCore.spm
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\Catalog.dat
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\full-webauth.sql.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\Identifiers.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\Indicators.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\nppw.zip
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\PopularSites.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\Redirectors.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\Resources.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\SafeList.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\SearchServices.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\Throttle.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\TrustedDomains.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\URLAnalysis.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\v.grd
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\v.sig
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\virscan1.dat
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080120.004\WebHostingSites.xml.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080406.005\Catalog.dat
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20080406.005\full-webauth.sql.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\tmp3e3d.tmp\cur.enc
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\tmp4248.tmp\cur.enc
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\tmpbd.tmp\cur.enc
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090110.003\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\ERASER.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\ERASER.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\ERASER.SPM
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\ERASER.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\HH
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\hub.scr
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\NAVEX15.SYS
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\NCSACERT.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\SCRAUTH.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\SYMAVENG.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\SYMAVENG.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\SYMERASE.CAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\SYMERASE.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\TCDEFS.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\TCSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\TCSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\TCSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\TECHNOTE.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\TINF.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\TINFIDX.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\TINFL.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\TSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\TSCAN1HD.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\V.GRD
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\V.SIG
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCAN.INF
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCAN1.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCAN2.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCAN3.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCAN4.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCAN5.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCAN6.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCAN7.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCAN8.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCAN9.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\VIRSCANT.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\WHATSNEW.TXT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\20090111.004\ZDONE.DAT
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\catalog.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\cceraser.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ecmsvr32.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\eeCtrl.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.grd
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.sig
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.spm
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ERASER.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\esrdef.bin
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\hh
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\naveng.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\naveng32.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\navex15.sys
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\navex32a.dll
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\ncsacert.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\scrauth.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\symaveng.cat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\symaveng.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\SymErase.cat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\SymErase.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcdefs.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan7.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan8.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tcscan9.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\technote.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinf.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinfidx.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tinfl.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tscan1.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\tscan1hd.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\v.grd
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\v.sig
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan.inf
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan1.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan2.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan3.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan4.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan5.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan6.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan7.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan8.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\virscan9.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\whatsnew.txt
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\BinHub\zdone.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\definfo.dat
c:\program files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\usage.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LiveUpdate_Notice_Service
-------\Legacy_CLTNetCnService
-------\Legacy_LiveUpdate_Notice_Ex
-------\Legacy_LiveUpdate_Notice_Service
-------\Service_LiveUpdate Notice Service
-------\Service_CLTNetCnService
-------\Service_LiveUpdate Notice Ex
-------\Service_LiveUpdate Notice Service


((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.

2010-05-20 13:36 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-20 13:17 . 2010-05-20 13:17 -------- d-----w- c:\windows\ShellNew
2010-05-19 22:27 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-19 22:27 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-19 13:34 . 2010-05-19 13:34 -------- d-sh--w- c:\documents and settings\Amanda\PrivacIE
2010-05-19 13:34 . 2010-05-19 13:34 -------- d-----w- c:\documents and settings\Amanda\Application Data\Apple Computer
2010-05-19 12:04 . 2010-05-19 12:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-08 11:49 . 2010-05-08 11:49 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-30 14:34 . 2010-04-30 14:34 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2010-04-28 18:09 . 2010-05-17 15:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-04-26 20:07 . 2010-04-26 20:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 23:16 . 2008-04-08 10:58 -------- d-----w- c:\documents and settings\John\Application Data\Skype
2010-05-21 23:15 . 2008-04-08 11:10 -------- d-----w- c:\documents and settings\John\Application Data\skypePM
2010-05-21 18:07 . 2009-12-07 21:28 -------- d-----w- c:\program files\PBS KIDS PLAY
2010-05-21 18:05 . 2010-02-09 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-21 11:24 . 2007-07-20 01:31 -------- d-----w- c:\program files\LEGO Company
2010-05-21 11:21 . 2003-07-29 22:16 -------- d-----w- c:\program files\LEGO Media
2010-05-21 11:18 . 2004-11-29 00:18 -------- d-----w- c:\program files\PopCap Games
2010-05-21 11:17 . 2003-07-26 13:01 -------- d-----w- c:\program files\JumpStart
2010-05-21 11:16 . 2007-07-05 16:05 -------- d-----w- c:\program files\Nick Arcade
2010-05-21 11:14 . 2009-11-08 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\National Instruments
2010-05-21 11:13 . 2009-11-08 14:59 -------- d-----w- c:\program files\National Instruments
2010-05-21 11:09 . 2008-01-11 20:37 -------- d-----w- c:\program files\Paint.NET
2010-05-21 11:06 . 2010-02-17 15:23 -------- d-----w- c:\program files\Porrasturvat - Stair Dismount
2010-05-21 11:04 . 2006-02-05 12:54 -------- d-----w- c:\program files\Three Rings Design
2010-05-21 11:04 . 2007-02-27 01:56 -------- d-----w- c:\program files\Shadows 2.2
2010-05-21 10:59 . 2004-12-01 11:56 -------- d-----w- c:\program files\LEGO Software
2010-05-21 10:59 . 2003-07-19 12:57 -------- d-----w- c:\program files\Infogrames Interactive
2010-05-21 10:58 . 2010-02-17 15:26 -------- d-----w- c:\program files\Truck Dismount
2010-05-21 10:58 . 2008-04-23 21:35 -------- d-----w- c:\program files\Yahoo! Games
2010-05-21 10:47 . 2008-08-01 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-21 10:44 . 2003-07-12 15:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-21 10:39 . 2006-11-21 00:51 -------- d-----w- c:\program files\iWin
2010-05-21 10:38 . 2004-01-17 11:54 -------- d-----w- c:\program files\Cartoon Network
2010-05-21 10:33 . 2009-11-09 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\5Spice Analysis
2010-05-20 23:22 . 2004-04-01 03:15 96000 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-20 13:40 . 2006-01-14 16:31 -------- d-----w- c:\program files\Common Files\Java
2010-05-20 13:36 . 2006-01-14 16:32 -------- d-----w- c:\program files\Java
2010-05-20 13:17 . 2003-07-12 15:21 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-05-19 22:27 . 2010-04-10 13:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 21:15 . 2009-01-18 00:31 -------- d-----w- c:\program files\iWin Games
2010-05-17 15:15 . 2004-02-14 13:51 -------- d-----w- c:\program files\Google
2010-05-15 18:52 . 2009-02-13 03:52 -------- d-----w- c:\program files\McAfee
2010-04-30 17:48 . 2007-09-29 12:07 -------- d-----w- c:\program files\CCleaner
2010-04-30 17:15 . 2010-03-31 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ac9a10b
2010-04-29 00:10 . 2002-08-29 06:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-10 13:04 . 2010-04-10 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-02 01:56 . 2009-08-02 13:08 -------- d-----w- c:\program files\TomTom HOME 2
2010-03-31 15:54 . 2010-03-31 15:54 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGPSWMBD
2010-03-31 00:54 . 2010-03-31 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 00:54 . 2006-03-03 08:08 -------- d-----w- c:\program files\iTunes
2010-03-31 00:49 . 2004-08-24 02:04 -------- d-----w- c:\program files\iPod
2010-03-31 00:49 . 2007-07-02 07:25 -------- d-----w- c:\program files\Common Files\Apple
2010-03-31 00:35 . 2010-03-31 00:32 -------- d-----w- c:\program files\QuickTime
2010-03-31 00:15 . 2010-03-31 00:15 -------- d-----w- c:\program files\Bonjour
2010-03-28 14:41 . 2004-11-29 00:18 263 ----a-w- c:\windows\popcinfo.dat
2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2006-03-18 13:12 . 2006-03-18 13:12 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-02-26 11:37 . 2003-07-19 21:38 744 ----a-w- c:\program files\Civilization3.Ini
2006-02-26 11:33 . 2003-07-19 21:38 0 ----a-w- c:\program files\logfile.txt
2004-08-02 00:54 . 2004-08-02 00:54 16 ----a-w- c:\program files\HighScores.cv3
2003-08-27 18:19 . 2004-08-28 03:32 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2003-07-19 21:38 . 2003-07-19 21:38 1409 ----a-w- c:\program files\LSANS.fot
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\ac9a10b ----


---- Directory of c:\documents and settings\All Users\Application Data\SGPSWMBD ----

2010-03-31 15:54 . 2010-04-18 21:40 185 --sh--w- c:\documents and settings\All Users\Application Data\SGPSWMBD\SGUHD.cfg


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-24 68856]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2006-11-14 121640]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-07-12 151597]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2009-12-17 105632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\AutorunsDisabled\1]
FriendlyName= J-Track: Satellite Tracking

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
2009-07-09 00:22 5134864 ----a-w- c:\program files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2009-02-03 15:46 323216 ----a-w- c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-06-03 12:46 251240 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"c:\\Program Files\\Microsoft Games\\Combat Flight Simulator 3\\cfs3.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"f:\\Program Files\\FiraxisGames\\Civ4\\Civilization4.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Location Finder\\LocationFinder.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2/20/2009 7:11 PM 64160]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [12/17/2008 6:00 PM 78104]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/3/2009 8:46 AM 92008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/19/2009 3:52 PM 135664]
S3 usbvm328;HP Camera;c:\windows\SYSTEM32\DRIVERS\usbvm326.sys [10/13/2008 11:59 PM 219648]
S3 vmfilter323;VC0326 filter service for Serome;c:\windows\SYSTEM32\DRIVERS\vmfilter323.sys [10/14/2008 12:04 AM 475264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 00:01]

2010-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 19:52]

2010-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 19:52]

2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-13 16:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-13 16:22]

2010-02-26 c:\windows\Tasks\{7B7C8A57-E12B-42AA-9D17-7590F4C8F84F}_DELBERT_John.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: LEGO Stormrunner - hxxp://mindstorms.lego.com/stormrunner/stormrunner1-1-0.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {380BBEC2-4CAE-4ECE-8AFF-36CDE7916386} - hxxp://ni-us.demoservers.com/URA/URA/lib/LocalProxyActiveX.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 19:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1804)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\UAService7.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-05-21 19:29:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-21 23:29
ComboFix2.txt 2010-05-20 01:05
ComboFix3.txt 2010-05-19 21:44

Pre-Run: 13,061,545,984 bytes free
Post-Run: 13,043,064,832 bytes free

- - End Of File - - 6AFBBA44E5CCC41A1EF40A56EBEE27D9


#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:10 AM

Posted 21 May 2010 - 09:55 PM

Hi John,

I can't discuss the details of combofix in public but it is important that you run it on your desktop. Anyway the log is healthy and I am expecting that the computer is running fine now.



=======================================



Let's look for possible remnants if any. The following scans may take time to complete, but they are important to make sure that your computer is clean so please be patient.


1. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply .
Note: Kaspersky online scan may take time to complete, please be patient.



2. Download (if you already deleted it) GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.


3. Please run another DDS scan and post the latest DDS.txt report for my final review. No need to attach the attach.txt.



Thanks for your patience,
~Semp

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 Melvinoftheapes

Melvinoftheapes
  • Topic Starter

  • Members
  • 24 posts
  • Local time:02:10 PM

Posted 21 May 2010 - 11:11 PM

SemperFi!
Hi friend,
Kaspersky gets stuck at "Requires Java Runtime Environment 1.5 or higher."
Java site says I have most recent update....
What should I do?
jf
And thanks! This is much less painful than I thought it would be.
You are like "Doctors without borders". Maybe there is a Nobel prize in your future? Or sainthood!

#10 Melvinoftheapes

Melvinoftheapes
  • Topic Starter

  • Members
  • 24 posts
  • Local time:02:10 PM

Posted 21 May 2010 - 11:12 PM

I mistyped. Java Framework version 1.5...

#11 Melvinoftheapes

Melvinoftheapes
  • Topic Starter

  • Members
  • 24 posts
  • Local time:02:10 PM

Posted 21 May 2010 - 11:19 PM

OK,
Kaspersky is running now!
I will post when done if I am still awake.
Thanks!
jf

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:10 AM

Posted 21 May 2010 - 11:25 PM

Hi,

Kaspersky online scan may take time to complete, you can take a nap.

~Semp



#13 Melvinoftheapes

Melvinoftheapes
  • Topic Starter

  • Members
  • 24 posts
  • Local time:02:10 PM

Posted 22 May 2010 - 10:09 AM

Right you are.
It looks like it has 15 hours to go.
Hey Sempai, this whole experience has been great!
You guys are alright!
I'll send the files when they are ready.
Cheers,
jf

#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:10 AM

Posted 22 May 2010 - 10:49 AM

Hi,

> It looks like it has 15 hours to go.

The Kaspersky online scan? Oh my!!!! That is way too long... You can stop the scan and we will use a different online scanner.

~Semp



#15 Melvinoftheapes

Melvinoftheapes
  • Topic Starter

  • Members
  • 24 posts
  • Local time:02:10 PM

Posted 23 May 2010 - 08:52 AM

Good (fill in proper time of day for your time-zone) Sempai,
I let Kaspersky run its course since I was busy all day and night anyway.
A few minutes ago GMER bluescreened after a few hours.
I will run DDS, and try GMER again.
jf

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, May 23, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, May 22, 2010 02:55:01
Records in database: 4160011
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 287009
Threats found: 7
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 17:35:17


File name / Threat / Threats count
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Inbox.bak Infected: Email-Worm.Win32.Bagle.ct 1
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Bagle.ct 1
C:\Qoobox\Quarantine\C\Program Files\scdata\wispex.html.vir Infected: Trojan.HTML.Fraud.bb 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2187\A0350267.dll Infected: Trojan.Win32.Tdss.bdmx 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2188\A0351163.dll Infected: Trojan.Win32.Tdss.bdti 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2189\A0351216.exe Infected: Trojan.Win32.Tdss.bdvy 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2189\A0351269.exe Infected: Trojan.Win32.Tdss.bdwe 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2189\A0351321.exe Infected: Trojan.Win32.Tdss.bdwe 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2189\A0351354.exe Infected: Trojan.Win32.Tdss.bdwe 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2189\A0351483.exe Infected: Trojan.Win32.Tdss.bdwe 1
C:\WINDOWS\SYSTEM32\Clifford Uninstall.exe Infected: Virus.Win9x.CIH.dam 1

Selected area has been scanned.
