
My Security Engine / ToggleEN Toolbar


4 replies to this topic

#1 mrwmnhtr

mrwmnhtr

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Male
  • Location:Tucson, Az.
  • Local time:03:15 AM

Posted 05 June 2010 - 06:44 PM

Hey Geeks,

Thank you for this opportunity. The computer that I am requesting help with is not mine, nor am I using it to post this information. I'm using a SanDisk flash drive to transfer the files needed (DDS, GMER, etc.).

When I received this computer it had been infected with My Security Engine. I used your information on how to uninstall it. I had a few problems with the removal process but after 3 attempts I thought I had finally removed it.

This computer had an icon for Avast, but it didn't open when I tried, and it wasn't present in the Add/Remove Programs list.

So this computer actually had no antivirus protection, so I downloaded and installed AVG Free and ran a scan, but it told me that I needed to remove My Security Engine or conflicts would arise.

Next I downloaded and installed Ad-Aware SE free. I ran a scan and it only found some cookies which were removed.

I ran Malwarebytes Antimalware again and it came up clean.

The reason I'm here is because AVG shouldn't have known that My Security Engine was on my computer if it had been completely removed.

Also I uninstalled something called ToggleEN Toolbar. I read that it could be a problem and I thought it could have come from something that My Security Engine installed. Just guessing.

I hope I've done everything correctly. Thanks again.

R



DDS (Ver_09-06-26.01) - NTFSx86
Run by John Boland at 14:33:38.56 on Sat 06/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.572 [GMT -7:00]

AV: My Security Engine *On-access scanning enabled* (Updated) {33944281-5DFD-41D9-8E0D-547F5608D3C8}
FW: My Security Engine *enabled* {24E4FBC8-8778-4181-B0FF-966D04DF58E3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\skeys.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
F:\Documents\Software\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = ${URL_SEARCHPAGE}
mSearch Page = ${URL_SEARCHPAGE}
mWinlogon: Userinit=c:\windows\system32\userinit.exe,SKEYS /I,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickCare] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272309778281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272651115890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnbo~1\applic~1\mozilla\firefox\profiles\97qpk9ex.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", "-1");
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); // now unused
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.delay", 50);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-4 64288]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-6-4 54760]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352320]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2010-4-24 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2010-4-24 185640]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

=============== Created Last 30 ================

2010-06-04 21:21 15,880 a------- c:\windows\system32\lsdelete.exe
2010-06-04 21:21 200 a---h--- C:\aaw7boot.cmd
2010-06-04 19:40 64,288 a------- c:\windows\system32\drivers\Lbd.sys
2010-06-04 19:40 95,024 a------- c:\windows\system32\drivers\SBREDrv.sys
2010-06-04 18:56 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-04 18:56 <DIR> --d----- c:\program files\Lavasoft
2010-06-04 14:39 <DIR> --d----- c:\program files\Free Window Registry Repair
2010-06-04 08:23 <DIR> --d----- c:\docume~1\johnbo~1\applic~1\Windows Search
2010-06-04 01:48 <DIR> --d----- c:\documents and settings\john boland\Tracing
2010-06-04 00:37 54,760 a------- c:\windows\system32\drivers\fssfltr_tdi.sys
2010-06-04 00:36 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2010-06-04 00:35 <DIR> --d----- c:\program files\Microsoft
2010-06-04 00:34 <DIR> --d----- c:\program files\Windows Live SkyDrive
2010-06-04 00:13 <DIR> --d----- c:\program files\common files\Windows Live
2010-06-04 00:07 <DIR> --d----- c:\docume~1\johnbo~1\applic~1\Windows Desktop Search
2010-06-04 00:07 <DIR> --d----- c:\windows\system32\GroupPolicy
2010-06-04 00:07 <DIR> --d----- c:\program files\Windows Desktop Search
2010-06-04 00:06 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2010-06-04 00:06 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2010-06-04 00:06 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2010-06-03 15:23 <DIR> --d----- c:\docume~1\johnbo~1\applic~1\Malwarebytes
2010-06-03 15:23 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 15:23 20,952 a------- c:\windows\system32\drivers\mbam.sys
2010-06-03 15:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 15:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-03 14:21 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2010-06-03 14:21 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2010-06-02 13:58 <DIR> --d----- c:\windows\system32\wbem\Repository
2010-06-02 13:56 <DIR> --d----- c:\program files\LexmarkX84-X85
2010-06-02 13:55 <DIR> --d----- c:\documents and settings\john boland\Shared
2010-06-02 13:36 <DIR> --d----- c:\windows\pss
2010-05-25 22:34 <DIR> --d----- c:\program files\ffdshow
2010-05-25 22:34 <DIR> --d----- c:\program files\W3i
2010-05-25 22:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\W3i
2010-05-17 11:39 <DIR> --d----- c:\docume~1\johnbo~1\applic~1\AdobeAUM
2010-05-17 09:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-15 00:11 <DIR> --d----- c:\docume~1\johnbo~1\applic~1\NVD
2010-05-15 00:11 <DIR> --d----- c:\docume~1\johnbo~1\applic~1\SoftGrid Client
2010-05-15 00:09 <DIR> --d----- c:\program files\Microsoft Application Virtualization Client
2010-05-15 00:09 <DIR> --d----- c:\documents and settings\all users\Microsoft
2010-05-10 11:07 411,368 a------- c:\windows\system32\deployJava1.dll
2010-05-10 11:07 73,728 a------- c:\windows\system32\javacpl.cpl
2010-05-09 15:59 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\MSUEFFHE
2010-05-09 15:59 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\70fb018
2010-05-09 10:33 221,184 a------- c:\windows\system32\wmpns.dll
2010-05-09 10:33 <DIR> --d----- c:\program files\Windows Media Connect 2
2010-05-09 10:32 <DIR> --d----- c:\windows\system32\LogFiles
2010-05-08 16:36 <DIR> --d----- c:\documents and settings\john boland\Incomplete
2010-05-08 16:35 <DIR> --d----- c:\docume~1\johnbo~1\applic~1\LimeWire Music
2010-05-08 16:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LimeWire Music
2010-05-08 16:12 <DIR> --d----- c:\program files\Ask.com
2010-05-08 15:56 <DIR> --d----- c:\program files\Search Toolbar
2010-05-08 15:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\HBLiteSA
2010-05-07 09:41 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2010-06-04 12:07 1,744 a------- c:\windows\system32\d3d9caps.dat
2010-04-30 11:35 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2010-04-24 15:18 9,078,208 a------- c:\documents and settings\john boland\QCSetup_2_7.exe
2010-04-24 04:32 21,640 a------- c:\windows\system32\emptyregdb.dat
2010-04-17 00:04 306,032 a------- c:\windows\WLXPGSS.SCR
2010-04-16 22:12 48,464 a------- c:\windows\system32\sirenacm.dll
2010-03-09 23:15 420,352 a------- c:\windows\system32\vbscript.dll

============= FINISH: 14:33:58.26 ===============

____________________________________________________________

A law repugnant to the Constitution is void. ~ Supreme Court Chief Justice John Marshall
____________________________________________________________




#2 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  • Local time:06:15 AM

Posted 08 June 2010 - 08:17 PM

Welcome to Bleeping Computer mrwmnhtr,


Removal of malware packages does not always remove everything the malware may have added to the system. If AVG sensed that malware was enabled, it may have picked that up from some type of Security Center WMI setting. You chose correctly when removing that ToggleEN Toolbar, which is another of Conduit's search-redirecting (hijacker) software. But it was not likely installed there as part of that other infection.

The only outright undesirable I see in the logs you have provided is the Ask Toolbar, which is adware/spyware related (see here and here). A web search suggests it will show in your Add/Remove Programs list as Search Toolbar, so when you get a chance you might want to uninstall that.

The logs also show another of the many, many Registry "speeder-upper", "optimizer" etc. etc. cleaner programs, with that Free Window Registry Repair install. None of these programs has ever had any formal analysis done to verify it actually does bring some type of improvement, and most of what they do is remove harmless remnants left in the Registry. Worse, they also give direct access to settings that are not normally seen, and provide the means to make changes to them. So they can cause system damage.

Since you do indicate having had that My Security Engine infection there, let's run a type of repair scan. To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.



First, go here and download the avast! aswClear.exe uninstaller to your desktop, then click that to remove avast!. That way no remnants are there that may interfere with something.


Then download ComboFix.exe from here to your desktop, then click that to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
Ad eundum quo no duck ante iit
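The Security Center WMI registration mentioned in the reply above can be inspected directly. The following PowerShell script is an added example for this thread; it is not part of Jintan's reply, and it is not a tool used or recommended anywhere on this page. It assumes PowerShell 2.0 or later (XP SP3 qualifies) and an elevated prompt, and it reads only the WMI namespaces Windows uses for this purpose: root\SecurityCenter on XP and Server 2003, root\SecurityCenter2 on Vista and later. The product name "My Security Engine" is taken from the AV:/FW: lines at the top of the DDS log earlier in this thread, which report the same registrations. Which path property each product carries varies between the two namespaces, so the script tries several; the list of property names is an assumption and not every entry will have one.

```powershell
# Added example (not from the thread or any tool on this page): enumerate the
# security products registered with the Windows Security Center through WMI and
# flag entries that look stale, e.g. a rogue "antivirus" whose files are gone but
# whose registration remains, which is what a newly installed AV can still see.
# Assumes PowerShell 2.0+ and an elevated prompt. Nothing is deleted unless -Remove
# is given, and then only the WMI registration is removed, never any files.
param(
    [string[]]$SuspectNames = @('My Security Engine'),   # name taken from the DDS log above
    [switch]$Remove
)

# XP and Server 2003 expose root\SecurityCenter; Vista and later use root\SecurityCenter2.
$namespaces = @('root\SecurityCenter', 'root\SecurityCenter2')
$classes    = @('AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct')

function Get-ProductPath {
    # Property names differ between the two namespaces (assumption: the newer one
    # carries pathToSignedProductExe, the XP one only UI paths); return the first present.
    param($Product)
    foreach ($name in 'pathToSignedProductExe', 'pathToEnableOnAccessUI', 'pathToUpdateUI') {
        $prop = $Product.PSObject.Properties[$name]
        if ($prop -and $prop.Value) { return $prop.Value }
    }
    return $null
}

foreach ($ns in $namespaces) {
    foreach ($class in $classes) {
        $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
        if (-not $items) { continue }
        foreach ($p in @($items)) {
            $path = Get-ProductPath $p
            # Strip surrounding quotes and a trailing "/switch" before testing the path.
            $exe = $null
            if ($path) { $exe = ($path -replace '"', '') -replace '\s+/.*$', '' }

            $stale = $false
            $why   = @()
            if ($SuspectNames -contains $p.displayName) {
                $stale = $true; $why += 'name matches a known rogue product'
            }
            if ($exe -and -not (Test-Path -LiteralPath $exe)) {
                $stale = $true; $why += "registered executable missing: $exe"
            }

            $flag = 'ok'
            if ($stale) { $flag = 'STALE' }
            "{0,-5} {1}\{2}: {3} {4} [{5}]" -f $flag, $ns, $class, $p.displayName, $p.instanceGuid, ($why -join '; ')

            if ($stale -and $Remove) {
                # Removes only the Security Center registration; files are untouched.
                $p | Remove-WmiObject
                "      removed registration $($p.instanceGuid)"
            }
        }
    }
}
```

Run it once without -Remove to see what each namespace still reports; a product that shows as STALE with a missing executable is a registration left behind by an uninstall, not a running scanner, which is the situation the reply above describes. Re-running the script after removal confirms the entry is gone, and a subsequent scan by the installed antivirus should no longer complain about the old product.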

#3 mrwmnhtr

mrwmnhtr
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Male
  • Location:Tucson, Az.
  • Local time:03:15 AM

Posted 08 June 2010 - 11:17 PM

Thank you Jintan,

I removed Avast and the Ask Toolbar. I meant to remove the Free Registry Cleaner before running this scan, but I forgot, and I will do it later. Are there any Registry "speeder-upper", "optimizer" etc. etc. cleaner programs that are any good? What do you think of Advanced SystemCare? I was considering purchasing their Pro version.

Is that computer clean?

Thanks again,

R


ComboFix 10-06-08.02 - John Boland 06/08/2010 20:44:30.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.760 [GMT -7:00]
Running from: F:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\70fb018
c:\documents and settings\All Users\Application Data\70fb018\272.mof
c:\documents and settings\All Users\Application Data\70fb018\BackUp\Acrobat Assistant.lnk
c:\documents and settings\All Users\Application Data\70fb018\BackUp\Adobe Reader Speed Launch.lnk
c:\documents and settings\All Users\Application Data\70fb018\MSE.ico
c:\documents and settings\All Users\Application Data\70fb018\MSESys\vd952342.bd

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-06-09 03:21 . 2010-06-09 03:21 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-05 04:21 . 2010-06-05 02:39 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-05 02:40 . 2010-06-05 02:25 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-05 02:40 . 2010-06-05 02:40 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-05 01:56 . 2010-06-05 01:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-05 01:56 . 2010-06-05 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-05 01:56 . 2010-06-05 01:56 -------- d-----w- c:\program files\Lavasoft
2010-06-04 21:39 . 2010-06-09 03:11 -------- d-----w- c:\program files\Free Window Registry Repair
2010-06-04 21:08 . 2010-06-04 21:08 0 ----a-w- c:\windows\nsreg.dat
2010-06-04 21:08 . 2010-06-04 21:08 -------- d-----w- c:\documents and settings\John Boland\Local Settings\Application Data\Mozilla
2010-06-04 15:23 . 2010-06-04 15:23 -------- d-----w- c:\documents and settings\John Boland\Application Data\Windows Search
2010-06-04 08:48 . 2010-06-09 03:03 -------- d-----w- c:\documents and settings\John Boland\Tracing
2010-06-04 07:38 . 2010-06-04 15:18 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 07:37 . 2010-04-28 14:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2010-06-04 07:37 . 2010-06-04 07:37 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-06-04 07:36 . 2006-11-29 20:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-06-04 07:35 . 2010-06-04 07:35 -------- d-----w- c:\program files\Microsoft
2010-06-04 07:34 . 2010-06-04 07:34 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-06-04 07:34 . 2010-06-04 07:37 -------- d-----w- c:\program files\Windows Live
2010-06-04 07:13 . 2010-06-04 07:13 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-04 07:07 . 2010-06-04 07:07 -------- d-----w- c:\documents and settings\John Boland\Application Data\Windows Desktop Search
2010-06-04 07:07 . 2010-06-04 20:47 -------- d-----w- c:\program files\Windows Desktop Search
2010-06-04 07:07 . 2010-06-04 07:07 -------- d-----w- c:\windows\system32\GroupPolicy
2010-06-04 07:06 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-06-04 07:06 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-06-04 07:06 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-06-03 22:23 . 2010-06-03 22:23 -------- d-----w- c:\documents and settings\John Boland\Application Data\Malwarebytes
2010-06-03 22:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 22:23 . 2010-06-04 05:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-03 22:23 . 2010-06-03 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-03 22:23 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-03 21:21 . 2001-08-17 20:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-06-03 21:21 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-06-02 20:58 . 2010-06-02 20:58 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-02 20:56 . 2010-06-02 20:56 -------- d-----w- c:\program files\LexmarkX84-X85
2010-06-02 20:55 . 2010-06-02 20:55 -------- d-----w- c:\documents and settings\John Boland\Shared
2010-06-02 20:53 . 2010-06-02 20:53 -------- d-----w- c:\documents and settings\Back-up Files\Chuck`s Pictures
2010-05-31 00:37 . 2010-05-31 00:40 -------- d-----w- c:\documents and settings\John Boland\Local Settings\Application Data\SuperslotsCasino
2010-05-31 00:37 . 2010-05-31 00:37 -------- d-----w- c:\program files\InstallShield Installation Information
2010-05-26 05:34 . 2010-06-02 20:54 -------- d-----w- c:\program files\ffdshow
2010-05-26 05:34 . 2010-05-26 05:34 -------- d-----w- c:\program files\W3i
2010-05-26 05:34 . 2010-05-26 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\W3i
2010-05-17 18:39 . 2010-05-17 18:39 -------- d-----w- c:\documents and settings\John Boland\Application Data\AdobeAUM
2010-05-17 18:38 . 2010-05-17 18:38 -------- d-----w- c:\documents and settings\John Boland\Application Data\Leadertech
2010-05-17 16:58 . 2010-05-17 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-15 07:16 . 2010-05-15 07:16 -------- d-----w- C:\MSOCache
2010-05-15 07:11 . 2010-05-15 07:11 -------- d-----w- c:\documents and settings\John Boland\Local Settings\Application Data\NVD
2010-05-15 07:11 . 2010-05-15 07:11 -------- d-----w- c:\documents and settings\John Boland\Application Data\NVD
2010-05-15 07:11 . 2010-05-15 07:11 -------- d-----w- c:\documents and settings\John Boland\Local Settings\Application Data\SoftGrid Client
2010-05-15 07:11 . 2010-05-27 20:35 -------- d-----w- c:\documents and settings\John Boland\Application Data\SoftGrid Client
2010-05-15 07:11 . 2010-05-15 07:11 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\{20140062-0062-0409-0000-0000000FF1CE}
2010-05-15 07:10 . 2010-06-02 20:51 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SoftGrid Client
2010-05-15 07:09 . 2010-06-02 20:59 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2010-05-15 07:09 . 2010-05-15 07:09 -------- d-----w- c:\documents and settings\All Users\Microsoft
2010-05-10 18:07 . 2010-05-10 18:07 -------- d-----w- c:\program files\Common Files\Java
2010-05-10 18:07 . 2010-05-10 18:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-10 18:06 . 2010-05-10 18:06 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 00:14 . 2010-04-24 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-04 21:44 . 2010-04-25 01:36 -------- d-----w- c:\documents and settings\John Boland\Application Data\Lavasoft
2010-06-04 21:04 . 2010-04-24 12:03 18544 ----a-w- c:\documents and settings\John Boland\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-04 19:07 . 2010-05-02 09:57 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-09 23:54 . 2010-05-09 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-09 22:59 . 2010-05-09 22:59 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSUEFFHE
2010-05-09 20:32 . 2010-04-30 19:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-09 17:33 . 2010-05-09 17:33 -------- d-----w- c:\program files\Windows Media Connect 2
2010-05-09 00:43 . 2010-05-08 23:35 -------- d-----w- c:\documents and settings\John Boland\Application Data\LimeWire Music
2010-05-08 23:46 . 2010-05-08 23:12 -------- d-----w- c:\program files\Ask.com
2010-05-08 23:35 . 2010-05-08 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\LimeWire Music
2010-05-08 23:01 . 2010-05-08 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\HBLiteSA
2010-05-08 22:52 . 2010-04-30 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-07 16:41 . 2010-05-07 16:41 -------- d-----w- c:\program files\MSECache
2010-05-05 04:06 . 2010-05-05 04:06 503808 ----a-w- c:\documents and settings\John Boland\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-12e7b8ca-n\msvcp71.dll
2010-05-05 04:06 . 2010-05-05 04:06 499712 ----a-w- c:\documents and settings\John Boland\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-12e7b8ca-n\jmc.dll
2010-05-05 04:06 . 2010-05-05 04:06 348160 ----a-w- c:\documents and settings\John Boland\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-12e7b8ca-n\msvcr71.dll
2010-05-05 04:06 . 2010-05-05 04:06 61440 ----a-w- c:\documents and settings\John Boland\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-126a9219-n\decora-sse.dll
2010-05-05 04:06 . 2010-05-05 04:06 12800 ----a-w- c:\documents and settings\John Boland\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-126a9219-n\decora-d3d.dll
2010-05-02 08:36 . 2010-04-25 01:43 -------- d-----w- c:\program files\Ahead
2010-05-02 08:35 . 2010-04-25 01:47 -------- d-----w- c:\program files\Common Files\Ahead
2010-05-02 08:24 . 2010-04-30 17:52 -------- d-----w- c:\program files\PriceGong
2010-05-02 08:24 . 2010-04-24 12:02 -------- d-----w- c:\program files\Qwest
2010-04-30 19:24 . 2010-04-30 19:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-30 19:23 . 2010-04-30 19:23 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-30 18:35 . 2010-04-24 11:34 76487 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2010-04-30 17:57 . 2010-04-30 17:55 15 ----a-w- c:\windows\popcinfo.dat
2010-04-30 17:55 . 2010-04-30 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-04-30 17:52 . 2010-04-30 17:52 -------- d-----w- c:\documents and settings\John Boland\Application Data\WeatherBug
2010-04-30 17:52 . 2010-04-30 17:52 -------- d-----w- c:\program files\Atrinsic
2010-04-30 17:43 . 2010-04-30 17:33 -------- d-----w- c:\program files\RegWork
2010-04-27 19:03 . 2010-04-27 19:03 -------- d-----w- c:\documents and settings\John Boland\Application Data\AVG9
2010-04-27 05:15 . 2010-04-27 18:02 -------- d-----w- c:\program files\AviSynth 2.5
2010-04-27 03:41 . 2010-04-27 03:41 -------- d-----w- c:\program files\MSBuild
2010-04-27 03:41 . 2010-04-27 03:41 -------- d-----w- c:\program files\Reference Assemblies
2010-04-26 19:14 . 2010-04-26 19:14 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-04-26 18:20 . 2010-04-24 11:49 -------- d-----w- c:\documents and settings\John Boland\Application Data\MSN6
2010-04-26 17:04 . 2010-04-26 17:04 -------- d-----w- c:\documents and settings\John Boland\Application Data\AdobeUM
2010-04-25 02:50 . 2010-04-25 02:50 -------- d-----w- c:\documents and settings\John Boland\Application Data\Snapfish
2010-04-25 02:07 . 2010-04-25 02:07 1956808 ----a-w- c:\documents and settings\John Boland\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-04-25 01:51 . 2010-04-25 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2010-04-25 01:45 . 2010-04-25 01:43 -------- d-----w- c:\documents and settings\John Boland\Application Data\Ahead
2010-04-25 01:44 . 2010-04-25 01:44 -------- d-----w- c:\documents and settings\John Boland\Application Data\Simple Star
2010-04-25 01:40 . 2010-04-25 01:40 -------- d-----w- c:\program files\MSI
2010-04-25 01:32 . 2010-04-25 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-24 22:28 . 2010-04-24 12:02 -------- d-----w- c:\program files\Common Files\supportsoft
2010-04-24 22:28 . 2010-04-24 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-04-24 22:18 . 2010-04-24 22:18 9078208 ----a-w- c:\documents and settings\John Boland\QCSetup_2_7.exe
2010-04-24 22:02 . 2010-04-24 22:02 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-24 22:01 . 2010-04-24 22:01 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-24 21:30 . 2010-04-24 21:30 -------- d-----w- c:\program files\AVG
2010-04-24 12:05 . 2010-04-24 12:05 -------- d-----w- c:\documents and settings\John Boland\Application Data\MSNInstaller
2010-04-24 12:03 . 2010-04-24 12:03 134 ----a-w- c:\documents and settings\John Boland\Local Settings\Application Data\fusioncache.dat
2010-04-24 12:02 . 2010-04-24 12:02 -------- d-----w- c:\program files\2Wire
2010-04-24 12:02 . 2010-04-24 12:02 -------- d-----w- c:\program files\Actiontec
2010-04-24 11:49 . 2010-04-24 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2010-04-24 11:35 . 2010-04-24 11:35 -------- d-----w- c:\program files\microsoft frontpage
2010-04-24 11:32 . 2010-04-24 11:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-17 07:04 . 2010-04-17 07:04 306032 ----a-w- c:\windows\WLXPGSS.SCR
2010-04-17 05:12 . 2010-04-17 05:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-09-19 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 05:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare]
2010-01-16 20:30 206120 ----a-w- c:\program files\Qwest\Quickcare\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"tgsrvc_quickcare"=2 (0x2)
"sprtsvc_quickcare"=2 (0x2)
"sprtlisten"=2 (0x2)
"SeaPort"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"idsvc"=3 (0x3)
"fsssvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/4/2010 7:40 PM 64288]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352320]
S4 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
S4 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [4/24/2010 3:28 PM 206120]
S4 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [4/24/2010 3:28 PM 185640]
.
Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:19]

2010-06-09 c:\windows\Tasks\User_Feed_Synchronization-{01419B28-1BC2-4440-BDA6-07EBBA949A87}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\John Boland\Application Data\Mozilla\Firefox\Profiles\97qpk9ex.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 20:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(520)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\skeys.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-08 21:00:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-09 03:59

Pre-Run: 42,477,535,232 bytes free
Post-Run: 42,920,902,656 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - DF0C36D4343730486BAE3A9CCD429C50

____________________________________________________________

A law repugnant to the Constitution is void. ~ Supreme Court Chief Justice John Marshall
____________________________________________________________
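The ComboFix listing above is long enough that eyeballing it for leftovers of a rogue antivirus is error-prone. The script below is an added example, not part of the original post and not ComboFix's own code: it parses lines of the shape used in the "Created Last 30" and "Find3M" sections (`created . modified size attrs path`) and flags two kinds of entry that deserve a second look after a cleanup, hidden+system objects inside profile data directories, and executables or drivers stored under user profiles instead of Program Files or Windows. The column layout, the meaning of the attribute letters (d, h, s, a) and the vendor allowlist are assumptions read off the posted log, not taken from ComboFix documentation; the sample lines are copied from the log above.

```python
"""Triage the file-listing sections of a ComboFix log (added example).

Assumptions (from the log above, not from ComboFix documentation):
  * each listing line is "<created> . <modified> <size|--------> <attrs> <path>"
  * attrs is 8 characters; 'd' = directory, 'h' = hidden, 's' = system,
    'a' = archive, '-' = flag not set
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>.+?)\s*$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
PROFILE_ROOT = "c:\\documents and settings\\"
# Vendor subtrees that legitimately keep binaries under profiles.
# Assumed allowlist: extend it per environment to cut noise.
KNOWN_VENDOR_DIRS = ("\\avg9\\", "\\sun\\java\\", "\\macromedia\\flash player\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]     # None for directories ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        # Both flags set at once is unusual for ordinary profile data.
        return "h" in self.attrs and "s" in self.attrs


@dataclass
class Finding:
    path: str
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    """Parse every listing line in a log fragment, skipping everything else."""
    entries = [parse_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the two review heuristics described in the lead-in."""
    findings: List[Finding] = []
    for e in entries:
        p = e.path.lower()
        in_profile = p.startswith(PROFILE_ROOT)
        if e.hidden_system and in_profile:
            findings.append(Finding(e.path, "hidden+system object in profile data"))
            continue
        if (not e.is_dir and p.endswith(EXEC_EXT) and in_profile
                and not any(v in p for v in KNOWN_VENDOR_DIRS)):
            findings.append(Finding(e.path, "executable stored under a user profile"))
    return findings


# Sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2010-06-05 00:14 . 2010-04-24 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-09 22:59 . 2010-05-09 22:59 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSUEFFHE
2010-05-08 23:46 . 2010-05-08 23:12 -------- d-----w- c:\program files\Ask.com
2010-04-30 19:23 . 2010-04-30 19:23 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-24 22:18 . 2010-04-24 22:18 9078208 ----a-w- c:\documents and settings\John Boland\QCSetup_2_7.exe
2010-04-24 22:02 . 2010-04-24 22:02 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-17 05:12 . 2010-04-17 05:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
"""

if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.reason:45s} {f.path}")
```

A flag means "look at this", not "this is malware": on the sample the hidden+system `MSUEFFHE` directory and the two profile-resident executables are reported, while the AVG driver backup is suppressed by the allowlist and the Adobe download helper (`arh.exe`) is still reported because it sits outside it. That is the intended trade-off; whoever reads the output decides, and the allowlist is where known-good noise goes.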


#4 mrwmnhtr (Topic Starter, Members)

Posted 11 June 2010 - 02:47 PM

Jintan,

My Security Engine is no longer recognized by Windows Security Center. I installed AVG with no problem. Consider this one SOLVED.

Thank you and everyone at BleepingComputer.com for all the information and your personal help.

R



#5 Jintan (Malware Response Team)

Posted 11 June 2010 - 06:50 PM

ComboFix did a good job of removing some of the malware files and folders. Much better than my staying on top of my open threads here, so I do apologize for this late response. Good you do have improvements there, but I would recommend we still do a few other steps to ensure things are clean. If you would like to do that just let me know here and we will move forward.
Ad eundum quo no duck ante iit



