Gmer shuts down


34 replies to this topic

#31 mpascal


    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 17 September 2010 - 01:40 PM

Hi there,

Close any open browsers, and close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the codebox below into it:

CODE
Driver::
ougqhivl

File::
c:\windows\system32\drivers\felite.sys
  • Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.
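One way to confirm that the Driver:: and File:: directives in a script like the one above were actually acted on, as an added example (not ComboFix's code, nor mpascal's): a Python cross-check of a CFScript against the ComboFix.txt it produces. It assumes the log layout seen later in this thread and uses constructed sample inputs modelled on the script and log posted here.

```python
"""Cross-check a ComboFix CFScript against the ComboFix.txt log it produced.
Added example, not ComboFix's code. Assumed log layout (from this thread):
'(((( Name ))))' section banners, scripted file targets echoed under a
'FILE ::' header, removed services listed as '-------\\Service_<name>'."""
import re
from typing import Dict, List

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")  # '(((( Other Deletions ))))'
SCRIPT_HEADER_RE = re.compile(r"^(\w+)::\s*$")      # 'Driver::', 'File::'
ECHO_HEADER_RE = re.compile(r"^([A-Z]+) ::\s*$")    # 'FILE ::' echo of the script

# Constructed sample inputs, modelled on the script and log posted in this thread.
CFSCRIPT = """\
Driver::
ougqhivl

File::
c:\\windows\\system32\\drivers\\felite.sys
"""

COMBOFIX_LOG = """\
ComboFix 10-09-19.01 - HP_Administrator 09/19/2010 21:31:05.2.2 - x86
FILE ::
"c:\\windows\\system32\\drivers\\felite.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\\documents and settings\\HP_Administrator\\Application Data\\PriceGong
C:\\test.txt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\\Service_ougqhivl
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {'driver': [...], 'file': [...]} from the script's '<Name>::' blocks."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SCRIPT_HEADER_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text: str) -> Dict[str, List[str]]:
    """Split ComboFix.txt into {section name (lower-case): [non-empty lines]}."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        header = BANNER_RE.match(line) or ECHO_HEADER_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif line and line != ".":  # a lone '.' is only a spacer in these logs
            sections[current].append(line)
    return sections


def check_targets(script: Dict[str, List[str]], log: Dict[str, List[str]]) -> Dict[str, str]:
    """Report, per scripted target, which log section (if any) accounts for it."""
    deletions = {l.lower() for l in log.get("other deletions", [])}
    echoed = {l.strip('"').lower() for l in log.get("file", [])}
    services = {l.lower() for l in log.get("drivers/services", [])}
    result: Dict[str, str] = {}
    for path in script.get("file", []):
        key = "file:" + path.lower()
        if path.lower() in deletions:
            result[key] = "deleted"
        elif path.lower() in echoed:
            # Echoed but not under Other Deletions: confirm by hand, do not assume removal.
            result[key] = "echoed only"
        else:
            result[key] = "not mentioned"
    for name in script.get("driver", []):
        marker = "-------\\service_" + name.lower()
        result["driver:" + name.lower()] = (
            "service entry removed" if marker in services else "not mentioned")
    return result


if __name__ == "__main__":
    print(check_targets(parse_cfscript(CFSCRIPT), parse_combofix_log(COMBOFIX_LOG)))
```

Run against a real ComboFix.txt, the "echoed only" status is the one to look at closely: the file was named in the script but does not appear under Other Deletions, so it needs manual confirmation.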



#32 MsTerrie

  • Topic Starter

  • Members
  • 22 posts
  • Gender:Female
  • Location:El Paso Texas

Posted 19 September 2010 - 09:49 PM

ComboFix 10-09-19.01 - HP_Administrator 09/19/2010 21:31:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1126 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FILE ::
"c:\windows\system32\drivers\felite.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Application Data\PriceGong
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\z.xml
C:\test.txt
c:\windows\system32\config\systemprofile\Application Data\PriceGong

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ougqhivl


((((((((((((((((((((((((( Files Created from 2010-08-20 to 2010-09-20 )))))))))))))))))))))))))))))))
.

2010-09-16 17:38 . 2010-09-16 17:38 75264 ----a-w- c:\windows\system32\drivers\IPSEC.SYS
2010-09-16 12:44 . 2010-09-16 17:47 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-16 00:54 . 2010-09-16 00:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-09-11 15:09 . 2010-09-11 15:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-09-11 15:01 . 2010-06-17 19:49 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2010-09-11 15:01 . 2010-06-17 19:49 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2010-09-11 15:01 . 2010-06-17 19:49 182056 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2010-09-11 14:59 . 2010-08-26 14:41 3209240 -c--a-w- c:\documents and settings\All Users\Application Data\{5D7316EC-0EDC-4C87-A589-9244C286BC92}\WRInstall.exe
2010-09-11 14:59 . 2010-09-11 14:59 -------- d-----w- c:\program files\Webroot
2010-09-11 14:59 . 2010-09-11 14:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{5D7316EC-0EDC-4C87-A589-9244C286BC92}
2010-09-11 14:58 . 2010-09-19 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-09-11 14:58 . 2010-09-11 14:58 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\PackageAware
2010-09-11 14:58 . 2010-08-26 14:39 385928 -c--a-w- c:\documents and settings\All Users\Application Data\{5D7316EC-0EDC-4C87-A589-9244C286BC92}\OFFLINE\54E229FA\DE0A17F3\WRInstallProgressHelper.dll
2010-09-11 14:58 . 2010-08-26 14:36 50984 -c--a-w- c:\documents and settings\All Users\Application Data\{5D7316EC-0EDC-4C87-A589-9244C286BC92}\OFFLINE\C3BEFA\DE0A17F3\WRConsumerServicePS.dll
2010-09-11 14:58 . 2010-08-26 14:27 121856 -c--a-w- c:\documents and settings\All Users\Application Data\{5D7316EC-0EDC-4C87-A589-9244C286BC92}\OFFLINE\EA369C90\DE0A17F3\xmllite.dll
2010-09-11 14:58 . 2009-07-02 01:51 101888 -c--a-w- c:\documents and settings\All Users\Application Data\{5D7316EC-0EDC-4C87-A589-9244C286BC92}\OFFLINE\mIDEFunc.dll\mEXEFunc.dll
2010-09-11 14:58 . 2010-08-26 14:38 433072 -c--a-w- c:\documents and settings\All Users\Application Data\{5D7316EC-0EDC-4C87-A589-9244C286BC92}\OFFLINE\FA6F4296\DE0A17F3\WRSvcAssist.exe
2010-09-11 14:58 . 2010-08-26 14:38 1277672 -c--a-w- c:\documents and settings\All Users\Application Data\{5D7316EC-0EDC-4C87-A589-9244C286BC92}\OFFLINE\B2785152\DE0A17F3\WRTray.exe
2010-09-11 14:58 . 2010-08-26 14:33 3050048 -c--a-w- c:\documents and settings\All Users\Application Data\{5D7316EC-0EDC-4C87-A589-9244C286BC92}\OFFLINE\E3131F5C\DE0A17F3\WRConsumerService.exe
2010-09-09 17:23 . 2010-09-09 17:26 -------- d-----w- C:\Microsoft
2010-09-07 22:04 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-07 21:58 . 2010-09-07 21:58 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-09-04 14:41 . 2010-09-04 14:41 -------- d-----w- c:\program files\ESET
2010-09-04 00:40 . 2010-09-04 00:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-09-03 19:10 . 2010-09-03 19:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-09-02 12:48 . 2010-09-02 12:48 -------- d-----w- C:\_OTL
2010-09-02 12:44 . 2010-09-02 12:45 -------- d-----w- C:\drivers
2010-08-25 18:48 . 2010-08-25 18:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sonic
2010-08-25 18:48 . 2010-08-25 18:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Leadertech
2010-08-25 18:07 . 2010-08-25 18:07 -------- d-----w- C:\backup
2010-08-24 11:54 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-24 11:54 . 2010-08-24 11:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-24 11:54 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-24 11:47 . 2010-08-24 11:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-24 10:49 . 2010-08-24 11:47 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\PriceGong(2)
2010-08-23 20:13 . 2010-08-23 20:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-23 20:06 . 2010-08-23 20:06 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-08-23 19:39 . 2010-09-08 16:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-23 19:38 . 2010-08-23 19:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-08-23 18:49 . 2010-08-23 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 02:15 . 2009-10-22 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-15 12:51 . 2010-03-24 00:54 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-09 17:16 . 2010-05-09 11:57 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-06 14:00 . 2008-09-26 15:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-06 13:51 . 2006-08-24 19:20 -------- d-----w- c:\program files\Java
2010-09-02 12:45 . 2010-01-21 04:38 226592 ----a-w- c:\windows\system32\RaCoInst.dll
2010-09-02 12:45 . 2010-01-21 04:38 13931 ----a-w- c:\windows\system32\RaCoInst.dat
2010-09-02 12:45 . 2009-07-28 00:12 816672 ----a-w- c:\windows\system32\drivers\rt2870.sys
2010-08-24 13:15 . 2010-08-05 13:03 -------- d-----w- c:\program files\Alwil Software
2010-08-24 12:01 . 2010-07-29 22:39 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2010-08-24 11:50 . 2010-07-29 22:40 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2010-08-23 21:11 . 2010-08-23 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-23 13:07 . 2010-08-23 13:07 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FCTB000060497
2010-08-17 13:17 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-09 11:43 . 2006-08-24 19:20 -------- d-----w- c:\program files\Common Files\Java
2010-08-09 11:43 . 2010-08-09 11:43 503808 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-656f4352-n\msvcp71.dll
2010-08-09 11:43 . 2010-08-09 11:43 499712 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-656f4352-n\jmc.dll
2010-08-09 11:43 . 2010-08-09 11:43 348160 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-656f4352-n\msvcr71.dll
2010-08-09 11:43 . 2010-08-09 11:43 61440 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-45b3fc1b-n\decora-sse.dll
2010-08-09 11:43 . 2010-08-09 11:43 12800 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-45b3fc1b-n\decora-d3d.dll
2010-08-05 13:05 . 2010-08-05 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-05 00:07 . 2010-08-05 00:07 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPQ
2010-07-29 22:40 . 2010-07-29 22:40 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-29 22:38 . 2010-07-29 22:38 -------- d-----r- c:\program files\Skype
2010-07-29 22:38 . 2010-07-29 22:38 -------- d-----w- c:\program files\Common Files\Skype
2010-07-29 22:38 . 2010-07-29 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-22 15:49 . 2004-08-10 04:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 11:48 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2004-08-10 04:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-10 04:00 1851904 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{96b985b7-3cf9-456a-9db6-791710e60f5f}"= "c:\program files\MyPoints Point Finder\Helper.dll" [2010-01-26 242688]

[HKEY_CLASSES_ROOT\clsid\{96b985b7-3cf9-456a-9db6-791710e60f5f}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{9FEBEA6D-4801-4D23-97E7-A771B698E442}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
2010-03-28 19:47 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
2010-01-26 01:40 1445888 ----a-w- c:\program files\MyPoints Point Finder\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Point Finder\Toolbar.dll" [2010-01-26 1445888]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Point Finder\Toolbar.dll" [2010-01-26 1445888]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Upromise Update"="c:\program files\Upromise\dca-ua.exe" [2009-10-07 81920]
"Upromise Tray"="c:\program files\Upromise\UpromiseTray.exe" [2009-10-10 167936]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-08-10 2349776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-24 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2010-08-26 1277672]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-24 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-24 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-1-21 98304]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 16:05 90112 ----a-w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-30 04:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-06-23 19:44 86016 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-06-23 19:40 81920 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-23 05:14 237568 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2004-12-14 09:23 663552 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-06-14 03:05 16239616 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpareSetup]
2006-11-10 22:47 851968 ----a-w- c:\program files\Spare Backup\Preinstall\SparePreinstallLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-08-24 19:43 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
2008-04-14 00:12 10752 ------w- c:\windows\system32\dumprep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2007-01-22 01:31 339968 ----a-w- c:\windows\system32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=3 (0x3)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MyPoints Point Finder\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Point Finder\\ToolbarUpdate.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [9/11/2010 10:01 AM 45072]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/26/2010 9:33 AM 3050048]
R2 WUSB300NSvc;WUSB300NSvc;c:\program files\Linksys\WUSB300N\WLService.exe [11/11/2007 2:29 PM 53307]
.
Contents of the 'Scheduled Tasks' folder

2010-09-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: basa.net\www
Trusted Zone: comcast.net\sz0111.ev.mail
Trusted Zone: coupons.com\www
Trusted Zone: democraticmatch.com\www
Trusted Zone: democraticsingles.net\www
Trusted Zone: dominicks.com\www
Trusted Zone: evite.com\www
Trusted Zone: kaspersky.com\www
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\tqmicm1i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101054100&s=
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\tqmicm1i.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\PriceGong\2.1.0\FF\components\PriceGongFF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101054100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-19 21:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\SEP82.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2096)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Linksys\WUSB300N\WUSB300N.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\hp\KBD\KBD.EXE
.
**************************************************************************
.
Completion time: 2010-09-19 21:47:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-20 02:47
ComboFix2.txt 2010-09-16 19:15

Pre-Run: 281,947,320,320 bytes free
Post-Run: 281,908,359,168 bytes free

- - End Of File - - 072C6B9EE220FF5499E8BCBFDE744512


#33 mpascal


    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 20 September 2010 - 06:36 AM

Any improvement?



#34 MsTerrie

  • Topic Starter

  • Members
  • 22 posts
  • Gender:Female
  • Location:El Paso Texas

Posted 27 September 2010 - 03:34 PM

Yes, now I can access the updates from the MS website.

Thanks
Ms Terrie

#35 mpascal


    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 28 September 2010 - 08:07 AM

Any other problems?





