
Possible infection


This topic is locked
10 replies to this topic

#1 Bryan O' Connor
  • Members
  • 9 posts

Posted 12 October 2010 - 05:36 AM

Okay, this may be nothing, but my computer has been acting up lately. It's being awful slow on start up, and while this may be nothing, what really has me worrying is that it always starts up with a message telling me that my firewall is turned off. Secondly, whenever I try to open My Documents, I instantly get an error message telling me explorer has encountered a problem and needs to close. Every single time. Now, like I said, this could be nothing, but it's got me worrying. I'd be appreciative of any help that can be offered, one way or another.


DDS (Ver_10-10-10.03) - NTFSx86
Run by Brain at 15:46:06.82 on 10/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1145 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FileHippo.com\UpdateChecker.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Songbird\songbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Brain\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = 127.0.0.1:8118
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} -
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} -
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} -
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} -
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} -
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} -
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [FileHippo.com] "c:\program files\filehippo.com\UpdateChecker.exe" /background
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [CreativeMouse ] c:\program files\mouse driver\MouseDrv.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2D06158FAC79A790.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
Handler: AutorunsDisabled\skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: AutorunsDisabled\skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brain\applic~1\mozilla\firefox\profiles\5ya678ur.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\brain\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-10 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-10 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-10 40384]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-10 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-10 40384]
R3 EMVSCARD;EMVSCARD;c:\windows\system32\drivers\EMVSCARD.sys [2010-1-30 20178]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-9-22 14424]
S0 ltgnu;ltgnu;c:\windows\system32\drivers\mcbjhb.sys --> c:\windows\system32\drivers\mcbjhb.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]

=============== Created Last 30 ================

2010-10-10 03:02:15 -------- d-----w- c:\program files\ESET
2010-10-10 02:28:21 -------- d-sha-r- C:\cmdcons
2010-10-10 02:03:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-10-10 02:03:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\CA
2010-10-10 01:41:33 38848 ----a-w- c:\windows\avastSS.scr
2010-10-09 16:59:19 -------- d-----w- C:\5c412219ca3bc5f148dc9ad7aa
2010-09-23 15:33:03 -------- d-----w- c:\docume~1\brain\applic~1\.minecraft
2010-09-23 14:15:37 -------- d-----w- c:\windows\pss
2010-09-22 19:32:04 -------- d-----w- c:\program files\PeerBlock
2010-09-20 23:54:24 -------- d-----w- C:\Hotspot Shield
2010-09-20 23:54:21 -------- d-----w- c:\program files\Hotspot Shield
2010-09-19 02:05:49 -------- d-----w- c:\program files\Ad Muncher
2010-09-19 02:05:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Ad Muncher
2010-09-15 17:41:53 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2010-09-15 17:41:45 293376 -c----w- c:\windows\system32\dllcache\winsrv.dll
2010-09-15 17:40:29 406016 -c----w- c:\windows\system32\dllcache\usp10.dll
2010-09-14 19:10:46 -------- d-----w- c:\docume~1\brain\locals~1\applic~1\Western Digital
2010-09-14 18:08:15 -------- d-----w- c:\program files\Defraggler
2010-09-13 16:18:33 -------- d-----w- c:\program files\NCH Software
2010-09-13 15:55:41 -------- d-----w- c:\program files\Audio Edit
2010-09-13 15:46:01 -------- d-----w- c:\program files\Audacity
2010-09-10 16:00:41 -------- d-----w- c:\program files\Intelore

==================== Find3M ====================

2010-08-27 00:34:25 220 --sh--w- c:\windows\dwin.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-27 06:30:35 8462336 ----a-w- c:\windows\system32\shell32(3)(2).dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-13 04:10:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-13 04:10:52 423656 ----a-w- c:\windows\system32\deployJava1.dll

============= FINISH: 15:46:49.04 ===============

#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 October 2010 - 12:00 PM

Hello Bryan O' Connor,

Please download Malwarebytes Anti-Malware and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Bryan O' Connor
  • Topic Starter
  • Members
  • 9 posts

Posted 12 October 2010 - 12:23 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4803

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/10/2010 18:18:46
mbam-log-2010-10-12 (18-18-46).txt

Scan type: Quick scan
Objects scanned: 146278
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#4 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 October 2010 - 12:32 PM

Hello,

Thanks for that....while it didn't show anything, it DID run. With the nasty stuff out there, this is a good sign.

I couldn't find anything on this file, so it needs to be analysed. It could be associated with a rootkit:

Please visit the online Jotti Virus Scanner:
  • Copy and paste the following filepath in the box:

    c:\windows\system32\drivers\mcbjhb.sys

  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

Thanks,
tea
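As an added example (not part of this thread, and not code from the DDS tool or BleepingComputer), here is a Python parser for the SERVICES / DRIVERS lines of a DDS log that automates the triage done by eye on the ltgnu entry above: it flags every entry where DDS printed [?] in place of a date and size (the image file could not be found) and rates a boot- or system-start driver in that state as high, because a kernel driver that loads before user-mode AV and has no visible file is the classic rootkit footprint. The sample lines are copied from the DDS log posted earlier in the thread; the reading of the R/S prefix as running/stopped plus Windows start type, and the severity labels, are this example's assumptions.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

DDS writes one line per service or driver:
    <R|S><start> <service name>;<display name>;<image path> [<date> <size>]
Assumed reading: R = running, S = stopped, digit = Windows start type (0 boot,
1 system, 2 auto, 3 demand, 4 disabled). When DDS cannot find the image file it
prints "<path> --> <path> [?]" in place of the date and size, which is exactly
how the mcbjhb.sys entry in the thread appears.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Sample input: lines copied from the DDS log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-10 165584]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-9-22 14424]
S0 ltgnu;ltgnu;c:\windows\system32\drivers\mcbjhb.sys --> c:\windows\system32\drivers\mcbjhb.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)"                 # image path, possibly followed by arguments
    r"(?: --> (?P<resolved>.+?))?"    # DDS repeats the path when it re-resolved it
    r" \[(?P<meta>[^\]]*)\]$"         # "<date> <size>", or "?" if the file is missing
)

@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    image: str
    file_found: bool      # False when DDS printed "[?]" instead of date and size
    date: Optional[str]
    size: Optional[int]

    @property
    def basename(self) -> str:
        """Lower-cased image file name with any command-line arguments dropped."""
        m = re.search(r"([^\\]+?\.(?:sys|exe|dll))(?:\s|$)", self.image, re.I)
        return m.group(1).lower() if m else ""

def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service line; headers and other non-matching lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").strip()
    date, size = None, None
    if meta != "?":
        parts = meta.split()
        if len(parts) == 2 and parts[1].isdigit():
            date, size = parts[0], int(parts[1])
    return ServiceEntry(m.group("state") == "R", int(m.group("start")), m.group("name"),
                        m.group("display"), m.group("image"), meta != "?", date, size)

def parse_services(text: str) -> List[ServiceEntry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]

@dataclass
class Finding:
    name: str
    severity: str         # "high" or "review"; the labels are this example's choice
    reasons: List[str]

def triage(entries: List[ServiceEntry]) -> List[Finding]:
    """Flag every entry whose image file DDS could not find.

    A boot- or system-start driver (start type 0/1) that the scanner cannot see on
    disk loads before any user-mode AV and matches the footprint of a kernel-mode
    rootkit hiding its own file, so it is rated high. Any other missing image
    (e.g. a leftover entry from a removed program) is rated review.
    """
    findings = []
    for e in entries:
        if e.file_found:
            continue
        reasons = ["DDS printed [?]: image file not found on disk"]
        if e.start_type <= 1:
            reasons.append(f"{START_TYPES[e.start_type]}-start driver, loads before user-mode AV")
        if e.display == e.name:
            reasons.append("no descriptive display name")
        if e.basename.rsplit(".", 1)[0] != e.name.lower():
            reasons.append(f"service name {e.name!r} does not match file {e.basename!r}")
        findings.append(Finding(e.name, "high" if e.start_type <= 1 else "review", reasons))
    return findings

if __name__ == "__main__":
    for f in triage(parse_services(SAMPLE_LOG)):
        print(f"[{f.severity:>6}] {f.name}: " + "; ".join(f.reasons))
```

Run it directly to print the findings for the sample, or pass the SERVICES / DRIVERS section of any DDS log to triage(parse_services(text)).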

#5 Bryan O' Connor
  • Topic Starter
  • Members
  • 9 posts

Posted 12 October 2010 - 01:25 PM

I can't copy and paste it into the box for some reason, and I can't find the file in the system32 folder. Thanks for the help though.

#6 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 October 2010 - 01:39 PM

That's okay....it may be hiding from you. Let's do this:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to baugherfam.exe and try again.

Thanks,
tea

#7 Bryan O' Connor
  • Topic Starter
  • Members
  • 9 posts

Posted 12 October 2010 - 02:04 PM

ComboFix 10-10-11.05 - Brain 12/10/2010 19:48:10.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.875 [GMT 1:00]
Running from: c:\documents and settings\Brain\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
.

2010-10-10 03:02 . 2010-10-10 03:02 -------- d-----w- c:\program files\ESET
2010-10-10 02:03 . 2010-10-10 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-10-10 02:03 . 2010-10-10 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2010-10-10 01:41 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-10-10 01:41 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-10-10 01:41 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-10 01:41 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-10 01:41 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-10-10 01:41 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-10-10 01:41 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-10-10 01:41 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-10-10 01:41 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-10-09 18:34 . 2010-10-10 02:01 -------- d-----w- c:\documents and settings\Administrator
2010-10-09 16:59 . 2010-10-09 17:28 -------- d-----w- C:\5c412219ca3bc5f148dc9ad7aa
2010-10-03 15:59 . 2010-10-03 15:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-26 18:16 . 2010-10-12 18:48 -------- d-----w- c:\documents and settings\Brain\Application Data\vlc
2010-09-23 15:33 . 2010-09-23 15:33 -------- d-----w- c:\documents and settings\Brain\Application Data\.minecraft
2010-09-22 19:32 . 2010-10-12 18:53 -------- d-----w- c:\program files\PeerBlock
2010-09-22 17:10 . 2010-09-22 17:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 17:10 . 2010-09-22 17:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-09-20 23:54 . 2010-09-20 23:55 -------- d-----w- C:\Hotspot Shield
2010-09-20 23:54 . 2010-09-20 23:55 -------- d-----w- c:\program files\Hotspot Shield
2010-09-19 11:41 . 2010-09-19 11:41 -------- d-----w- c:\documents and settings\Brain\Application Data\DivX
2010-09-19 02:05 . 2010-09-21 01:35 -------- d-----w- c:\program files\Ad Muncher
2010-09-19 02:05 . 2010-09-20 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad Muncher
2010-09-15 17:41 . 2010-08-17 13:17 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2010-09-15 17:41 . 2010-06-18 17:45 293376 -c----w- c:\windows\system32\dllcache\winsrv.dll
2010-09-15 17:40 . 2010-04-16 15:36 406016 -c----w- c:\windows\system32\dllcache\usp10.dll
2010-09-14 19:10 . 2010-09-14 19:10 -------- d-----w- c:\documents and settings\Brain\Local Settings\Application Data\Western Digital
2010-09-14 18:08 . 2010-09-14 18:08 -------- d-----w- c:\program files\Defraggler
2010-09-13 16:18 . 2010-09-13 16:18 -------- d-----w- c:\program files\NCH Software
2010-09-13 16:12 . 2010-09-13 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-09-13 15:55 . 2010-09-14 01:43 -------- d-----w- c:\program files\Audio Edit
2010-09-13 15:46 . 2010-09-14 01:42 -------- d-----w- c:\program files\Audacity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-04 39408]
"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2010-08-09 248832]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"CreativeMouse "="c:\program files\Mouse Driver\MouseDrv.exe" [2004-06-27 503808]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-29 61440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v3 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v3 Smart Wizard.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\audiosurf\\engine\\QuestViewer.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\r.u.s.e. free week end\\Ruse.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Eidos\\Batman Arkham Asylum\\Binaries\\ShippingPC-BmGame.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/10/2010 02:41 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/10/2010 02:41 17744]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [09/10/2007 14:13 38144]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [04/05/2010 12:07 503080]
R3 EMVSCARD;EMVSCARD;c:\windows\system32\drivers\EMVSCARD.sys [30/01/2010 00:34 20178]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [22/09/2010 20:32 14424]
S0 ltgnu;ltgnu;c:\windows\system32\drivers\mcbjhb.sys --> c:\windows\system32\drivers\mcbjhb.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/03/2010 00:56 135664]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [28/12/2007 16:02 287232]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/04/2010 12:42 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-04 23:56]

2010-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-04 23:56]

2010-10-12 c:\windows\Tasks\User_Feed_Synchronization-{42AC4DC1-D5A6-4C8E-BEFF-7A82CD7D3DCE}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 127.0.0.1:8118
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2D06158FAC79A790.dll/cmsidewiki.html
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Brain\Application Data\Mozilla\Firefox\Profiles\5ya678ur.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Brain\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-776561741-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f0,82,15,6f,88,77,ad,1d,4c,ac,80,0e,23,6a,2d,46,e0,84,7a,6f,3f,ff,19,
18,6f,85,93,b9,1e,13,6a,06,75,91,96,e7,b9,d7,3a,90,d6,3a,97,70,b8,41,d0,79,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1229272821-776561741-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:68,07,4c,e8,61,ae,0e,d1,99,90,7e,e7,9a,08,d0,11,1d,55,62,8b,a2,
a4,cd,e0,54,7b,cc,24,bf,6a,98,22,4b,80,c0,fa,fb,c4,62,1d,3e,b8,8d,db,72,0e,\
"rkeysecu"=hex:ac,96,c6,5f,4c,c8,3a,26,c7,23,05,6a,4c,e8,fa,03

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1516)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1888)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-12 19:54:15
ComboFix-quarantined-files.txt 2010-10-12 18:54

Pre-Run: 95,399,473,152 bytes free
Post-Run: 95,392,428,032 bytes free

- - End Of File - - 98B721E9E15DAA20311DC0C4C9F1CF76


#8 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 October 2010 - 02:28 PM

Well.....nothing there, BUT! This one might be giving you some problems, and I would recommend uninstalling it to see if some of it stops: Hotspot Shield

QUOTE
This freeware program promises to encrypt all your Internet connections, but since most public wi-fi access points in the U.S. are open, it's a bit hard to gauge Hotspot Shield's effectiveness. However, the connection itself is a bit wonky.

Once the program is installed, it creates an HTML link on your desktop. Double-clicking on it will open the application in your Web browser, and you'll be taken to a page detailing your Connection Status, IP Address, Server Address, Bytes sent and received, and the duration of the connection. Hotspot Shield is ad supported, so you'll get a big banner ad that lives at the top of every Web page, too. Closing the tab with the app's control panel doesn't disconnect the shield, though: for that, or to reload the control panel, you have to go through the green shield icon that gets loaded into your system tray. Also, there's a 5 GB transfer limit.

Overall, we can't give Hotspot Shield a strong recommendation, but as a last resort it might be worth trying out.


Please uninstall ComboFix by doing the following :

Click Start > type in, or copy and paste, Combofix /Uninstall and click OK.

Let me know if that helps or not.

Thanks,
tea



#9 Bryan O' Connor
  • Topic Starter
  • Members
  • 9 posts

Posted 12 October 2010 - 02:42 PM

...Wouldn't you know it? Something I've been meaning to get rid of for weeks, because I stopped using it, is the problem. I'd originally installed it when I found out that my university halls didn't let me connect to Steam, and thought it might help. I uninstalled it, and restarted the computer. It seems back to its old self now, so thank you. No error messages so far, and a much quicker start up. Although, for some reason I don't think Avast is running on start up, but I'm sure I can fix that on my own. Thank you.

#10 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 October 2010 - 03:01 PM

You're most welcome, and I'm really glad it was that rather than malware!!

Take care,
tea

#11 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 October 2010 - 10:26 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.