
Is My Computer All Clear?


  • This topic is locked
7 replies to this topic

#1 2nafish


Posted 18 March 2011 - 05:27 PM

Hi, I originally posted this thread...

http://www.bleepingcomputer.com/forums/topic385600.html/page__p__2173547__fromsearch__1#entry2173547

... and was advised to start a new thread in this topic. As stated in the original post, I had previously run Malwarebytes' Anti-malware software and removed files infected by adware.180solutions. I am currently seeking assurance that the system is now completely clean of anything nasty.


Please find attached files as requested **EDIT** also attached is the log produced by Malwarebytes when it removed the infected files **EDIT**.

My DDS log is as follows:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by David at 18:38:46.60 on 18/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3039.2180 [GMT 0:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\GEARSEC.EXE
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\David\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\David\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [EPSON Stylus Photo RX685 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticje.exe /fu "c:\windows\temp\E_SC9.tmp" /EF "HKCU"
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08c1 -f video -m logitech -d 11.0.0.1217
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bbc.co.uk\www
Trusted Zone: motive.com\pbttbc.bt
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-03-16 16:17:09 1039360 ----a-w- c:\windows\system32\msjet35.dll
2011-03-16 16:17:08 403216 ----a-w- c:\windows\system32\msrepl35.dll
2011-03-16 16:17:08 37136 ----a-w- c:\windows\system32\msjint35.dll
2011-03-16 16:17:08 251664 ----a-w- c:\windows\system32\msrd2x35.dll
2011-03-16 16:17:08 24336 ----a-w- c:\windows\system32\msjter35.dll
2011-03-16 16:17:07 582144 ----a-w- c:\program files\common files\microsoft shared\dao\dao350.dll
2011-03-16 16:17:07 25600 ----a-w- c:\program files\common files\microsoft shared\dao\remove.exe
2011-03-14 22:52:38 -------- d-----w- c:\docume~1\david\locals~1\applic~1\NPE
2011-03-14 14:30:40 -------- d-----w- c:\program files\eRightSoft
2011-03-14 13:05:40 -------- d-----w- c:\docume~1\david\locals~1\applic~1\Audible
2011-03-14 13:05:07 255352 ----a-w- c:\windows\system32\awrdscdc.ax
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2011-03-08 17:11:00 -------- d-----w- c:\docume~1\david\applic~1\Malwarebytes
2011-03-08 17:10:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-08 17:10:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-08 17:10:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-08 17:10:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-08 15:22:03 -------- d-----w- c:\docume~1\david\applic~1\MSNInstaller
2011-03-07 22:30:15 -------- d-----w- c:\program files\SpywareBlaster
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 21:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2008-09-22 13:39:13 1283912 ----a-w- c:\program files\WoW-2.3.0.7561-enUS-downloader.exe
2006-06-16 18:44:04 774144 ----a-w- c:\program files\RngInterstitial.dll
2004-10-11 19:46:32 205312 ----a-w- c:\program files\ltefx13n.dll
2004-01-19 14:31:00 153600 ----a-w- c:\program files\ltfil13n.DLL
2004-01-19 13:31:06 27648 ----a-w- c:\program files\lfiff13n.dll
2004-01-19 13:31:06 20480 ----a-w- c:\program files\lfCUT13n.dll
2004-01-19 12:31:50 453120 ----a-w- c:\program files\ltkrn13n.dll
2004-01-19 12:12:00 89600 ----a-w- c:\program files\Lfcgm13n.dll
2004-01-19 11:49:52 278016 ----a-w- c:\program files\LFJ2K13n.dll
2004-01-19 11:49:08 180736 ----a-w- c:\program files\Lfpng13n.dll
2004-01-19 11:47:36 76800 ----a-w- c:\program files\Lfwmf13n.dll
2004-01-19 11:47:04 509440 ----a-w- c:\program files\LFCMW13n.dll
2004-01-19 11:45:38 420352 ----a-w- c:\program files\LFCMP13n.DLL
2004-01-19 11:44:52 143872 ----a-w- c:\program files\lftif13n.dll
2004-01-19 11:36:48 56832 ----a-w- c:\program files\lfpsd13n.dll
2004-01-19 11:36:36 19968 ----a-w- c:\program files\lfpcd13n.dll
2004-01-19 11:36:32 26624 ----a-w- c:\program files\lfpcx13n.dll
2004-01-19 11:36:24 65536 ----a-w- c:\program files\Lfpct13n.dll
2004-01-19 11:36:18 18944 ----a-w- c:\program files\lfmsp13n.dll
2004-01-19 11:35:56 18944 ----a-w- c:\program files\lfmac13n.dll
2004-01-19 11:35:34 20992 ----a-w- c:\program files\lfimg13n.dll
2004-01-19 11:34:50 31744 ----a-w- c:\program files\lfclp13n.dll
2004-01-19 11:34:42 30208 ----a-w- c:\program files\lfbmp13n.dll
2004-01-19 11:33:48 444928 ----a-w- c:\program files\ltimg13n.dll
2004-01-19 11:32:18 265216 ----a-w- c:\program files\LTDIS13n.dll
2000-05-02 04:17:00 212480 ----a-w- c:\program files\PCDLIB32.DLL
1999-11-18 23:00:00 284032 ----a-w- c:\program files\XceedZip.dll
2006-05-03 11:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH: 18:40:30.85 ===============

Edited by 2nafish, 18 March 2011 - 06:12 PM.


#2 Noviciate

  • Malware Response Team

Posted 19 March 2011 - 04:11 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

#3 2nafish


Posted 20 March 2011 - 04:21 PM

Hi Noviciate, please find below details of the ComboFix scan. PC is behaving fine.
Thanks,
2nafish


ComboFix 11-03-19.04 - David 20/03/2011 21:01:35.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3039.2232 [GMT 0:00]
Running from: c:\documents and settings\David\My Documents\Downloads\ComboFix.exe
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc10.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc103.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc11.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc12.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc13.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc14.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc15.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc16.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc17.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc18.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc19.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc1A.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc1B.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc1C.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc1D.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc1E.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc1F.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc20.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc21.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc22.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc5.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc6.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc7.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc8.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc9.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mcc93.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mccA.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mccB.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mccC.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mccD.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mccE.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mccF.tmp
c:\documents and settings\Default User\Local Settings\Temporary Internet Files\mccF5.tmp
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
.
.
2011-03-16 16:17 . 1996-12-16 18:30 1039360 ----a-w- c:\windows\system32\msjet35.dll
2011-03-16 16:17 . 1997-01-13 13:42 37136 ----a-w- c:\windows\system32\msjint35.dll
2011-03-16 16:17 . 1996-12-03 13:07 403216 ----a-w- c:\windows\system32\msrepl35.dll
2011-03-16 16:17 . 1996-12-02 18:44 251664 ----a-w- c:\windows\system32\msrd2x35.dll
2011-03-16 16:17 . 1996-12-02 18:44 24336 ----a-w- c:\windows\system32\msjter35.dll
2011-03-16 16:17 . 1996-12-02 18:44 582144 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\dao350.dll
2011-03-16 16:17 . 1996-11-12 07:50 25600 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\remove.exe
2011-03-14 22:52 . 2011-03-17 11:07 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\NPE
2011-03-14 14:30 . 2011-03-14 14:30 -------- d-----w- c:\program files\eRightSoft
2011-03-14 13:05 . 2011-03-14 15:01 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Audible
2011-03-14 13:05 . 2011-03-14 13:05 255352 ----a-w- c:\windows\system32\awrdscdc.ax
2011-03-12 18:23 . 2011-03-12 18:23 -------- d-----w- c:\documents and settings\Sue\Application Data\Malwarebytes
2011-03-09 11:36 . 2011-03-09 11:36 -------- d-----w- c:\documents and settings\David\Application Data\Viewpoint
2011-03-08 17:11 . 2011-03-08 17:11 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2011-03-08 17:10 . 2011-03-08 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-08 17:10 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-08 17:10 . 2011-03-08 17:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-08 17:10 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-08 15:22 . 2011-03-08 15:22 -------- d-----w- c:\documents and settings\David\Application Data\MSNInstaller
2011-03-07 22:30 . 2011-03-08 16:18 -------- d-----w- c:\program files\SpywareBlaster
2011-03-07 18:57 . 2011-03-07 18:57 -------- d-sh--w- c:\documents and settings\Sue\IECompatCache
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-10 15:38 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 15:37 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 21:40 . 2010-04-17 19:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2007-04-17 19:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2004-08-10 15:54 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-10 15:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 15:38 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 15:37 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 15:38 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-10 15:37 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-10 15:38 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-10 15:37 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-10 15:37 1469440 ------w- c:\windows\system32\inetcpl.cpl
2008-09-22 13:39 . 2008-07-09 11:53 1283912 ----a-w- c:\program files\WoW-2.3.0.7561-enUS-downloader.exe
2006-06-16 18:44 . 2006-06-16 18:44 774144 ----a-w- c:\program files\RngInterstitial.dll
2004-10-11 19:46 . 2004-10-11 19:46 205312 ----a-w- c:\program files\ltefx13n.dll
2004-01-19 14:31 . 2004-01-19 14:31 153600 ----a-w- c:\program files\ltfil13n.DLL
2004-01-19 13:31 . 2004-01-19 13:31 27648 ----a-w- c:\program files\lfiff13n.dll
2004-01-19 13:31 . 2004-01-19 13:31 20480 ----a-w- c:\program files\lfCUT13n.dll
2004-01-19 12:31 . 2004-01-19 12:31 453120 ----a-w- c:\program files\ltkrn13n.dll
2004-01-19 12:12 . 2004-01-19 12:12 89600 ----a-w- c:\program files\Lfcgm13n.dll
2004-01-19 11:49 . 2004-01-19 11:49 278016 ----a-w- c:\program files\LFJ2K13n.dll
2004-01-19 11:49 . 2004-01-19 11:49 180736 ----a-w- c:\program files\Lfpng13n.dll
2004-01-19 11:47 . 2004-01-19 11:47 76800 ----a-w- c:\program files\Lfwmf13n.dll
2004-01-19 11:47 . 2004-01-19 11:47 509440 ----a-w- c:\program files\LFCMW13n.dll
2004-01-19 11:45 . 2004-01-19 11:45 420352 ----a-w- c:\program files\LFCMP13n.DLL
2004-01-19 11:44 . 2004-01-19 11:44 143872 ----a-w- c:\program files\lftif13n.dll
2004-01-19 11:36 . 2004-01-19 11:36 56832 ----a-w- c:\program files\lfpsd13n.dll
2004-01-19 11:36 . 2004-01-19 11:36 19968 ----a-w- c:\program files\lfpcd13n.dll
2004-01-19 11:36 . 2004-01-19 11:36 26624 ----a-w- c:\program files\lfpcx13n.dll
2004-01-19 11:36 . 2004-01-19 11:36 65536 ----a-w- c:\program files\Lfpct13n.dll
2004-01-19 11:36 . 2004-01-19 11:36 18944 ----a-w- c:\program files\lfmsp13n.dll
2004-01-19 11:35 . 2004-01-19 11:35 18944 ----a-w- c:\program files\lfmac13n.dll
2004-01-19 11:35 . 2004-01-19 11:35 20992 ----a-w- c:\program files\lfimg13n.dll
2004-01-19 11:34 . 2004-01-19 11:34 31744 ----a-w- c:\program files\lfclp13n.dll
2004-01-19 11:34 . 2004-01-19 11:34 30208 ----a-w- c:\program files\lfbmp13n.dll
2004-01-19 11:33 . 2004-01-19 11:33 444928 ----a-w- c:\program files\ltimg13n.dll
2004-01-19 11:32 . 2004-01-19 11:32 265216 ----a-w- c:\program files\LTDIS13n.dll
2000-05-02 04:17 . 2000-05-02 04:17 212480 ----a-w- c:\program files\PCDLIB32.DLL
1999-11-18 23:00 . 1999-11-18 23:00 284032 ----a-w- c:\program files\XceedZip.dll
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-14 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-17 202256]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Andrew.048288820252\Start Menu\Programs\Startup\
Last.fm Helper.lnk - c:\program files\Last.fm\LastFMHelper.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Yahoo! Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Yahoo! Help.lnk
backup=c:\windows\pss\BT Yahoo! Help.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2010-05-04 16:05 311296 ----a-r- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2009-09-14 16:56 1584640 ----a-w- c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
2006-07-31 19:00 19857408 ----a-w- c:\program files\BT Broadband Talk Softphone\BTSoftphone.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 15:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lycosInside]
2007-01-10 19:04 332840 ----a-w- c:\program files\lycos\Lyc_SysTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2005-01-28 10:10 110740 ----a-w- c:\apps\Powercinema\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-05-17 17:48 77824 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-02 12:49 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-17 10:42 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\RpcAgentSrv.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Entropia Universe\\bin32\\Entropia.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP3c\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [24/09/2010 11:21 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [24/09/2010 11:21 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [11/03/2011 10:18 800376]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [24/09/2010 11:21 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [24/09/2010 11:21 116784]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [24/09/2010 11:21 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [08/09/2010 16:34 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20110317.002\IDSXpx86.sys [18/03/2011 10:26 341944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/01/2010 17:34 135664]
S3 ELANUSB;ELAN USB IO driver;c:\windows\system32\drivers\elanusb.sys [15/02/2011 13:36 18688]
S3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [09/06/2006 22:23 30371]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP3c\RpcAgentSrv.exe [27/07/2009 09:55 98488]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 17:34]
.
2011-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 17:34]
.
2011-03-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2496243053-941473252-4010413603-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2496243053-941473252-4010413603-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2496243053-941473252-4010413603-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2496243053-941473252-4010413603-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2496243053-941473252-4010413603-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2496243053-941473252-4010413603-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2496243053-941473252-4010413603-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2496243053-941473252-4010413603-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
.
2011-03-20 c:\windows\Tasks\User_Feed_Synchronization-{44F0B432-2145-4C2D-B871-1DA212FE0084}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
Trusted Zone: bbc.co.uk\www
Trusted Zone: motive.com\pbttbc.bt
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} - hxxp://www.virgindigital.co.uk/activeX/VirginWMA.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game12.zylom.com/activex/zylomgamesplayer.cab
DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} - hxxp://f008.mail.lycos.co.uk/app/uploader/FileUploader.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {D05F33E0-3F75-11D3-A176-006008944486} - hxxp://download.audible.com/AM36/awrdscdc.cab
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\17thskuc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKU-Default-RunOnce-WUAppSetup - c:\program files\Common Files\logishrd\WUApp32.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-kdx - c:\program files\Kontiki\KHost.exe
MSConfigStartUp-Motive SmartBridge - c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
MSConfigStartUp-YBrowser - c:\progra~1\Yahoo!\browser\ybrwicon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-20 21:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'winlogon.exe'(244)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2011-03-20 21:11:22
ComboFix-quarantined-files.txt 2011-03-20 21:11
.
Pre-Run: 77,932,625,920 bytes free
Post-Run: 78,156,947,456 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9145C4B3F44BCA467D8C782140FB415A

#4 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 20 March 2011 - 04:53 PM

Good evening. :)

A second opinion online scan and then a tidy-up and that's that - assuming nothing bad shows up or happens in the meantime.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any browser other than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving?

So long, and thanks for all the fish.


#5 2nafish
  • Topic Starter
  • Members
  • 18 posts

Posted 21 March 2011 - 04:34 AM

ESET found one threat....

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip Win32/Bagle.gen.zip worm


Attached are the new reports produced by DDS.

PC still running fine.

Regards,

2nafish

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by David at 9:28:01.47 on 21/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3039.2247 [GMT 0:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\GEARSEC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Documents and Settings\David\Desktop\dds(2).scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bbc.co.uk\www
Trusted Zone: motive.com\pbttbc.bt
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} - hxxp://www.virgindigital.co.uk/activeX/VirginWMA.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/3/d/83d1fe15-fe0f-4bdf-b09c-4e3c49808ec7/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://davidsmee1980.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://games.bigfishgames.com/en_dream-chronicles/online/dreamweb.1.0.0.9.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game12.zylom.com/activex/zylomgamesplayer.cab
DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} - hxxp://f008.mail.lycos.co.uk/app/uploader/FileUploader.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://help.broadbandassist.com/bbdesktop/PreQual/files/MotivePreQual.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D05F33E0-3F75-11D3-A176-006008944486} - hxxp://download.audible.com/AM36/awrdscdc.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\17thskuc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\coFFPlgn
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-9-24 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-9-24 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-11 800376]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-9-24 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-9-24 116784]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-17 54752]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-9-24 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-8 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20110317.002\IDSXpx86.sys [2011-3-18 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20110320.003\NAVENG.SYS [2011-3-20 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20110320.003\NAVEX15.SYS [2011-3-20 1360760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-1 135664]
S3 ELANUSB;ELAN USB IO driver;c:\windows\system32\drivers\elanusb.sys [2011-2-15 18688]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [2006-6-9 30371]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-5-24 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-5-24 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-5-24 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-5-24 40552]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2009.sp3c\RpcAgentSrv.exe [2009-7-27 98488]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-20 22:02:33 -------- d-----w- c:\program files\ESET
2011-03-20 20:58:59 -------- d-sha-r- C:\cmdcons
2011-03-20 20:51:59 98816 ----a-w- c:\windows\sed.exe
2011-03-20 20:51:59 89088 ----a-w- c:\windows\MBR.exe
2011-03-20 20:51:59 256512 ----a-w- c:\windows\PEV.exe
2011-03-20 20:51:59 161792 ----a-w- c:\windows\SWREG.exe
2011-03-16 16:17:09 1039360 ----a-w- c:\windows\system32\msjet35.dll
2011-03-16 16:17:08 403216 ----a-w- c:\windows\system32\msrepl35.dll
2011-03-16 16:17:08 37136 ----a-w- c:\windows\system32\msjint35.dll
2011-03-16 16:17:08 251664 ----a-w- c:\windows\system32\msrd2x35.dll
2011-03-16 16:17:08 24336 ----a-w- c:\windows\system32\msjter35.dll
2011-03-16 16:17:07 582144 ----a-w- c:\program files\common files\microsoft shared\dao\dao350.dll
2011-03-16 16:17:07 25600 ----a-w- c:\program files\common files\microsoft shared\dao\remove.exe
2011-03-14 22:52:38 -------- d-----w- c:\docume~1\david\locals~1\applic~1\NPE
2011-03-14 14:30:40 -------- d-----w- c:\program files\eRightSoft
2011-03-14 13:05:40 -------- d-----w- c:\docume~1\david\locals~1\applic~1\Audible
2011-03-14 13:05:07 255352 ----a-w- c:\windows\system32\awrdscdc.ax
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2011-03-09 12:01:11 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2011-03-08 17:11:00 -------- d-----w- c:\docume~1\david\applic~1\Malwarebytes
2011-03-08 17:10:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-08 17:10:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-08 17:10:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-08 17:10:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-08 15:22:03 -------- d-----w- c:\docume~1\david\applic~1\MSNInstaller
2011-03-07 22:30:15 -------- d-----w- c:\program files\SpywareBlaster
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 21:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2008-09-22 13:39:13 1283912 ----a-w- c:\program files\WoW-2.3.0.7561-enUS-downloader.exe
2006-06-16 18:44:04 774144 ----a-w- c:\program files\RngInterstitial.dll
2004-10-11 19:46:32 205312 ----a-w- c:\program files\ltefx13n.dll
2004-01-19 14:31:00 153600 ----a-w- c:\program files\ltfil13n.DLL
2004-01-19 13:31:06 27648 ----a-w- c:\program files\lfiff13n.dll
2004-01-19 13:31:06 20480 ----a-w- c:\program files\lfCUT13n.dll
2004-01-19 12:31:50 453120 ----a-w- c:\program files\ltkrn13n.dll
2004-01-19 12:12:00 89600 ----a-w- c:\program files\Lfcgm13n.dll
2004-01-19 11:49:52 278016 ----a-w- c:\program files\LFJ2K13n.dll
2004-01-19 11:49:08 180736 ----a-w- c:\program files\Lfpng13n.dll
2004-01-19 11:47:36 76800 ----a-w- c:\program files\Lfwmf13n.dll
2004-01-19 11:47:04 509440 ----a-w- c:\program files\LFCMW13n.dll
2004-01-19 11:45:38 420352 ----a-w- c:\program files\LFCMP13n.DLL
2004-01-19 11:44:52 143872 ----a-w- c:\program files\lftif13n.dll
2004-01-19 11:36:48 56832 ----a-w- c:\program files\lfpsd13n.dll
2004-01-19 11:36:36 19968 ----a-w- c:\program files\lfpcd13n.dll
2004-01-19 11:36:32 26624 ----a-w- c:\program files\lfpcx13n.dll
2004-01-19 11:36:24 65536 ----a-w- c:\program files\Lfpct13n.dll
2004-01-19 11:36:18 18944 ----a-w- c:\program files\lfmsp13n.dll
2004-01-19 11:35:56 18944 ----a-w- c:\program files\lfmac13n.dll
2004-01-19 11:35:34 20992 ----a-w- c:\program files\lfimg13n.dll
2004-01-19 11:34:50 31744 ----a-w- c:\program files\lfclp13n.dll
2004-01-19 11:34:42 30208 ----a-w- c:\program files\lfbmp13n.dll
2004-01-19 11:33:48 444928 ----a-w- c:\program files\ltimg13n.dll
2004-01-19 11:32:18 265216 ----a-w- c:\program files\LTDIS13n.dll
2000-05-02 04:17:00 212480 ----a-w- c:\program files\PCDLIB32.DLL
1999-11-18 23:00:00 284032 ----a-w- c:\program files\XceedZip.dll
2006-05-03 11:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH: 9:29:22.85 ===============

Attached Files


Edited by Noviciate, 21 March 2011 - 05:28 PM.
Added log.
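The file listing in the log above follows the DDS layout of date, time, size, an eight-character attribute string and a path. As an added example (not part of the thread, and not DDS or any BleepingComputer tool), the script below parses that layout and surfaces entries worth a second look during triage: files under `c:\windows\system32` carrying both the hidden and system attributes, which is an unusual combination for a normal library and one a reviewer would want to account for (it is a prompt to check, not evidence of infection). The sample input reuses lines from the log above; the reading of the attribute letters (`s` system, `h` hidden, `a` archive, `r` read-only, `w` writable, leading `d` directory) is an assumption based on the letters themselves, and the `system32` root is a parameter you can change.

```python
"""Triage helper for DDS-style file listings (added example, not from the thread)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample: lines copied from the DDS log in this thread, plus
# the trailer DDS prints, so the parser is exercised on non-entry lines too.
SAMPLE_LOG = """\
2010-12-31 13:10:33 1854976 ----a-w- c:\\windows\\system32\\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\\windows\\system32\\kerberos.dll
2004-01-19 14:31:00 153600 ----a-w- c:\\program files\\ltfil13n.DLL
2006-05-03 11:06:54 163328 --sha-r- c:\\windows\\system32\\flvDX.dll
2007-02-21 12:47:16 31232 --sha-r- c:\\windows\\system32\\msfDX.dll
2008-03-16 14:30:52 216064 --sha-r- c:\\windows\\system32\\nbDX.dll
.
============= FINISH: 9:29:22.85 ===============
"""

# date, time, size in bytes, 8-char attribute string, path (may contain spaces)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$"
)


@dataclass
class FileEntry:
    timestamp: datetime
    size: int
    attrs: str
    path: str

    # Attribute letters are interpreted as an assumption: s=system, h=hidden,
    # a=archive, r=read-only, w=writable, leading d=directory.
    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def read_only(self) -> bool:
        return "r" in self.attrs

    @property
    def is_directory(self) -> bool:
        return self.attrs.startswith("d")


def parse_dds_listing(text: str) -> List[FileEntry]:
    """Parse every line in DDS file-listing layout; skip anything else
    (the '.' separators and the FINISH trailer)."""
    entries: List[FileEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        entries.append(FileEntry(ts, int(size), attrs, path.strip()))
    return entries


def flag_hidden_system(entries: List[FileEntry],
                       root: str = r"c:\windows\system32") -> List[str]:
    """Return paths of regular files under `root` that are both hidden and
    system-flagged. A legitimate DLL in system32 rarely needs either bit,
    so these deserve a manual look (publisher, hashes, who installed them)."""
    root_l = root.lower().rstrip("\\") + "\\"
    return [
        e.path for e in entries
        if not e.is_directory and e.hidden and e.system
        and e.path.lower().startswith(root_l)
    ]


def newest_first(entries: List[FileEntry]) -> List[FileEntry]:
    """Order by modification time, most recent first, to prioritise review."""
    return sorted(entries, key=lambda e: e.timestamp, reverse=True)


if __name__ == "__main__":
    parsed = parse_dds_listing(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed")
    for p in flag_hidden_system(parsed):
        print("review:", p)
```

Running it on the sample prints three `review:` lines for the `--sha-r-` entries and leaves the ordinary `----a-w-` system files alone; point `parse_dds_listing` at the full text of a saved DDS log to apply the same check to a whole listing.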


#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 21 March 2011 - 05:56 PM

Good evening. :)

The detection looks like a Spybot Quarantine file, so not of any real interest. Given that the PC is playing nicely, I'd say run away now while you still can!

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As I see that you have recently removed a number of older versions of Java, and they don't always tidy up after themselves as well as they might:

Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish.


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older versions of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.


#7 2nafish

2nafish
  • Topic Starter

  • Members
  • 18 posts

Posted 21 March 2011 - 06:26 PM

Hi Noviciate, that is good news. System is running better than it has in a long time so I am pretty confident that all is well. I'll uninstall combofix like you say in a few days and hopefully you won't hear from me again for a long while :P .

Thank you for your assistance in this matter.

2nafish

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 22 March 2011 - 03:34 PM

hopefully you won't hear from me again for a long while :P .

I have that effect on people! :crazy: As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
