
Windows Diagnostic virus?


  • This topic is locked
16 replies to this topic

#1 jfp2150

  • Members
  • 10 posts
Posted 25 March 2011 - 03:46 PM

I am having a problem with the "windows diagnostic" virus. I call it that because that was the fake program that claimed I had issues when, in fact, it was the program itself. I did a system restore and that did not solve it. I then downloaded and scanned my system with various programs that did not find it: McAfee, as well as three others that came in the Google gadget bundle. I ran Rootkill and Malwarebytes with the same outcome. I also tried Hitman.

I have now come here hoping for assistance. I will be attaching all that has been requested.

Thank you.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Susan Fitzpatrick at 12:15:47.77 on Fri 03/25/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.322 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Fitbit\fitbit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\lotus\organize\easyclip.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Susan Fitzpatrick\Local Settings\Temporary Internet Files\Content.IE5\6N4LGXNO\Defogger[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Susan Fitzpatrick\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar = hxxp://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Page = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
mSearch Bar = hxxp://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
uSearchURL,(Default) = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
mSearchAssistant = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Fitbit Service Monitor] c:\program files\fitbit\fitbit-tray.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\docume~1\susanf~1\startm~1\programs\startup\organi~1.lnk - c:\lotus\organize\org5.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuso~1.lnk - c:\lotus\organize\easyclip.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} - hxxp://download.mcafee.com/molbin/Shared/MGBrwFld.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.09/uploader2.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - hxxp://i1img.com/images/nocache/copilot/i1initialsetup1.0.0.5.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 192.168.1.104 PCM2J3
Hosts: 192.168.1.100 J3M2Top
.
============= SERVICES / DRIVERS ===============
.
R2 Fitbit;Fitbit Data Uploader;c:\program files\fitbit\fitbit.exe [2011-3-12 779896]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-10-28 627072]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-12-30 18560]
S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;c:\windows\system32\drivers\i2220ntx.sys --> c:\windows\system32\drivers\i2220ntx.sys [?]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2011-3-12 14848]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
.
=============== Created Last 30 ================
.
2032-07-24 18:31:35 -------- d-----w- c:\docume~1\susanf~1\applic~1\Webshots
2032-07-24 14:52:40 -------- d-----w- c:\windows\system32\Dell
2032-07-20 22:35:55 12560 ----a-w- c:\windows\system32\bbchk.exe
2011-03-25 15:52:58 4350 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-03-25 15:44:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-25 15:44:40 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-25 15:42:58 -------- d-----w- c:\windows\system\sounds
2011-03-25 15:42:58 -------- d-----w- c:\windows\system\logs
2011-03-25 15:42:58 -------- d-----w- c:\windows\system\download
2011-03-25 15:41:50 -------- d-----w- c:\windows\system32\MpEngineStore
2011-03-25 15:34:36 -------- d-----w- c:\program files\JumpStart
2011-03-24 12:40:37 -------- d-----w- c:\program files\McAfee Online Backup
2011-03-24 12:37:06 -------- d-----w- c:\program files\common files\Mcafee
2011-03-24 12:36:55 -------- d-----w- c:\program files\McAfee.com
2011-03-23 20:02:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-03-23 16:28:41 -------- d-----w- c:\program files\common files\PC Tools
2011-03-23 15:54:50 -------- d-----w- c:\documents and settings\all users\Immunet
2011-03-23 12:25:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-22 20:02:21 54016 ----a-w- c:\windows\system32\drivers\nxpa.sys
2011-03-22 16:03:45 -------- d--h--w- c:\documents and settings\susan fitzpatrick\Recent(2)
2011-03-21 13:09:20 -------- d-----w- c:\docume~1\susanf~1\applic~1\Malwarebytes
2011-03-21 13:09:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-21 13:09:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-12 21:21:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Fitbit
2011-03-12 21:21:00 18944 ----a-w- c:\windows\system32\drivers\SiLib.sys
2011-03-12 21:21:00 14848 ----a-w- c:\windows\system32\drivers\SiUSBXp.sys
2011-03-12 21:20:39 -------- d-----w- c:\windows\system32\Silabs
2011-03-12 21:20:37 -------- d-----w- c:\program files\Fitbit
2011-03-04 17:05:33 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-02-27 20:12:42 -------- d-----w- c:\documents and settings\susan fitzpatrick\.gconfd
2011-02-27 20:12:42 -------- d-----w- c:\documents and settings\susan fitzpatrick\.gconf
2011-02-27 20:12:38 -------- d-----w- c:\documents and settings\susan fitzpatrick\.gnucash
.
==================== Find3M ====================
.
2009-11-02 13:42:49 33228008 ----a-w- c:\program files\Quicken_Legal_Business_Pro_2010.exe
.
============= FINISH: 12:17:18.15 ===============
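A triage pass over the DDS output above, added here as an example and not part of the post or of DDS itself. It flags IE start/search settings whose host is outside a small allowlist (the search-exe.com entries), BHO/TB/EB entries listed as "No File", "Created Last 30" entries dated after the log was run (the 2032 entries, including c:\windows\system32\bbchk.exe), and executables started from the IE cache. The allowlist and the field layout are assumptions taken from this log's format; the sample lines are copied from the log above. A hit is a lead, not a verdict: a file run straight from the browser cache (here Defogger[1].exe) deserves a look but is not by itself malicious.

```python
"""Triage checks over DDS-style log lines (example code, not part of DDS)."""
import re
from datetime import date
from urllib.parse import urlparse

# Hosts an IE start/search setting is expected to point at on this machine.
# The allowlist is an assumption made for this example; DDS defines no such list.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "www.dellnet.com"}

SEARCH_SETTING = re.compile(
    r"^([um](?:Start Page|Default_Page_URL|Search Bar|Search Page|SearchAssistant"
    r"|SearchMigratedDefaultURL|SearchURL,\(Default\)))\s*=\s*(\S+)"
)
ORPHAN_ENTRY = re.compile(r"^(?:BHO|TB|EB):.*\{([0-9A-Fa-f-]{36})\}\s*-\s*No File$")
CREATED_ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")
IE_CACHE_EXEC = re.compile(r"\\Temporary Internet Files\\.*\.(?:exe|scr|dll)$", re.I)


def refang(url):
    """DDS writes hxxp:// so the log cannot be clicked; restore the scheme for parsing only."""
    return re.sub(r"^hxxp", "http", url, count=1)


def triage(lines, log_date):
    """Return the four finding lists for an iterable of log lines; log_date is the DDS run date."""
    findings = {"search_hijacks": [], "orphans": [], "future_dated": [], "ie_cache_executables": []}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SEARCH_SETTING.match(line)
        if m:
            host = (urlparse(refang(m.group(2))).hostname or "").lower()
            if host not in KNOWN_SEARCH_HOSTS:
                findings["search_hijacks"].append((m.group(1), host))
            continue
        m = ORPHAN_ENTRY.match(line)
        if m:
            findings["orphans"].append(m.group(1))
            continue
        m = CREATED_ENTRY.match(line)
        if m:
            # A creation date after the run date cannot be right; the 2032 entries are the case here.
            if date.fromisoformat(m.group(1)) > log_date:
                findings["future_dated"].append(m.group(2))
            continue
        if IE_CACHE_EXEC.search(line):
            findings["ie_cache_executables"].append(line)
    return findings


# Lines copied from the DDS log above; the run date comes from its header.
SAMPLE_LOG = r"""
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar = hxxp://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7
mSearchAssistant = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
2032-07-20 22:35:55 12560 ----a-w- c:\windows\system32\bbchk.exe
2032-07-24 14:52:40 -------- d-----w- c:\windows\system32\Dell
2011-03-25 15:52:58 4350 ----a-w- c:\windows\system32\PerfStringBackup.TMP
C:\Documents and Settings\Susan Fitzpatrick\Local Settings\Temporary Internet Files\Content.IE5\6N4LGXNO\Defogger[1].exe
C:\Documents and Settings\Susan Fitzpatrick\Desktop\dds.scr
"""
LOG_DATE = date(2011, 3, 25)


def run_sample():
    return triage(SAMPLE_LOG.splitlines(), LOG_DATE)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run it against a full DDS log by passing the file's lines to triage() with the date from the "Run by ... on" header line; the "No File" orphans are leftovers of something already removed and are usually just cleanup, while a search-provider host nobody chose and a future-dated executable in system32 are the two findings worth chasing first.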



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 25 March 2011 - 04:48 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 jfp2150

  • Topic Starter
  • Members
  • 10 posts

Posted 25 March 2011 - 06:16 PM

Thank you so much for helping me! I have included the Combofix log.


ComboFix 11-03-24.06 - Susan Fitzpatrick 03/25/2011 18:25:08.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.742 [GMT -4:00]
Running from: c:\documents and settings\Susan Fitzpatrick\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common
c:\program files\INSTALL.LOG
c:\windows\system\aliases.ini
c:\windows\system\control.ini
c:\windows\system\download
c:\windows\system\logs
c:\windows\system\mirc.ico
c:\windows\system\mirc.ini
c:\windows\system\remote.ini
c:\windows\system\servers.ini
c:\windows\system\sounds
c:\windows\system\users.ini
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-02-25 to 2011-03-25 )))))))))))))))))))))))))))))))
.
.
2032-07-24 18:31 . 2008-05-11 20:24 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\Application Data\Webshots
2032-07-24 14:52 . 2032-07-24 14:52 -------- d-----w- c:\windows\system32\Dell
2032-07-20 22:35 . 2004-02-09 14:24 12560 ----a-w- c:\windows\system32\bbchk.exe
2011-03-25 15:44 . 2011-03-25 15:44 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-25 15:41 . 2011-03-25 15:41 -------- d-----w- c:\windows\system32\MpEngineStore
2011-03-25 15:34 . 2011-03-25 15:34 -------- d-----w- c:\program files\JumpStart
2011-03-24 18:49 . 2011-03-24 18:49 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
2011-03-24 12:40 . 2011-03-25 15:47 -------- d-----w- c:\program files\McAfee Online Backup
2011-03-24 12:37 . 2011-03-25 15:32 -------- d-----w- c:\program files\Common Files\Mcafee
2011-03-24 12:36 . 2011-03-24 12:36 -------- d-----w- c:\program files\McAfee.com
2011-03-23 22:28 . 2011-03-23 22:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-23 20:02 . 2011-03-25 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-03-23 16:28 . 2011-03-25 15:37 -------- d-----w- c:\program files\Common Files\PC Tools
2011-03-23 15:54 . 2011-03-23 16:26 -------- d-----w- c:\documents and settings\All Users\Immunet
2011-03-23 15:49 . 2011-03-25 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2011-03-23 12:25 . 2011-03-25 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-22 20:02 . 2011-03-22 20:02 54016 ----a-w- c:\windows\system32\drivers\nxpa.sys
2011-03-21 13:09 . 2011-03-21 13:09 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\Application Data\Malwarebytes
2011-03-21 13:09 . 2011-03-21 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-21 13:09 . 2011-03-25 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-12 21:21 . 2011-03-12 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Fitbit
2011-03-12 21:21 . 2010-06-19 17:16 18944 ----a-w- c:\windows\system32\drivers\SiLib.sys
2011-03-12 21:21 . 2010-06-19 17:16 14848 ----a-w- c:\windows\system32\drivers\SiUSBXp.sys
2011-03-12 21:20 . 2011-03-12 21:21 -------- d-----w- c:\windows\system32\Silabs
2011-03-12 21:20 . 2011-03-12 21:20 -------- d-----w- c:\program files\Fitbit
2011-03-04 17:05 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-02-27 20:12 . 2011-02-27 20:13 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\.gconf
2011-02-27 20:12 . 2011-03-01 00:54 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\.gnucash
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 13:42 . 2009-11-02 13:42 33228008 ----a-w- c:\program files\Quicken_Legal_Business_Pro_2010.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-09-19 294912]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-13 122368]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2001-11-06 131072]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-17 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
.
c:\documents and settings\Susan Fitzpatrick\Start Menu\Programs\Startup\
Organizer.lnk - c:\lotus\organize\org5.exe [2002-8-8 3890688]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Lotus Organizer EasyClip.lnk - c:\lotus\organize\easyclip.exe [2002-8-8 87040]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
.
R2 Fitbit;Fitbit Data Uploader;c:\program files\Fitbit\fitbit.exe [3/12/2011 5:20 PM 779896]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\SYSTEM32\DRIVERS\WUSB54GCv3.sys [10/28/2009 2:39 PM 627072]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 11:17 AM 135664]
S3 FlyUsb;FLY Fusion;c:\windows\SYSTEM32\DRIVERS\FlyUsb.sys [12/30/2010 10:28 AM 18560]
S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;c:\windows\system32\DRIVERS\i2220ntx.sys --> c:\windows\system32\DRIVERS\i2220ntx.sys [?]
S3 SIUSBXP;SIUSBXP;c:\windows\SYSTEM32\DRIVERS\SiUSBXp.sys [3/12/2011 5:21 PM 14848]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-02-01 13:19]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 15:17]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 15:17]
.
2011-03-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-514505703-2870628022-252619601-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-514505703-2870628022-252619601-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-25 c:\windows\Tasks\{64794983-C651-4841-9546-CE2F7C02EA1F}_SUZYFITZ_Susan Fitzpatrick.job
- c:\windows\system32\MOBSYNC.EXE [2002-08-28 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
uSearchURL,(Default) = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-FITBIT&10C4&84C4 - c:\windows\system32\Silabs\DriverUninstaller.exe USBXpress\FITBIT&10C4&84C4
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-25 18:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???X???????????x???????????????????H???P???? ?w? ?w)??p????????(????????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(972)
c:\program files\Funk Software\Odyssey Client\odLogin.dll
.
Completion time: 2011-03-25 18:39:56
ComboFix-quarantined-files.txt 2011-03-25 22:39
.
Pre-Run: 3,714,895,872 bytes free
Post-Run: 3,977,932,800 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - F9EA4BD711F41E99F08E4311BD4F0533

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 25 March 2011 - 07:02 PM

Hi

Please do the following:

Submit a file to VirusTotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file c:\windows\system32\bbchk.exe
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.


NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
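The VirusTotal step above done from a script, added here as an example; it is not CatByte's procedure and not VirusTotal's own code. It hashes the file locally, looks the SHA-256 up through the v3 API, and reduces the report to the hits/total figure the web page shows. The endpoint, header and response layout are the current v3 API as I know it (an assumption; the thread used the 2011 web form), and SAMPLE_REPORT is constructed to mirror the three engines that flagged bbchk.exe in the next reply. A hash lookup sends nothing but the hash, which matters when the sample may contain personal data; upload only when no report exists.

```python
"""Hash a sample locally and read a VirusTotal report by hash (example code, not VirusTotal's)."""
import hashlib
import json
import urllib.request

DIGESTS = ("md5", "sha1", "sha256")
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"  # assumed v3 endpoint


def hash_bytes(data):
    """md5/sha1/sha256 of an in-memory blob, for checking against the hashes a report quotes."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def hash_file(path, chunk_size=1 << 20):
    """Same three digests computed in one pass so a large file is read once."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_lookup(sha256, api_key):
    """GET /files/{sha256}: a lookup by hash never sends the file itself."""
    return urllib.request.Request(
        VT_FILES_URL + sha256, headers={"x-apikey": api_key, "accept": "application/json"}
    )


def fetch_report(sha256, api_key):
    """Network call; returns the decoded v3 report, raises HTTPError 404 when VT has never seen the hash."""
    with urllib.request.urlopen(build_lookup(sha256, api_key), timeout=30) as resp:
        return json.load(resp)


def summarize(report):
    """Reduce a v3 file report to the hits/total figure and the names the hitting engines gave."""
    attrs = report["data"]["attributes"]
    results = attrs["last_analysis_results"]
    hits = sorted(
        (engine, r.get("result")) for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    return {"sha256": attrs.get("sha256"), "detected": len(hits), "total": len(results),
            "ratio": f"{len(hits)}/{len(results)}", "hits": hits}


def _engine(category, result=None):
    return {"category": category, "result": result, "engine_update": "20110323"}


# Constructed sample in the v3 shape; the three hits and the hashes are the ones quoted for bbchk.exe.
SAMPLE_REPORT = {
    "data": {"type": "file", "attributes": {
        "md5": "68d9018bcfa92be76496c143ce4f9dce",
        "sha256": "55640c5d5611894e5ca968f0d14e428b86a6f664a8336593b93bea61d48abda2",
        "last_analysis_results": {
            "ClamAV": _engine("malicious", "Adware.BBuddy-19"),
            "Prevx": _engine("malicious", "Medium Risk Malware"),
            "TheHacker": _engine("malicious", "Adware/Exact"),
            "McAfee": _engine("undetected"),
            "Microsoft": _engine("undetected"),
            "Symantec": _engine("undetected"),
        },
    }},
}

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(s["ratio"], s["sha256"])
    for engine, name in s["hits"]:
        print(f"  {engine}: {name}")
```

In use, compare hash_file(path)["sha256"] with the sha256 the report carries before trusting the verdict; a mismatch means the report is for a different build of the file than the one on the machine, which is exactly the situation the "Reanalyze" option in the post exists for.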


#5 jfp2150

  • Topic Starter
  • Members
  • 10 posts

Posted 26 March 2011 - 10:19 AM

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: bbchk.exe
Submission date: 2011-03-26 12:05:21 (UTC)


Result: 3/41 (7.3%)

Antivirus            Version          Last Update  Result
AhnLab-V3            2011.03.23.01    2011.03.23   -
AntiVir              7.11.5.43        2011.03.23   -
Antiy-AVL            2.0.3.7          2011.03.22   -
Avast                4.8.1351.0       2011.03.23   -
Avast5               5.0.677.0        2011.03.23   -
AVG                  10.0.0.1190      2011.03.23   -
BitDefender          7.2              2011.03.23   -
CAT-QuickHeal        11.00            2011.03.23   -
ClamAV               0.96.4.0         2011.03.23   Adware.BBuddy-19
Commtouch            5.2.11.5         2011.03.22   -
Comodo               8073             2011.03.23   -
DrWeb                5.0.2.03300      2011.03.23   -
eSafe                7.0.17.0         2011.03.22   -
eTrust-Vet           36.1.8231        2011.03.23   -
F-Prot               4.6.2.117        2011.03.22   -
F-Secure             9.0.16440.0      2011.03.23   -
Fortinet             4.2.254.0        2011.03.23   -
GData                21               2011.03.23   -
Ikarus               T3.1.1.97.0      2011.03.23   -
Jiangmin             13.0.900         2011.03.23   -
K7AntiVirus          9.94.4188        2011.03.23   -
McAfee               5.400.0.1158     2011.03.23   -
McAfee-GW-Edition    2010.1C          2011.03.23   -
Microsoft            1.6603           2011.03.23   -
NOD32                5977             2011.03.23   -
Norman               6.07.03          2011.03.22   -
nProtect             2011-02-10.01    2011.02.15   -
Panda                10.0.3.5         2011.03.22   -
PCTools              7.0.3.5          2011.03.21   -
Prevx                3.0              2011.03.26   Medium Risk Malware
Rising               23.50.01.06      2011.03.22   -
Sophos               4.63.0           2011.03.23   -
SUPERAntiSpyware     4.40.0.1006      2011.03.23   -
Symantec             20101.3.0.103    2011.03.23   -
TheHacker            6.7.0.1.155      2011.03.23   Adware/Exact
TrendMicro           9.200.0.1012     2011.03.23   -
TrendMicro-HouseCall 9.200.0.1012     2011.03.23   -
VBA32                3.12.14.3        2011.03.23   -
VIPRE                8790             2011.03.23   -
ViRobot              2011.3.23.4372   2011.03.23   -
VirusBuster          13.6.264.0       2011.03.22   -
Additional informationShow all
MD5 : 68d9018bcfa92be76496c143ce4f9dce
SHA1 : 6f48c0d1910bc6c0b6ed005fc1c540de002e6c6e
SHA256: 55640c5d5611894e5ca968f0d14e428b86a6f664a8336593b93bea61d48abda2

#2 - Malwarebytes log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6173
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
3/26/2011 8:47:03 AM
mbam-log-2011-03-26 (08-47-03).txt
Scan type: Quick scan
Objects scanned: 161348
Time elapsed: 7 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4767C447-EF15-42F2-8809-68ADB7FA76F1} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4438A5DC-E00B-41A0-B0E6-B63FD3B86EEE} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3} (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564EA119} (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{78429873-F771-11D3-AE1D-0050DAC24E8F} (Adware.iWon) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{10125C2D-6821-4070-B24E-2E992501AD55} (Adware.iWon) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Apuc.UrlCatcher (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Apuc.UrlCatcher.1 (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MP.MediaPops (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MP.MediaPops.1 (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CLASSES_ROOT\AppID\main.DLL\AppID (Adware.DeepDive) -> Value: AppID -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.BHO.1\CLSID\(default) (Adware.DeepDive) -> Value: (default) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

#3 - ESET Scan -
Attaching file

Thank you!!!!

Attached Files


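The Malwarebytes log pasted above (and the clean one later in the thread) has a regular enough layout to be parsed mechanically, which matters when you are triaging many such logs and want to catch entries that were not actually removed. The Python below is an added example for this page, not code from the thread or from Malwarebytes; the log embedded in it is a constructed excerpt in the MBAM 1.50 layout (two of its lines are altered to show a "No action taken" outcome), and the function names are this example's own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured detections.

Added example for this thread; not part of the original post or of Malwarebytes.
SAMPLE_LOG is a constructed excerpt in the MBAM 1.50 log layout.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6173

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/26/2011 8:47:03 AM
mbam-log-2011-03-26 (08-47-03).txt

Scan type: Quick scan
Objects scanned: 161348
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Apuc.UrlCatcher (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MP.MediaPops (Adware.Delphinmediaviewer) -> No action taken.

Registry Values Infected:
HKEY_CLASSES_ROOT\AppID\main.DLL\AppID (Adware.DeepDive) -> Value: AppID -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.BHO.1\CLSID\(default) (Adware.DeepDive) -> Value: (default) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# One detection line: "<item> (<family>) -> [Value: <v> -> ]<action>."
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?:Value: (?P<value>.+?) -> )?(?P<action>.+?)\.?$"
)
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<val>.+)$")


def parse_mbam_log(text):
    """Return a dict with 'header' fields, per-section 'summary' counts and 'detections'."""
    header, summary, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("val")
            continue
        m = SUMMARY_RE.match(line)          # "Registry Keys Infected: 3"
        if m:
            summary[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)          # "Registry Keys Infected:" opens a section
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({
                "section": section,
                "item": m.group("item"),
                "family": m.group("family"),
                "value": m.group("value"),
                "action": m.group("action"),
            })
    return {"header": header, "summary": summary, "detections": detections}


def unresolved(parsed):
    """Detections whose action was not a successful quarantine/delete; these need follow-up."""
    return [d for d in parsed["detections"] if "successfully" not in d["action"]]


def family_counts(parsed):
    """How many entries each detection family contributed."""
    return Counter(d["family"] for d in parsed["detections"])


def summary_matches_detections(parsed):
    """Cross-check: the summary counts should equal the entries actually listed."""
    listed = Counter(d["section"] for d in parsed["detections"])
    return all(listed.get(name, 0) == count for name, count in parsed["summary"].items())


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print(result["summary"])
    print(family_counts(result))
    for d in unresolved(result):
        print("NEEDS FOLLOW-UP:", d["section"], d["item"], d["family"], d["action"])
```

The unresolved() check is the one worth keeping: an entry that reads "No action taken" or that survived with an error is the lead for the next pass, and the summary cross-check catches logs that were pasted incompletely.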

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:28 PM

Posted 26 March 2011 - 12:54 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic387107.html/page__view__findpost__p__2182970

Collect::
c:\windows\system32\bbchk.exe

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT


Your Java is out of date.
Java™ 6 Update 16 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please advise how the computer is running now and if there are any outstanding issues



#7 jfp2150

jfp2150
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:28 PM

Posted 26 March 2011 - 04:34 PM

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.

I think I have. I honestly have no idea what half of the processes are running on this laptop at any given time? I think I have stopped them in the settings for each program.

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:28 PM

Posted 26 March 2011 - 05:16 PM

then you should be fine :)



#9 jfp2150

jfp2150
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:28 PM

Posted 27 March 2011 - 09:42 AM

ComboFix 11-03-24.06 - Susan Fitzpatrick 03/25/2011 18:25:08.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.742 [GMT -4:00]
Running from: c:\documents and settings\Susan Fitzpatrick\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common
c:\program files\INSTALL.LOG
c:\windows\system\aliases.ini
c:\windows\system\control.ini
c:\windows\system\download
c:\windows\system\logs
c:\windows\system\mirc.ico
c:\windows\system\mirc.ini
c:\windows\system\remote.ini
c:\windows\system\servers.ini
c:\windows\system\sounds
c:\windows\system\users.ini
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-02-25 to 2011-03-25 )))))))))))))))))))))))))))))))
.
.
2032-07-24 18:31 . 2008-05-11 20:24 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\Application Data\Webshots
2032-07-24 14:52 . 2032-07-24 14:52 -------- d-----w- c:\windows\system32\Dell
2032-07-20 22:35 . 2004-02-09 14:24 12560 ----a-w- c:\windows\system32\bbchk.exe
2011-03-25 15:44 . 2011-03-25 15:44 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-25 15:41 . 2011-03-25 15:41 -------- d-----w- c:\windows\system32\MpEngineStore
2011-03-25 15:34 . 2011-03-25 15:34 -------- d-----w- c:\program files\JumpStart
2011-03-24 18:49 . 2011-03-24 18:49 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
2011-03-24 12:40 . 2011-03-25 15:47 -------- d-----w- c:\program files\McAfee Online Backup
2011-03-24 12:37 . 2011-03-25 15:32 -------- d-----w- c:\program files\Common Files\Mcafee
2011-03-24 12:36 . 2011-03-24 12:36 -------- d-----w- c:\program files\McAfee.com
2011-03-23 22:28 . 2011-03-23 22:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-23 20:02 . 2011-03-25 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-03-23 16:28 . 2011-03-25 15:37 -------- d-----w- c:\program files\Common Files\PC Tools
2011-03-23 15:54 . 2011-03-23 16:26 -------- d-----w- c:\documents and settings\All Users\Immunet
2011-03-23 15:49 . 2011-03-25 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2011-03-23 12:25 . 2011-03-25 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-22 20:02 . 2011-03-22 20:02 54016 ----a-w- c:\windows\system32\drivers\nxpa.sys
2011-03-21 13:09 . 2011-03-21 13:09 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\Application Data\Malwarebytes
2011-03-21 13:09 . 2011-03-21 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-21 13:09 . 2011-03-25 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-12 21:21 . 2011-03-12 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Fitbit
2011-03-12 21:21 . 2010-06-19 17:16 18944 ----a-w- c:\windows\system32\drivers\SiLib.sys
2011-03-12 21:21 . 2010-06-19 17:16 14848 ----a-w- c:\windows\system32\drivers\SiUSBXp.sys
2011-03-12 21:20 . 2011-03-12 21:21 -------- d-----w- c:\windows\system32\Silabs
2011-03-12 21:20 . 2011-03-12 21:20 -------- d-----w- c:\program files\Fitbit
2011-03-04 17:05 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-02-27 20:12 . 2011-02-27 20:13 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\.gconf
2011-02-27 20:12 . 2011-03-01 00:54 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\.gnucash
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 13:42 . 2009-11-02 13:42 33228008 ----a-w- c:\program files\Quicken_Legal_Business_Pro_2010.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-09-19 294912]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-13 122368]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2001-11-06 131072]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-17 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
.
c:\documents and settings\Susan Fitzpatrick\Start Menu\Programs\Startup\
Organizer.lnk - c:\lotus\organize\org5.exe [2002-8-8 3890688]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Lotus Organizer EasyClip.lnk - c:\lotus\organize\easyclip.exe [2002-8-8 87040]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
.
R2 Fitbit;Fitbit Data Uploader;c:\program files\Fitbit\fitbit.exe [3/12/2011 5:20 PM 779896]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\SYSTEM32\DRIVERS\WUSB54GCv3.sys [10/28/2009 2:39 PM 627072]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 11:17 AM 135664]
S3 FlyUsb;FLY Fusion;c:\windows\SYSTEM32\DRIVERS\FlyUsb.sys [12/30/2010 10:28 AM 18560]
S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;c:\windows\system32\DRIVERS\i2220ntx.sys --> c:\windows\system32\DRIVERS\i2220ntx.sys [?]
S3 SIUSBXP;SIUSBXP;c:\windows\SYSTEM32\DRIVERS\SiUSBXp.sys [3/12/2011 5:21 PM 14848]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-02-01 13:19]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 15:17]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 15:17]
.
2011-03-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-514505703-2870628022-252619601-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-514505703-2870628022-252619601-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-25 c:\windows\Tasks\{64794983-C651-4841-9546-CE2F7C02EA1F}_SUZYFITZ_Susan Fitzpatrick.job
- c:\windows\system32\MOBSYNC.EXE [2002-08-28 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
uSearchURL,(Default) = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-FITBIT&10C4&84C4 - c:\windows\system32\Silabs\DriverUninstaller.exe USBXpress\FITBIT&10C4&84C4
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-25 18:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???X???????????x???????????????????H???P???? ?w? ?w)??p????????(????????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(972)
c:\program files\Funk Software\Odyssey Client\odLogin.dll
.
Completion time: 2011-03-25 18:39:56
ComboFix-quarantined-files.txt 2011-03-25 22:39
.
Pre-Run: 3,714,895,872 bytes free
Post-Run: 3,977,932,800 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - F9EA4BD711F41E99F08E4311BD4F0533


You did it! I don't seem to be affected by the search redirects anymore. The issue with my hidden files/read only files is still present. I have gone into my folder properties and unticked the hidden and read only boxes but now it is showing everything - including system files. I suppose I'll have to just live with it : (

I can't thank you enough for all your time. One more thing...I believe I was infected by a "drive-by download" and I'm not sure what could have prevented it? Do you know of a good anti-virus (real-time) that does not significantly slow down my system? It seems everything I try brings my system to a crawl speed.

THANK YOU!!!
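Two things in the ComboFix log above are the kind of detail a responder should not have to spot by eye: c:\windows\system32\bbchk.exe (the file submitted to VirusTotal earlier) and the c:\windows\system32\Dell folder both carry creation timestamps in 2032, years after the scan date, and bbchk.exe is a new executable sitting in system32. The Python below is an added example for this page, not part of ComboFix or of any post in the thread; it reads the "Files Created" section, flags future-dated entries and new executables under the Windows tree, and embeds a constructed excerpt in the ComboFix layout. The column reading (first timestamp = creation, second = last write, then size, attribute flags, path) is an assumption of this example.

```python
"""Flag suspicious entries in the 'Files Created' section of a ComboFix log.

Added example for this thread, not part of ComboFix or of the original posts.
Assumed column layout: "<created> . <modified> <size|--------> <attrs> <path>".
"""
import re
from datetime import datetime, timedelta

# Constructed excerpt in the ComboFix layout used in the thread (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-02-25 to 2011-03-25 )))))))))))))))))))))))))))))))
.
2032-07-24 14:52 . 2032-07-24 14:52 -------- d-----w- c:\windows\system32\Dell
2032-07-20 22:35 . 2004-02-09 14:24 12560 ----a-w- c:\windows\system32\bbchk.exe
2011-03-25 15:44 . 2011-03-25 15:44 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-22 20:02 . 2011-03-22 20:02 54016 ----a-w- c:\windows\system32\drivers\nxpa.sys
2011-03-12 21:21 . 2010-06-19 17:16 14848 ----a-w- c:\windows\system32\drivers\SiUSBXp.sys
2011-03-12 21:20 . 2011-03-12 21:20 -------- d-----w- c:\program files\Fitbit
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
WINDOW_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
TS = "%Y-%m-%d %H:%M"
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
SYSTEM_DIRS = ("c:\\windows\\",)  # system32 and drivers sit under this prefix


def parse_files_created(text):
    """Return (window_end_date, entries) for the Files Created section."""
    window_end, entries, in_section = None, [], False
    for line in text.splitlines():
        m = WINDOW_RE.search(line)
        if m:
            window_end = datetime.strptime(m.group(2), "%Y-%m-%d")
            in_section = True
            continue
        if in_section and "Find3M Report" in line:
            break  # next section of the log
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            entries.append({
                "created": datetime.strptime(m.group("created"), TS),
                "modified": datetime.strptime(m.group("modified"), TS),
                "size": None if m.group("size").startswith("-") else int(m.group("size")),
                "is_dir": m.group("attrs").startswith("d"),
                "path": m.group("path"),
            })
    return window_end, entries


def flag_entries(window_end, entries, slack=timedelta(days=1)):
    """Return (path, [reasons]) for entries worth a second look."""
    flagged = []
    for e in entries:
        reasons = []
        # A creation or last-write time after the scan date cannot be genuine.
        if e["created"] > window_end + slack or e["modified"] > window_end + slack:
            reasons.append("timestamp in the future")
        # New executables and drivers under the Windows tree deserve a hash lookup.
        lower = e["path"].lower()
        if not e["is_dir"] and lower.endswith(EXEC_EXT) and lower.startswith(SYSTEM_DIRS):
            reasons.append("new executable under the Windows tree")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged


if __name__ == "__main__":
    end, entries = parse_files_created(SAMPLE_LOG)
    for path, reasons in flag_entries(end, entries):
        print(path, "->", "; ".join(reasons))
```

This produces a triage list, not a verdict: a vendor driver such as SiUSBXp.sys is flagged by the same rule as nxpa.sys and bbchk.exe, and the next step for each hit is the hash lookup the thread already shows, not deletion. The future-date rule is the one with real signal, since nothing legitimate writes 2032 into an NTFS timestamp on a machine whose clock reads 2011.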

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:28 PM

Posted 27 March 2011 - 10:56 AM

Hi

The hidden attributes should have been resolved, reboot the computer, after running the next scans, if they are still hidden when they shouldn't be, delete the copy of combofix that you have, download a fresh copy and run it again (it has been updated to deal with this issue)

please run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#11 jfp2150

jfp2150
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:28 PM

Posted 28 March 2011 - 07:46 AM

My file folders settings are still displaying incorrectly. Some are still set to 'hidden' while others are showing all files (including system files.)

I followed the above steps and reinstalled Combofix?

Here are the requested logs:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6186

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/27/2011 6:12:51 PM
mbam-log-2011-03-27 (18-12-51).txt

Scan type: Quick scan
Objects scanned: 163802
Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET SCAN:

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM\mirc.ini.vir IRC/Zapchast trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP407\A0046070.exe a variant of Win32/Kryptik.LVS trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP407\A0046071.exe a variant of Win32/Kryptik.LVS trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP407\A0046104.ini IRC/Zapchast trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP410\A0046628.ini IRC/Zapchast trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP415\A0051611.ini IRC/Zapchast trojan

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:28 PM

Posted 28 March 2011 - 08:06 AM

can you please re-run the updated ComboFix and post the resulting log

First please reset the defaults back to hidden files and folders for all the system files, then see what attributes still remain hidden on files that shouldn't have them hidden after re-running ComboFix

Edited by CatByte, 28 March 2011 - 08:07 AM.



#13 jfp2150

jfp2150
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:28 PM

Posted 28 March 2011 - 09:11 AM

Sorry, I failed to include the Combofix results from last night. The folder properties are a mess. Now, I have everything showing and when I change the attributes and click on apply, they don't seem to save that way?

Here is the Combofix I ran after the update.

ComboFix 11-03-27.01 - Susan Fitzpatrick 03/27/2011 20:53:59.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.654 [GMT -4:00]
Running from: c:\documents and settings\Susan Fitzpatrick\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))
.
.
2032-07-24 18:31 . 2008-05-11 20:24 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\Application Data\Webshots
2032-07-24 14:52 . 2032-07-24 14:52 -------- d-----w- c:\windows\system32\Dell
2011-03-26 23:49 . 2011-03-26 23:49 -------- d-----w- c:\program files\Common Files\Java
2011-03-26 23:49 . 2011-02-03 01:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-26 23:28 . 2011-03-26 23:28 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-03-26 12:51 . 2011-03-26 12:51 -------- d-----w- c:\program files\ESET
2011-03-26 12:35 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 12:35 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-25 15:44 . 2011-03-25 15:44 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-25 15:41 . 2011-03-25 15:41 -------- d-----w- c:\windows\system32\MpEngineStore
2011-03-25 15:34 . 2011-03-25 15:34 -------- d-----w- c:\program files\JumpStart
2011-03-24 18:49 . 2011-03-24 18:49 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
2011-03-24 12:40 . 2011-03-25 15:47 -------- d-----w- c:\program files\McAfee Online Backup
2011-03-24 12:37 . 2011-03-25 15:32 -------- d-----w- c:\program files\Common Files\Mcafee
2011-03-24 12:36 . 2011-03-24 12:36 -------- d-----w- c:\program files\McAfee.com
2011-03-23 22:28 . 2011-03-23 22:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-03-23 20:02 . 2011-03-25 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-03-23 16:28 . 2011-03-25 15:37 -------- d-----w- c:\program files\Common Files\PC Tools
2011-03-23 15:54 . 2011-03-23 16:26 -------- d-----w- c:\documents and settings\All Users\Immunet
2011-03-23 15:49 . 2011-03-25 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2011-03-23 12:25 . 2011-03-25 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-22 20:02 . 2011-03-22 20:02 54016 ----a-w- c:\windows\system32\drivers\nxpa.sys
2011-03-21 13:09 . 2011-03-21 13:09 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\Application Data\Malwarebytes
2011-03-21 13:09 . 2011-03-21 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-21 13:09 . 2011-03-26 12:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-12 21:21 . 2011-03-12 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Fitbit
2011-03-12 21:21 . 2010-06-19 17:16 18944 ----a-w- c:\windows\system32\drivers\SiLib.sys
2011-03-12 21:21 . 2010-06-19 17:16 14848 ----a-w- c:\windows\system32\drivers\SiUSBXp.sys
2011-03-12 21:20 . 2011-03-12 21:21 -------- d-----w- c:\windows\system32\Silabs
2011-03-12 21:20 . 2011-03-12 21:20 -------- d-----w- c:\program files\Fitbit
2011-03-04 17:05 . 1998-06-18 05:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2011-02-27 20:12 . 2011-02-27 20:13 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\.gconf
2011-02-27 20:12 . 2011-03-01 00:54 -------- d-----w- c:\documents and settings\Susan Fitzpatrick\.gnucash
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 23:19 . 2007-11-27 23:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-02 13:42 . 2009-11-02 13:42 33228008 ----a-w- c:\program files\Quicken_Legal_Business_Pro_2010.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-25_22.35.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-28 00:41 . 2011-03-28 00:41 16384 c:\windows\Temp\Perflib_Perfdata_104.dat
+ 2003-02-23 21:33 . 2011-03-26 22:56 68290 c:\windows\SYSTEM32\PERFC009.DAT
- 2003-02-23 21:33 . 2011-03-25 22:18 68290 c:\windows\SYSTEM32\PERFC009.DAT
+ 2011-03-26 23:28 . 2011-03-26 23:28 28160 c:\windows\Installer\225a75.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\ViewerPS.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\reader_sl.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlr.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\eula.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrotextextractor.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32Info.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acroiehelpershim.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroIEHelper.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\Acrofx32.dll
- 2003-02-23 21:33 . 2011-03-25 22:18 434240 c:\windows\SYSTEM32\PERFH009.DAT
+ 2003-02-23 21:33 . 2011-03-26 22:56 434240 c:\windows\SYSTEM32\PERFH009.DAT
+ 2011-03-26 23:49 . 2011-02-03 01:40 157472 c:\windows\SYSTEM32\javaws.exe
- 2009-09-23 19:38 . 2009-09-23 19:38 145184 c:\windows\SYSTEM32\javaw.exe
+ 2011-03-26 23:49 . 2011-02-03 01:40 145184 c:\windows\SYSTEM32\javaw.exe
+ 2011-03-26 23:49 . 2011-02-03 01:40 145184 c:\windows\SYSTEM32\java.exe
- 2009-09-23 19:38 . 2009-09-23 19:38 145184 c:\windows\SYSTEM32\java.exe
+ 2011-03-26 23:49 . 2011-03-26 23:49 180224 c:\windows\Installer\34aeab.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\pdfshell.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\nppdf32.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\JP2KLib.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AiodLite.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroPDF.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrobroker.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\a3dutils.dll
+ 2011-03-26 23:33 . 2011-03-26 23:33 2283008 c:\windows\Installer\225b7c.msi
+ 2010-11-10 16:49 . 2010-11-10 16:49 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\rt3d.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\authplay.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AGM.dll
+ 2010-11-10 16:49 . 2010-11-10 16:49 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AdobeCollabSync.exe
+ 2010-11-10 16:49 . 2010-11-10 16:49 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.exe
+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\225b7d.msp
+ 2010-11-10 16:49 . 2010-11-10 16:49 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-09-19 294912]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-13 122368]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2001-11-06 131072]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-17 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\Susan Fitzpatrick\Start Menu\Programs\Startup\
Organizer.lnk - c:\lotus\organize\org5.exe [2002-8-8 3890688]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Lotus Organizer EasyClip.lnk - c:\lotus\organize\easyclip.exe [2002-8-8 87040]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
.
R2 Fitbit;Fitbit Data Uploader;c:\program files\Fitbit\fitbit.exe [3/12/2011 5:20 PM 779896]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\SYSTEM32\DRIVERS\WUSB54GCv3.sys [10/28/2009 2:39 PM 627072]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 11:17 AM 135664]
S3 FlyUsb;FLY Fusion;c:\windows\SYSTEM32\DRIVERS\FlyUsb.sys [12/30/2010 10:28 AM 18560]
S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;c:\windows\system32\DRIVERS\i2220ntx.sys --> c:\windows\system32\DRIVERS\i2220ntx.sys [?]
S3 SIUSBXP;SIUSBXP;c:\windows\SYSTEM32\DRIVERS\SiUSBXp.sys [3/12/2011 5:21 PM 14848]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-02-01 13:19]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 15:17]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 15:17]
.
2011-03-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-514505703-2870628022-252619601-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-514505703-2870628022-252619601-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-27 c:\windows\Tasks\{64794983-C651-4841-9546-CE2F7C02EA1F}_SUZYFITZ_Susan Fitzpatrick.job
- c:\windows\system32\MOBSYNC.EXE [2002-08-28 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
uSearchURL,(Default) = hxxp://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-27 21:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(964)
c:\program files\Funk Software\Odyssey Client\odLogin.dll
.
- - - - - - - > 'explorer.exe'(600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-27 21:12:47
ComboFix-quarantined-files.txt 2011-03-28 01:12
ComboFix2.txt 2011-03-26 23:10
ComboFix3.txt 2011-03-25 22:39
.
Pre-Run: 3,606,560,768 bytes free
Post-Run: 3,675,385,856 bytes free
.
- - End Of File - - 4D157B99094DD9FDF7FEE10075417FA6

#14 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 28 March 2011 - 09:50 AM

Click Start > My Computer > Tools > Folder Options > Under the General Tab, click the Restore Defaults Button, then hit Apply > now click the View tab > Click the reset all Folders button then click the Restore defaults Button > then hit Apply > reboot your computer.

If things haven't changed, go to the following Microsoft site and use the FixIt button:

http://support.microsoft.com/mats/windows_file_and_folder_diag/

Let me know in as much detail as possible how things are now:

If they are still messed up, export these registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam



Open Notepad and copy/paste the contents of the code box below into Notepad.

REM Export the two folder-view keys to .reg files, join them into look.txt, then tidy up
regedit /e peek1.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell"
regedit /e peek2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
start notepad look.txt
del peek*.txt

Save this as help.bat on your desktop. Choose to "Save type as - All Files"

It should look like this: [image]
Double-click help.bat to run it.
look.txt will be created on your desktop. Kindly attach that file in your next reply.

It may be large, so you may need to zip it up and attach it.

Thanks.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
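To see what the look.txt export (or ComboFix's "Reg Loading Points" section above, which uses the same REGEDIT4 syntax) actually contains, here is an added Python parser; it is not part of the thread or of any tool used in it. It assumes ComboFix's convention of marking an autostart entry whose file it could not find with [X], and the sample input is constructed from the log above plus one made-up binary value.

```python
# Added example, not from the thread: parser for the REGEDIT4 export format that
# "regedit /e" writes into look.txt and that ComboFix's "Reg Loading Points" mimics.
import re
_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
_STRING = re.compile(r'^"(.*)"(?:\s+\[([^\]]*)\])?$')  # optional " [date size]" / " [X]"
_unescape = lambda s: s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg_export(text):
    """Return {key: {name: value}}: strings unescaped, ComboFix-annotated strings as
    (string, annotation), hex: data (continued over lines ending in a backslash, as
    regedit writes binary BagMRU values) as bytes, anything else verbatim."""
    keys, current, pending = {}, None, None
    for raw in text.lstrip('\ufeff').splitlines():  # open look.txt with encoding='utf-16' on XP
        line = raw.strip()
        if pending:  # continuation line of a hex: value
            pending[1].append(line.rstrip('\\'))
            if not line.endswith('\\'):
                current[pending[0]] = bytes.fromhex(''.join(pending[1]).replace(',', ''))
                pending = None
        elif line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif (m := _VALUE.match(line)) and current is not None:  # header/blank lines skipped
            name, data = ('@' if m.group(1) == '@' else _unescape(m.group(2))), m.group(3)
            if s := _STRING.match(data):
                current[name] = (_unescape(s.group(1)), s.group(2)) if s.group(2) else _unescape(s.group(1))
            elif data.startswith('hex'):
                body = data.split(':', 1)[1]
                if body.endswith('\\'):
                    pending = (name, [body.rstrip('\\')])
                else:
                    current[name] = bytes.fromhex(body.replace(',', ''))
            else:
                current[name] = data  # e.g. the bare "=" lines of the firewall AuthorizedApplications list
    return keys

def missing_targets(keys):  # autostart values whose file ComboFix could not find (marked [X])
    return [(k, n) for k, vals in keys.items() for n, v in vals.items()
            if isinstance(v, tuple) and v[1] == 'X']

# Constructed sample: lines taken from the thread's log plus one made-up binary value.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-09-19 294912]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam]
"Demo"=hex:01,02,\
  03,04
'''
```

Running `missing_targets(parse_reg_export(SAMPLE))` returns the NvCplDaemon entry, the one Run value above whose target ComboFix could not locate.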


#15 jfp2150

  • Topic Starter
  • Members
  • 10 posts

Posted 29 March 2011 - 09:18 AM

Success! Everything is back to normal. My favorites are still missing, but they were a mess and needed to be cleaned up anyway. Now I'll be starting with a clean slate : )

I really can't thank you enough for what you have done and the amount of time you have generously allowed me. Thank you so much!
