
Possible Infection


This topic is locked.
4 replies to this topic

#1 MegaSlimeGod (Members, 2 posts)

Posted 03 January 2012 - 03:48 PM

MS Security Essentials identified FakeScanti and Sirefef.P and claimed to remove them. This was done pretty quick. I also killed a process with a weird name like ~2423#.tmp or something. Things went back to normal, but I noticed that it had changed the proxy settings on my Chrome Browser to use a Proxy Server (although no proxy set), so the browser didn't work until I changed this back. I also noticed tonight (a day later) that when I started Firefox (yes, I use both browsers) that too had its proxy changed, but this time with the proxy set to localhost and some port.

I subsequently did scans with Spybot, Malwarebytes, and MS SE. Only a few tracking cookies deleted.

So, then I was advised to run ComboFix, and ran it before I got the advice on here. The log is below. Did I get a virus? Can I be sure I got rid of it?


ComboFix 12-01-02.01 - Rob 02/01/2012 23:05:38.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.786 [GMT 0:00]
Running from: c:\users\Rob\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\Microsoft\corecon\1.0\1033\NonSDKAddonLangVer.dll
c:\programdata\Microsoft\corecon\1.0\1033\SDKAddonLangVer.dll
c:\programdata\Microsoft\corecon\1.0\addons\NonSDKAddonVer.dll
c:\programdata\Microsoft\corecon\1.0\addons\SDKAddonVer.dll
c:\programdata\Microsoft\corecon\1.0\SDKFilesVer.dll
c:\users\Default\AppData\Local\assembly\tmp
c:\users\Rob\AppData\Local\assembly\tmp
c:\windows\jestertb.dll
c:\windows\sqliteodbc2009.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\html
c:\windows\system32\html\calendar.html
c:\windows\system32\html\calendarbottom.html
c:\windows\system32\html\calendartop.html
c:\windows\system32\html\crystalexportdialog.htm
c:\windows\system32\html\crystalprinthost.html
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2012-01-02 23:28 . 2012-01-02 23:28 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F4404B1A-39DC-43C5-A237-D07C7133D398}\MpKsl20e85abd.sys
2012-01-02 23:28 . 2012-01-02 23:28 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F4404B1A-39DC-43C5-A237-D07C7133D398}\offreg.dll
2012-01-02 23:25 . 2012-01-02 23:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 23:25 . 2012-01-02 23:25 -------- d-----w- c:\users\Ange\AppData\Local\temp
2012-01-02 23:25 . 2012-01-02 23:28 -------- d-----w- c:\users\Rob\AppData\Local\temp
2012-01-02 21:46 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F4404B1A-39DC-43C5-A237-D07C7133D398}\mpengine.dll
2012-01-02 21:36 . 2012-01-02 21:36 102912 ----a-w- c:\users\Rob\AppData\Roaming\Microsoft\83CC\8739.tmp
2012-01-02 21:36 . 2012-01-02 21:36 -------- d-----w- c:\users\Rob\AppData\Roaming\2A9D7
2012-01-02 21:36 . 2012-01-02 21:36 292864 ----a-w- c:\users\Rob\AppData\Roaming\Microsoft\83CC\9D1.exe
2012-01-02 21:36 . 2012-01-02 21:36 -------- d-----w- c:\users\Rob\AppData\Roaming\CE42A
2012-01-02 15:32 . 2012-01-02 15:32 -------- d-----w- c:\program files\iPod
2012-01-02 15:32 . 2012-01-02 15:33 -------- d-----w- c:\program files\iTunes
2012-01-02 09:55 . 2012-01-02 09:56 -------- d-----w- c:\program files\FileZilla FTP Client
2011-12-14 23:40 . 2011-11-03 23:16 141112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-12-14 23:40 . 2011-11-03 22:31 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-14 23:39 . 2011-11-03 22:39 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 23:39 . 2011-11-03 22:37 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2011-12-14 23:39 . 2011-11-03 22:47 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 23:39 . 2011-11-03 22:42 678912 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-12-14 23:39 . 2011-11-03 22:40 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 20:11 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 20:11 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 20:11 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 20:11 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 20:11 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-12-14 20:11 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 20:11 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-06 19:32 . 2011-09-17 08:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-21 10:47 . 2010-04-26 17:55 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-11 08:22 . 2011-10-11 08:22 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E37E9971-442D-4C15-A258-430B627D0ED6}\gapaengine.dll
2008-08-16 17:42 . 2008-08-16 17:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 17:42 . 2008-08-16 17:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 17:42 . 2008-08-16 17:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 17:42 . 2008-08-16 17:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 17:43 . 2008-08-16 17:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 17:42 . 2008-08-16 17:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 17:42 . 2008-08-16 17:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 08:41 . 2008-05-21 08:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 08:41 . 2008-05-21 08:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 08:41 . 2008-05-21 08:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2010-03-31 09:09 . 2010-03-31 09:09 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2010-04-08 11:36 . 2010-04-08 11:36 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-06-05 13:58 . 2008-06-05 13:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 17:42 . 2008-08-16 17:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-11-21 04:21 . 2011-12-03 13:19 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-11-09 15:05 . 2010-11-09 15:05 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\COSDriveOverlayIcon]
@="{5FDACB62-6B7B-4116-9403-C5E0D3852A57}"
[HKEY_CLASSES_ROOT\CLSID\{5FDACB62-6B7B-4116-9403-C5E0D3852A57}]
2011-06-02 08:04 626480 ----a-w- c:\program files\COMODO\COMODO BackUp\ShellExtension_3.0.171317.133.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2008-11-07 197856]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Creative Element Power Tools Startup.lnk]
path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creative Element Power Tools Startup.lnk
backup=c:\windows\pss\Creative Element Power Tools Startup.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SDK Tray Menu.lnk
backup=c:\windows\pss\SDK Tray Menu.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9D1.exe]
2012-01-02 21:36 292864 ----a-w- c:\users\Rob\AppData\Roaming\Microsoft\83CC\9D1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-01 23:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-03-24 02:00 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-11-09 15:05 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-07 17:58 133104 ----atw- c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 11:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 11:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 01:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 13:48 647216 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-09-17 08:07 8497696 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-09-17 08:07 81920 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2007-09-17 08:07 86016 ----a-w- c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 17:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 09:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 11:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-11-22 22:56 303104 ----a-w- c:\windows\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 12:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R1 MpKsl1ebaf6cd;MpKsl1ebaf6cd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D11154A-2B05-4A85-AEF6-890A303388B3}\MpKsl1ebaf6cd.sys [x]
R1 MpKsl1fbe6f60;MpKsl1fbe6f60;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CB57334D-B041-4C1D-BD25-4E5F9D7F1827}\MpKsl1fbe6f60.sys [x]
R1 MpKsl2b2eb99c;MpKsl2b2eb99c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6BBC5A1D-CD38-41C7-833A-3748F86D514F}\MpKsl2b2eb99c.sys [x]
R1 MpKsl38628331;MpKsl38628331;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2DFA37A2-8385-483E-9406-26B8A5AE8419}\MpKsl38628331.sys [x]
R1 MpKsl38fd302a;MpKsl38fd302a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F7AAAFE8-838B-441E-B8E8-3243F9628BF4}\MpKsl38fd302a.sys [x]
R1 MpKsl44832583;MpKsl44832583;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1AB02774-A8CA-4147-8706-A3EE6BF9222B}\MpKsl44832583.sys [x]
R1 MpKsl4e56f83e;MpKsl4e56f83e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{43E84832-CC4E-4ACC-BAA5-2906D6DDFF5D}\MpKsl4e56f83e.sys [x]
R1 MpKsl4f14fac1;MpKsl4f14fac1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F4404B1A-39DC-43C5-A237-D07C7133D398}\MpKsl4f14fac1.sys [x]
R1 MpKsl5553b4c2;MpKsl5553b4c2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{78934151-72B2-4209-A1F3-07CF6902F8E3}\MpKsl5553b4c2.sys [x]
R1 MpKsl62bfe0f9;MpKsl62bfe0f9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B5F1BD95-43B0-4DC1-B517-DDB45D6F3E35}\MpKsl62bfe0f9.sys [x]
R1 MpKsl63c187be;MpKsl63c187be;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{684A34B6-2C04-474F-9514-991D12799AEF}\MpKsl63c187be.sys [x]
R1 MpKsl7f89c275;MpKsl7f89c275;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E47061E1-5613-45A0-AD3D-1630B5E22CFF}\MpKsl7f89c275.sys [x]
R1 MpKslaae511aa;MpKslaae511aa;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2F39FD3E-D1DD-4DB4-A878-9AA821066593}\MpKslaae511aa.sys [x]
R1 MpKsld406235a;MpKsld406235a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{913A4504-69A3-44F8-9EF3-F49413A16217}\MpKsld406235a.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 135664]
R2 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [2008-08-17 217088]
R3 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2010-07-30 24645]
R3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe [2009-05-06 104272]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-11-09 30192]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 135664]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2010-04-19 18432]
R3 reparse;reparse;c:\windows\system32\DRIVERS\cbreparse.sys [2011-06-02 429480]
R3 TfBulk;TfBulk;c:\windows\system32\DRIVERS\TfBulk.sys [2007-05-31 13312]
S0 bdisk;COMODO Disk Raw Access Filter;c:\windows\system32\drivers\bdisk.sys [2011-06-02 75160]
S0 CBUfs;CBUfs;c:\windows\system32\drivers\CBUFS.sys [2011-06-02 125624]
S0 cbvd;Comodo Encrypted Virtual Disk;c:\windows\system32\DRIVERS\cbvd.sys [2011-06-02 430528]
S1 MpKsl20e85abd;MpKsl20e85abd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F4404B1A-39DC-43C5-A237-D07C7133D398}\MpKsl20e85abd.sys [2012-01-02 29904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-03-06 20376]
S2 COSService.exe;Comodo Online Storage Service;c:\program files\COMODO\COMODO BackUp\COSService.exe [2011-06-02 579888]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [2008-11-07 25824]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SynchronizationService.exe;Comodo BackUp Service;c:\program files\COMODO\COMODO BackUp\SynchronizationService.exe [2011-06-02 1359664]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME\TomTomHOMEService.exe [2009-04-08 92008]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848]
S3 AVMNgBasM779;AVerMedia M779 Base Driver;c:\windows\system32\DRIVERS\AVerBas.sys [2007-02-13 49280]
S3 AVMNgCapM779;AVerMedia M779 Audio/Video Capture Driver;c:\windows\system32\DRIVERS\AVerCap.sys [2007-02-13 219648]
S3 AVMNgTunM779;AVerMedia M779 TVTuner Driver;c:\windows\system32\DRIVERS\AVerTun.sys [2007-02-13 147584]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbusflt.sys [2011-08-19 22176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys [2009-04-23 73368]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
S3 vdbus;Virtual Disk Bus Enumerator;c:\windows\system32\DRIVERS\vdbus.sys [2011-06-02 570584]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL20E85ABD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2008-12-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 17:12]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 17:12]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-938342807-2987780974-2459138358-1000Core.job
- c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-07 17:58]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-938342807-2987780974-2459138358-1000UA.job
- c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-07 17:58]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-938342807-2987780974-2459138358-1001Core.job
- c:\users\Ange\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 01:17]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-938342807-2987780974-2459138358-1001UA.job
- c:\users\Ange\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 01:17]
.
2011-01-11 c:\windows\Tasks\NSSstub.job
- c:\windows\System32\Adobe\Shockwave 11\nssstub.exe [2009-08-25 17:10]
.
2011-12-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
2012-01-02 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:57212
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: visionapp.net
TCP: DhcpNameServer = 87.194.255.155
FF - ProfilePath - c:\users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\lrjycxvd.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-fssui - c:\program files\Windows Live\Family Safety\fssui.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
AddRemove-Java Platform, Enterprise Edition 5 SDK - c:\sun\SDK\uninstall.exe
AddRemove-MSC - c:\program files\McAfee\MSC\mcuninst.exe
AddRemove-Ruby-186-25 - c:\ruby\uninstall.exe
AddRemove-{11233A17-BFFC-434A-8FC8-2E93369AF008}_is1 - c:\ruby191\unins000.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,17,70,9f,32,fb,94,43,ab,35,aa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,17,70,9f,32,fb,94,43,ab,35,aa,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3160)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\COMODO\COMODO BackUp\ShellExtension_3.0.171317.133.dll
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
c:\program files\FileZilla FTP Client\fzshellext.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2012-01-02 23:39:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-02 23:38
.
Pre-Run: 52,132,597,760 bytes free
Post-Run: 55,243,878,400 bytes free
.
- - End Of File - - 44ABB1EAFDBC97012BE08D72DCF88433

Edited by boopme, 03 January 2012 - 04:02 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:05 PM

Posted 09 January 2012 - 10:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Open notepad and copy/paste the text in the quote box below into it:

File::
c:\users\Rob\AppData\Roaming\Microsoft\83CC\8739.tmp
c:\users\Rob\AppData\Roaming\Microsoft\83CC\9D1.exe

Driver::
MpKsl1ebaf6cd
MpKsl1fbe6f60
MpKsl2b2eb99c
MpKsl38628331
MpKsl38fd302a
MpKsl44832583
MpKsl4e56f83e
MpKsl4f14fac1
MpKsl5553b4c2
MpKsl62bfe0f9
MpKsl63c187be
MpKsl7f89c275
MpKslaae511aa
MpKsld406235a

DirLook::
c:\users\Rob\AppData\Roaming\CE42A
c:\users\Rob\AppData\Roaming\2A9D7
c:\users\Rob\AppData\Roaming\Microsoft\83CC



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Third party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Let me know what problem persists.

#3 MegaSlimeGod

MegaSlimeGod
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:05 PM

Posted 09 January 2012 - 06:00 PM

See logs below as requested. One thing I have noticed is that the Mozilla proxy settings keep changing to point to a local proxy; even if I change it to no-proxy, it changes back. I use Chrome now, but I had been using Mozilla for development. Very suspicious, I thought.


Combo Fix Log
=============

ComboFix 12-01-09.03 - Rob 09/01/2012 22:23:29.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.874 [GMT 0:00]
Running from: c:\users\Rob\Desktop\ComboFix.exe
Command switches used :: c:\users\Rob\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Rob\AppData\Roaming\Microsoft\83CC\8739.tmp"
"c:\users\Rob\AppData\Roaming\Microsoft\83CC\9D1.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MPKSL1FBE6F60
-------\Legacy_MPKSL2B2EB99C
-------\Legacy_MPKSL4F14FAC1
-------\Legacy_MPKSL5553B4C2
-------\Legacy_MPKSLAAE511AA
-------\Service_MpKsl1ebaf6cd
-------\Service_MpKsl1fbe6f60
-------\Service_MpKsl2b2eb99c
-------\Service_MpKsl38628331
-------\Service_MpKsl38fd302a
-------\Service_MpKsl44832583
-------\Service_MpKsl4e56f83e
-------\Service_MpKsl4f14fac1
-------\Service_MpKsl5553b4c2
-------\Service_MpKsl62bfe0f9
-------\Service_MpKsl63c187be
-------\Service_MpKsl7f89c275
-------\Service_MpKslaae511aa
-------\Service_MpKsld406235a
.
.
((((((((((((((((((((((((( Files Created from 2011-12-09 to 2012-01-09 )))))))))))))))))))))))))))))))
.
.
2012-01-09 22:41 . 2012-01-09 22:41 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F52406D2-2C35-47F3-9C5E-5A111FDCD6A2}\offreg.dll
2012-01-09 22:39 . 2012-01-09 22:41 -------- d-----w- c:\users\Rob\AppData\Local\temp
2012-01-09 22:39 . 2012-01-09 22:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-09 22:39 . 2012-01-09 22:39 -------- d-----w- c:\users\Ange\AppData\Local\temp
2012-01-09 22:13 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F52406D2-2C35-47F3-9C5E-5A111FDCD6A2}\mpengine.dll
2012-01-02 21:36 . 2012-01-02 21:36 -------- d-----w- c:\users\Rob\AppData\Roaming\2A9D7
2012-01-02 21:36 . 2012-01-02 21:36 -------- d-----w- c:\users\Rob\AppData\Roaming\CE42A
2012-01-02 15:32 . 2012-01-02 15:32 -------- d-----w- c:\program files\iPod
2012-01-02 15:32 . 2012-01-02 15:33 -------- d-----w- c:\program files\iTunes
2012-01-02 09:55 . 2012-01-02 09:56 -------- d-----w- c:\program files\FileZilla FTP Client
2011-12-14 23:40 . 2011-11-03 23:16 141112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-12-14 23:40 . 2011-11-03 22:31 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-14 23:39 . 2011-11-03 22:39 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 23:39 . 2011-11-03 22:37 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2011-12-14 23:39 . 2011-11-03 22:47 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 23:39 . 2011-11-03 22:42 678912 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-12-14 23:39 . 2011-11-03 22:40 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 20:11 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 20:11 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 20:11 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 20:11 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 20:11 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-12-14 20:11 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 20:11 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:24 . 2010-12-05 23:58 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 19:32 . 2011-09-17 08:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-21 10:47 . 2010-04-26 17:55 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2008-08-16 17:42 . 2008-08-16 17:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 17:42 . 2008-08-16 17:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 17:42 . 2008-08-16 17:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 17:42 . 2008-08-16 17:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 17:43 . 2008-08-16 17:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 17:42 . 2008-08-16 17:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 17:42 . 2008-08-16 17:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 08:41 . 2008-05-21 08:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 08:41 . 2008-05-21 08:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 08:41 . 2008-05-21 08:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2010-03-31 09:09 . 2010-03-31 09:09 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2010-04-08 11:36 . 2010-04-08 11:36 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-06-05 13:58 . 2008-06-05 13:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 17:42 . 2008-08-16 17:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2010-11-09 15:05 . 2010-11-09 15:05 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Rob\AppData\Roaming\2A9D7 ----
.
.
---- Directory of c:\users\Rob\AppData\Roaming\CE42A ----
.
2012-01-02 21:36 . 2012-01-02 21:39 3826 ----a-w- c:\users\Rob\AppData\Roaming\CE42A\A9D7.E42
.
---- Directory of c:\users\Rob\AppData\Roaming\Microsoft\83CC ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\COSDriveOverlayIcon]
@="{5FDACB62-6B7B-4116-9403-C5E0D3852A57}"
[HKEY_CLASSES_ROOT\CLSID\{5FDACB62-6B7B-4116-9403-C5E0D3852A57}]
2011-06-02 08:04 626480 ----a-w- c:\program files\COMODO\COMODO BackUp\ShellExtension_3.0.171317.133.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2008-11-07 197856]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Creative Element Power Tools Startup.lnk]
path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creative Element Power Tools Startup.lnk
backup=c:\windows\pss\Creative Element Power Tools Startup.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SDK Tray Menu.lnk
backup=c:\windows\pss\SDK Tray Menu.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-01 23:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-03-24 02:00 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-18 01:40 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-11-09 15:05 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-07 17:58 133104 ----atw- c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 11:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 11:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 01:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 13:48 647216 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-09-17 08:07 8497696 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-09-17 08:07 81920 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2007-09-17 08:07 86016 ----a-w- c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 17:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 09:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 11:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-11-22 22:56 303104 ----a-w- c:\windows\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 12:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2008-12-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 17:12]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 17:12]
.
2012-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-938342807-2987780974-2459138358-1000Core.job
- c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-07 17:58]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-938342807-2987780974-2459138358-1000UA.job
- c:\users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-07 17:58]
.
2012-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-938342807-2987780974-2459138358-1001Core.job
- c:\users\Ange\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 01:17]
.
2012-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-938342807-2987780974-2459138358-1001UA.job
- c:\users\Ange\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 01:17]
.
2011-12-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
2012-01-09 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-12-14 04:09]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:57212
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: visionapp.net
TCP: DhcpNameServer = 87.194.255.155
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-9D1 - c:\users\Rob\AppData\Roaming\Microsoft\83CC\9D1.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-09 22:42
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,17,70,9f,32,fb,94,43,ab,35,aa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,17,70,9f,32,fb,94,43,ab,35,aa,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2540)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\COMODO\COMODO BackUp\ShellExtension_3.0.171317.133.dll
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
c:\program files\FileZilla FTP Client\fzshellext.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\atashost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\COMODO\COMODO BackUp\COSService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\COMODO\COMODO BackUp\SynchronizationService.exe
c:\program files\TomTom HOME\TomTomHOMEService.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2012-01-09 22:49:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-09 22:49
ComboFix2.txt 2012-01-02 23:39
.
Pre-Run: 55,599,828,992 bytes free
Post-Run: 57,880,018,944 bytes free
.
- - End Of File - - DF8F819B18150001197EA001BB519AAE

Security Essentials Log

Results of screen317's Security Check version 0.99.30
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
CCleaner
Java™ 6 Update 29
Java™ SE Runtime Environment 6
Java™ 6 Update 7
Java version out of date!
Adobe Flash Player 11.1.102.55
Adobe Reader X (10.1.1)
Mozilla Firefox (Firefox,.. Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Spybot Teatimer.exe is disabled!
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:05 PM

Posted 10 January 2012 - 10:53 AM

Open notepad and copy/paste the text in the quote box below into it:

Folder::
c:\users\Rob\AppData\Roaming\2A9D7
c:\users\Rob\AppData\Roaming\CE42A
c:\users\Rob\AppData\Roaming\Microsoft\83CC

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:57212
uInternet Settings,ProxyOverride = *.local;<local>

ClearJavaCache::


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 29
Java™ SE Runtime Environment 6
Java™ 6 Update 7


Let me know what problem persists.

Edited by nasdaq, 10 January 2012 - 10:54 AM.
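The indicator nasdaq's DDS:: lines clear (a WinINet ProxyServer of http=127.0.0.1:57212) and the Firefox proxy that MegaSlimeGod saw being reset are the same pattern: a browser silently pointed at a proxy on the local machine. The script below is an added example, not code from this thread or from ComboFix/DDS, showing how to parse both settings formats and flag loopback proxies. The ComboFix excerpt and the Firefox prefs.js fragment are constructed sample input modelled on the log above; the reading of the leading u/m as per-user vs machine-wide, and the Firefox network.proxy.* preference names, are assumptions of this example.

```python
import re

# Constructed sample input: a ComboFix "Supplementary Scan" excerpt in the
# same format as the log in this thread (not copied from a real machine).
COMBOFIX_SAMPLE = """\
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:57212
uInternet Settings,ProxyOverride = *.local;<local>
TCP: DhcpNameServer = 87.194.255.155
"""

# Constructed sample input: a Firefox prefs.js fragment with a manual proxy
# (network.proxy.type 1 = manual configuration; assumed pref names).
PREFS_JS_SAMPLE = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 57212);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_wininet_proxy(value):
    """Parse a WinINet ProxyServer string into {scheme: (host, port)}.

    The value is either "host:port" (used for every protocol, stored here
    under "*") or a ";"-separated list such as "http=host:port;https=host:port".
    """
    result = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        if ":" in hostport:
            host, port = hostport.rsplit(":", 1)
        else:
            host, port = hostport, ""
        host = host.strip("[]")  # tolerate "[::1]:port"
        result[scheme or "*"] = (host, int(port) if port.isdigit() else None)
    return result


def combofix_proxy_findings(log_text):
    """Return findings for ProxyServer lines that point at the local machine.

    Assumption: a leading "u" means the per-user (HKCU) value and "m" the
    machine-wide (HKLM) value, following the DDS/ComboFix log convention.
    """
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(u|m)Internet Settings,ProxyServer\s*=\s*(.+)$", line.strip())
        if not m:
            continue
        scope = "user" if m.group(1) == "u" else "machine"
        for scheme, (host, port) in parse_wininet_proxy(m.group(2)).items():
            if host.lower() in LOOPBACK:
                findings.append(f"WinINet ({scope}) {scheme} proxy points at loopback {host}:{port}")
    return findings


def firefox_proxy_findings(prefs_text):
    """Return findings for a Firefox manual proxy that points at the local machine."""
    prefs = {}
    for m in re.finditer(r'user_pref\("([^"]+)",\s*(.+?)\);', prefs_text):
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"'):
            prefs[key] = raw.strip('"')
        elif raw.lstrip("-").isdigit():
            prefs[key] = int(raw)
        else:
            prefs[key] = raw  # true/false and anything else stay as text
    findings = []
    if prefs.get("network.proxy.type") != 1:  # only manual configuration names a host
        return findings
    for scheme in ("http", "ssl", "socks", "ftp"):
        host = prefs.get(f"network.proxy.{scheme}")
        if isinstance(host, str) and host.lower() in LOOPBACK:
            port = prefs.get(f"network.proxy.{scheme}_port")
            findings.append(f"Firefox manual {scheme} proxy points at loopback {host}:{port}")
    return findings


if __name__ == "__main__":
    for finding in combofix_proxy_findings(COMBOFIX_SAMPLE) + firefox_proxy_findings(PREFS_JS_SAMPLE):
        print(finding)
```

A loopback proxy is a flag to investigate, not proof of infection on its own: local filtering or debugging proxies (web debuggers, ad filters) legitimately listen on 127.0.0.1, so a hit should be matched against software the user knowingly installed. What made this case suspicious was the combination seen in the thread: a high random port, no program the user recognised, and the setting coming back after being cleared.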


#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:05 PM

Posted 16 January 2012 - 10:28 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



