
Checking to See if My System is Clean after Trojan Attack


13 replies to this topic

#1 JcbsDa

JcbsDa

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:03:23 PM

Posted 01 April 2013 - 08:14 PM

Hello-

I have recently recovered (I think) from an infection that caused my screen to go to white.  I was able to eventually get Malware Bytes to run and discover the virus, which I believe has been cleaned. 

 

I also do not have the ability to go to Safe Mode, but this occurred before this last infection.   Before I try to address the Safe Mode issue, it has been suggested by others at Bleeping that I make sure there are no lingering effects from the infection.  I'm attaching a link to that conversation:

 

http://www.bleepingcomputer.com/forums/t/489668/possible-malware-fbi-notification/ 

 

I am also including the log from the DDS scan I completed for this topic.

 

Please let me know if there are additional things I should do to clean my system if necessary before I move on to my next issue with Safe Mode.

 

Thank you!

 

JcbsDa

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 6.0.2900.5512
Run by Owner at 10:42:35 on 2013-04-01
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1790.1015 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uProxyOverride = <local>
uURLSearchHooks: SearchHook Class: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ant.com browser helper (video detector): {346FDE31-DFF9-418A-90C8-BA31DC9FF2EF} - c:\program files\ant.com\ie add-on\Download.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Browese2ssaaviee: {697E0E24-6C37-930E-C1F4-B0C27BF41D83} - c:\documents and settings\all users\application data\browese2ssaaviee\51395d5de6926.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
TB: Ant.com Download Toolbar: {2E924F4F-67F0-4BD8-9560-49F468E843D2} - c:\program files\ant.com\ie add-on\AntToolbar.dll
TB: Ant.com Download Toolbar: {2E924F4F-67F0-4BD8-9560-49F468E843D2} - c:\program files\ant.com\ie add-on\AntToolbar.dll
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [BCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\mssece~2.lnk - c:\program files\microsoft security client\msseces.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\mssece~1.lnk - c:\program files\microsoft security client\msseces.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {70AF6C9F-0818-4cf7-924A-BBDBB24211D3} - {70AF6C9F-0818-4cf7-924A-BBDBB24211D3} - c:\program files\ant.com\ie add-on\Download.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1285836946546
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15118/CTPID.cab
TCP: NameServer = 192.168.0.1 216.170.153.146
TCP: Interfaces\{6A139B5E-C783-4D02-AEA8-C2AB64D3AD00} : DHCPNameServer = 192.168.0.1 216.170.153.146
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\n7sp74mj.default-1362532316218\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Delta Search
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-03-07 21:57; uyyer10evsj@yad.co.uk; c:\documents and settings\owner\application data\mozilla\firefox\profiles\n7sp74mj.default-1362532316218\extensions\uyyer10evsj@yad.co.uk
.
---- FIREFOX POLICIES ----
.
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 4014bb720000000000006cf049dafbb7
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15781
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.09:16:31
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 195296]
R1 MpKsl8a96cb73;MpKsl8a96cb73;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{41169a48-55df-42fd-a0f5-795d0615c5f7}\MpKsl8a96cb73.sys [2013-3-31 29904]
R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2009-10-15 223464]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-9-15 88576]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-5-30 3048136]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-12-6 1691480]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2012-1-23 18560]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2011-9-27 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-10-24 27064]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2010-12-4 11232]
.
=============== File Associations ===============
.
ShellExec: switch.exe: open="c:\program files\nch software\switch\switch" "%L"
.
=============== Created Last 30 ================
.
2013-04-01 15:38:17    60872    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{41169a48-55df-42fd-a0f5-795d0615c5f7}\offreg.dll
2013-04-01 00:47:43    29904    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{41169a48-55df-42fd-a0f5-795d0615c5f7}\MpKsl8a96cb73.sys
2013-03-31 07:10:07    7108640    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{41169a48-55df-42fd-a0f5-795d0615c5f7}\mpengine.dll
2013-03-31 04:56:47    7108640    ------w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-03-29 04:21:00    --------    d-----w-    c:\program files\Silver Kite
2013-03-29 04:21:00    --------    d-----w-    c:\documents and settings\owner\application data\Silver Kite
2013-03-21 23:18:22    12928    -c----w-    c:\windows\system32\dllcache\usb8023x.sys
2013-03-21 23:18:22    12928    -c----w-    c:\windows\system32\dllcache\usb8023.sys
2013-03-17 14:15:40    --------    d-----w-    c:\documents and settings\all users\application data\Tarma Installer
2013-03-17 14:15:32    --------    d-----w-    c:\documents and settings\owner\application data\GoforFiles
2013-03-16 03:01:38    --------    d-----w-    c:\program files\DVDVideoSoft
2013-03-16 03:01:38    --------    d-----w-    c:\program files\common files\DVDVideoSoft
2013-03-16 03:01:38    --------    d-----w-    c:\documents and settings\owner\application data\DVDVideoSoft
2013-03-08 03:41:24    --------    d-----w-    c:\documents and settings\all users\application data\Browese2ssaaviee
2013-03-08 02:19:45    17248    ----a-w-    c:\program files\mozilla firefox\plugins\NPOFFICE.DLL
2013-03-08 02:19:45    103904    ----a-w-    c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2013-03-13 01:06:16    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 01:06:16    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-02-12 00:32:23    12928    ----a-w-    c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32:23    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-02-08 03:36:35    86016    ------w-    c:\windows\system32\pxwma.dll
2013-02-08 03:36:35    20368    ------w-    c:\windows\system32\drivers\PxHelp20.sys
2013-02-08 03:36:35    105472    ------w-    c:\windows\system32\pxcpyi64.exe
2013-02-08 03:36:35    103936    ------w-    c:\windows\system32\pxinsi64.exe
2013-02-06 10:48:44    81920    ----a-w-    c:\windows\system32\ieencode.dll
2013-02-06 10:48:44    667136    ----a-w-    c:\windows\system32\wininet.dll
2013-02-06 10:48:44    61952    ----a-w-    c:\windows\system32\tdc.ocx
2013-02-05 06:38:31    369664    ----a-w-    c:\windows\system32\html.iec
2013-01-26 03:55:44    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-20 21:59:04    195296    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-01-17 07:28:58    232336    ------w-    c:\windows\system32\MpSigStub.exe
2013-01-07 01:19:45    2148864    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01    2027520    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-01-02 06:49:10    148992    ----a-w-    c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10    1292288    ----a-w-    c:\windows\system32\quartz.dll
2011-04-09 16:21:22    7866472    ----a-w-    c:\program files\mseinstall.exe
2010-12-29 14:43:38    38808920    ----a-w-    c:\program files\FileFormatConverters.exe
2010-12-15 21:59:08    19985265    ----a-w-    c:\program files\vlc-1.1.5-win32.exe
2010-12-05 00:09:54    18734784    ----a-w-    c:\program files\WDM_A406.exe
2010-11-26 19:41:28    955784    ----a-w-    c:\program files\SkypeSetup.exe
2010-11-22 14:50:53    11398968    ----a-w-    c:\program files\Firefox Setup 4.0 Beta 7.exe
2010-10-04 02:47:09    6153352    ----a-w-    c:\program files\mbam-setup.exe
2010-10-04 02:10:32    16883056    ----a-w-    c:\program files\IE8-WindowsXP-x86-ENU.exe
2010-10-01 14:24:59    8534336    ----a-w-    c:\program files\Firefox Setup 3.6.10.exe
2010-05-12 00:16:45    320064    ----a-w-    c:\program files\Image Resizer Powertoy for Windows XP.msi
2010-02-20 13:47:41    16409960    ----a-w-    c:\program files\spybotsd162.exe
2004-01-21 19:47:52    442368    ----a-w-    c:\program files\HPUSBFW.EXE
2003-11-13 17:00:00    450560    ----a-w-    c:\program files\HPUSBF.EXE
.
============= FINISH: 10:43:53.00 ===============
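The DDS log above is what the helpers on the thread read by eye: they look for add-ons that load from user-writable data directories instead of Program Files, and for names that look machine-generated (the `Browese2ssaaviee` BHO under All Users\Application Data and the `uyyer10evsj@yad.co.uk` Firefox add-on are the two examples in this log). The following Python script is an added example, not part of DDS, ComboFix or this thread; it parses the `BHO:`/`TB:` and `FF - ExtSQL:` line formats shown above and applies those two heuristics. The directory list and the "mixed letters and digits, no separators" rule are assumptions made for this example, and the sample input is a constructed excerpt of lines copied from the log above.

```python
import re

# Added example: a small triage pass over DDS "Pseudo HJT Report" BHO/TB lines and
# Firefox "ExtSQL" lines.  Not a DDS feature; the rules below are this example's own.

BHO_RE = re.compile(
    r"^(?P<kind>BHO|TB): (?P<name>.+?): (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)
FF_EXT_RE = re.compile(
    r"^FF - ExtSQL: (?P<when>[^;]+); (?P<ext_id>[^;]+); (?P<path>.+)$"
)

# Locations a vendor installer does not normally use for an IE add-on DLL
# (assumed list for this example).
USER_WRITABLE_DIRS = (
    "\\application data\\", "\\local settings\\", "\\temp\\", "\\my documents\\",
)

# "Machine-generated" name heuristic (assumed): a single token of 8+ characters
# that mixes letters and digits with no spaces, dots or dashes.
GENERATED_TOKEN_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$")


def in_user_writable_dir(path: str) -> bool:
    """True if the load path sits under a profile/data directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_DIRS)


def looks_generated(token: str) -> bool:
    """True if the token matches the machine-generated-name heuristic."""
    return bool(GENERATED_TOKEN_RE.match(token.lower()))


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspicious line, with the reasons it was flagged."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            reasons = []
            if in_user_writable_dir(m["path"]):
                reasons.append("loads from a user-writable data directory, not Program Files")
            if looks_generated(m["name"]):
                reasons.append("single-token name mixing letters and digits")
            if reasons:
                findings.append({"kind": m["kind"], "name": m["name"],
                                 "path": m["path"], "reasons": reasons})
            continue
        m = FF_EXT_RE.match(line)
        if m:
            # Every Firefox extension lives under the profile in Application Data,
            # so the directory check says nothing here; only the add-on id is inspected.
            local_part = m["ext_id"].split("@", 1)[0]
            if looks_generated(local_part):
                findings.append({"kind": "FF-Ext", "name": m["ext_id"],
                                 "path": m["path"],
                                 "reasons": ["add-on id looks machine-generated"]})
    return findings


# Constructed sample: four lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Browese2ssaaviee: {697E0E24-6C37-930E-C1F4-B0C27BF41D83} - c:\documents and settings\all users\application data\browese2ssaaviee\51395d5de6926.dll
TB: Ant.com Download Toolbar: {2E924F4F-67F0-4BD8-9560-49F468E843D2} - c:\program files\ant.com\ie add-on\AntToolbar.dll
FF - ExtSQL: 2013-03-07 21:57; uyyer10evsj@yad.co.uk; c:\documents and settings\owner\application data\mozilla\firefox\profiles\n7sp74mj.default-1362532316218\extensions\uyyer10evsj@yad.co.uk
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}")
        for r in f["reasons"]:
            print(f"    - {r}")
        print(f"    path: {f['path']}")
```

Run against the sample, the script flags only the `Browese2ssaaviee` BHO (both reasons) and the Firefox add-on id; the Adobe and Ant.com entries pass both checks. A hit is a prompt to look closer, not a verdict: the checks are deliberately narrow so that vendor add-ons in Program Files stay quiet, and a legitimate product with a digit in its name would still need a human to clear it.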
 




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:23 PM

Posted 03 April 2013 - 09:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
[image: RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: whatnext.png]
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 JcbsDa

JcbsDa
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:03:23 PM

Posted 06 April 2013 - 10:34 AM

Hello- Thank you for your assistance! Please let me know how you would like me to proceed-

Here are the logs:

 

ComboFix 13-04-06.01 - Owner 04/06/2013  10:06:04.4.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1790.1150 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Browese2ssaaviee
c:\documents and settings\All Users\Application Data\Browese2ssaaviee\51395d5de6926.tlb
c:\documents and settings\All Users\Application Data\Browese2ssaaviee\data\Browese2ssaaviee.dat
c:\documents and settings\All Users\Application Data\Browese2ssaaviee\settings.ini
c:\documents and settings\All Users\Application Data\Browese2ssaaviee\uninstall.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\Application Data\vso_ts_preview.xml
c:\documents and settings\Owner\Start Menu\Programs\Startup\msseces.exe.lnk
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-06 to 2013-04-06  )))))))))))))))))))))))))))))))
.
.
2013-04-06 03:04 . 2013-03-15 07:21    7108640    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C7855384-9839-431A-A522-A5FA6B16DB04}\mpengine.dll
2013-04-05 02:26 . 2013-04-05 02:26    --------    d-----w-    c:\documents and settings\All Users\Application Data\SoftSafe
2013-04-05 00:10 . 2013-03-15 07:21    7108640    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-29 04:21 . 2013-03-29 04:21    --------    d-----w-    c:\program files\Silver Kite
2013-03-29 04:21 . 2013-03-29 04:21    --------    d-----w-    c:\documents and settings\Owner\Application Data\Silver Kite
2013-03-21 23:18 . 2013-02-12 00:32    12928    -c----w-    c:\windows\system32\dllcache\usb8023x.sys
2013-03-21 23:18 . 2013-02-12 00:32    12928    -c----w-    c:\windows\system32\dllcache\usb8023.sys
2013-03-17 14:15 . 2013-03-18 23:28    --------    d-----w-    c:\documents and settings\All Users\Application Data\Tarma Installer
2013-03-17 14:15 . 2013-03-17 14:15    --------    d-----w-    c:\documents and settings\Owner\Application Data\GoforFiles
2013-03-16 03:01 . 2013-03-16 03:05    --------    d-----w-    c:\documents and settings\Owner\Application Data\DVDVideoSoft
2013-03-16 03:01 . 2013-03-16 03:04    --------    d-----w-    c:\program files\DVDVideoSoft
2013-03-16 03:01 . 2013-03-16 03:01    --------    d-----w-    c:\program files\Common Files\DVDVideoSoft
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-02 10:33 . 2010-10-02 11:00    237088    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-13 01:06 . 2012-07-20 01:25    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-03-13 01:06 . 2011-07-16 02:14    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-12 00:32 . 2008-04-13 18:56    12928    ----a-w-    c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-04 12:00    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-02-08 03:36 . 2013-02-08 03:36    86016    ------w-    c:\windows\system32\pxwma.dll
2013-02-08 03:36 . 2013-02-08 03:36    20368    ------w-    c:\windows\system32\drivers\PxHelp20.sys
2013-02-08 03:36 . 2013-02-08 03:36    105472    ------w-    c:\windows\system32\pxcpyi64.exe
2013-02-08 03:36 . 2013-02-08 03:36    103936    ------w-    c:\windows\system32\pxinsi64.exe
2013-02-06 10:48 . 2004-08-04 12:00    81920    ----a-w-    c:\windows\system32\ieencode.dll
2013-02-06 10:48 . 2004-08-04 12:00    667136    ----a-w-    c:\windows\system32\wininet.dll
2013-02-06 10:48 . 2004-08-04 12:00    61952    ----a-w-    c:\windows\system32\tdc.ocx
2013-02-05 06:38 . 2004-08-04 12:00    369664    ----a-w-    c:\windows\system32\html.iec
2013-01-26 03:55 . 2004-08-04 12:00    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-20 21:59 . 2012-08-31 04:03    195296    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-01-07 01:19 . 2004-08-04 12:00    2148864    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2004-08-03 22:59    2027520    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2011-04-09 16:21 . 2011-04-09 16:21    7866472    ----a-w-    c:\program files\mseinstall.exe
2010-12-29 14:43 . 2010-12-29 14:42    38808920    ----a-w-    c:\program files\FileFormatConverters.exe
2010-12-15 21:59 . 2010-12-15 21:57    19985265    ----a-w-    c:\program files\vlc-1.1.5-win32.exe
2010-12-05 00:09 . 2009-07-03 01:37    18734784    ----a-w-    c:\program files\WDM_A406.exe
2010-11-26 19:41 . 2010-11-26 19:41    955784    ----a-w-    c:\program files\SkypeSetup.exe
2010-11-22 14:50 . 2010-11-22 14:49    11398968    ----a-w-    c:\program files\Firefox Setup 4.0 Beta 7.exe
2010-10-04 02:47 . 2010-10-02 13:17    6153352    ----a-w-    c:\program files\mbam-setup.exe
2010-10-04 02:10 . 2010-10-04 02:10    16883056    ----a-w-    c:\program files\IE8-WindowsXP-x86-ENU.exe
2010-10-01 14:24 . 2010-10-01 14:24    8534336    ----a-w-    c:\program files\Firefox Setup 3.6.10.exe
2010-05-12 00:16 . 2010-11-20 14:51    320064    ----a-w-    c:\program files\Image Resizer Powertoy for Windows XP.msi
2010-02-20 13:47 . 2010-10-02 13:17    16409960    ----a-w-    c:\program files\spybotsd162.exe
2004-01-21 19:47 . 2011-01-01 17:51    442368    ----a-w-    c:\program files\HPUSBFW.EXE
2003-11-13 17:00 . 2011-01-01 17:51    450560    ----a-w-    c:\program files\HPUSBF.EXE
2013-03-07 14:31 . 2013-03-18 23:23    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-30 19523616]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-15 375000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-12-10 363752]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
msseces.exe (2).lnk - c:\program files\Microsoft Security Client\msseces.exe [2013-1-27 947152]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0sprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCU]
2009-10-15 21:06    375000    ----a-w-    c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-10-31 15:51    57344    ----a-w-    c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-27 17:17    1381376    ----a-w-    c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2013-01-27 17:11    947152    ----a-w-    c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ------w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-03-16 10:37    13670504    ----a-w-    c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
1998-07-25 07:00    36352    ----a-w-    e:\program files\System\REMINDER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-04-30 09:22    19523616    ----a-w-    c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07    2260480    ----a-w-    c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\BitTorrent-7.1.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\VTech\\DownloadManager\\System\\AgentMonitor.exe"=
.
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/15/2009 4:06 PM 223464]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [9/15/2011 1:06 PM 88576]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [5/30/2012 1:56 PM 3048136]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [9/18/2011 7:05 PM 47360]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/6/2010 10:37 PM 1691480]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/23/2012 4:34 PM 18560]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [9/27/2011 10:27 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [10/24/2012 8:28 PM 27064]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [12/4/2010 6:47 PM 11232]
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-20 01:06]
.
2013-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2013-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 02:40]
.
2013-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 02:40]
.
2013-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1202660629-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 16:39]
.
2013-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1202660629-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 16:39]
.
2013-04-06 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 17:11]
.
2013-03-16 c:\windows\Tasks\SwitchDowngrade.job
- c:\program files\NCH Software\Switch\switch.exe [2013-01-19 22:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Delta Search
FF - prefs.js: browser.startup.homepage - about:home
FF - ExtSQL: 2013-03-07 21:57; uyyer10evsj@yad.co.uk; c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\extensions\uyyer10evsj@yad.co.uk
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - 4014bb720000000000006cf049dafbb7
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15781
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.09:16
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
AddRemove-SP_48c708f2 - c:\program files\BrowseToSave\uninstall.exe
AddRemove-{40AFACC8-65A3-F39C-0799-C97FA42FDBDD} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{AE08E~1\Setup.exe
AddRemove-{8879000A-931E-B875-1BD1-7E4B5D59B497} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{CB198~1\Setup.exe
AddRemove-{899059EF-86E3-416E-A385-CEC152737B19} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{89905~1\Setup.exe
AddRemove-{AB4E4564-EC98-46EE-A405-A4BA70AD6792} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{AB4E4~1\Setup.exe
AddRemove-{BA638ADF-0DCA-43DE-A135-45E86180A829} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{BA638~1\Setup.exe
AddRemove-{F259A2AF-A7DF-105E-D958-30B77BA570B6} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{FA33A~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-06 10:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(6640)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2013-04-06  10:22:44 - machine was rebooted
ComboFix-quarantined-files.txt  2013-04-06 15:22
ComboFix2.txt  2012-10-24 02:23
ComboFix3.txt  2012-10-22 05:45
ComboFix4.txt  2012-10-19 04:35
.
Pre-Run: 57,583,869,952 bytes free
Post-Run: 86,926,655,488 bytes free
.
- - End Of File - - 763227AFB468BC26C43AD0E874C24075
 Results of screen317's Security Check version 0.99.62  
 Windows XP Service Pack 3 x86   
 Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 Microsoft Security Essentials    
`````````Anti-malware/Other Utilities Check:`````````
 WinPatrol
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.70.0.1100  
 CCleaner     
 Adobe Flash Player     11.6.602.180  
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox 19.0.2 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 WinPatrol winpatrol.exe
 BillP Studios WinPatrol winpatrol.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
# AdwCleaner v2.200 - Logfile created 04/06/2013 at 10:26:59
# Updated 02/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - VALUED-C443F67D
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner\Desktop\BleepingComp\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\DeviceVM
File Deleted : C:\Documents and Settings\All Users\Desktop\iLivid.lnk
File Deleted : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\searchplugins\BrowserProtect.xml
File Deleted : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\searchplugins\delta.xml
Folder Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\psvn0tfe.default\extensions\crossriderapp3491@crossrider.com
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\All Users\Application Data\SoftSafe
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\i1z4g3gt.default\extensions\crossriderapp3491@crossrider.com
Folder Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\Owner\Start Menu\Programs\Freeze.com
Folder Deleted : C:\Program Files\1ClickDownload
Folder Deleted : C:\Program Files\Coupon Companion Plugin
Folder Deleted : C:\Program Files\fbphotozoom
Folder Deleted : C:\Program Files\Freeze.com
Folder Deleted : C:\Program Files\Mozilla Firefox\Extensions\ffxtlbr@babylon.com

***** [Registry] *****

Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\5f6dfdde66eeb43
Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\5f6dfdde66eeb43
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{20E7BC40-33F6-4A81-9D52-B58349326206}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C3F3165C-74D3-6FDB-3274-14FDA8698CFA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\1ClickDownload
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Vid-Saver
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKLM\Software\TENCENT

***** [Internet Browsers] *****

-\\ Internet Explorer v6.0.2900.5512

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\28rj05ip.default-1362502967312\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\28rj05ip.default-1362502967312\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7xn916ii.default-1362502825218\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7xn916ii.default-1362502825218\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hzhypufk.default-1362506943312\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hzhypufk.default-1362506943312\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\i1z4g3gt.default\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\i1z4g3gt.default\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("extensions.crossriderapp21804.21804.InstallationTime", 1358618296);
Deleted : user_pref("extensions.crossriderapp21804.21804.active", true);
Deleted : user_pref("extensions.crossriderapp21804.21804.addressbar", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.addressbarenhanced", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.backgroundjs", "\n\n//\n");
Deleted : user_pref("extensions.crossriderapp21804.21804.backgroundver", 32);
Deleted : user_pref("extensions.crossriderapp21804.21804.can_run_bg_code", true);
Deleted : user_pref("extensions.crossriderapp21804.21804.certdomaininstaller", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.changeprevious", false);
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie.InstallationTime.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie.InstallationTime.value", "1358618296");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:0[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_aoi.value", "1358618296");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_arbitrary_code.expiration", "Tue Mar 05 2[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_arbitrary_code.value", "%22%28function%28[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_blocklist.expiration", "Tue Mar 05 2013 1[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_blocklist.value", "%22nonexistantdomain.c[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_cf_ab_cap1.expiration", "Fri Feb 01 2030 [...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_cf_ab_cap1.value", "%22lbcmmpmjjaockhkcof[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_cf_bu1.expiration", "Fri Feb 01 2030 00:0[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_cf_bu1.value", "1361239702");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_country_code.expiration", "Sun Mar 10 201[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_country_code.value", "%22US%22");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_crr.expiration", "Fri Feb 01 2030 00:00:0[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_crr.value", "1362502543");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_currenttime.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_currenttime.value", "%221361906413%22");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_hotfix20111102645.expiration", "Fri Feb 0[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_hotfix20111102645.value", "%221%22");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_installer_params.expiration", "Fri Feb 01[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_installer_params.value", "%7B%22source_id[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_installtime.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_installtime.value", "%221357677859%22");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_parent_zoneid.value", "%2214019%22");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_pc_20120828.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_pc_20120828.value", "1358618521751");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_product_id.expiration", "Fri Feb 01 2030 [...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_product_id.value", "%221175%22");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_sr[adultfriendfinder.com].expiration", "F[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_sr[adultfriendfinder.com].value", "136220[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_sr[fling.com].expiration", "Wed Mar 06 20[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_sr[fling.com].value", "1362031109");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_sr[xdating.com].expiration", "Tue Mar 05 [...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_sr[xdating.com].value", "1362461081");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:0[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie._GPL_zoneid.value", "%22133176%22");
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie.dbtest.expiration", "Fri Feb 01 2030 00:00:00 [...]
Deleted : user_pref("extensions.crossriderapp21804.21804.cookie.dbtest.value", "1358618299294");
Deleted : user_pref("extensions.crossriderapp21804.21804.description", "Coupon Companion");
Deleted : user_pref("extensions.crossriderapp21804.21804.domain", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.enablesearch", false);
Deleted : user_pref("extensions.crossriderapp21804.21804.fbremoteurl", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.group", 0);
Deleted : user_pref("extensions.crossriderapp21804.21804.homepage", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.iframe", false);
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_appVer.expiration", "Fri Feb 01 [...]
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_appVer.value", "46");
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_lastVersion.expiration", "Fri Fe[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_lastVersion.value", "1");
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_meta.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_meta.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_nextCheck.expiration", "Tue Mar [...]
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_nextCheck.value", "true");
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_queue.expiration", "Fri Feb 01 2[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_queue.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_remote_resources.expiration", "F[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.internaldb.Resources_remote_resources.value", "%7B%22[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.js", "\n\nif(\"undefined\"!=typeof _GPL_PLUGIN){var _[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.manifesturl", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.name", "Coupon Companion Plugin");
Deleted : user_pref("extensions.crossriderapp21804.21804.newtab", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.opensearch", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_1.code", "appAPI._cr_config={appID:fun[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_1.name", "base");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_1.ver", 4);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_1000014.code", "Array.prototype.indexO[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_1000014.name", "GPL Plugin (Loader)");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_1000014.ver", 15);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_1000015.code", "var a=appAPI.db.getLis[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_1000015.name", "GPL Background (BG)");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_1000015.ver", 34);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_13.code", "(function(a){a.selectedText[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_13.name", "CrossriderAppUtils");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_13.ver", 2);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_14.code", "if(typeof(appAPI)===\"undef[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_14.name", "CrossriderUtils");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_14.ver", 2);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_16.code", "if((typeof isBackground===\[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_16.name", "FFAppAPIWrapper");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_16.ver", 5);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_17.code", "if(typeof window!==\"undefi[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_17.name", "jQuery");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_17.ver", 3);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_21.code", "var CrossriderDebugManager=[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_21.name", "debug");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_21.ver", 3);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_22.code", "(function(a){appAPI.queueMa[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_22.name", "resources");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_22.ver", 2);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_28.code", "var CrossriderInitializerPl[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_28.name", "initializer");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_28.ver", 2);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_4.code", "var jQuery = $jquery_171 = $[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_4.name", "jquery_1_7_1");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_4.ver", 3);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_47.code", "(function(){appAPI.ready=fu[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_47.name", "resources_background");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_47.ver", 1);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_64.code", "(function(){var h=\"__CR_EM[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_64.name", "appApiMessage");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_64.ver", 1);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_72.code", "if(appAPI.__should_activate[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_72.name", "appApiValidation");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_72.ver", 1);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_78.code", "if(typeof jQuery!==\"undefi[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_78.name", "CrossriderInfo");
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins.plugin_78.ver", 2);
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins_lists.plugins_0", "4,14,78,16,64,47,72,100001[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins_lists.plugins_1", "17,14,78,13,16,64,4,1,21,2[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.plugins_lists.plugins_5", "4,14,78,13,16,64,47,72");
Deleted : user_pref("extensions.crossriderapp21804.21804.pluginsurl", "hxxp://app-static.crossrider.com/plugin[...]
Deleted : user_pref("extensions.crossriderapp21804.21804.pluginsversion", 43);
Deleted : user_pref("extensions.crossriderapp21804.21804.publisher", "215 Apps");
Deleted : user_pref("extensions.crossriderapp21804.21804.searchstatus", 0);
Deleted : user_pref("extensions.crossriderapp21804.21804.setnewtab", false);
Deleted : user_pref("extensions.crossriderapp21804.21804.settingsurl", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.thankyou", "");
Deleted : user_pref("extensions.crossriderapp21804.21804.updateinterval", 360);
Deleted : user_pref("extensions.crossriderapp21804.21804.ver", 46);
Deleted : user_pref("extensions.crossriderapp21804.adsOldValue", -1);
Deleted : user_pref("extensions.crossriderapp21804.apps", "21804");
Deleted : user_pref("extensions.crossriderapp21804.bic", "13c53f60091490f41c64634b95ca3f69");
Deleted : user_pref("extensions.crossriderapp21804.cid", 21804);
Deleted : user_pref("extensions.crossriderapp21804.firstrun", false);
Deleted : user_pref("extensions.crossriderapp21804.hadappinstalled", true);
Deleted : user_pref("extensions.crossriderapp21804.installationdate", 1358618296);
Deleted : user_pref("extensions.crossriderapp21804.lastcheck", 22708149);
Deleted : user_pref("extensions.crossriderapp21804.lastcheckitem", 22708380);
Deleted : user_pref("extensions.crossriderapp21804.modetype", "production");
Deleted : user_pref("extensions.crossriderapp21804.reportInstall", true);
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ko9dbtuq.default-1362503039312\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ko9dbtuq.default-1362503039312\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("browser.search.selectedEngine", "Delta Search");
Deleted : user_pref("extensions.51395d5de685f.scode", "(function(){try{if('aol.com,mail.google.com,premiumrepo[...]
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("extensions.delta.admin", false);
Deleted : user_pref("extensions.delta.aflt", "babsst");
Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Deleted : user_pref("extensions.delta.autoRvrt", "false");
Deleted : user_pref("extensions.delta.dfltLng", "en");
Deleted : user_pref("extensions.delta.excTlbr", false);
Deleted : user_pref("extensions.delta.id", "4014bb720000000000006cf049dafbb7");
Deleted : user_pref("extensions.delta.instlDay", "15781");
Deleted : user_pref("extensions.delta.instlRef", "sst");
Deleted : user_pref("extensions.delta.newTab", false);
Deleted : user_pref("extensions.delta.prdct", "delta");
Deleted : user_pref("extensions.delta.prtnrId", "delta");
Deleted : user_pref("extensions.delta.rvrt", "false");
Deleted : user_pref("extensions.delta.smplGrp", "none");
Deleted : user_pref("extensions.delta.tlbrId", "base");
Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Deleted : user_pref("extensions.delta.vrsn", "1.8.10.0");
Deleted : user_pref("extensions.delta.vrsnTs", "1.8.10.09:16:31");
Deleted : user_pref("extensions.delta.vrsni", "1.8.10.0");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nf04fi5a.default-1362503095203\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\nf04fi5a.default-1362503095203\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\z1pobup1.default-1362528383750\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\z1pobup1.default-1362528383750\user.js ... Deleted !

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\psvn0tfe.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v26.0.1410.43

File : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [11533 octets] - [18/10/2012 21:03:39]
AdwCleaner[S2].txt - [28889 octets] - [06/04/2013 10:26:59]

########## EOF - C:\AdwCleaner[S2].txt - [28950 octets] ##########
 



#4 nasdaq

  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 April 2013 - 12:49 PM

Get the latest version of the Adobe Reader.
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.

===

You may not use it, but for your added security I suggest you get Internet Explorer 7.
===

Defrag your hard drive. This may take some 2 to 3 hours; do it when you will not need the computer.

===

Please run ComboFix one more time and submit the log for my review.

Let me know what problem persists.


#5 JcbsDa

  • Topic Starter
  • Members
  • 67 posts

Posted 08 April 2013 - 10:02 PM

Thank you, Nasdaq.
I will post my log below.

I am finding, however, that I am now getting a notification fairly frequently (every 10 minutes) regarding "Running a DLL as an app." I have always declined the change that is requested and I'm not sure if this is the right thing to do. Can I send you a personal email that will allow me to send you a screen shot of the notification?

Here is my most recent log from ComboFix. Thank you!

ComboFix 13-04-06.01 - Owner 04/08/2013  20:29:18.6.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1790.1327 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-09 to 2013-04-09  )))))))))))))))))))))))))))))))
.
.
2013-04-08 04:08 . 2013-03-15 07:21    7108640    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4D5BE3A3-B65C-463C-B90C-60905FE0C567}\mpengine.dll
2013-04-07 23:29 . 2013-04-07 23:29    --------    d-----w-    c:\program files\Common Files\Adobe
2013-04-06 15:30 . 2013-03-15 07:21    7108640    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-29 04:21 . 2013-03-29 04:21    --------    d-----w-    c:\program files\Silver Kite
2013-03-29 04:21 . 2013-03-29 04:21    --------    d-----w-    c:\documents and settings\Owner\Application Data\Silver Kite
2013-03-21 23:18 . 2013-02-12 00:32    12928    -c----w-    c:\windows\system32\dllcache\usb8023x.sys
2013-03-21 23:18 . 2013-02-12 00:32    12928    -c----w-    c:\windows\system32\dllcache\usb8023.sys
2013-03-17 14:15 . 2013-03-17 14:15    --------    d-----w-    c:\documents and settings\Owner\Application Data\GoforFiles
2013-03-16 03:01 . 2013-03-16 03:05    --------    d-----w-    c:\documents and settings\Owner\Application Data\DVDVideoSoft
2013-03-16 03:01 . 2013-03-16 03:04    --------    d-----w-    c:\program files\DVDVideoSoft
2013-03-16 03:01 . 2013-03-16 03:01    --------    d-----w-    c:\program files\Common Files\DVDVideoSoft
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-02 10:33 . 2010-10-02 11:00    237088    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-13 01:06 . 2012-07-20 01:25    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-03-13 01:06 . 2011-07-16 02:14    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-12 00:32 . 2008-04-13 18:56    12928    ----a-w-    c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-04 12:00    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-02-08 03:36 . 2013-02-08 03:36    86016    ------w-    c:\windows\system32\pxwma.dll
2013-02-08 03:36 . 2013-02-08 03:36    20368    ------w-    c:\windows\system32\drivers\PxHelp20.sys
2013-02-08 03:36 . 2013-02-08 03:36    105472    ------w-    c:\windows\system32\pxcpyi64.exe
2013-02-08 03:36 . 2013-02-08 03:36    103936    ------w-    c:\windows\system32\pxinsi64.exe
2013-02-06 10:48 . 2004-08-04 12:00    81920    ----a-w-    c:\windows\system32\ieencode.dll
2013-02-06 10:48 . 2004-08-04 12:00    667136    ----a-w-    c:\windows\system32\wininet.dll
2013-02-06 10:48 . 2004-08-04 12:00    61952    ----a-w-    c:\windows\system32\tdc.ocx
2013-02-05 06:38 . 2004-08-04 12:00    369664    ----a-w-    c:\windows\system32\html.iec
2013-01-26 03:55 . 2004-08-04 12:00    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-20 21:59 . 2012-08-31 04:03    195296    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2011-04-09 16:21 . 2011-04-09 16:21    7866472    ----a-w-    c:\program files\mseinstall.exe
2010-12-29 14:43 . 2010-12-29 14:42    38808920    ----a-w-    c:\program files\FileFormatConverters.exe
2010-12-15 21:59 . 2010-12-15 21:57    19985265    ----a-w-    c:\program files\vlc-1.1.5-win32.exe
2010-12-05 00:09 . 2009-07-03 01:37    18734784    ----a-w-    c:\program files\WDM_A406.exe
2010-11-26 19:41 . 2010-11-26 19:41    955784    ----a-w-    c:\program files\SkypeSetup.exe
2010-11-22 14:50 . 2010-11-22 14:49    11398968    ----a-w-    c:\program files\Firefox Setup 4.0 Beta 7.exe
2010-10-04 02:47 . 2010-10-02 13:17    6153352    ----a-w-    c:\program files\mbam-setup.exe
2010-10-04 02:10 . 2010-10-04 02:10    16883056    ----a-w-    c:\program files\IE8-WindowsXP-x86-ENU.exe
2010-10-01 14:24 . 2010-10-01 14:24    8534336    ----a-w-    c:\program files\Firefox Setup 3.6.10.exe
2010-05-12 00:16 . 2010-11-20 14:51    320064    ----a-w-    c:\program files\Image Resizer Powertoy for Windows XP.msi
2010-02-20 13:47 . 2010-10-02 13:17    16409960    ----a-w-    c:\program files\spybotsd162.exe
2004-01-21 19:47 . 2011-01-01 17:51    442368    ----a-w-    c:\program files\HPUSBFW.EXE
2003-11-13 17:00 . 2011-01-01 17:51    450560    ----a-w-    c:\program files\HPUSBF.EXE
2013-03-07 14:31 . 2013-03-18 23:23    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-30 19523616]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-12-10 363752]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
msseces.exe (2).lnk - c:\program files\Microsoft Security Client\msseces.exe [2013-1-27 947152]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0sprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-10-31 15:51    57344    ----a-w-    c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-27 17:17    1381376    ----a-w-    c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2013-01-27 17:11    947152    ----a-w-    c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ------w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-03-16 10:37    13670504    ----a-w-    c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
1998-07-25 07:00    36352    ----a-w-    e:\program files\System\REMINDER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-04-30 09:22    19523616    ----a-w-    c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07    2260480    ----a-w-    c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\BitTorrent-7.1.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\VTech\\DownloadManager\\System\\AgentMonitor.exe"=
.
R1 MpKsl84bbc73f;MpKsl84bbc73f;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4D5BE3A3-B65C-463C-B90C-60905FE0C567}\MpKsl84bbc73f.sys [4/8/2013 8:59 AM 29904]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/15/2009 4:06 PM 223464]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [9/15/2011 1:06 PM 88576]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [9/18/2011 7:05 PM 47360]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [5/30/2012 1:56 PM 3048136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/6/2010 10:37 PM 1691480]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/23/2012 4:34 PM 18560]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [9/27/2011 10:27 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [10/24/2012 8:28 PM 27064]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [12/4/2010 6:47 PM 11232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL84BBC73F
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-20 01:06]
.
2013-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2013-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 02:40]
.
2013-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 02:40]
.
2013-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1202660629-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 16:39]
.
2013-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1202660629-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 16:39]
.
2013-04-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 17:11]
.
2013-03-16 c:\windows\Tasks\SwitchDowngrade.job
- c:\program files\NCH Software\Switch\switch.exe [2013-01-19 22:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - about:home
FF - ExtSQL: 2013-03-07 21:57; uyyer10evsj@yad.co.uk; c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\extensions\uyyer10evsj@yad.co.uk
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-BCU - c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe
MSConfigStartUp-BCU - c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe
AddRemove-{7C4A1726-C378-C4E9-A536-65E2128ABE53} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{27A27~1\Setup.exe
AddRemove-{A38B9B85-DDEA-6A01-0794-165C7D006177} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{C7DA7~1\Setup.exe
AddRemove-{A62F9CD0-B2E0-4F2A-88F2-79254A3C8539} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{A62F9~1\Setup.exe
AddRemove-{DC99E7A5-A3C5-D33F-12AB-BFBFC490F60E} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~2\{176FC~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-08 20:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3924)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-04-08  20:38:14
ComboFix-quarantined-files.txt  2013-04-09 01:38
ComboFix2.txt  2013-04-06 15:22
ComboFix3.txt  2012-10-24 02:23
ComboFix4.txt  2012-10-22 05:45
ComboFix5.txt  2013-04-08 03:58
.
Pre-Run: 87,568,367,616 bytes free
Post-Run: 87,877,390,336 bytes free
.
- - End Of File - - B56B210B190280AB3E0C0FF0F870204F
 



#6 nasdaq

  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 April 2013 - 07:23 AM

The error is probably caused by this unknown Firefox extension.

Open Notepad and copy/paste the text in the quote box below into it:

    Firefox::
    FF - ExtSQL: 2013-03-07 21:57; uyyer10evsj@yad.co.uk; c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\extensions\uyyer10evsj@yad.co.uk

Save this as CFScript.txt on your desktop.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know if the problem persists.

#7 JcbsDa

  • Topic Starter
  • Members
  • 67 posts

Posted 09 April 2013 - 10:05 PM

Thank you, Nasdaq.

Here is the log for the last ComboFix. Thank you!

ComboFix 13-04-06.01 - Owner 04/09/2013  21:48:18.7.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1790.1218 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-10 to 2013-04-10  )))))))))))))))))))))))))))))))
.
.
2013-04-09 02:19 . 2013-03-15 07:21    7108640    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3FB09779-6292-424A-8F83-701B6EF6E417}\mpengine.dll
2013-04-09 02:08 . 2013-03-15 07:21    7108640    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-07 23:29 . 2013-04-07 23:29    --------    d-----w-    c:\program files\Common Files\Adobe
2013-03-29 04:21 . 2013-03-29 04:21    --------    d-----w-    c:\program files\Silver Kite
2013-03-29 04:21 . 2013-03-29 04:21    --------    d-----w-    c:\documents and settings\Owner\Application Data\Silver Kite
2013-03-21 23:18 . 2013-02-12 00:32    12928    -c----w-    c:\windows\system32\dllcache\usb8023x.sys
2013-03-21 23:18 . 2013-02-12 00:32    12928    -c----w-    c:\windows\system32\dllcache\usb8023.sys
2013-03-17 14:15 . 2013-03-17 14:15    --------    d-----w-    c:\documents and settings\Owner\Application Data\GoforFiles
2013-03-16 03:01 . 2013-03-16 03:05    --------    d-----w-    c:\documents and settings\Owner\Application Data\DVDVideoSoft
2013-03-16 03:01 . 2013-03-16 03:04    --------    d-----w-    c:\program files\DVDVideoSoft
2013-03-16 03:01 . 2013-03-16 03:01    --------    d-----w-    c:\program files\Common Files\DVDVideoSoft
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-02 10:33 . 2010-10-02 11:00    237088    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-13 01:06 . 2012-07-20 01:25    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-03-13 01:06 . 2011-07-16 02:14    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-12 00:32 . 2008-04-13 18:56    12928    ----a-w-    c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-04 12:00    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2013-02-08 03:36 . 2013-02-08 03:36    86016    ------w-    c:\windows\system32\pxwma.dll
2013-02-08 03:36 . 2013-02-08 03:36    20368    ------w-    c:\windows\system32\drivers\PxHelp20.sys
2013-02-08 03:36 . 2013-02-08 03:36    105472    ------w-    c:\windows\system32\pxcpyi64.exe
2013-02-08 03:36 . 2013-02-08 03:36    103936    ------w-    c:\windows\system32\pxinsi64.exe
2013-02-06 10:48 . 2004-08-04 12:00    81920    ----a-w-    c:\windows\system32\ieencode.dll
2013-02-06 10:48 . 2004-08-04 12:00    667136    ----a-w-    c:\windows\system32\wininet.dll
2013-02-06 10:48 . 2004-08-04 12:00    61952    ----a-w-    c:\windows\system32\tdc.ocx
2013-02-05 06:38 . 2004-08-04 12:00    369664    ----a-w-    c:\windows\system32\html.iec
2013-01-26 03:55 . 2004-08-04 12:00    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-20 21:59 . 2012-08-31 04:03    195296    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2011-04-09 16:21 . 2011-04-09 16:21    7866472    ----a-w-    c:\program files\mseinstall.exe
2010-12-29 14:43 . 2010-12-29 14:42    38808920    ----a-w-    c:\program files\FileFormatConverters.exe
2010-12-15 21:59 . 2010-12-15 21:57    19985265    ----a-w-    c:\program files\vlc-1.1.5-win32.exe
2010-12-05 00:09 . 2009-07-03 01:37    18734784    ----a-w-    c:\program files\WDM_A406.exe
2010-11-26 19:41 . 2010-11-26 19:41    955784    ----a-w-    c:\program files\SkypeSetup.exe
2010-11-22 14:50 . 2010-11-22 14:49    11398968    ----a-w-    c:\program files\Firefox Setup 4.0 Beta 7.exe
2010-10-04 02:47 . 2010-10-02 13:17    6153352    ----a-w-    c:\program files\mbam-setup.exe
2010-10-04 02:10 . 2010-10-04 02:10    16883056    ----a-w-    c:\program files\IE8-WindowsXP-x86-ENU.exe
2010-10-01 14:24 . 2010-10-01 14:24    8534336    ----a-w-    c:\program files\Firefox Setup 3.6.10.exe
2010-05-12 00:16 . 2010-11-20 14:51    320064    ----a-w-    c:\program files\Image Resizer Powertoy for Windows XP.msi
2010-02-20 13:47 . 2010-10-02 13:17    16409960    ----a-w-    c:\program files\spybotsd162.exe
2004-01-21 19:47 . 2011-01-01 17:51    442368    ----a-w-    c:\program files\HPUSBFW.EXE
2003-11-13 17:00 . 2011-01-01 17:51    450560    ----a-w-    c:\program files\HPUSBF.EXE
2013-03-07 14:31 . 2013-03-18 23:23    263064    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-30 19523616]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-12-10 363752]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
msseces.exe (2).lnk - c:\program files\Microsoft Security Client\msseces.exe [2013-1-27 947152]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0sprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-10-31 15:51    57344    ----a-w-    c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-27 17:17    1381376    ----a-w-    c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2013-01-27 17:11    947152    ----a-w-    c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ------w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-03-16 10:37    13670504    ----a-w-    c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
1998-07-25 07:00    36352    ----a-w-    e:\program files\System\REMINDER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-04-30 09:22    19523616    ----a-w-    c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07    2260480    ----a-w-    c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\BitTorrent-7.1.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\VTech\\DownloadManager\\System\\AgentMonitor.exe"=
.
R1 MpKsle540ab4c;MpKsle540ab4c;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3FB09779-6292-424A-8F83-701B6EF6E417}\MpKsle540ab4c.sys [4/9/2013 6:21 PM 29904]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/15/2009 4:06 PM 223464]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [9/15/2011 1:06 PM 88576]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [9/18/2011 7:05 PM 47360]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [5/30/2012 1:56 PM 3048136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/6/2010 10:37 PM 1691480]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/23/2012 4:34 PM 18560]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [9/27/2011 10:27 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 6:01 PM 21248]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [10/24/2012 8:28 PM 27064]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [12/4/2010 6:47 PM 11232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLE540AB4C
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-20 01:06]
.
2013-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2013-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 02:40]
.
2013-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 02:40]
.
2013-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1202660629-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 16:39]
.
2013-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1202660629-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-22 16:39]
.
2013-04-09 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 17:11]
.
2013-03-16 c:\windows\Tasks\SwitchDowngrade.job
- c:\program files\NCH Software\Switch\switch.exe [2013-01-19 22:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 216.170.153.146
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - about:home
FF - ExtSQL: 2013-03-07 21:57; uyyer10evsj@yad.co.uk; c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n7sp74mj.default-1362532316218\extensions\uyyer10evsj@yad.co.uk
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-09 21:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3248)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-04-09  21:57:05
ComboFix-quarantined-files.txt  2013-04-10 02:57
ComboFix2.txt  2013-04-09 01:38
ComboFix3.txt  2013-04-06 15:22
ComboFix4.txt  2012-10-24 02:23
ComboFix5.txt  2013-04-10 02:47
.
Pre-Run: 87,434,895,360 bytes free
Post-Run: 87,883,001,856 bytes free
.
- - End Of File - - 4DC22A434B2C5A225B1E9C22790F192B

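An added triage pass over the log above (example code written for this page, not a BleepingComputer, DDS or ComboFix tool). It parses the three entry types the log shows in this section, the msconfig startupreg entries, the Windows Firewall AuthorizedApplications exceptions and the R/S service and driver lines, and flags any path that is not on the system drive or that sits in a user-writable profile, download or temp directory. The sample input is a constructed subset of lines copied from the log; the expansion of %windir% to c:\windows is an assumption matched to this XP system. A flag means "look at this entry", not "this is malicious": in this log the MpKsl driver under Microsoft Antimalware\Definition Updates is the scanning driver Microsoft Security Essentials loads from its definition-update folder (the log's own *NewlyCreated* line shows it), the Skype C2C service lives in its own data directory, and the BitTorrent installer is flagged because it was run straight from the Downloads folder and given a firewall exception, which is worth a look by the owner even though nothing in the log says it is malware.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: a subset of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
1998-07-25 07:00    36352    ----a-w-    e:\program files\System\REMINDER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2013-01-27 17:11    947152    ----a-w-    c:\program files\Microsoft Security Client\msseces.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\BitTorrent-7.1.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 MpKsle540ab4c;MpKsle540ab4c;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3FB09779-6292-424A-8F83-701B6EF6E417}\MpKsle540ab4c.sys [4/9/2013 6:21 PM 29904]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [5/30/2012 1:56 PM 3048136]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [10/24/2012 8:28 PM 27064]
"""

# One regex per entry type ComboFix prints in these sections.
STARTUP_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\startupreg\\(?P<name>[^\]]+)\]$", re.I)
STARTUP_FILE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
FIREWALL_APP = re.compile(r'^"(?P<path>[^"]+)"=$')
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)

def normalize(path: str) -> str:
    """Undo the doubled backslashes of firewall entries, expand %windir%
    (assumed to be c:\\windows, as on this XP system) and lower-case."""
    return path.replace("\\\\", "\\").replace("%windir%", "c:\\windows").lower()

def review_reasons(path: str) -> List[str]:
    """Heuristics a responder applies to an autostart or exception path.
    A hit means 'look at this', not 'this is malicious'."""
    p = normalize(path)
    reasons = []
    if not p.startswith("c:\\"):
        reasons.append("not on the system drive")
    if "\\documents and settings\\" in p:
        reasons.append("user-writable profile directory")
    if "\\downloads\\" in p or "\\temp\\" in p:
        reasons.append("download/temp directory")
    return reasons

def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, path) for startupreg entries, firewall exceptions and
    service/driver lines; section headers, '.' separators and other lines are skipped."""
    entries = []
    pending_startup = None  # name of a startupreg key whose file line comes next
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = STARTUP_KEY.match(line)
        if m:
            pending_startup = m.group("name")
            continue
        if pending_startup is not None:
            m = STARTUP_FILE.match(line)
            if m:
                entries.append(("startup", pending_startup, m.group("path")))
            pending_startup = None
            continue
        m = FIREWALL_APP.match(line)
        if m:
            entries.append(("firewall", normalize(m.group("path")).rsplit("\\", 1)[-1], m.group("path")))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            entries.append(("service-" + m.group("state") + m.group("start"), m.group("name"), m.group("path")))
    return entries

def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path (normalized) to the reasons it deserves a look."""
    flagged: Dict[str, List[str]] = {}
    for _kind, _name, path in parse_log(text):
        reasons = review_reasons(path)
        if reasons:
            flagged[normalize(path)] = reasons
    return flagged

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path + "\n    -> " + ", ".join(why))
```

Run against the full log, the same pass would also surface the Firefox extension directory under the user's profile, which is where every Firefox extension lives, so the directory itself is no signal; what a responder checks there is whether the extension ID matches something the owner installed.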


#8 nasdaq
  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 April 2013 - 07:35 AM

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run, copy/paste the following text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!
===

#9 JcbsDa
  • Topic Starter
  • Members
  • 67 posts

Posted 15 April 2013 - 09:43 PM

Thank you for all your help Nasdaq!

If I am clean, I would like to ask the board about my inability to get safe mode to properly work.  Should I bring that up as separate issue?

Thank you!

JcbsDa



#10 nasdaq
  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 April 2013 - 08:23 AM

Sorry for this delay. I remember seeing your post but may have forgotten to answer.
Try this:

; Save the text below as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"


; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

Delete the Fix.reg file when done.

Restart the computer normally.

How is it now?

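The .reg file above, run through an added in-memory model of regedit's merge semantics (example code written for this page, not the poster's tool or anything from BleepingComputer). It makes the point of the two-step file visible: the [-key] line deletes HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds together with anything beneath it, and the [key] line plus @="Service" recreate it carrying only the default value safe mode expects. The starting registry state is constructed (a neighbouring Base entry, a vds entry with a wrong default value and a stray subkey); on a machine where vds is simply missing, the delete line is a no-op and the key is just created. Only the string, dword and delete value forms are decoded, which is all this fix and the locked Flash keys in the log above use.

```python
import re
from typing import Dict, Optional

# The fix posted above, reproduced verbatim as the input. The registry state it
# is applied to further down is constructed for the example.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
"""

SAFEBOOT_MINIMAL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_LINE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
DELETE = object()  # sentinel for the "name"=- form

def _unescape(s: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_data(data: str):
    """Decode the value-data forms needed here: quoted string, dword, or delete."""
    if data == "-":
        return DELETE
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    raise ValueError("unsupported value data: " + data)

class Registry:
    """Model: normalized key path -> {value name: data}; "" is the default value."""
    def __init__(self) -> None:
        self.keys: Dict[str, Dict[str, object]] = {}

    @staticmethod
    def _norm(key: str) -> str:
        return key.rstrip("\\").lower()

    def has_key(self, key: str) -> bool:
        return self._norm(key) in self.keys

    def create_key(self, key: str) -> None:
        self.keys.setdefault(self._norm(key), {})

    def delete_key(self, key: str) -> None:
        # As with [-key] in regedit: the key and every subkey beneath it go.
        k = self._norm(key)
        for existing in list(self.keys):
            if existing == k or existing.startswith(k + "\\"):
                del self.keys[existing]

    def set_value(self, key: str, name: str, data: object) -> None:
        self.create_key(key)
        self.keys[self._norm(key)][name] = data

    def get_value(self, key: str, name: str = "") -> Optional[object]:
        return self.keys.get(self._norm(key), {}).get(name)

def merge(reg: Registry, text: str) -> Registry:
    """Apply a .reg file to the model with regedit's merge semantics."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / 5.00 header; regedit refuses such a file")
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            if m.group("delete"):
                reg.delete_key(m.group("key"))
                current = None
            else:
                reg.create_key(m.group("key"))
                current = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group("name") == "@" else _unescape(m.group("name")[1:-1])
            data = parse_data(m.group("data"))
            if data is DELETE:
                reg.keys[reg._norm(current)].pop(name, None)
            else:
                reg.set_value(current, name, data)
            continue
        raise ValueError("unparsed line: " + line)
    return reg

def broken_safeboot() -> Registry:
    """Constructed start state: a neighbouring Base entry (assumed) and a vds entry
    with a wrong default value plus a stray subkey, the damage the fix targets."""
    reg = Registry()
    reg.set_value(SAFEBOOT_MINIMAL + r"\Base", "", "Driver Group")
    reg.set_value(SAFEBOOT_MINIMAL + r"\vds", "", "Bogus")
    reg.create_key(SAFEBOOT_MINIMAL + r"\vds\Stray")
    return reg

if __name__ == "__main__":
    fixed = merge(broken_safeboot(), FIX_REG)
    print("vds default value:", fixed.get_value(SAFEBOOT_MINIMAL + r"\vds"))
    print("stray subkey survived:", fixed.has_key(SAFEBOOT_MINIMAL + r"\vds\Stray"))
```

Two caveats the model makes obvious. The fix restores only the vds entry: if the whole SafeBoot\Minimal list has been removed, which is a known way malware breaks safe mode, recreating one entry brings nothing back and the complete list has to be restored. And the file must start with the REGEDIT4 header (or the 5.00 one); regedit refuses to merge a file without it, which is why the post insists on saving the text exactly as given.
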
#11 JcbsDa
  • Topic Starter
  • Members
  • 67 posts

Posted 26 April 2013 - 11:38 PM

Thank you Nasdaq, but this doesn't seem to change my inability to access safe mode.  It goes right to the Welcome screen as I described in an earlier post.

http://www.bleepingcomputer.com/forums/t/487270/safe-mode-3/

JcbsDa


Edited by JcbsDa, 26 April 2013 - 11:39 PM.


#12 nasdaq
  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 April 2013 - 07:41 AM

From your previous topic.

Here's what happens when I turn on my computer:
1. The BIOS screen comes up, goes to black.

2. The next screen comes up. It states:

"Loading Operating System...
Boot from CD/DVD:"


I think you need to change the boot sequence to direct your computer to boot from the C:\ hard drive where the operating system is installed.

How to here:

http://helpdeskgeek.com/how-to/change-boot-order-xp-vista/

Keep me posted.

#13 JcbsDa
  • Topic Starter
  • Members
  • 67 posts

Posted 02 May 2013 - 09:29 PM

nasdaq-

When the BIOS screen comes up, it directs me to click Delete to enter BIOS setup.  I have tried this multiple times. My clicking "Delete" does nothing and the process continues as I described above.

Thank you for any additional suggestions you can provide!

JcbsDa



#14 nasdaq
  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 May 2013 - 07:10 AM

Try some other keys as suggested in this article.

http://pcsupport.about.com/od/fixtheproblem/a/biosaccess_bios.htm



