
Fake Security Alert

This is a discussion on Fake Security Alert within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 02-18-2010, 10:43 PM   #1
Registered Member
 
Join Date: Nov 2004
Posts: 18
OS: XP



This past week, Security Alerts started popping up. The alerts appear to be a Windows-based warning, and when you click OK or Close, it opens up an Internet Explorer window that appears to be performing a scan of my system. I'm able to close out the window, but the processor stays at 100%, with svchost processes using the majority of the percentage.

We've also started getting a ton of just random pop-up ads and internet windows.

I've had Norton antivirus installed on this PC, but it appears to have expired. This is the family PC and I don't really use it, so I don't have a good idea how long ago it expired. When I try to open the website to re-subscribe, I get an error saying that my internet is not connected, but I'm able to visit all other sites without issue. When I try the McAfee site, it redirects me to some other antivirus software.

Thanks in advance for the help.
bigB



DDS (Ver_09-12-01.01) - NTFSx86
Run by Brian at 13:56:38.71 on Tue 02/16/2010
Internet Explorer: 7.0.6000.16982
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1527.829 [GMT -7:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\USB Disk Win98 Driver\Res.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SkyGolf\SkyCaddie Desktop\CaddieSyncLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\windows\freddy101.exe
C:\Windows\sYSteM32\SvchOst.eXE -k okogrp
c:\windows\pp14.exe
C:\Windows\System32\mobsync.exe
C:\Users\Brian\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [P2kAutostart]
uRun: [cdloader] "c:\users\brian\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [hpqSRMon] c:\program files\hewlett-packard\digital imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [DPService] "c:\program files\hp\dvdplay\DPService.exe"
mRun: [USB Storage Toolbox] c:\program files\usb disk win98 driver\Res.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [CaddieSyncLauncher] c:\program files\skygolf\skycaddie desktop\CaddieSyncLauncher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld16.exe
mRun: [pp] c:\windows\pp14.exe
mRun: [sysfbtray] c:\windows\freddy101.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Kashi/Coupons.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\brian\appdata\roaming\mozilla\firefox\profiles\kc0xtzmj.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\users\brian\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20080407.003\IDSvix86.sys [2008-4-8 261680]
R1 oko6;oko6;c:\windows\system32\drivers\oko6.sys [2010-2-16 32768]
R2 okosrv;okosrv;c:\windows\system32\SvchOst.eXE -k okogrp [2006-11-2 22016]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-11-1 1252232]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2007-1-9 38200]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-18 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-1-22 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-5-7 42112]

=============== Created Last 30 ================

2010-02-16 19:46:29 32 ----a-w- c:\windows\bk20856.dat
2010-02-16 19:45:10 33792 ---h--w- c:\windows\pp14.exe
2010-02-16 19:45:10 1 ----a-w- c:\windows\fdgg34353edfgdfdf
2010-02-16 19:44:53 32768 ----a-w- c:\windows\system32\drivers\oko6.sys
2010-02-16 19:44:53 102400 ----a-w- c:\windows\system32\oko6.dll
2010-02-16 19:44:39 2 ----a-w- c:\windows\010112010146114101.xxe
2010-02-16 19:44:39 1 ---h--w- c:\windows\bk23567.dat
2010-02-16 19:44:37 54272 ----a-w- c:\windows\freddy101.exe
2010-02-16 19:44:03 38912 ----a-w- c:\windows\ld16.exe
2010-02-15 05:31:20 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-15 05:31:20 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-15 05:31:01 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-15 05:31:01 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-02-15 05:31:01 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-02-15 05:30:56 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-02-15 05:30:56 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-15 05:30:56 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-15 05:30:56 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-15 05:30:56 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-15 05:30:56 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-15 05:30:56 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-02-15 05:30:56 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-15 05:30:56 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-15 05:30:55 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-15 05:30:45 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-15 05:30:45 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-14 22:12:54 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-14 22:12:54 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 22:09:47 0 d-----w- c:\users\brian\appdata\roaming\Sammsoft
2010-02-14 22:08:41 0 d-----w- c:\program files\Advanced Registry Optimizer
2010-02-14 22:08:19 0 d-----w- c:\program files\AskBarDis
2010-01-20 16:16:50 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-01-20 16:16:40 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-20 16:16:40 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-01-20 16:16:40 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-19 10:17:03 494592 ----a-w- c:\windows\system32\kerberos.dll
2010-01-19 10:17:02 272384 ----a-w- c:\windows\system32\schannel.dll

==================== Find3M ====================

2010-01-14 18:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-18 12:52:36 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48:23 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:46:10 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18:14 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45:07 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-11-03 15:15:59 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-03 15:15:58 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-11-03 15:15:58 86016 ----a-w- c:\windows\inf\infstor.dat
2008-12-10 10:17:24 174 --sha-w- c:\program files\desktop.ini
2008-06-11 09:19:01 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-03-04 16:40:04 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-03-04 16:40:04 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-03-04 16:40:04 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 13:57:33.84 ===============
Attached Files
File Type: zip Attach.zip (2.8 KB, 6 views)

__________________
bntwatson is offline  
Old 02-20-2010, 09:11 AM   #2
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,041
OS: XP Pro; XP Home; Win7 x86 & x64



Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords to any and all online accounts should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Old 02-20-2010, 08:02 PM   #3
Registered Member
 
Join Date: Nov 2004
Posts: 18
OS: XP



Ran Combofix. Here is the log...

ComboFix 10-02-20.03 - Brian 02/20/2010 19:35:18.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1527.585 [GMT -7:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2365545147-1999384947-2466353664-500
c:\$recycle.bin\S-1-5-21-3723227331-2298914610-977807560-500
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe
c:\program files\Mozilla Firefox\plc4.dll
c:\windows\010112010146111103.xxe
c:\windows\010112010146114101.xxe
c:\windows\01011201014650115.xxe
c:\windows\bk23567.dat
c:\windows\fdgg34353edfgdfdf
c:\windows\freddy101.exe
c:\windows\ld16.exe
c:\windows\pp14.exe
c:\windows\rdr_1266365400.exe
c:\windows\rdr_1266395099.exe
c:\windows\rdr_1266414621.exe
c:\windows\rdr_1266519348.exe
c:\windows\rdr_1266555054.exe
c:\windows\rdr_1266556666.exe
c:\windows\rdr_1266558865.exe
c:\windows\rdr_1266623169.exe
c:\windows\rdr_1266633451.exe
c:\windows\rdr_1266637325.exe
c:\windows\rdr_1266682937.exe
c:\windows\rdr_1266718557.exe
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\drivers\oko6.sys
c:\windows\system32\oko6.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OKO6
-------\Service_oko6
-------\Service_okosrv


((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-21 02:44 . 2010-02-21 02:50 -------- d-----w- c:\users\Brian\AppData\Local\temp
2010-02-21 02:44 . 2010-02-21 02:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-21 02:23 . 2010-02-21 02:23 -------- d-----w- C:\32788R22FWJFW
2010-02-16 19:46 . 2010-02-19 23:50 32 ----a-w- c:\windows\bk20856.dat
2010-02-15 05:31 . 2009-12-11 12:15 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-15 05:31 . 2009-12-11 12:15 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-15 05:31 . 2009-12-08 20:19 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-02-15 05:31 . 2009-12-08 17:58 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-15 05:31 . 2009-12-08 17:57 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-02-15 05:30 . 2009-12-28 12:36 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-15 05:30 . 2009-12-28 12:35 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-02-15 05:30 . 2009-12-28 12:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-15 05:30 . 2009-12-28 12:34 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-15 05:30 . 2009-12-28 12:34 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-15 05:30 . 2009-12-28 12:34 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-15 05:30 . 2009-12-28 12:33 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-15 05:30 . 2009-12-28 12:32 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-15 05:30 . 2009-12-28 12:30 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-02-15 05:30 . 2009-12-28 12:30 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-15 05:30 . 2009-12-04 16:27 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-15 05:30 . 2009-12-04 16:27 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-14 22:12 . 2010-02-14 22:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 22:12 . 2010-02-14 22:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-14 22:09 . 2010-02-14 22:09 -------- d-----w- c:\users\Brian\AppData\Roaming\Sammsoft
2010-02-14 22:08 . 2010-02-14 22:08 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-02-14 22:08 . 2010-02-14 22:08 -------- d-----w- c:\program files\AskBarDis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 19:02 . 2007-07-26 14:11 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-16 20:49 . 2007-03-21 08:05 -------- d-----w- c:\program files\LimeWire
2010-02-16 20:48 . 2009-05-07 00:35 -------- d-----w- c:\program files\Coupons
2010-02-16 20:47 . 2008-12-18 20:26 -------- d-----w- c:\program files\AVS4YOU
2010-02-15 14:55 . 2009-04-03 14:24 -------- d-----w- c:\users\Brian\AppData\Roaming\mjusbsp
2010-02-15 10:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-26 00:48 . 2007-03-01 06:04 -------- d-----w- c:\program files\Roxio
2010-01-25 00:30 . 2007-10-17 14:14 680 ----a-w- c:\users\Brian\AppData\Local\d3d9caps.dat
2010-01-20 10:22 . 2009-11-18 16:08 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 18:12 . 2009-10-02 16:36 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-24 16:59 . 2009-12-24 16:59 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2010-02-15 14:55 6515976 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\setup.exe
2009-12-24 16:58 . 2010-01-04 23:53 6515976 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\Upgrade\setup1.exe
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2010-02-15 14:55 730032 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\ar00000\install.exe
2009-12-24 16:54 . 2010-01-04 23:53 730032 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\Upgrade\install1.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\cdloader2.exe
2009-12-18 12:52 . 2010-01-22 11:08 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48 . 2010-01-22 11:08 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48 . 2010-01-22 11:08 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:48 . 2010-01-22 11:08 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-12-18 12:46 . 2010-01-22 11:08 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18 . 2010-01-22 11:08 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45 . 2010-01-22 11:08 48128 ----a-w- c:\windows\system32\mshtmler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-09-11 218032]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"cdloader"="c:\users\Brian\AppData\Roaming\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-04-11 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-28 221184]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-12-18 90112]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-09-15 65536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-25 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"CaddieSyncLauncher"="c:\program files\SkyGolf\SkyCaddie Desktop\CaddieSyncLauncher.exe" [2009-09-18 91648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080407.003\IDSvix86.sys [4/8/2008 12:25 PM 261680]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [1/9/2007 3:32 PM 38200]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [6/18/2007 2:19 PM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/22/2007 6:33 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\System32\drivers\motodrv.sys [5/7/2007 2:11 PM 42112]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
okogrp REG_MULTI_SZ okosrv
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Brian.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Kashi/Coupons.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
HKCU-Run-P2kAutostart - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = ???

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5792)
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-02-20 19:59:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 02:59

Pre-Run: 37,704,019,968 bytes free
Post-Run: 37,384,364,032 bytes free

- - End Of File - - F50CF214CDDABCB1F4A99E6AC78589FB
__________________
bntwatson is offline  
Old 02-20-2010, 08:36 PM   #4
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,041
OS: XP Pro; XP Home; Win7 x86 & x64



Good job...next steps...

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------


Quote:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
This indicates Windows Vista's User Account Control is disabled. Sometimes, malware disables it, sometimes the end user does.

By default, the User Account Control is enabled. Many people find it to be a nuisance (and it is at times), but it is quite effective at protecting Vista. Many people disable it not realizing that when they do, they've essentially brought Vista down to the vulnerabilities of XP.

Vista UAC does protect

Here's another explanation - http://www.dcr.net/~w-clayton/Vista/...ualization.htm

Please re-enable UAC.
  1. Click on Start > Control Panel.
  2. Double click on User Accounts.
  3. Under Make changes to your user account, click on Turn User Account Control on or off.
  4. Check (tick) this box: Use User Account Control (UAC) to help protect the computer.
  5. Click OK.

These indicate some settings have been changed.

These are "Change the way Security Center Alerts Me" in Control Panel > Security Center.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

This means they are turned off. If that's your choice, that's fine, otherwise turn the notifications back on.


---------------------------------------------------------------------------------------------
  1. Disable your protection applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/462932-fake-security-alert.html#post2605671
    Folder::
    c:\users\Brian\AppData\Roaming\Sammsoft
    c:\Program Files\Advanced Registry Optimizer
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "okogrp"=-
    Collect::
    c:\windows\bk20856.dat


    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    **Note**

    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

    Please let me know if the file was successfully submitted. Thanks.

    ------------------------------------------------------
  6. Ensure your protection applications are re-enabled.

    ---------------------------------------------------------------------------------------------


Is your Norton subscription current? It shows as outdated in the logs.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
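The registry lines tetonbob reads in the post above (EnableLUA, the Security Center *DisableNotify and DisableMonitoring values, and the extra okogrp svchost group) can be checked mechanically. The script below is an added example, not code from ComboFix or the forum: its sample dump is constructed from the lines quoted in the thread, and its svchost group baseline is an assumed short whitelist.

```python
"""Check a ComboFix 'Reg Loading Points' dump for the posture changes flagged
in this thread: UAC switched off, Security Center notifications and AV/firewall
monitoring disabled, and an svchost service group that is not a standard one.

Added example, not code from ComboFix or the forum. SAMPLE_DUMP is constructed
from the registry lines quoted above; KNOWN_SVCHOST_GROUPS is an assumed short
whitelist, not an authoritative list."""
import re

# Constructed sample in the REGEDIT4-style layout ComboFix uses.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
okogrp REG_MULTI_SZ okosrv
"""

POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
SECCENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
MONITOR_KEY = SECCENTER_KEY + r"\monitoring"
SVCHOST_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\svchost"

# Assumed baseline of svchost groups (lower-cased). Real systems have more;
# the point is that a group outside the expected set deserves a look.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localservicenonetwork", "localservicenoimpersonation",
    "localsystemnetworkrestricted", "localserviceandnoimpersonation",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"= 0 (0x0)   or   "Name"=dword:00000001
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)')
# ComboFix's flat rendering of the svchost key: <group> REG_MULTI_SZ <svc> ...
SVCHOST_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.+)$")


def parse_dump(text):
    """Return {key_path_lowercase: {value_name: raw_value_string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VAL_RE.match(line) or SVCHOST_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def as_int(raw):
    """dword values are hex in the dump; the short form ('0') parses the same."""
    return int(raw, 16)


def find_indicators(keys):
    """List the indicators in a fixed order so output is easy to diff."""
    findings = []
    pol = keys.get(POLICY_KEY, {})
    if "EnableLUA" in pol and as_int(pol["EnableLUA"]) == 0:
        findings.append("uac_disabled")          # the EnableLUA=0 flagged above
    if "ConsentPromptBehaviorAdmin" in pol and as_int(pol["ConsentPromptBehaviorAdmin"]) == 0:
        findings.append("uac_admin_no_prompt")   # admins elevate without a prompt
    for name, raw in keys.get(SECCENTER_KEY, {}).items():
        if name.endswith("DisableNotify") and as_int(raw) == 1:
            findings.append("notify_off:" + name)
    for path, vals in keys.items():
        if path.startswith(MONITOR_KEY) and as_int(vals.get("DisableMonitoring", "0")) == 1:
            findings.append("monitoring_off:" + path[len(SECCENTER_KEY) + 1:])
    for group, services in keys.get(SVCHOST_KEY, {}).items():
        if group.lower() not in KNOWN_SVCHOST_GROUPS:
            findings.append(f"unknown_svchost_group:{group}={services}")
    return findings


def analyze(text):
    return find_indicators(parse_dump(text))


def draft_svchost_fix(findings):
    """Render the Registry:: stanza, in the syntax the helper used ("okogrp"=-),
    that removes each unknown svchost group. A draft for a helper to review."""
    groups = [f.split(":", 1)[1].split("=", 1)[0]
              for f in findings if f.startswith("unknown_svchost_group:")]
    if not groups:
        return ""
    lines = ["Registry::",
             r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]"]
    lines += [f'"{g}"=-' for g in groups]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = analyze(SAMPLE_DUMP)
    print("\n".join(hits))
    print(draft_svchost_fix(hits))
```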
Old 02-21-2010, 11:22 AM   #5
Registered Member
 
Join Date: Nov 2004
Posts: 18
OS: XP



I turned on the UAC. After having to click ok several times, I realized it was probably me that turned it off in the first place.

I also turned on notifications, but I'm not sure it's on for everything as I could only find one place to change it to notify.

My Norton is out of date. This is the family pc and I don't use it much so I don't know how long it's been like that. My wife says a 'few months' so I'm guessing a year. I'm planning to renew as soon as we're clean. Is there a better anti virus software you recommend?

Thanks again for your help.

Here's the combofix log...

ComboFix 10-02-20.04 - Brian 02/21/2010 10:59:38.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1527.605 [GMT -7:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
Command switches used :: c:\users\Brian\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\bk20856.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe
c:\program files\Advanced Registry Optimizer
c:\program files\Advanced Registry Optimizer\install_left_image.bmp
c:\program files\Advanced Registry Optimizer\unins000.dat
c:\users\Brian\AppData\Roaming\Sammsoft
c:\users\Brian\AppData\Roaming\Sammsoft\Advanced Registry Optimizer\Version 2010\ExcludeList.aro
c:\users\Brian\AppData\Roaming\Sammsoft\Advanced Registry Optimizer\Version 2010\Partial Backups\00000001.rmx
c:\users\Brian\AppData\Roaming\Sammsoft\Advanced Registry Optimizer\Version 2010\Partial Backups\00000001.rxb
c:\users\Brian\AppData\Roaming\Sammsoft\Advanced Registry Optimizer\Version 2010\results.aro
c:\users\Brian\AppData\Roaming\Sammsoft\Advanced Registry Optimizer\Version 2010\TempHLList.aro
c:\windows\bk20856.dat

.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-21 18:09 . 2010-02-21 18:09 -------- d-----w- c:\users\Brian\AppData\Local\temp
2010-02-21 18:09 . 2010-02-21 18:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-21 18:09 . 2010-02-21 18:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-21 18:09 . 2010-02-21 18:09 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-02-21 17:53 . 2010-02-21 17:53 -------- d-----w- C:\32788R22FWJFW
2010-02-15 14:55 . 2009-12-24 16:58 6515976 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\setup.exe
2010-02-15 14:55 . 2009-12-24 16:54 730032 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-02-15 05:31 . 2009-12-11 12:15 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-15 05:31 . 2009-12-11 12:15 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-15 05:31 . 2009-12-08 20:19 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-02-15 05:31 . 2009-12-08 17:58 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-15 05:31 . 2009-12-08 17:57 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-02-15 05:30 . 2009-12-28 12:36 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-15 05:30 . 2009-12-28 12:35 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-02-15 05:30 . 2009-12-28 12:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-15 05:30 . 2009-12-28 12:34 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-15 05:30 . 2009-12-28 12:34 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-15 05:30 . 2009-12-28 12:34 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-15 05:30 . 2009-12-28 12:33 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-15 05:30 . 2009-12-28 12:32 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-15 05:30 . 2009-12-28 12:30 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-02-15 05:30 . 2009-12-28 12:30 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-15 05:30 . 2009-12-04 16:27 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-15 05:30 . 2009-12-04 16:27 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-14 22:12 . 2010-02-14 22:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 22:12 . 2010-02-14 22:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-14 22:08 . 2010-02-14 22:08 -------- d-----w- c:\program files\AskBarDis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 19:02 . 2007-07-26 14:11 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-16 20:49 . 2007-03-21 08:05 -------- d-----w- c:\program files\LimeWire
2010-02-16 20:48 . 2009-05-07 00:35 -------- d-----w- c:\program files\Coupons
2010-02-16 20:47 . 2008-12-18 20:26 -------- d-----w- c:\program files\AVS4YOU
2010-02-15 14:55 . 2009-04-03 14:24 -------- d-----w- c:\users\Brian\AppData\Roaming\mjusbsp
2010-02-15 10:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-26 00:48 . 2007-03-01 06:04 -------- d-----w- c:\program files\Roxio
2010-01-25 00:30 . 2007-10-17 14:14 680 ----a-w- c:\users\Brian\AppData\Local\d3d9caps.dat
2010-01-20 10:22 . 2009-11-18 16:08 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 18:12 . 2009-10-02 16:36 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-24 16:59 . 2009-12-24 16:59 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2010-01-04 23:53 6515976 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\Upgrade\setup1.exe
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2010-01-04 23:53 730032 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\Upgrade\install1.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\cdloader2.exe
2009-12-18 12:52 . 2010-01-22 11:08 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48 . 2010-01-22 11:08 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48 . 2010-01-22 11:08 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:48 . 2010-01-22 11:08 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-12-18 12:46 . 2010-01-22 11:08 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18 . 2010-01-22 11:08 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45 . 2010-01-22 11:08 48128 ----a-w- c:\windows\system32\mshtmler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-09-11 218032]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"cdloader"="c:\users\Brian\AppData\Roaming\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-04-11 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-28 221184]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-12-18 90112]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-09-15 65536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-25 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"CaddieSyncLauncher"="c:\program files\SkyGolf\SkyCaddie Desktop\CaddieSyncLauncher.exe" [2009-09-18 91648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3723227331-2298914610-977807560-1000]
"EnableNotificationsRef"=dword:00000001

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080407.003\IDSvix86.sys [4/8/2008 12:25 PM 261680]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [1/9/2007 3:32 PM 38200]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [6/18/2007 2:19 PM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/22/2007 6:33 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\System32\drivers\motodrv.sys [5/7/2007 2:11 PM 42112]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Brian.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Kashi/Coupons.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 11:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Brian\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-21 11:11:42
ComboFix-quarantined-files.txt 2010-02-21 18:11
ComboFix2.txt 2010-02-21 02:59

Pre-Run: 35,359,932,416 bytes free
Post-Run: 35,318,607,872 bytes free

- - End Of File - - 54854BCBAC608220300F5E3EFA919315
Upload was successful
__________________
bntwatson is offline  
Old 02-21-2010, 11:48 AM   #6
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,041
OS: XP Pro; XP Home; Win7 x86 & x64



For me, I prefer Eset's NOD32 or Kaspersky if I'm going to pay. That said, if you're comfortable with Norton, continue using it, but know that an outdated AntiVirus is almost like not having one at all, so updating it shortly will be helpful.

There are comparatives here:

www.av-comparatives.org

There are also very good free AntiVirus. We'll want to resolve the outdated AV during the course of this fix, so let me know how you want to proceed on that front as we move forward.

I have a question...did you ever use Vuze on this machine?

This folder is quite odd for a Vista machine.

c:\documents and settings\ReleaseEngineer.MACROVISION

Vista by default does not have "c:\documents and settings"; Vista uses C:\Users\<username>.

I'd like a bit more detail about what's in that folder.



Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    Dirlook::
    c:\documents and settings
    c:\documents and settings\ReleaseEngineer.MACROVISION
    SkipFix::
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    If there are internet connectivity issues after running the script, restart the machine, and try again.


    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Old 02-21-2010, 05:27 PM   #7
Registered Member
 
Join Date: Nov 2004
Posts: 18
OS: XP



Thanks for the AV comparison. I'll check them out and let you know what direction we're going to go.

As for Vuze, I don't even know what that is. I asked my wife and she didn't know either so I don't think we've been running it.

I also have no idea about the folder 'documents and settings'. When I open windows explorer, it does not show up. When I paste it into the explorer window, it tells me that access is denied.

Here's the latest log...
ComboFix 10-02-20.04 - Brian 02/21/2010 17:01:08.3.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1527.843 [GMT -7:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
Command switches used :: c:\users\Brian\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-22 00:02 . 2010-02-22 00:02 -------- d-----w- c:\users\Brian\AppData\Local\temp
2010-02-22 00:02 . 2010-02-22 00:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-22 00:02 . 2010-02-22 00:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-22 00:02 . 2010-02-22 00:02 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-02-21 23:52 . 2010-02-21 23:52 -------- d-----w- C:\32788R22FWJFW
2010-02-15 14:55 . 2009-12-24 16:58 6515976 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\setup.exe
2010-02-15 14:55 . 2009-12-24 16:54 730032 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-02-15 05:31 . 2009-12-11 12:15 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-15 05:31 . 2009-12-11 12:15 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-15 05:31 . 2009-12-08 20:19 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-02-15 05:31 . 2009-12-08 17:58 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-15 05:31 . 2009-12-08 17:57 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-02-15 05:30 . 2009-12-28 12:36 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-15 05:30 . 2009-12-28 12:35 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-02-15 05:30 . 2009-12-28 12:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-15 05:30 . 2009-12-28 12:34 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-15 05:30 . 2009-12-28 12:34 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-15 05:30 . 2009-12-28 12:34 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-15 05:30 . 2009-12-28 12:33 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-15 05:30 . 2009-12-28 12:32 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-15 05:30 . 2009-12-28 12:30 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-02-15 05:30 . 2009-12-28 12:30 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-15 05:30 . 2009-12-04 16:27 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-15 05:30 . 2009-12-04 16:27 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-14 22:12 . 2010-02-14 22:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 22:12 . 2010-02-14 22:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-14 22:08 . 2010-02-14 22:08 -------- d-----w- c:\program files\AskBarDis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 19:02 . 2007-07-26 14:11 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-16 20:49 . 2007-03-21 08:05 -------- d-----w- c:\program files\LimeWire
2010-02-16 20:48 . 2009-05-07 00:35 -------- d-----w- c:\program files\Coupons
2010-02-16 20:47 . 2008-12-18 20:26 -------- d-----w- c:\program files\AVS4YOU
2010-02-15 14:55 . 2009-04-03 14:24 -------- d-----w- c:\users\Brian\AppData\Roaming\mjusbsp
2010-02-15 10:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-26 00:48 . 2007-03-01 06:04 -------- d-----w- c:\program files\Roxio
2010-01-25 00:30 . 2007-10-17 14:14 680 ----a-w- c:\users\Brian\AppData\Local\d3d9caps.dat
2010-01-20 10:22 . 2009-11-18 16:08 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 18:12 . 2009-10-02 16:36 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-24 16:59 . 2009-12-24 16:59 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2010-01-04 23:53 6515976 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\Upgrade\setup1.exe
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2010-01-04 23:53 730032 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\Upgrade\install1.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\cdloader2.exe
2009-12-18 12:52 . 2010-01-22 11:08 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48 . 2010-01-22 11:08 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48 . 2010-01-22 11:08 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:48 . 2010-01-22 11:08 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-12-18 12:46 . 2010-01-22 11:08 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18 . 2010-01-22 11:08 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45 . 2010-01-22 11:08 48128 ----a-w- c:\windows\system32\mshtmler.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings ----


---- Directory of c:\documents and settings\ReleaseEngineer.MACROVISION ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-09-11 218032]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"cdloader"="c:\users\Brian\AppData\Roaming\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-04-11 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-28 221184]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-12-18 90112]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-09-15 65536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-25 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"CaddieSyncLauncher"="c:\program files\SkyGolf\SkyCaddie Desktop\CaddieSyncLauncher.exe" [2009-09-18 91648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3723227331-2298914610-977807560-1000]
"EnableNotificationsRef"=dword:00000001

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080407.003\IDSvix86.sys [4/8/2008 12:25 PM 261680]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [1/9/2007 3:32 PM 38200]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [6/18/2007 2:19 PM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/22/2007 6:33 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\System32\drivers\motodrv.sys [5/7/2007 2:11 PM 42112]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Brian.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Kashi/Coupons.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 17:02
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-21 1709
ComboFix-quarantined-files.txt 2010-02-22 00:06
ComboFix2.txt 2010-02-21 18:12
ComboFix3.txt 2010-02-21 02:59

Pre-Run: 33,596,764,160 bytes free
Post-Run: 33,555,230,720 bytes free

- - End Of File - - 5979C8AD03FD19AB3AAE92404B57D5D9
Old 02-21-2010, 05:42 PM   #8
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,041
OS: XP Pro; XP Home; Win7 x86 & x64



The folder seems empty now, and does not belong. Some of the items previously in it are bad characters. We'll delete the folder now.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:

    Folder::
    c:\documents and settings\ReleaseEngineer.MACROVISION
    SkipFix::
    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Old 02-21-2010, 06:12 PM   #9
Registered Member
 
Join Date: Nov 2004
Posts: 18
OS: XP



Just FYI. When I ran ComboFix, it said it detected some rootkit activity and all the files it detected were in that 'documents and settings' folder.

Here's the latest log...

ComboFix 10-02-21.02 - Brian 02/21/2010 17:58:24.4.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1527.606 [GMT -7:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
Command switches used :: c:\users\Brian\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-22 01:00 . 2010-02-22 01:00 -------- d-----w- c:\users\Brian\AppData\Local\temp
2010-02-22 01:00 . 2010-02-22 01:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-22 01:00 . 2010-02-22 01:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-22 01:00 . 2010-02-22 01:00 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-02-22 00:51 . 2010-02-22 00:52 -------- d-----w- C:\32788R22FWJFW
2010-02-15 05:31 . 2009-12-11 12:15 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-15 05:31 . 2009-12-11 12:15 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-15 05:31 . 2009-12-08 20:19 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-02-15 05:31 . 2009-12-08 17:58 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-15 05:31 . 2009-12-08 17:57 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-02-15 05:30 . 2009-12-28 12:36 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-15 05:30 . 2009-12-28 12:35 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-02-15 05:30 . 2009-12-28 12:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-15 05:30 . 2009-12-28 12:34 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-15 05:30 . 2009-12-28 12:34 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-15 05:30 . 2009-12-28 12:34 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-15 05:30 . 2009-12-28 12:33 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-15 05:30 . 2009-12-28 12:32 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-15 05:30 . 2009-12-28 12:30 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-02-15 05:30 . 2009-12-28 12:30 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-15 05:30 . 2009-12-04 16:27 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-15 05:30 . 2009-12-04 16:27 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-14 22:12 . 2010-02-14 22:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 22:12 . 2010-02-14 22:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-14 22:08 . 2010-02-14 22:08 -------- d-----w- c:\program files\AskBarDis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 19:02 . 2007-07-26 14:11 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-16 20:49 . 2007-03-21 08:05 -------- d-----w- c:\program files\LimeWire
2010-02-16 20:48 . 2009-05-07 00:35 -------- d-----w- c:\program files\Coupons
2010-02-16 20:47 . 2008-12-18 20:26 -------- d-----w- c:\program files\AVS4YOU
2010-02-15 14:55 . 2009-04-03 14:24 -------- d-----w- c:\users\Brian\AppData\Roaming\mjusbsp
2010-02-15 10:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-26 00:48 . 2007-03-01 06:04 -------- d-----w- c:\program files\Roxio
2010-01-25 00:30 . 2007-10-17 14:14 680 ----a-w- c:\users\Brian\AppData\Local\d3d9caps.dat
2010-01-20 10:22 . 2009-11-18 16:08 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 18:12 . 2009-10-02 16:36 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-24 16:59 . 2009-12-24 16:59 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2010-02-15 14:55 6515976 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\setup.exe
2009-12-24 16:58 . 2010-01-04 23:53 6515976 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\Upgrade\setup1.exe
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2010-02-15 14:55 730032 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\ar00000\install.exe
2009-12-24 16:54 . 2010-01-04 23:53 730032 ---ha-w- c:\users\Brian\AppData\Roaming\mjusbsp\Upgrade\install1.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\users\Brian\AppData\Roaming\mjusbsp\cdloader2.exe
2009-12-18 12:52 . 2010-01-22 11:08 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48 . 2010-01-22 11:08 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48 . 2010-01-22 11:08 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:48 . 2010-01-22 11:08 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-12-18 12:46 . 2010-01-22 11:08 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18 . 2010-01-22 11:08 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45 . 2010-01-22 11:08 48128 ----a-w- c:\windows\system32\mshtmler.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-09-11 218032]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"cdloader"="c:\users\Brian\AppData\Roaming\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-04-11 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-28 221184]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-12-18 90112]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-09-15 65536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-25 133656]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"CaddieSyncLauncher"="c:\program files\SkyGolf\SkyCaddie Desktop\CaddieSyncLauncher.exe" [2009-09-18 91648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3723227331-2298914610-977807560-1000]
"EnableNotificationsRef"=dword:00000001

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080407.003\IDSvix86.sys [4/8/2008 12:25 PM 261680]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [1/9/2007 3:32 PM 38200]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [6/18/2007 2:19 PM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/22/2007 6:33 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\System32\drivers\motodrv.sys [5/7/2007 2:11 PM 42112]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Brian.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Kashi/Coupons.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 18:00
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll >>UNKNOWN [0x8605E328]<< >>UNKNOWN [0x8604B298]<< Npfs.SYS
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x826dcd1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> ataport.SYS @ 0x806cd9c6
\Driver\iaStor -> iastor.sys @ 0x80729d94
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x81d96243
SecurityProcedure -> ntkrnlpa.exe @ 0x81d95467
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x81d96243
SecurityProcedure -> ntkrnlpa.exe @ 0x81d95467
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Old 02-21-2010, 06:30 PM   #10
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,041
OS: XP Pro; XP Home; Win7 x86 & x64



Please disable protections and double click on ComboFix.exe to run it. Post the log produced.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Old 02-21-2010, 08:28 PM   #11
Registered Member
 
Join Date: Nov 2004
Posts: 18
OS: XP



When I tried to copy paste the log into the reply, it told me I had too many characters so I've attached it as a txt file...
Attached file: log.txt (170.9 KB)
Old 02-21-2010, 08:39 PM   #12
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,041
OS: XP Pro; XP Home; Win7 x86 & x64



Next steps...

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, click on Uninstall a Program and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
    J2SE Runtime Environment 5.0 Update 3
    Java(TM) 6 Update 3
    Java(TM) 6 Update 7
  • Click the Uninstall button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Old 02-22-2010, 08:07 AM   #13
Registered Member
 
Join Date: Nov 2004
Posts: 18
OS: XP



Things seem to be running better. Haven't seen that Security Alarm and my pc is not locking up like it did. I deleted the old Java and installed the latest. Logs for the Malware scan and the ESET scan are posted below...

I do have a couple questions...

My UAC blocks a "System Configuration Utility" from 'Microsoft Windows'. When I click on details, it has the following code
"DIF60CCB-8329-406E-976F-660BIBDF0D97".
Is this a legit windows operation that I should allow?

Also, for AV, you mentioned that there's free software out there. Is there a drawback to using free software? Is it as good? If it's just as good, I'm never opposed to saving some money. Could you send me some links?

If there is a difference, I think we're going to go with Kaspersky. Should I uninstall my old Norton or keep it? Am I ok to download the AV now or should I wait some more?

Thanks again for all your help...

Here's the Malware log...
Malwarebytes' Anti-Malware 1.44
Database version: 3772
Windows 6.0.6000
Internet Explorer 7.0.6000.16982

2/21/2010 9:28:26 PM
mbam-log-2010-02-21 (21-28-26).txt

Scan type: Quick Scan
Objects scanned: 111416
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Here's the ESET log (seems like a really short log for such a long scan!)...
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
Old 02-22-2010, 09:50 AM   #14
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,041
OS: XP Pro; XP Home; Win7 x86 & x64



I have a couple of questions in return.

Quote:
My UAC blocks a "System Configuration Utility" from 'Microsoft Windows'. When I click on details, it has the following code
"DIF60CCB-8329-406E-976F-660BIBDF0D97".
Is that the entire detail? Has it occurred more than once? The code seems totally random, so I'm not quite sure what to do with it. It would seem that UAC is reporting a block of an application by Vista's version of MSCONFIG. Have you disabled any applications from running at startup with MSCONFIG? The message should tell you what application is being blocked. I suppose this is why so many people turned off Vista's UAC. It's not user friendly.

This solution may apply:

http://itsvista.com/2007/07/itsvista...notifications/


================================

Regarding the Eset scan, is that the entire log from:

C:\Program Files\Eset\Eset Online Scanner\log.txt

It seems to be missing some information. Did you right click, run as administrator in IE? Sorry, I missed out that part of the instructions for Vista; it seems to make a difference when saving a log. If nothing was found, there's no further need for additional scans, and it's time to update your AV.

=========================

Free AVs are indeed very good. One difference in using free AV vs paid is the level of support. Free AVs have limited support, but for many, that's not an issue. For me, it's worth the annual subscription for NOD32 knowing I have one of the top rated protection applications. Kaspersky would also be a fine choice. There are free comparisons here, though they are now a bit dated:

http://www.pcworld.com/reviews/produ...90834&p=290845

I use Avira or Microsoft's Security Essentials when cost is a factor.

Here are a few very good free Antivirus products which are available:
Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

If you decide to not upgrade, and instead uninstall Norton, also run this Norton Removal Tool before installing the new AV.

1. Download this file:

ftp://ftp.symantec.com/public/englis...moval_Tool.exe

Save the file to the Windows desktop.

2. On the Windows desktop, double-click the Norton Removal Tool icon.

3. Follow the on-screen instructions. Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.


=================

The process I would take is...decide on AV. Download the new installer file. Download the Norton Removal Tool. Disconnect from the internet. Uninstall Norton. Reboot. Run the Norton Removal Tool. Reboot. Install new AV, reconnect to the internet, update the definitions of the new AV and run a full system scan.

Once you've done all that, please post a new set of logs from DDS.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Old 02-23-2010, 08:50 AM   #15
Registered Member
 
Join Date: Nov 2004
Posts: 18
OS: XP



Figured out what UAC was blocking. If I hovered over the 'Run blocked programs' option, it showed the programs. Both were things I installed so no worries.

New AV installed

Here's the latest DDS...

DDS (Ver_09-12-01.01) - NTFSx86
Run by Brian at 8:47:04.94 on Tue 02/23/2010
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1527.716 [GMT -7:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET Smart Security 4.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HpqSRmon.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Brian\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [cdloader] "c:\users\brian\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpqSRMon] c:\program files\hewlett-packard\digital imaging\bin\hpqSRMon.exe
mRun: [DPService] "c:\program files\hp\dvdplay\DPService.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Kashi/Coupons.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\brian\appdata\roaming\mozilla\firefox\profiles\kc0xtzmj.default\
FF - plugin: c:\users\brian\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-18 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-1-22 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-5-7 42112]

=============== Created Last 30 ================

2010-02-23 02:20:35 0 d-----w- c:\users\brian\appdata\roaming\ESET
2010-02-23 02:16:41 0 d-----w- c:\programdata\ESET
2010-02-22 04:32:36 0 d-----w- c:\program files\ESET
2010-02-22 04:15:25 0 d-----w- c:\users\brian\appdata\roaming\Malwarebytes
2010-02-22 04:15:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-22 04:15:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-22 04:15:19 0 d-----w- c:\programdata\Malwarebytes
2010-02-22 04:15:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 04:09:51 0 d-----w- c:\programdata\Sun
2010-02-22 04:08:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-22 01:57:29 0 d-sh--w- C:\$RECYCLE.BIN
2010-02-21 18:26:44 3467848 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-21 18:26:43 3502168 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-21 02:23:44 98816 ----a-w- c:\windows\sed.exe
2010-02-21 02:23:44 77312 ----a-w- c:\windows\MBR.exe
2010-02-21 02:23:44 261632 ----a-w- c:\windows\PEV.exe
2010-02-21 02:23:44 161792 ----a-w- c:\windows\SWREG.exe
2010-02-18 18:57:09 108 ----a-w- c:\users\brian\webct_upload_applet.properties
2010-02-15 05:31:20 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-15 05:31:20 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-15 05:31:01 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-15 05:31:01 22016 ----a-w- c:\windows\system32\netiougc.exe
2010-02-15 05:31:01 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-02-15 05:30:56 88576 ----a-w- c:\windows\system32\avifil32.dll
2010-02-15 05:30:56 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-15 05:30:56 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-15 05:30:56 31232 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-15 05:30:56 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-15 05:30:56 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-15 05:30:56 1327616 ----a-w- c:\windows\system32\quartz.dll
2010-02-15 05:30:56 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-15 05:30:56 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-15 05:30:55 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-15 05:30:45 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-15 05:30:45 101888 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-14 22:12:54 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-14 22:12:54 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 22:08:19 0 d-----w- c:\program files\AskBarDis

==================== Find3M ====================

2010-02-23 02:18:10 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-02-23 02:18:10 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-23 02:18:09 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-14 18:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 15:13:12 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-12-18 12:52:36 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48:23 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:46:10 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18:14 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45:07 48128 ----a-w- c:\windows\system32\mshtmler.dll
2008-12-10 10:17:24 174 --sha-w- c:\program files\desktop.ini
2008-06-11 09:19:01 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 8:47:55.94 ===============
__________________
bntwatson is offline  
Old 02-23-2010, 08:54 AM   #16
Registered Member
 
Join Date: Nov 2004
Posts: 18
OS: XP



Forgot the 'Attach' file. Here it is...
Attached Files
File Type: zip Attach (2).zip (3.0 KB, 2 views)
__________________
bntwatson is offline  
Old 02-23-2010, 09:53 AM   #17
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,041
OS: XP Pro; XP Home; Win7 x86 & x64



Great! Things look good from here. If there are no other issues...

We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK

ComboFix /Uninstall



This will uninstall ComboFix. It will also implement some cleanup procedures.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

After malware removal, it's a good idea to flush out existing, possibly infected System Restore points, and set a new clean point with which to go forward.

Clear & Reset System Restore's Cache
  • Press the Windows key + R
  • Type or copy/paste control sysdm.cpl,,4 & press Enter
  • Click on Continue
  • Under Automatic Restore points
    • Uncheck (untick) all the boxes under Create restore points automatically on the selected disks section.
    • Click Turn System Restore Off.
    • Click Apply

    Turn System Restore back on now.

  • Check (tick) all the boxes under Create restore points automatically on the selected disks section.
  • Click OK.

============================================

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update -

    To update Windows, click on Start > Windows Update (or Start > All Programs > Windows Update if you are using the new Vista Start Menu). If the Windows Update is not found there, go to this link - http://update.microsoft.com/ .

    This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
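As an added example (not code from the thread or from any poster), the script below audits a HOSTS file along the lines of the MVPS item in the post above: entries that map a name to 127.0.0.1 or 0.0.0.0 are treated as benign sinkholes, while entries that touch security-vendor names, or send a name to some other address, are the pattern of a hosts-file hijack and get flagged. The vendor suffix list, the sample HOSTS text and the verdict names are constructed for this example; pass a real path on the command line to audit it.

```python
"""Added example (not from the forum thread): audit a Windows HOSTS file.
Blocklist files such as the MVPS HOSTS sinkhole ad/malware names to
127.0.0.1 or 0.0.0.0; malware edits the same file to block or redirect
security-vendor sites, so this audit tells the two cases apart.
"""
import ipaddress
import re
import sys
from dataclasses import dataclass

# Vendor domains a defender never expects in HOSTS (constructed list; extend it).
PROTECTED_SUFFIXES = ("symantec.com", "norton.com", "mcafee.com",
                      "microsoft.com", "eset.com", "kaspersky.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# One DNS label: 1-63 chars, alphanumeric or '-', not starting/ending with '-'.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Constructed sample HOSTS text (not a real file), used when no path is given.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.doubleclick.net        # blocklist-style entry
127.0.0.1       www.symantec.com          # vendor site blocked via loopback
203.0.113.5     www.mcafee.com            # vendor site sent to another host
198.51.100.7    intranet.corp.example     # plain redirect, review manually
999.1.1.1       broken.example            # not a valid address
"""


@dataclass
class HostsEntry:
    lineno: int
    ip: str
    host: str
    verdict: str   # local | sinkhole | hijack | redirect | malformed


def _is_protected(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> list[HostsEntry]:
    entries: list[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comment, tokenize
        if not fields:
            continue
        ip_text, hosts = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            ip = None
        for host in (hosts or [""]):  # a bare address with no name is malformed
            host = host.lower()
            if ip is None or len(host) > 253 or not HOSTNAME_RE.match(host):
                verdict = "malformed"
            elif _is_protected(host):
                verdict = "hijack"  # a vendor name in HOSTS is never benign
            elif ip.is_loopback or ip.is_unspecified:
                verdict = "local" if host in LOCAL_NAMES else "sinkhole"
            else:
                verdict = "redirect"
            entries.append(HostsEntry(lineno, ip_text, host, verdict))
    return entries


def summarize(entries: list[HostsEntry]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for entry in entries:
        counts[entry.verdict] = counts.get(entry.verdict, 0) + 1
    return counts


if __name__ == "__main__":  # e.g. python audit.py C:\Windows\System32\drivers\etc\hosts
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for e in audit_hosts(text):
        print(f"line {e.lineno}: {e.ip} {e.host} -> {e.verdict}")
```

Any "hijack" or unexplained "redirect" verdict on a real machine is worth comparing against a known-good HOSTS file before trusting the AV vendor's site again.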
Old 03-01-2010, 10:45 AM   #18
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 50,041
OS: XP Pro; XP Home; Win7 x86 & x64



Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Copyright 2001 - 2014, Tech Support Forum