
Registered · 34 Posts · Discussion Starter · #1
Hello everybody. My name is Rizwan and I have been experiencing quite a few problems with my computer. I really would like to fix all the problems. Below are the issues my computer is facing. For those taking a look at this, thank you.

First off, after everything has loaded after I turn on my computer, a little screen comes up and says "Error loading bwrmp.dll. This specific module could not be found". I have absolutely no idea what that is or what it is related to.

Secondly, another screen comes up and says Roxio Update Manager is trying to install, but then it says that I have an invalid H drive. Once again I have no idea what Roxio Update Manager is, so when I first encountered this problem I went and deleted everything associated with Roxio. Finally, when it came to removing Roxio Update Manager, it said I had an invalid H drive.

The third problem with my computer is that whenever I right-click an icon on my desktop a screen comes up and says "Please wait while Windows configures Adobe Acrobat 8.1.4", then a screen comes up and says "Error 1327. Invalid Drive: H:\". Every time I right-click an icon it comes up with that.

The fourth problem is that when using Internet Explorer 7, pop-up ads would come up every few minutes. It started getting really annoying, so I deleted Internet Explorer 7, but it won't let me successfully remove the program from my system. There are times when I click a site off Google and it redirects me to a pop-up ad. There are times when it won't even let me get to the site I want to go to. It just takes me to pop-up ads and it is getting tiring and annoying.

The fifth problem is that there are programs that won't delete. I go to Add and Remove Programs and they won't remove. Examples of this are DivX and Roxio Update Manager. I tried using CCleaner but they just do not go.

Finally, the last problem is that my computer is extremely slow. Every day after I turn on the computer and it has all loaded, a little speech box comes up in the bottom right corner of my screen and says I have no free space on disk C. It says I should compress it, and that's what I do. I have deleted programs in Add and Remove Programs but it doesn't make a difference. For example, I deleted Mavis Beacon Teaching Typing (not sure of the correct name) and it was 107 MB. I thought that would free up a load of space but nothing happened. When I go to msconfig and click System Restore it says I do not have enough space to do anything. Every time it says "no free space on disk C".

Just to let you guys know, I have AVG Free 9.0, Spybot Search & Destroy and Malwarebytes' Anti-Malware.

I have used all three and they have checked for problems, but they all say nothing is there. I am pretty sure the virus or whatever problem is there is going unnoticed. I am in serious need of help, so if anyone out there knows what to do, please help. I would be very grateful.
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello rizwankassam,

I'm not sure if we can resolve all issues, but we need to start somewhere. Please follow the instructions in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help and post the requested logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


**Please note this section of the forum is very busy, so be sure to familiarize yourself with the Bumping Rules also found in our sticky topic mentioned above. One of our Analysts will review your log as soon as possible.
 

Registered · 34 Posts · Discussion Starter · #3
DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 17:19:56.92 on Thu 08/05/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1368 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Search Assistant BHO: {9cb65201-89c4-402c-ba80-02d8c59f9b1d} - Ask Search Assistant BHO
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {fe063db1-4ec0-403e-8dd8-394c54984b2c} - Ask Toolbar BHO
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} -
TB: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [sta] rundll32 "bwrmp.dll",,Run
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\nam3sghc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {F73E24FB-882C-4327-9F0C-AFBE252C8972} - c:\documents and settings\administrator\local settings\application data\{F73E24FB-882C-4327-9F0C-AFBE252C8972}
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:\program files\mozilla firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


I do not have access to a Windows install disc or a boot CD; it came with the computer.
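Added example, not part of this thread and not code from DDS or ComboFix: a short Python script that reads lines in the shape of the DDS pseudo-HJT report above and flags the entries in it that account for the symptoms in the first post: browser hooks with "No File" behind their CLSID, file names with a space before the extension (qttask .exe), a Run value that loads a DLL by bare name through rundll32 (bwrmp.dll, which is what produces the start-up error), a Hosts entry that points a real site at 127.0.0.1, and a hidden Firefox extension living in a GUID-named directory under the user profile. The sample text is constructed from the line shapes in this log, the check labels are my own, and the script runs offline on that text.

```python
"""Added example: flag suspicious persistence patterns in a DDS 'Pseudo HJT Report'.

Not part of the original thread or of DDS itself. SAMPLE_DDS is constructed from the
line shapes in the posted log (not a full log); the check labels are arbitrary.
"""
import re
from typing import Dict, List

# Constructed sample (shapes copied from the DDS log in this thread).
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [sta] rundll32 "bwrmp.dll",,Run
Hosts: 127.0.0.1 www.spywareinfo.com
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: XULRunner: {F73E24FB-882C-4327-9F0C-AFBE252C8972} - c:\documents and settings\administrator\local settings\application data\{F73E24FB-882C-4327-9F0C-AFBE252C8972}
"""

# Browser hook (BHO / toolbar / shell execute hook / IE button) whose CLSID has no file behind it.
ORPHAN_RE = re.compile(r"^(?:BHO|TB|SEH|IE): .*- No File\s*$", re.I)
# HKCU (u) or HKLM (m) Run value: name in brackets, then the command line.
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.I)
# rundll32 followed by its DLL argument (quotes optional; the argument ends at a quote or comma).
RUNDLL_RE = re.compile(r'^"?[^"\s]*rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.I)
# Whitespace between a file name and its extension, as in "qttask .exe".
SPACED_EXT_RE = re.compile(r"\S\s+\.(?:exe|dll|scr|com)\b", re.I)
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)", re.I)
HIDDEN_EXT_RE = re.compile(
    r"^FF - HiddenExtension: (?P<name>.*?): (?P<ref>\{[^}]*\}|No Registry Reference) - (?P<path>.*)$",
    re.I,
)
PROFILE_DIR_RE = re.compile(r"\\(?:documents and settings|users)\\", re.I)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: {'check': label, 'line': original line}."""
    findings: List[Dict[str, str]] = []

    def hit(check: str, line: str) -> None:
        findings.append({"check": check, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. Leftover CLSID registrations: harmless by themselves, but they show what was removed.
        if ORPHAN_RE.match(line):
            hit("orphan-clsid", line)

        # 2. A space before the extension is not something an installer writes;
        #    compare "name .exe" with "name.exe" in the same directory.
        if SPACED_EXT_RE.search(line):
            hit("space-before-extension", line)

        # 3. Run values that load a DLL through rundll32 by bare name. With no directory
        #    the DLL is found via the search path; once it is gone the user sees
        #    "Error loading bwrmp.dll ..." at every logon while the Run value remains.
        run = RUN_RE.match(line)
        if run:
            rd = RUNDLL_RE.match(run.group("cmd"))
            if rd and "\\" not in rd.group("dll"):
                hit("rundll32-bare-dll", line)

        # 4. Hosts overrides that point a real site at the loopback address,
        #    a common way of keeping a victim away from security sites.
        hosts = HOSTS_RE.match(line)
        if (hosts and hosts.group("ip") in ("127.0.0.1", "0.0.0.0")
                and hosts.group("host").lower() != "localhost"):
            hit("hosts-loopback-override", line)

        # 5. Firefox extensions hidden from the Add-ons list that live under a user
        #    profile rather than under the browser's own install tree.
        ext = HIDDEN_EXT_RE.match(line)
        if ext and PROFILE_DIR_RE.search(ext.group("path")):
            hit("hidden-extension-in-profile", line)

    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per check label."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f['check']:<28} {f['line']}")
```

Run it against a saved DDS.txt by passing the file contents to `triage()`; on the constructed sample it reports six findings, one per suspicious line, and nothing for the NvCpl.dll or ctfmon.exe entries, which carry full paths and normal file names.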

TSF Security Manager, Emeritus · 42,836 Posts
Thank you, Rizwan.

You do have some serious problems here. It will require more than 1 round to clean the system. Please stay with me until given the 'all clear' even if symptoms seem to abate.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
 

Registered · 34 Posts · Discussion Starter · #5
ComboFix 10-08-06.01 - Administrator 08/06/2010 13:55:14.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1700 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{F73E24FB-882C-4327-9F0C-AFBE252C8972}
c:\documents and settings\Administrator\Local Settings\Application Data\{F73E24FB-882C-4327-9F0C-AFBE252C8972}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{F73E24FB-882C-4327-9F0C-AFBE252C8972}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{F73E24FB-882C-4327-9F0C-AFBE252C8972}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{F73E24FB-882C-4327-9F0C-AFBE252C8972}\install.rdf
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\FF\chrome\content\chevron.js
c:\program files\Dealio Toolbar\FF\chrome\content\chevron.xul
c:\program files\Dealio Toolbar\FF\chrome\content\login.js
c:\program files\Dealio Toolbar\FF\chrome\content\login.xul
c:\program files\Dealio Toolbar\FF\chrome\content\parser.js
c:\program files\Dealio Toolbar\FF\chrome\content\RssTickerWidget.js
c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.js
c:\program files\Dealio Toolbar\FF\chrome\content\searchbox.xul
c:\program files\Dealio Toolbar\FF\chrome\content\widgichevron.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgicomm.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgihandling.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgilisteners.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.js
c:\program files\Dealio Toolbar\FF\chrome\content\widgitoolbarplugin.xul
c:\program files\Dealio Toolbar\FF\chrome\content\widgiui.js
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\searchbox.dtd
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\widgitoolbarplugin.dtd
c:\program files\Dealio Toolbar\FF\chrome\locale\EN-US\yahoo-search.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\amazon.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\apple.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\barnes.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\bestbuy.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\chevron.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\ebay.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\icon_settings.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\macys.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\newegg.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\overstock.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-button-hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-button.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron-hover.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search-chevron.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_amazon.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_dealio.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_ebay.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\search_yahoo.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\searchbox.css
c:\program files\Dealio Toolbar\FF\chrome\skin\separator.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\target.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\walmart.gif
c:\program files\Dealio Toolbar\FF\chrome\skin\widgitoolbarplugin.css
c:\program files\Dealio Toolbar\FF\components\IFBHOHelperWidgiToolbar.xpt
c:\program files\Dealio Toolbar\FF\components\IFBHOWidgiToolbar.xpt
c:\program files\Dealio Toolbar\FF\install.rdf
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Search Settings
c:\program files\Search Settings\FF\chrome\content\plugin.js
c:\program files\Search Settings\FF\chrome\content\plugin.xul
c:\program files\Search Settings\FF\chrome\content\protection.js
c:\program files\Search Settings\FF\chrome\content\utils.js
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Search Settings\FF\components\IFBHOSearch.xpt
c:\program files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Search Settings\FF\components\IFHelperPreferences.xpt
c:\program files\Search Settings\FF\install.rdf

Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.

2010-07-31 18:44 . 2010-08-04 16:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-30 13:24 . 2010-07-31 18:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-07-27 00:15 . 2010-08-06 17:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-26 21:00 . 2010-07-30 18:22 120 ----a-w- c:\windows\Pcohakipipadaxu.dat
2010-07-26 21:00 . 2010-07-30 13:23 0 ----a-w- c:\windows\Odipi.bin
2010-07-26 20:59 . 2010-08-06 18:02 768000 ----a-w- c:\windows\system32\drivers\sssxnuuc.sys
2010-07-25 20:44 . 2010-07-25 20:44 452104 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.12\setup.exe
2010-07-14 20:51 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 08:41 . 2010-01-13 15:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 20:54 . 2010-01-28 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-05 20:45 . 2010-04-08 19:05 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-08-05 00:46 . 2009-11-10 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-04 15:52 . 2008-11-04 04:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-08-02 05:25 . 2010-06-03 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-31 19:10 . 2009-11-10 19:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-30 20:47 . 2008-11-04 04:48 -------- d-----w- c:\program files\QuickTime
2010-07-30 20:00 . 2010-07-30 17:45 112 ----a-w- c:\documents and settings\All Users\Application Data\Uma38xp.dat
2010-07-20 16:53 . 2010-03-18 16:56 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-14 21:31 . 2010-06-04 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-14 21:31 . 2008-10-31 16:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-14 20:39 . 2009-01-08 01:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canon
2010-06-14 14:31 . 2002-08-29 10:41 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-04 19:53 . 2010-06-03 22:37 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 19:51 . 2010-06-04 19:52 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 19:51 . 2010-06-04 19:52 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-04 19:49 . 2010-06-04 19:49 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 19:48 . 2010-06-04 19:48 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
.
c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Analog Devices\SoundMAX\DrvLsnr .exe
c:\program files\Analog Devices\SoundMAX\SMTray .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VERSIO~2 .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NeroCheck .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Nero\Nero 7\InCD\InCD .exe
c:\program files\Nero\Nero 7\InCD\NBHGui .exe
c:\program files\QuickTime\qttask   .exe
c:\windows\system32\rundll32 .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-06-17 4112384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"sta"="bwrmp.dll" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 2.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-11-10 114688]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"1801:TCP"= 1801:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"1074:TCP"= 1074:TCP:Akamai NetSession Interface
"1082:TCP"= 1082:TCP:Akamai NetSession Interface
"1068:TCP"= 1068:TCP:Akamai NetSession Interface
"1043:TCP"= 1043:TCP:Akamai NetSession Interface
"1063:TCP"= 1063:TCP:Akamai NetSession Interface
"1066:TCP"= 1066:TCP:Akamai NetSession Interface
"1080:TCP"= 1080:TCP:Akamai NetSession Interface
"1102:TCP"= 1102:TCP:Akamai NetSession Interface
"1136:TCP"= 1136:TCP:Akamai NetSession Interface
"1052:TCP"= 1052:TCP:Akamai NetSession Interface
"1067:TCP"= 1067:TCP:Akamai NetSession Interface
"1057:TCP"= 1057:TCP:Akamai NetSession Interface
"1051:TCP"= 1051:TCP:Akamai NetSession Interface
"1071:TCP"= 1071:TCP:Akamai NetSession Interface
"1059:TCP"= 1059:TCP:Akamai NetSession Interface
"1077:TCP"= 1077:TCP:Akamai NetSession Interface
"1039:TCP"= 1039:TCP:Akamai NetSession Interface
"1054:TCP"= 1054:TCP:Akamai NetSession Interface
"1079:TCP"= 1079:TCP:Akamai NetSession Interface
"1078:TCP"= 1078:TCP:Akamai NetSession Interface
"1053:TCP"= 1053:TCP:Akamai NetSession Interface
"1083:TCP"= 1083:TCP:Akamai NetSession Interface
"1070:TCP"= 1070:TCP:Akamai NetSession Interface
"1533:TCP"= 1533:TCP:Akamai NetSession Interface
"1172:TCP"= 1172:TCP:Akamai NetSession Interface
"1069:TCP"= 1069:TCP:Akamai NetSession Interface
"1062:TCP"= 1062:TCP:Akamai NetSession Interface
"1228:TCP"= 1228:TCP:Akamai NetSession Interface
"1598:TCP"= 1598:TCP:Akamai NetSession Interface
"1056:TCP"= 1056:TCP:Akamai NetSession Interface
"1055:TCP"= 1055:TCP:Akamai NetSession Interface
"1369:TCP"= 1369:TCP:Akamai NetSession Interface
"1040:TCP"= 1040:TCP:Akamai NetSession Interface
"1065:TCP"= 1065:TCP:Akamai NetSession Interface
"1038:TCP"= 1038:TCP:Akamai NetSession Interface
"1139:TCP"= 1139:TCP:Akamai NetSession Interface
"1046:TCP"= 1046:TCP:Akamai NetSession Interface
"1092:TCP"= 1092:TCP:Akamai NetSession Interface
"1176:TCP"= 1176:TCP:Akamai NetSession Interface
"1048:TCP"= 1048:TCP:Akamai NetSession Interface
"1521:TCP"= 1521:TCP:Akamai NetSession Interface
"1490:TCP"= 1490:TCP:Akamai NetSession Interface
"1697:TCP"= 1697:TCP:Akamai NetSession Interface
"1045:TCP"= 1045:TCP:Akamai NetSession Interface
"1072:TCP"= 1072:TCP:Akamai NetSession Interface
"1097:TCP"= 1097:TCP:Akamai NetSession Interface
"2322:TCP"= 2322:TCP:Akamai NetSession Interface
"4788:TCP"= 4788:TCP:Akamai NetSession Interface
"1322:TCP"= 1322:TCP:Akamai NetSession Interface

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 8:10 AM 135664]

--- Other Services/Drivers In Memory ---

*Deregistered* - sssxnuuc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:10]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:10]

2010-08-06 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-08-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nam3sghc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-!SASWinLogon - (no file)
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 14:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sssxnuuc]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-08-06 14:05:20
ComboFix-quarantined-files.txt 2010-08-06 18:05

Pre-Run: 178,761,728 bytes free
Post-Run: 251,912,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 597388C0BA71F655E888B35C781FD603
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello Rizwan,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:


http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/503454-some-serious-computer-problems-i-really-need-lot-help-here.html#post2838820

Collect::
c:\windows\system32\drivers\sssxnuuc.sys

File::
c:\windows\Pcohakipipadaxu.dat
c:\windows\Odipi.bin
c:\documents and settings\All Users\Application Data\Uma38xp.dat

RenV::
c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Analog Devices\SoundMAX\DrvLsnr .exe
c:\program files\Analog Devices\SoundMAX\SMTray .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VERSIO~2 .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NeroCheck .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Nero\Nero 7\InCD\InCD .exe
c:\program files\Nero\Nero 7\InCD\NBHGui .exe
c:\program files\QuickTime\qttask .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sta"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1801:TCP"=-
"1074:TCP"=-
"1082:TCP"=-
"1068:TCP"=-
"1043:TCP"=-
"1063:TCP"=-
"1066:TCP"=-
"1080:TCP"=-
"1102:TCP"=-
"1136:TCP"=-
"1052:TCP"=-
"1067:TCP"=-
"1057:TCP"=-
"1051:TCP"=-
"1071:TCP"=-
"1059:TCP"=-
"1077:TCP"=-
"1039:TCP"=-
"1054:TCP"=-
"1079:TCP"=-
"1078:TCP"=-
"1053:TCP"=-
"1083:TCP"=-
"1070:TCP"=-
"1533:TCP"=-
"1172:TCP"=-
"1069:TCP"=-
"1062:TCP"=-
"1228:TCP"=-
"1598:TCP"=-
"1056:TCP"=-
"1055:TCP"=-
"1369:TCP"=-
"1040:TCP"=-
"1065:TCP"=-
"1038:TCP"=-
"1139:TCP"=-
"1046:TCP"=-
"1092:TCP"=-
"1176:TCP"=-
"1048:TCP"=-
"1521:TCP"=-
"1490:TCP"=-
"1697:TCP"=-
"1045:TCP"=-
"1072:TCP"=-
"1097:TCP"=-
"2322:TCP"=-
"4788:TCP"=-
"1322:TCP"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************


Referring to the picture above, drag CFScript into ComboFix.exe


When finished, post the C:\ComboFix.txt in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
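As an added example (not code from the forum post or from ComboFix), this Python script does mechanically what the reply above does by hand: it reads the GloballyOpenPorts section of a ComboFix log and emits the `Registry::` lines that delete every firewall exception registered to one application. The sample log lines are constructed in the same shape as the log earlier in the thread.

```python
"""Generate CFScript ``Registry::`` removal lines from the GloballyOpenPorts
section of a ComboFix log.

Added example, not part of the forum post or of ComboFix itself. Dozens of
firewall exceptions opened by a single program are easy to miss when read by
eye; this parses the section and builds the removal block automatically.
"""
import re

# Registry key header exactly as ComboFix prints it in its log.
OPEN_PORTS_KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                  r"\standardprofile\GloballyOpenPorts\List]")

# Constructed sample of the section (not the thread's full log).
SAMPLE_LOG = OPEN_PORTS_KEY + """
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"1801:TCP"= 1801:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"1074:TCP"= 1074:TCP:Akamai NetSession Interface

S2 gupdate;Google Update Service (gupdate);c:\\program files\\Google\\Update\\GoogleUpdate.exe
"""

# One value line, e.g.  "1801:TCP"= 1801:TCP:Akamai NetSession Interface
_PORT_LINE = re.compile(
    r'^"(?P<port>\d{1,5}):(?P<proto>TCP|UDP)"=\s*(?P=port):(?P=proto):(?P<app>.*)$'
)


def parse_open_ports(log_text):
    """Return [(port, proto, app), ...] for every value under the key.

    Only lines between the key header and the next blank line are read, so
    values belonging to other registry sections of the log are not picked up.
    """
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == OPEN_PORTS_KEY:
            in_section = True
            continue
        if in_section:
            if not line:          # blank line ends the section
                break
            m = _PORT_LINE.match(line)
            if m:
                entries.append((int(m.group("port")), m.group("proto"),
                                m.group("app").strip()))
    return entries


def ports_by_app(log_text):
    """Count exceptions per application; a lopsided count is what to look at."""
    counts = {}
    for _port, _proto, app in parse_open_ports(log_text):
        counts[app] = counts.get(app, 0) + 1
    return counts


def removal_script(log_text, app_name, protocols=("TCP", "UDP")):
    """Build the CFScript Registry:: block that deletes app_name's exceptions.

    ``"port:proto"=-`` is CFScript syntax for deleting a registry value.
    Returns "" when the application has no matching exception.
    """
    lines = ["Registry::", OPEN_PORTS_KEY]
    for port, proto, app in parse_open_ports(log_text):
        if app == app_name and proto in protocols:
            lines.append(f'"{port}:{proto}"=-')
    if len(lines) == 2:
        return ""
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ports_by_app(SAMPLE_LOG))
    # TCP only, mirroring the reply above, which left the 5000:UDP entry alone.
    print(removal_script(SAMPLE_LOG, "Akamai NetSession Interface", protocols=("TCP",)))
```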
 

Registered · 34 Posts · Discussion Starter · #7
ComboFix 10-08-08.01 - Administrator 08/08/2010 23:21:36.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1620 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\All Users\Application Data\Uma38xp.dat"
"c:\windows\Odipi.bin"
"c:\windows\Pcohakipipadaxu.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Uma38xp.dat
c:\windows\Odipi.bin
c:\windows\Pcohakipipadaxu.dat
c:\windows\system32\drivers\sssxnuuc.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sssxnuuc
-------\Service_sssxnuuc


((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-07-31 18:44 . 2010-08-04 16:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-30 13:24 . 2010-07-31 18:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-07-27 00:15 . 2010-08-06 17:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-25 20:44 . 2010-07-25 20:44 452104 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.12\setup.exe
2010-07-14 20:51 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 08:41 . 2010-01-13 15:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 20:54 . 2010-01-28 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-05 20:45 . 2010-04-08 19:05 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-08-05 00:46 . 2009-11-10 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-04 15:52 . 2008-11-04 04:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-08-02 05:25 . 2010-06-03 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-31 19:10 . 2009-11-10 19:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-30 20:47 . 2008-11-04 04:48 -------- d-----w- c:\program files\QuickTime
2010-07-20 16:53 . 2010-03-18 16:56 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-14 21:31 . 2010-06-04 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-14 21:31 . 2008-10-31 16:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-14 20:39 . 2009-01-08 01:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canon
2010-06-14 14:31 . 2002-08-29 10:41 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-04 19:53 . 2010-06-03 22:37 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 19:51 . 2010-06-04 19:52 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 19:51 . 2010-06-04 19:52 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-04 19:49 . 2010-06-04 19:49 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 19:48 . 2010-06-04 19:48 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
.
c:\program files\QuickTime\qttask   .exe
c:\windows\system32\rundll32 .exe
((((((((((((((((((((((((((((( [email protected]_18.02.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-09 03:26 . 2010-08-09 03:26 16384 c:\windows\Temp\Perflib_Perfdata_6a4.dat
- 2008-10-29 21:50 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2008-10-29 21:50 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
+ 2002-08-29 10:41 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\e13c1a.msp
+ 2010-05-03 20:27 . 2010-05-03 20:27 6825472 c:\windows\Installer\e13c17.msp
+ 2010-02-04 22:11 . 2010-02-04 22:11 5526528 c:\windows\Installer\e13c14.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\e13c11.msp
+ 2010-05-05 02:25 . 2010-05-05 02:25 7681024 c:\windows\Installer\e13c0e.msp
+ 2010-07-01 02:52 . 2010-07-01 02:52 5522944 c:\windows\Installer\e13c0b.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\e13c08.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\b08eee.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\b08ee9.msp
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\12cec53.msp
+ 2010-05-03 20:27 . 2010-05-03 20:27 6825472 c:\windows\Installer\12cec50.msp
+ 2010-02-04 22:11 . 2010-02-04 22:11 5526528 c:\windows\Installer\12cec4d.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\12cec4a.msp
+ 2010-05-05 02:25 . 2010-05-05 02:25 7681024 c:\windows\Installer\12cec47.msp
+ 2010-07-01 02:52 . 2010-07-01 02:52 5522944 c:\windows\Installer\12cec44.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\12cec41.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-06-17 4112384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 2.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-11-10 114688]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 8:10 AM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:10]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:10]

2010-08-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-08-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nam3sghc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 23:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2772)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-08 23:30:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-09 03:30
ComboFix2.txt 2010-08-06 18:05

Pre-Run: 140,939,264 bytes free
Post-Run: 74,350,592 bytes free

- - End Of File - - AF710016ACD3C4B2600877B32CDDFED8
 

TSF Security Manager, Emeritus · 42,836 Posts
You're still infected and need to install an Anti Virus program. Download Avast Free AV
Install it, update definitions, and run a full system scan.

==============================

After you've done that, disable your AntiVirus and AntiSpyware applications as they will interfere with our tools. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
 

Registered · 34 Posts · Discussion Starter · #9
ComboFix 10-08-10.03 - Administrator 08/10/2010 17:19:04.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1554 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-08-10 19:35 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-10 19:35 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-10 19:35 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-10 19:35 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-10 19:35 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-10 19:35 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-10 19:35 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-10 19:35 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-10 19:35 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-10 19:28 . 2010-08-10 19:35 -------- d-----w- c:\program files\Alwil Software
2010-08-10 19:28 . 2010-08-10 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-31 18:44 . 2010-08-04 16:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-30 13:24 . 2010-07-31 18:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-07-27 00:15 . 2010-08-06 17:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-25 20:44 . 2010-07-25 20:44 452104 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.12\setup.exe
2010-07-14 20:51 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 19:37 . 2008-11-04 04:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-08-10 19:16 . 2009-11-10 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-06 08:41 . 2010-01-13 15:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 20:54 . 2010-01-28 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-05 20:45 . 2010-04-08 19:05 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-08-02 05:25 . 2010-06-03 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-30 20:47 . 2008-11-04 04:48 -------- d-----w- c:\program files\QuickTime
2010-07-20 16:53 . 2010-03-18 16:56 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-14 21:31 . 2010-06-04 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-14 21:31 . 2008-10-31 16:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-14 20:39 . 2009-01-08 01:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canon
2010-06-14 14:31 . 2002-08-29 10:41 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-04 19:53 . 2010-06-03 22:37 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 19:51 . 2010-06-04 19:52 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 19:51 . 2010-06-04 19:52 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-04 19:49 . 2010-06-04 19:49 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 19:48 . 2010-06-04 19:48 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
.
c:\program files\QuickTime\qttask   .exe
c:\windows\system32\rundll32 .exe
((((((((((((((((((((((((((((( [email protected]_18.02.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 04:02 . 2009-07-12 04:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-08-10 17:49 . 2010-08-10 17:49 16384 c:\windows\Temp\Perflib_Perfdata_6ac.dat
- 2008-10-29 21:50 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2008-10-29 21:50 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2010-08-10 19:35 . 2010-08-10 19:35 219648 c:\windows\Installer\5d92a3.msi
+ 2009-07-12 04:02 . 2009-07-12 04:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2002-08-29 10:41 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\e13c1a.msp
+ 2010-05-03 20:27 . 2010-05-03 20:27 6825472 c:\windows\Installer\e13c17.msp
+ 2010-02-04 22:11 . 2010-02-04 22:11 5526528 c:\windows\Installer\e13c14.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\e13c11.msp
+ 2010-05-05 02:25 . 2010-05-05 02:25 7681024 c:\windows\Installer\e13c0e.msp
+ 2010-07-01 02:52 . 2010-07-01 02:52 5522944 c:\windows\Installer\e13c0b.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\e13c08.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\b08eee.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\b08ee9.msp
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\afe6ee.msp
+ 2010-05-03 20:27 . 2010-05-03 20:27 6825472 c:\windows\Installer\afe6eb.msp
+ 2010-02-04 22:11 . 2010-02-04 22:11 5526528 c:\windows\Installer\afe6e8.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\afe6e5.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\afe6e2.msp
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\821773.msp
+ 2010-05-03 20:27 . 2010-05-03 20:27 6825472 c:\windows\Installer\821770.msp
+ 2010-02-04 22:11 . 2010-02-04 22:11 5526528 c:\windows\Installer\82176d.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\82176a.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\821767.msp
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\168fd41.msp
+ 2010-05-03 20:27 . 2010-05-03 20:27 6825472 c:\windows\Installer\168fd3e.msp
+ 2010-02-04 22:11 . 2010-02-04 22:11 5526528 c:\windows\Installer\168fd3b.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\168fd38.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\168fd35.msp
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\12cec53.msp
+ 2010-05-03 20:27 . 2010-05-03 20:27 6825472 c:\windows\Installer\12cec50.msp
+ 2010-02-04 22:11 . 2010-02-04 22:11 5526528 c:\windows\Installer\12cec4d.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\12cec4a.msp
+ 2010-05-05 02:25 . 2010-05-05 02:25 7681024 c:\windows\Installer\12cec47.msp
+ 2010-07-01 02:52 . 2010-07-01 02:52 5522944 c:\windows\Installer\12cec44.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\12cec41.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-06-17 4112384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 2.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-11-10 114688]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/10/2010 3:35 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/10/2010 3:35 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 8:10 AM 135664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMON2
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - AVAST!_ANTIVIRUS
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:10]

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:10]

2010-08-10 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-08-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nam3sghc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-10 17:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(352)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-08-10 17:25:49
ComboFix-quarantined-files.txt 2010-08-10 21:25
ComboFix2.txt 2010-08-09 03:30
ComboFix3.txt 2010-08-06 18:05

Pre-Run: 271,876,096 bytes free
Post-Run: 260,108,288 bytes free

- - End Of File - - B46DF4019744149E9CC5205E89C564D4


I was removing some programs to free up space to update definitions, and when I went to Add/Remove Programs Roxio Update Manager was still there, so I tried to remove it but again it said I had an invalid drive H. It doesn't affect me when I turn on the computer anymore because it doesn't pop up, but I was still a little worried because it is still there.
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Open notepad and copy/paste the text in the code box below into it:

Code:
File::
c:\program files\QuickTime\qttask   .exe
c:\windows\system32\rundll32 .exe
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, post the C:\ComboFix.txt

============================

Regarding Roxio Update Manager, download and install Revo Uninstaller Free Version and see if that takes care of it for you.
 

·
Registered
Joined
·
34 Posts
Discussion Starter · #11 ·
ComboFix 10-08-11.05 - Administrator 08/12/2010 12:27:24.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1605 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\QuickTime\qttask .exe"
"c:\windows\system32\rundll32 .exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\QuickTime\qttask .exe
c:\windows\system32\rundll32 .exe

.
((((((((((((((((((((((((( Files Created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))
.

2010-08-12 16:27 . 2010-08-12 16:27 -------- d-----w- c:\windows\LastGood
2010-08-10 19:35 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-10 19:35 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-10 19:35 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-10 19:35 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-10 19:35 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-10 19:35 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-10 19:35 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-10 19:35 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-10 19:35 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-10 19:28 . 2010-08-10 19:35 -------- d-----w- c:\program files\Alwil Software
2010-08-10 19:28 . 2010-08-10 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-31 18:44 . 2010-08-04 16:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-30 13:24 . 2010-07-31 18:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-07-27 00:15 . 2010-08-06 17:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-25 20:44 . 2010-07-25 20:44 452104 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.12\setup.exe
2010-07-14 20:51 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 16:32 . 2008-11-04 04:48 -------- d-----w- c:\program files\QuickTime
2010-08-10 19:37 . 2008-11-04 04:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-08-10 19:16 . 2009-11-10 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-06 08:41 . 2010-01-13 15:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 20:54 . 2010-01-28 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-05 20:45 . 2010-04-08 19:05 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-08-02 05:25 . 2010-06-03 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-20 16:53 . 2010-03-18 16:56 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-30 12:31 . 2002-08-29 10:41 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-23 13:44 . 2002-08-29 09:14 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03 . 2001-08-18 05:36 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 21:31 . 2010-06-04 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-14 21:31 . 2008-10-31 16:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-14 20:39 . 2009-01-08 01:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canon
2010-06-14 14:31 . 2002-08-29 10:41 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-04 19:53 . 2010-06-03 22:37 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 19:51 . 2010-06-04 19:52 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 19:51 . 2010-06-04 19:52 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-04 19:49 . 2010-06-04 19:49 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 19:48 . 2010-06-04 19:48 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
.

((((((((((((((((((((((((((((( SnapShot_2010-08-10_21.23.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-12 14:46 . 2010-08-12 14:46 16384 c:\windows\Temp\Perflib_Perfdata_3fc.dat
- 2010-06-12 05:53 . 2010-06-12 05:53 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2010-08-12 02:07 . 2010-08-12 02:07 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
- 2003-05-19 20:27 . 2010-06-12 14:49 1542320 c:\windows\system32\FNTCACHE.DAT
+ 2003-05-19 20:27 . 2010-08-12 14:44 1542320 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-29 20:57 . 2010-06-23 13:44 1851904 c:\windows\system32\dllcache\win32k.sys
- 2010-03-10 17:49 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2010-03-10 17:49 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\21812eb.msp
+ 2010-06-28 20:01 . 2010-06-28 20:01 7677952 c:\windows\Installer\21812e8.msp
+ 2010-02-04 22:11 . 2010-02-04 22:11 5526528 c:\windows\Installer\21812e5.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\21812e2.msp
+ 2010-06-29 02:53 . 2010-06-29 02:53 6819840 c:\windows\Installer\21812df.msp
+ 2010-07-26 21:02 . 2010-07-26 21:02 5519360 c:\windows\Installer\21812d8.msp
+ 2010-07-11 00:14 . 2010-07-11 00:14 2850816 c:\windows\Installer\21812d6.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\21812cd.msp
+ 2008-10-29 21:48 . 2010-08-03 18:09 35962312 c:\windows\system32\MRT.exe
+ 2010-05-19 17:08 . 2010-05-19 17:08 11408896 c:\windows\Installer\21812db.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-06-17 4112384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 2.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-11-10 114688]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/10/2010 3:35 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/10/2010 3:35 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 8:10 AM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:10]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:10]

2010-08-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-08-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nam3sghc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-12 12:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-08-12 12:35:34
ComboFix-quarantined-files.txt 2010-08-12 16:35
ComboFix2.txt 2010-08-10 21:25
ComboFix3.txt 2010-08-09 03:30
ComboFix4.txt 2010-08-06 18:05

Pre-Run: 164,884,480 bytes free
Post-Run: 203,026,432 bytes free

- - End Of File - - 8BF8720CFB09CF76B2910B67308414D8
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
How did the Revo Uninstaller work for you? Were you able to get rid of Roxio Update Manager?

It's important to run an online scan to search for remnants that may be lying about. Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
 

·
Registered
Joined
·
34 Posts
Discussion Starter · #13 ·
The first time I did the scanner it said error, and now when I try to redo the scan it says it's doing the initialization and it's at 52%. It stops at 52% and then says "Can not get update. Is proxy configured". Under that it says "ESET online scanner has already been run on this computer in the past. Only files necessary to update to the current version will be downloaded".

When doing the scan I unticked "Remove found threats". I then clicked advanced settings and "scan for potentially unwanted applications" was ticked, but "enable Anti-stealth technology" was also ticked. I disabled avast until my computer restarts, so I don't think that is the problem.

Regarding Revo, I did uninstall Roxio Update Manager. The problem that is still happening is that whenever I right click an icon on my desktop a screen comes up and says "please wait while windows configures Adobe Acrobat 8.1.4", then a screen comes up and says "error 1327. Invalid Drive: H:\". Every time I right click an icon it comes up to that.
 

·
Registered
Joined
·
34 Posts
Discussion Starter · #14 ·
Sorry, I forgot to mention that I did a search for ESET online scanner on my computer and this log file came up:

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=36887
esets_scanner_update returned -1 esets_gle=36887
esets_scanner_update returned -1 esets_gle=36887
esets_scanner_update returned -1 esets_gle=36887
esets_scanner_update returned -1 esets_gle=36887
esets_scanner_update returned -1 esets_gle=36887
 

TSF Security Manager, Emeritus
Regarding Revo, I did uninstall Roxio Update Manager. The problem that is still happening is that whenever I right-click an icon on my desktop a screen comes up and says "Please wait while Windows configures Adobe Acrobat 8.1.4", then a screen comes up and says "Error 1327. Invalid Drive: H:\". Every time I right-click an icon it comes up to that.
How did you first install Adobe Acrobat 8.1.4? Was it from a flash drive? What is typically your H:\ drive?

Try this online scanner:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
 

Discussion Starter · #16 ·
I tried to do the Kaspersky Online Scanner several times but it kept failing, saying I needed a stable internet connection. My internet connection never failed once. Regarding my drive H, I don't have one. I clicked My Computer and under Hard Disk Drives it said only Local Disk (C:). Another problem that keeps occurring, and I think it is because of the virus, is that it keeps saying I have no space on my Local Disk C. I have deleted numerous programs like Adobe and the only free disk space I have is 83.1 MB. This is a little weird because just 30 minutes ago it said I had 131 MB. I don't have any idea why it is like that.
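Since the machine has no H: drive, the usual cause of "Error 1327. Invalid Drive" is worth checking directly. The script below is an added example for this thread, not anything posted by the participants: it reads the Explorer shell-folder registry values that Windows Installer resolves during a configure step and reports any that still point at a drive letter the machine no longer has. That a stale reference in those keys is the documented cause of this error is a fact; whether it applies to this particular machine is an assumption, and the SAMPLE_VALUES / SAMPLE_DRIVES data used for the offline run are constructed.

```python
"""Added example (editor's note, not code from the thread): find the stale
drive letter behind Windows Installer's "Error 1327. Invalid Drive: H:\\".

Before a repair/configure run, Windows Installer resolves the folder paths
stored under Explorer's "Shell Folders" and "User Shell Folders" registry
keys; if one of them points at a drive letter that no longer exists (a
removed USB stick or an unmapped network share that used to be H:), the run
aborts with error 1327. The registry keys below are the standard Explorer
keys; that this particular machine matches that cause is an assumption.
SAMPLE_VALUES and SAMPLE_DRIVES are constructed to mirror the thread."""
import os
import re
import sys
from typing import Dict, Iterable, List, Tuple

# Registry keys Windows Installer consults for folder locations (hive, subkey).
SHELL_FOLDER_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"),
)
# A path that starts with a drive letter, e.g. "H:\My Documents" or "c:/x".
_DRIVE_RE = re.compile(r"^\s*([A-Za-z]):[\\/]")


def find_invalid_drive_refs(values: Dict[str, str],
                            existing_drives: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (value_name, raw_path, drive) for each value whose path starts
    with a drive letter absent from existing_drives ("C", "C:" or "C:\\").
    REG_EXPAND_SZ values such as %USERPROFILE%\\Desktop are expanded first
    (on Windows) so the drive they resolve to is checked; UNC and relative
    paths have no drive letter and are skipped."""
    present = {d.strip().upper().rstrip(":\\/") for d in existing_drives}
    offenders: List[Tuple[str, str, str]] = []
    for name, raw in values.items():
        match = _DRIVE_RE.match(os.path.expandvars(raw))
        if match and match.group(1).upper() not in present:
            offenders.append((name, raw, match.group(1).upper() + ":"))
    return offenders


def read_shell_folders() -> Dict[str, str]:
    """Read every string value under the shell-folder keys (Windows only)."""
    if sys.platform != "win32":
        raise OSError("registry access requires Windows")
    import winreg  # imported lazily so the module also loads elsewhere
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found: Dict[str, str] = {}
    for hive, subkey in SHELL_FOLDER_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except FileNotFoundError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                    break
                if isinstance(data, str):
                    found[f"{hive}\\{subkey}\\{name}"] = data
                index += 1
    return found


def existing_drives_windows() -> List[str]:
    """Drive letters that currently have a root directory (Windows only)."""
    return [f"{c}:" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if os.path.exists(f"{c}:\\")]


# Constructed sample mirroring the thread: the machine has only A:, C: and D:
# (the drives Kaspersky scanned), but one per-user folder still points at H:.
SAMPLE_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop":
        r"C:\Documents and Settings\Administrator\Desktop",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal":
        r"H:\My Documents",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents":
        r"C:\Documents and Settings\All Users\Documents",
}
SAMPLE_DRIVES = ["A:", "C:", "D:"]


def main() -> None:
    if sys.platform == "win32":
        values, drives = read_shell_folders(), existing_drives_windows()
    else:
        values, drives = SAMPLE_VALUES, SAMPLE_DRIVES
    for name, raw, drive in find_invalid_drive_refs(values, drives):
        print(f"{drive} does not exist: {name} = {raw}")


if __name__ == "__main__":
    main()
```

On the affected machine, run it as the account that sees the error; it only reads the registry and never writes to it. For each value it reports, either point the value at a folder on an existing drive, or recreate the missing letter temporarily with `subst H: C:\` from a command prompt, let the Acrobat configure step finish, and then drop the mapping with `subst H: /D`.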
 

Discussion Starter · #17 ·
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 18, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 18, 2010 08:15:14
Records in database: 4138402
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 142352
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 03:13:49


File name / Threat / Threats count
C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul Infected: Trojan-Spy.JS.Agent.a 1

Selected area has been scanned.


After a few tries it finally worked, and here is the report. There is only one threat and it is called Trojan-Spy.JS.Agent.a. The only 2 problems I seem to be having are the Acrobat one and that I think the virus is taking up a lot of space. I have deleted so many things but it says I have barely any free space on my local disk C.
 

TSF Security Manager, Emeritus
That particular extension did not show up in previous scans, which indicates to me that it is a new arrival.

Run ComboFix.exe again.

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on combofix.exe & follow the prompts. You will be prompted to update ComboFix - please allow it to do so.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
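The reasoning in the reply above (a finding that did not appear in earlier scans is a new arrival) is a diff between two reports. As an added example for this thread, not code from any participant or from Kaspersky, the script below parses a Kaspersky Online Scanner 7 text report into structured data, checks that the declared statistics match the listed findings (a truncated paste would not), and lists findings absent from an earlier report. Its format assumptions come only from the report posted above; SAMPLE_REPORT is an abbreviated copy of that report.

```python
"""Added example (editor's note, not code from the thread): parse a Kaspersky
Online Scanner 7 text report such as the one posted above, sanity-check it and
diff it against an earlier report. The format is inferred only from that report
(section headings, 'path Infected: name count' lines); SAMPLE_REPORT is an
abbreviated copy of it."""
import re
from typing import Any, Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    threat: str
    count: int


# Finding line: "<path> Infected: <threat name> <count>"
_FINDING_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
# Header / settings / statistics line: "<key>: <value>"
_KEY_VALUE_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>.+)$")


def parse_report(text: str) -> Dict[str, Any]:
    """Split the report into header, settings, scan_area, stats and findings.
    Section boundaries are the literal headings the scanner prints; a line
    that does not fit its section's pattern is ignored, not guessed at."""
    report: Dict[str, Any] = {"header": {}, "settings": {}, "scan_area": [],
                              "stats": {}, "findings": []}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line == "Scan settings:":
            section = "settings"
        elif line.startswith("Scan area"):
            section = "scan_area"
        elif line == "Scan statistics:":
            section = "stats"
        elif line.startswith("File name / Threat"):
            section = "findings"
        elif line == "Selected area has been scanned.":
            section = "done"
        elif section == "scan_area":
            report["scan_area"].append(line)
        elif section == "findings":
            hit = _FINDING_RE.match(line)
            if hit:
                report["findings"].append(Finding(hit["path"], hit["threat"], int(hit["count"])))
        elif section in ("header", "settings", "stats"):
            kv = _KEY_VALUE_RE.match(line)
            if kv:
                value = kv["value"]
                if section == "stats" and value.isdigit():  # counts become ints
                    value = int(value)
                report[section][kv["key"]] = value
    return report


def check_consistency(report: Dict[str, Any]) -> List[str]:
    """Flag a report whose declared count and listed findings disagree, which
    is what a truncated copy/paste into a forum post looks like."""
    declared = report["stats"].get("Infected objects found")
    listed = len(report["findings"])
    if declared is not None and declared != listed:
        return [f"report declares {declared} infected objects but lists {listed}"]
    return []


def new_findings(previous: Dict[str, Any], current: Dict[str, Any]) -> List[Finding]:
    """Findings in the current report that the previous one did not list
    (paths compared case-insensitively, as Windows does)."""
    seen = {(f.path.lower(), f.threat) for f in previous["findings"]}
    return [f for f in current["findings"] if (f.path.lower(), f.threat) not in seen]


# Abbreviated copy of the report posted in the thread (raw string, so the
# backslashes are literal).
SAMPLE_REPORT = r"""
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan area - My Computer:
A:\
C:\
D:\
Scan statistics:
Objects scanned: 142352
Threats found: 1
Infected objects found: 1
Scan duration: 03:13:49
File name / Threat / Threats count
C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul Infected: Trojan-Spy.JS.Agent.a 1
Selected area has been scanned.
"""
```

Feed `parse_report` the saved text report from two runs and pass both results to `new_findings`; an empty previous report makes every finding new, which is the situation the reply above describes. `check_consistency` is worth running on any report pasted into a thread before drawing conclusions from it.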
 

Discussion Starter · #19 ·
ComboFix 10-08-18.04 - Administrator 08/19/2010 21:01:38.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1573 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
.

2010-08-19 01:13 . 2010-08-19 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-08-19 01:13 . 2010-08-19 15:49 -------- d-----w- c:\program files\McAfee Security Scan
2010-08-16 05:28 . 2010-08-16 05:28 -------- d-----w- C:\636f054e8a09ffd597518c54
2010-08-13 20:29 . 2010-08-13 20:29 -------- d-----w- c:\program files\ESET
2010-08-13 20:23 . 2010-08-13 20:23 -------- d-----w- c:\program files\VS Revo Group
2010-08-13 05:11 . 2010-08-13 05:11 -------- d-----w- C:\3c338c4143b3e209eef585dc3e
2010-08-10 19:35 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-10 19:35 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-10 19:35 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-10 19:35 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-10 19:35 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-10 19:35 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-10 19:35 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-10 19:35 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-10 19:35 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-10 19:28 . 2010-08-10 19:35 -------- d-----w- c:\program files\Alwil Software
2010-08-10 19:28 . 2010-08-10 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-31 18:44 . 2010-08-04 16:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-30 13:24 . 2010-07-31 18:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-07-27 00:15 . 2010-08-06 17:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-25 20:44 . 2010-07-25 20:44 452104 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.12\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-13 20:52 . 2009-09-15 19:48 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-08-12 16:32 . 2008-11-04 04:48 -------- d-----w- c:\program files\QuickTime
2010-08-10 19:37 . 2008-11-04 04:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-08-10 19:16 . 2009-11-10 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-06 08:41 . 2010-01-13 15:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-05 20:54 . 2010-01-28 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-05 20:45 . 2010-04-08 19:05 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-08-02 05:25 . 2010-06-03 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-20 16:53 . 2010-03-18 16:56 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-30 12:31 . 2002-08-29 10:41 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2002-08-29 10:41 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2001-08-18 05:36 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2002-08-29 09:14 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2001-08-18 05:24 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2001-08-18 05:36 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2002-08-29 10:41 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-14 07:41 . 2002-08-29 10:41 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-04 19:53 . 2010-06-03 22:37 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 19:51 . 2010-06-04 19:52 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 19:51 . 2010-06-04 19:52 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-06-04 19:49 . 2010-06-04 19:49 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 19:48 . 2010-06-04 19:48 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
.

((((((((((((((((((((((((((((( SnapShot_2010-08-10_21.23.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-19 15:44 . 2010-08-19 15:44 16384 c:\windows\Temp\Perflib_Perfdata_2f0.dat
- 2002-08-29 10:41 . 2010-05-04 17:20 44544 c:\windows\system32\pngfilt.dll
+ 2002-08-29 10:41 . 2010-06-24 12:15 44544 c:\windows\system32\pngfilt.dll
+ 2007-08-13 23:54 . 2010-06-24 12:15 52224 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 23:54 . 2010-05-04 17:20 52224 c:\windows\system32\msfeedsbs.dll
+ 2001-08-18 05:36 . 2010-06-24 12:15 27648 c:\windows\system32\jsproxy.dll
- 2001-08-18 05:36 . 2010-05-04 17:20 27648 c:\windows\system32\jsproxy.dll
- 2007-08-13 23:39 . 2010-05-04 12:39 13824 c:\windows\system32\ieudinit.exe
+ 2007-08-13 23:39 . 2010-06-23 12:06 13824 c:\windows\system32\ieudinit.exe
+ 2001-08-18 05:36 . 2010-06-24 12:15 44544 c:\windows\system32\iernonce.dll
- 2001-08-18 05:36 . 2010-05-04 17:20 44544 c:\windows\system32\iernonce.dll
+ 2002-08-29 10:41 . 2010-06-23 12:06 70656 c:\windows\system32\ie4uinit.exe
- 2002-08-29 10:41 . 2010-05-04 12:39 70656 c:\windows\system32\ie4uinit.exe
- 2007-08-13 23:36 . 2010-05-04 17:20 63488 c:\windows\system32\icardie.dll
+ 2007-08-13 23:36 . 2010-06-24 12:15 63488 c:\windows\system32\icardie.dll
+ 2007-08-13 23:36 . 2010-06-24 12:15 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2007-08-13 23:36 . 2010-05-04 17:20 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2008-08-26 07:24 . 2010-06-24 12:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-08-26 07:24 . 2010-05-04 17:20 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2001-08-18 05:36 . 2010-05-04 17:20 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2001-08-18 05:36 . 2010-06-24 12:15 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2008-08-25 08:38 . 2010-05-04 12:39 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2008-08-25 08:38 . 2010-06-23 12:06 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2001-08-18 05:36 . 2010-06-24 12:15 44544 c:\windows\system32\dllcache\iernonce.dll
- 2001-08-18 05:36 . 2010-05-04 17:20 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2010-06-24 12:15 78336 c:\windows\system32\dllcache\ieencode.dll
- 2009-02-20 18:09 . 2010-05-04 17:20 78336 c:\windows\system32\dllcache\ieencode.dll
- 2007-08-13 23:39 . 2010-05-04 12:39 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-13 23:39 . 2010-06-23 12:06 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-08-26 07:24 . 2010-06-24 12:15 63488 c:\windows\system32\dllcache\icardie.dll
- 2008-08-26 07:24 . 2010-05-04 17:20 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-06-29 16:12 . 2010-06-24 12:15 17408 c:\windows\system32\dllcache\corpol.dll
- 2009-06-29 16:12 . 2010-05-04 17:20 17408 c:\windows\system32\dllcache\corpol.dll
+ 2010-08-12 02:07 . 2010-08-12 02:07 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2010-06-12 05:53 . 2010-06-12 05:53 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2010-08-17 18:10 . 2010-05-04 17:20 44544 c:\windows\ie7updates\KB2183461-IE7\pngfilt.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 52224 c:\windows\ie7updates\KB2183461-IE7\msfeedsbs.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 27648 c:\windows\ie7updates\KB2183461-IE7\jsproxy.dll
+ 2010-08-17 18:10 . 2010-05-04 12:39 13824 c:\windows\ie7updates\KB2183461-IE7\ieudinit.exe
+ 2010-08-17 18:10 . 2010-05-04 17:20 44544 c:\windows\ie7updates\KB2183461-IE7\iernonce.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 78336 c:\windows\ie7updates\KB2183461-IE7\ieencode.dll
+ 2010-08-17 18:10 . 2010-05-04 12:39 70656 c:\windows\ie7updates\KB2183461-IE7\ie4uinit.exe
+ 2010-08-17 18:10 . 2010-05-04 17:20 63488 c:\windows\ie7updates\KB2183461-IE7\icardie.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 17408 c:\windows\ie7updates\KB2183461-IE7\corpol.dll
- 2002-08-29 10:41 . 2010-05-04 17:20 233472 c:\windows\system32\webcheck.dll
+ 2002-08-29 10:41 . 2010-06-24 12:15 233472 c:\windows\system32\webcheck.dll
- 2002-08-29 10:41 . 2010-05-04 17:20 105984 c:\windows\system32\url.dll
+ 2002-08-29 10:41 . 2010-06-24 12:15 105984 c:\windows\system32\url.dll
- 2001-08-18 05:36 . 2010-05-04 17:20 102912 c:\windows\system32\occache.dll
+ 2001-08-18 05:36 . 2010-06-24 12:15 102912 c:\windows\system32\occache.dll
+ 2002-08-29 10:41 . 2010-06-24 12:15 671232 c:\windows\system32\mstime.dll
- 2002-08-29 10:41 . 2010-05-04 17:20 671232 c:\windows\system32\mstime.dll
- 2002-08-29 10:41 . 2010-05-04 17:20 193024 c:\windows\system32\msrating.dll
+ 2002-08-29 10:41 . 2010-06-24 12:15 193024 c:\windows\system32\msrating.dll
+ 2002-08-29 10:41 . 2010-06-24 12:15 477696 c:\windows\system32\mshtmled.dll
- 2002-08-29 10:41 . 2010-05-04 17:20 477696 c:\windows\system32\mshtmled.dll
+ 2007-08-13 23:54 . 2010-06-24 12:15 459264 c:\windows\system32\msfeeds.dll
- 2007-08-13 23:54 . 2010-05-04 17:20 459264 c:\windows\system32\msfeeds.dll
+ 2010-08-19 01:13 . 2010-08-19 01:13 232912 c:\windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe
+ 2010-08-19 01:13 . 2010-08-19 01:13 311760 c:\windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.dll
+ 2007-08-13 23:34 . 2010-06-24 12:15 268288 c:\windows\system32\iertutil.dll
- 2007-08-13 23:34 . 2010-05-04 17:20 268288 c:\windows\system32\iertutil.dll
+ 2002-08-29 10:40 . 2010-06-24 12:15 192512 c:\windows\system32\iepeers.dll
- 2002-08-29 10:40 . 2010-05-04 17:20 192512 c:\windows\system32\iepeers.dll
+ 2002-08-29 10:40 . 2010-06-24 12:15 385024 c:\windows\system32\iedkcs32.dll
- 2002-08-29 10:40 . 2010-05-04 17:20 385024 c:\windows\system32\iedkcs32.dll
- 2007-07-11 17:27 . 2010-05-04 17:20 380928 c:\windows\system32\ieapfltr.dll
+ 2007-07-11 17:27 . 2010-06-24 12:15 380928 c:\windows\system32\ieapfltr.dll
+ 2001-08-18 05:34 . 2010-06-17 15:11 161792 c:\windows\system32\ieakui.dll
- 2001-08-18 05:34 . 2010-04-16 11:43 161792 c:\windows\system32\ieakui.dll
+ 2002-08-29 10:40 . 2010-06-24 12:15 230400 c:\windows\system32\ieaksie.dll
- 2002-08-29 10:40 . 2010-05-04 17:20 230400 c:\windows\system32\ieaksie.dll
- 2002-08-29 10:40 . 2010-05-04 17:20 153088 c:\windows\system32\ieakeng.dll
+ 2002-08-29 10:40 . 2010-06-24 12:15 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 07:56 . 2010-06-24 12:15 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 07:56 . 2010-05-04 17:20 133120 c:\windows\system32\extmgr.dll
+ 2002-08-29 10:40 . 2010-06-24 12:15 214528 c:\windows\system32\dxtrans.dll
- 2002-08-29 10:40 . 2010-05-04 17:20 214528 c:\windows\system32\dxtrans.dll
- 2002-08-29 10:40 . 2010-05-04 17:20 347136 c:\windows\system32\dxtmsft.dll
+ 2002-08-29 10:40 . 2010-06-24 12:15 347136 c:\windows\system32\dxtmsft.dll
- 2007-08-13 23:54 . 2010-05-04 17:20 832512 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-13 23:54 . 2010-06-24 12:15 832512 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-13 23:54 . 2010-06-24 12:15 233472 c:\windows\system32\dllcache\webcheck.dll
- 2007-08-13 23:54 . 2010-05-04 17:20 233472 c:\windows\system32\dllcache\webcheck.dll
- 2007-08-13 23:44 . 2010-05-04 17:20 105984 c:\windows\system32\dllcache\url.dll
+ 2007-08-13 23:44 . 2010-06-24 12:15 105984 c:\windows\system32\dllcache\url.dll
+ 2008-10-29 20:57 . 2010-06-21 15:27 354304 c:\windows\system32\dllcache\srv.sys
+ 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
+ 2007-08-13 23:44 . 2010-06-24 12:15 102912 c:\windows\system32\dllcache\occache.dll
- 2007-08-13 23:44 . 2010-05-04 17:20 102912 c:\windows\system32\dllcache\occache.dll
+ 2002-08-29 10:41 . 2010-06-24 12:15 671232 c:\windows\system32\dllcache\mstime.dll
- 2002-08-29 10:41 . 2010-05-04 17:20 671232 c:\windows\system32\dllcache\mstime.dll
- 2007-08-13 23:44 . 2010-05-04 17:20 193024 c:\windows\system32\dllcache\msrating.dll
+ 2007-08-13 23:44 . 2010-06-24 12:15 193024 c:\windows\system32\dllcache\msrating.dll
- 2007-08-13 23:54 . 2010-05-04 17:20 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-08-13 23:54 . 2010-06-24 12:15 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2008-08-26 07:24 . 2010-06-24 12:15 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2008-08-26 07:24 . 2010-05-04 17:20 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2007-08-13 23:43 . 2010-04-16 11:43 634656 c:\windows\system32\dllcache\iexplore.exe
+ 2007-08-13 23:43 . 2010-06-17 15:12 634656 c:\windows\system32\dllcache\iexplore.exe
- 2008-08-26 07:24 . 2010-05-04 17:20 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2008-08-26 07:24 . 2010-06-24 12:15 268288 c:\windows\system32\dllcache\iertutil.dll
- 2007-08-13 23:54 . 2010-05-04 17:20 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-13 23:54 . 2010-06-24 12:15 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-13 23:39 . 2010-06-24 12:15 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-13 23:39 . 2010-05-04 17:20 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2008-08-26 07:24 . 2010-05-04 17:20 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-08-26 07:24 . 2010-06-24 12:15 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2001-08-18 05:34 . 2010-06-17 15:11 161792 c:\windows\system32\dllcache\ieakui.dll
- 2001-08-18 05:34 . 2010-04-16 11:43 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2002-08-29 10:40 . 2010-06-24 12:15 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2002-08-29 10:40 . 2010-05-04 17:20 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2002-08-29 10:40 . 2010-06-24 12:15 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2002-08-29 10:40 . 2010-05-04 17:20 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2007-08-13 23:54 . 2010-05-04 17:20 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2007-08-13 23:54 . 2010-06-24 12:15 133120 c:\windows\system32\dllcache\extmgr.dll
- 2007-08-13 23:35 . 2010-05-04 17:20 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2007-08-13 23:35 . 2010-06-24 12:15 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2007-08-13 23:35 . 2010-05-04 17:20 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2007-08-13 23:35 . 2010-06-24 12:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2007-08-13 23:39 . 2010-06-24 12:15 124928 c:\windows\system32\dllcache\advpack.dll
- 2007-08-13 23:39 . 2010-05-04 17:20 124928 c:\windows\system32\dllcache\advpack.dll
- 2002-08-29 10:40 . 2010-05-04 17:20 124928 c:\windows\system32\advpack.dll
+ 2002-08-29 10:40 . 2010-06-24 12:15 124928 c:\windows\system32\advpack.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 832512 c:\windows\ie7updates\KB2183461-IE7\wininet.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 233472 c:\windows\ie7updates\KB2183461-IE7\webcheck.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 105984 c:\windows\ie7updates\KB2183461-IE7\url.dll
+ 2010-08-17 18:10 . 2010-02-22 14:23 382840 c:\windows\ie7updates\KB2183461-IE7\spuninst\updspapi.dll
+ 2010-08-17 18:10 . 2010-02-22 14:23 231288 c:\windows\ie7updates\KB2183461-IE7\spuninst\spuninst.exe
+ 2010-08-17 18:10 . 2010-05-04 17:20 102912 c:\windows\ie7updates\KB2183461-IE7\occache.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 671232 c:\windows\ie7updates\KB2183461-IE7\mstime.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 193024 c:\windows\ie7updates\KB2183461-IE7\msrating.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 477696 c:\windows\ie7updates\KB2183461-IE7\mshtmled.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 459264 c:\windows\ie7updates\KB2183461-IE7\msfeeds.dll
+ 2010-08-17 18:10 . 2010-04-16 11:43 634656 c:\windows\ie7updates\KB2183461-IE7\iexplore.exe
+ 2010-08-17 18:10 . 2010-05-04 17:20 268288 c:\windows\ie7updates\KB2183461-IE7\iertutil.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 192512 c:\windows\ie7updates\KB2183461-IE7\iepeers.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 385024 c:\windows\ie7updates\KB2183461-IE7\iedkcs32.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 380928 c:\windows\ie7updates\KB2183461-IE7\ieapfltr.dll
+ 2010-08-17 18:10 . 2010-04-16 11:43 161792 c:\windows\ie7updates\KB2183461-IE7\ieakui.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 230400 c:\windows\ie7updates\KB2183461-IE7\ieaksie.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 153088 c:\windows\ie7updates\KB2183461-IE7\ieakeng.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 133120 c:\windows\ie7updates\KB2183461-IE7\extmgr.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 214528 c:\windows\ie7updates\KB2183461-IE7\dxtrans.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 347136 c:\windows\ie7updates\KB2183461-IE7\dxtmsft.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 124928 c:\windows\ie7updates\KB2183461-IE7\advpack.dll
- 2003-10-18 03:15 . 2010-05-04 17:20 1168384 c:\windows\system32\urlmon.dll
+ 2003-10-18 03:15 . 2010-06-24 12:15 1168384 c:\windows\system32\urlmon.dll
+ 2002-08-29 09:03 . 2010-04-28 02:25 2189952 c:\windows\system32\ntoskrnl.exe
- 2002-08-29 09:03 . 2010-02-17 13:10 2189952 c:\windows\system32\ntoskrnl.exe
- 2003-03-31 09:00 . 2010-02-16 13:25 2066816 c:\windows\system32\ntkrnlpa.exe
+ 2003-03-31 09:00 . 2010-04-27 13:05 2066816 c:\windows\system32\ntkrnlpa.exe
+ 2003-10-16 21:34 . 2010-06-24 12:15 3600896 c:\windows\system32\mshtml.dll
+ 2007-08-13 23:54 . 2010-06-24 12:15 6067200 c:\windows\system32\ieframe.dll
- 2007-08-13 23:54 . 2010-05-04 17:20 6067200 c:\windows\system32\ieframe.dll
- 2003-05-19 20:27 . 2010-06-12 14:49 1542320 c:\windows\system32\FNTCACHE.DAT
+ 2003-05-19 20:27 . 2010-08-12 14:44 1542320 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-29 20:57 . 2010-06-23 13:44 1851904 c:\windows\system32\dllcache\win32k.sys
- 2007-08-13 23:54 . 2010-05-04 17:20 1168384 c:\windows\system32\dllcache\urlmon.dll
+ 2007-08-13 23:54 . 2010-06-24 12:15 1168384 c:\windows\system32\dllcache\urlmon.dll
- 2008-10-29 20:57 . 2010-02-17 13:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-29 20:57 . 2010-04-28 02:25 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-29 20:57 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-29 20:57 . 2010-04-27 13:05 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-29 20:57 . 2010-04-27 13:05 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-29 20:57 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-29 20:57 . 2010-04-27 13:59 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-10-29 20:57 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-11-12 20:22 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2008-11-12 20:22 . 2010-06-14 07:41 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2007-08-13 23:54 . 2010-06-24 12:15 3600896 c:\windows\system32\dllcache\mshtml.dll
+ 2010-03-10 17:49 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2010-03-10 17:49 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2008-10-03 17:41 . 2010-05-04 17:20 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2008-10-03 17:41 . 2010-06-24 12:15 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2010-06-29 02:53 . 2010-06-29 02:53 6819840 c:\windows\Installer\f1a8.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\f1a5.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\9f025c.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\778ae9b.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\309a6.msp
+ 2010-06-29 02:53 . 2010-06-29 02:53 6819840 c:\windows\Installer\2b79f4f.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\2b79f48.msp
+ 2010-06-29 02:53 . 2010-06-29 02:53 6819840 c:\windows\Installer\2b235e0.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\2b235d9.msp
+ 2010-07-26 21:02 . 2010-07-26 21:02 5519360 c:\windows\Installer\27f031.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\27f02e.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\24137.msp
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\21812eb.msp
+ 2010-06-28 20:01 . 2010-06-28 20:01 7677952 c:\windows\Installer\21812e8.msp
+ 2010-02-04 22:11 . 2010-02-04 22:11 5526528 c:\windows\Installer\21812e5.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\21812e2.msp
+ 2010-06-29 02:53 . 2010-06-29 02:53 6819840 c:\windows\Installer\21812df.msp
+ 2010-07-26 21:02 . 2010-07-26 21:02 5519360 c:\windows\Installer\21812d8.msp
+ 2010-07-11 00:14 . 2010-07-11 00:14 2850816 c:\windows\Installer\21812d6.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\21812cd.msp
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\1a87506.msp
+ 2010-06-28 20:01 . 2010-06-28 20:01 7677952 c:\windows\Installer\1a87503.msp
+ 2010-05-03 20:11 . 2010-05-03 20:11 4149760 c:\windows\Installer\1a87500.msp
+ 2010-06-29 02:53 . 2010-06-29 02:53 6819840 c:\windows\Installer\1a874fd.msp
+ 2010-07-26 21:02 . 2010-07-26 21:02 5519360 c:\windows\Installer\1a874f6.msp
+ 2010-05-03 20:06 . 2010-05-03 20:06 5053952 c:\windows\Installer\1a874f3.msp
+ 2010-08-17 18:10 . 2010-05-04 17:20 1168384 c:\windows\ie7updates\KB2183461-IE7\urlmon.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 3600384 c:\windows\ie7updates\KB2183461-IE7\mshtml.dll
+ 2010-08-17 18:10 . 2010-05-04 17:20 6067200 c:\windows\ie7updates\KB2183461-IE7\ieframe.dll
- 2008-10-29 20:57 . 2010-02-17 13:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-29 20:57 . 2010-04-28 02:25 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-29 20:57 . 2010-04-27 13:05 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-29 20:57 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-29 20:57 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-29 20:57 . 2010-04-27 13:05 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-29 20:57 . 2010-04-27 13:59 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2008-10-29 20:57 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-29 21:48 . 2010-08-03 18:09 35962312 c:\windows\system32\MRT.exe
+ 2010-05-19 17:08 . 2010-05-19 17:08 11408896 c:\windows\Installer\9f025f.msp
+ 2010-05-19 17:08 . 2010-05-19 17:08 11408896 c:\windows\Installer\778ae9e.msp
+ 2010-05-19 17:08 . 2010-05-19 17:08 11408896 c:\windows\Installer\2b79f4b.msp
+ 2010-05-19 17:08 . 2010-05-19 17:08 11408896 c:\windows\Installer\2b235dc.msp
+ 2010-05-19 17:08 . 2010-05-19 17:08 11408896 c:\windows\Installer\27f034.msp
+ 2010-05-19 17:08 . 2010-05-19 17:08 11408896 c:\windows\Installer\21812db.msp
+ 2010-05-19 17:08 . 2010-05-19 17:08 11408896 c:\windows\Installer\1a874f9.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-06-17 4112384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/10/2010 3:35 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/10/2010 3:35 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 8:10 AM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-01-24 17:30 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:10]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:10]

2010-08-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-08-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-31 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nam3sghc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-19 21:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5120)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-08-19 21:13:08
ComboFix-quarantined-files.txt 2010-08-20 01:13
ComboFix2.txt 2010-08-12 16:35
ComboFix3.txt 2010-08-10 21:25
ComboFix4.txt 2010-08-09 03:30
ComboFix5.txt 2010-08-20 01:00

Pre-Run: 4,259,840 bytes free
Post-Run: 169,779,200 bytes free

- - End Of File - - 2964065C003B787B03054CC923F509A9
 

Discussion Starter · #20 ·
Sorry, I forgot to mention that in the middle of ComboFix this came up:

"PEV.cfexxe

PEV.cfxxe has encountered a problem and needs to close we are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost"
 