Solved: Malware on my computer...


carlsbiz1 (thread starter)
26-Oct-2010, 02:56 PM #16
"C:\ComboFix.txt"
Hello Byteman; I hope you had a good trip/vacation.

In reference to your question about Java, yes, I updated to Java per your recommendations.

I have also just deleted the Freeze program, and the FixCleaner registry scanner.

I have the combofix file below:


ComboFix 10-10-25.04 - Carl Babers 10/26/2010 13:39:09.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1214 [GMT -5:00]
Running from: c:\documents and settings\Carl Babers\Desktop\combat.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((( Files Created from 2010-09-26 to 2010-10-26 )))))))))))))))))))))))))))))))
.
2010-10-22 22:10 . 2010-10-22 22:10 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\AdobeUM
2010-10-22 22:07 . 2010-10-22 22:07 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-22 21:49 . 2010-10-22 21:49 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\ABBYY
2010-10-22 21:12 . 2010-10-22 21:12 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\ICS
2010-10-22 20:24 . 2010-10-22 20:24 -------- d-----w- c:\program files\Microsoft.NET
2010-10-22 20:21 . 2010-10-22 20:21 -------- d-----w- c:\windows\system32\URTTEMP
2010-10-22 18:43 . 2010-10-22 21:06 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\FixCleaner
2010-10-22 18:42 . 2010-10-26 17:41 -------- d-----w- c:\program files\FixCleaner
2010-10-22 16:20 . 2010-10-22 16:20 -------- d-----w- c:\windows\Sun
2010-10-22 16:19 . 2010-10-22 16:19 -------- d-----w- c:\program files\Common Files\Java
2010-10-22 16:18 . 2010-10-22 16:18 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-22 16:18 . 2010-10-22 16:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-22 16:18 . 2010-10-22 16:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-22 16:18 . 2010-10-22 16:18 -------- d-----w- c:\program files\Java
2010-10-22 14:39 . 2010-10-22 14:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-10-22 14:10 . 2010-10-22 14:10 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\Symantec
2010-10-19 15:19 . 2010-10-19 15:19 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Malwarebytes
2010-10-19 15:19 . 2010-10-19 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-17 12:00 . 2010-10-17 12:00 -------- d-----w- c:\program files\Microsoft Corporation
2010-10-17 12:00 . 2010-10-17 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\msat
2010-10-17 11:59 . 2010-10-17 11:59 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-10-17 11:59 . 2010-10-17 11:59 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-10-14 23:56 . 2010-10-14 23:56 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Tific
2010-10-13 01:56 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 01:56 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 01:50 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-13 01:04 . 2010-10-21 06:45 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\WMTools Downloaded Files
2010-10-11 19:59 . 2010-10-11 19:59 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Apple Computer
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
2010-10-11 16:42 . 2010-10-11 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\magicJack
2010-10-11 16:41 . 2010-10-11 17:12 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\magicJack
2010-10-09 00:42 . 2007-08-21 18:32 98304 ----a-w- c:\windows\system32\redmonnt.dll
2010-10-09 00:41 . 2010-10-09 00:41 -------- d-----w- c:\program files\Babylon
2010-10-07 03:49 . 2010-10-07 03:49 -------- d-----w- c:\program files\7-Zip
2010-10-07 01:59 . 2010-10-07 01:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-07 00:25 . 2010-10-24 18:22 -------- d-----w- c:\program files\CamStudio
2010-10-06 19:52 . 2010-10-06 19:52 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\YCanPDF
2010-10-06 19:52 . 2010-10-08 04:16 -------- dc----w- C:\output
2010-10-06 19:52 . 2010-10-06 19:52 -------- dc----w- C:\tmp
2010-10-06 19:51 . 2010-10-08 19:22 -------- dc----w- C:\PDF2JPG
2010-10-06 17:11 . 2010-10-06 17:11 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\skypePM
2010-10-06 17:10 . 2010-10-12 22:52 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Skype
2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----w- c:\program files\Common Files\Skype
2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----r- c:\program files\Skype
2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-10-05 22:11 . 2010-10-05 21:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-05 21:51 . 2010-10-05 21:51 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\MSNInstaller
2010-10-05 21:42 . 2010-10-05 21:42 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\ElevatedDiagnostics
2010-10-01 23:28 . 2010-10-01 23:28 19657194 -c--a-w- C:\vlc-1.1.4-win32.exe
2010-10-01 16:50 . 2010-10-01 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-10-01 16:50 . 2010-10-01 16:50 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Office Genuine Advantage
2010-10-01 00:45 . 2010-10-01 01:19 88 --sh--r- c:\documents and settings\All Users\Application Data\98C5D76418.sys
2010-10-01 00:45 . 2010-10-01 01:36 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-09-30 21:32 . 2010-09-30 21:32 -------- d-----w- c:\program files\Common Files\Apple
2010-09-30 21:31 . 2010-09-30 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-09-30 21:30 . 2010-09-30 21:30 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\Apple Computer
2010-09-30 21:22 . 2010-10-05 20:48 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Corel
2010-09-30 21:18 . 2010-10-05 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-09-30 21:16 . 2007-04-05 01:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-09-30 04:34 . 2010-09-30 05:13 -------- d-----w- c:\program files\Audacity
2010-09-29 15:20 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-09-29 15:20 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-09-28 16:21 . 2010-09-28 16:23 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Tidy Favorites Converter
2010-09-28 16:21 . 2010-09-28 16:21 -------- d-----w- c:\program files\Common Files\Tidy Favorites
2010-09-28 16:21 . 2010-09-28 16:21 -------- d-----w- c:\program files\Tidy Favorites Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 00:35 . 2008-10-01 00:35 65536 ----a-w- c:\windows\system32\camcodec.dll
2010-09-18 17:23 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 05:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 05:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-03-03 22:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-06 18:15 . 2010-09-06 18:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-09-06 18:15 . 2010-09-06 18:15 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-09-01 11:51 . 2004-08-04 05:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 05:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 05:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-08-15 18:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 19:46 . 2010-08-23 19:46 18944 ----a-r- c:\documents and settings\Carl Babers\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2010-08-23 16:12 . 2004-08-04 05:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 05:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20FEC4E7-F7B7-438B-8191-33D2EFC5EBEA}]
2010-08-23 19:44 646144 ----a-w- c:\program files\Shop to Win 2\ShoppingBHO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
2010-01-19 22:08 361592 ----a-w- c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-04 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 05:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dlbxcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Tidy Favorites Converter\\TidyFavoritesConverter.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Carl Babers\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [9/6/2010 9:50 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [9/6/2010 9:50 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [10/5/2010 8:57 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [9/6/2010 9:50 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [9/6/2010 9:50 PM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [9/6/2010 9:49 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/18/2010 10:09 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101025.001\IDSXpx86.sys [10/19/2010 3:36 PM 341880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2010 3:35 PM 136176]
S3 BroadCamService;BroadCam Video Streaming Server;c:\program files\NCH Software\BroadCam\broadcam.exe [9/9/2010 10:03 PM 1175556]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
2010-09-16 c:\windows\Tasks\broadcamShakeIcon.job
- c:\program files\NCH Software\BroadCam\broadcam.exe [2010-09-10 03:03]
2010-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 20:35]
2010-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 20:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0419
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0419
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {DC8DD02C-C44B-47EE-8558-F1C17307A79A} - c:\progra~1\COMMON~1\TIDYFA~1\AddToFav.dll
IE: {{E3CB497B-E230-4445-8B34-13476822F867} - {5AAF9669-C519-4AFF-BB6D-CCEE38D21C90} - c:\progra~1\COMMON~1\TIDYFA~1\OpenFav.dll
Trusted Zone: cnet.com\download
Trusted Zone: download.com
FF - ProfilePath - c:\documents and settings\Carl Babers\Application Data\Mozilla\Firefox\Profiles\sy51lr5x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: XULRunner: {C9A89DAC-4F33-4EFD-AB0F-AC4DE925F544} - c:\documents and settings\Carl Babers\Local Settings\Application Data\{C9A89DAC-4F33-4EFD-AB0F-AC4DE925F544}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-26 13:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1040)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'explorer.exe'(2404)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-26 14:05:52
ComboFix-quarantined-files.txt 2010-10-26 19:05
ComboFix2.txt 2010-10-26 18:28
Pre-Run: 44,312,186,880 bytes free
Post-Run: 44,304,228,352 bytes free
- - End Of File - - FCFC4508874E5E2739149C054EF2234A


I am also including a copy of my new HijackThis file in case you need it:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:30:17 PM, on 10/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\FixCleaner\FixCleaner.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carl Babers\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Freecause Shopping BHO - {20FEC4E7-F7B7-438B-8191-33D2EFC5EBEA} - C:\Program Files\Shop to Win 2\ShoppingBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: NetAssistantBHO - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to Favorites - {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - C:\PROGRA~1\COMMON~1\TIDYFA~1\AddToFav.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Open Tidy Favorites - {E3CB497B-E230-4445-8B34-13476822F867} - C:\PROGRA~1\COMMON~1\TIDYFA~1\OpenFav.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.cnet.com
O15 - Trusted Zone: *.download.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting Web Starter) - https://www2.gotomeeting.com/default...ts/g2mdlax.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BroadCam Video Streaming Server (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadcam.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 7904 bytes

Now, I'm in the process of running a full Norton scan to see what it shows about malware threats.
carlsbiz1 (thread starter)
26-Oct-2010, 05:01 PM #17
Mbam logs
Hey Byteman,
I ran the Norton scan, and it cleared out two infected items.

I also believe you mentioned that you needed the MBAM logs.

Just in case, here they are:


QUICK SCAN

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4954
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
10/26/2010 3:15:48 PM
mbam-log-2010-10-26 (15-15-48).txt
Scan type: Quick scan
Objects scanned: 134488
Time elapsed: 8 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


LONG SCAN:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4954
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
10/26/2010 4:12:35 PM
mbam-log-2010-10-26 (16-12-35).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 177784
Time elapsed: 51 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL.vir (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1574EE00-9D8C-43D3-8099-A9F3A27465A1}\RP5\A0001327.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

I also still have HijackThis; do I need to discard that?
Byteman (Bill), Moderator & Malware Removal Specialist
26-Oct-2010, 07:35 PM #18
Hi, good work. Your decision about keeping HJT: it's such a powerful utility, so if there is anyone around who could, out of curiosity, mess things up with it, please do uninstall or delete it.

Please UNinstall Shop2Win before you run the fix below.

Did you uninstall My Freeze after you ran ComboFix? And FixCleaner? It looks like there are some leftover folders.
It will not hurt to run the fix just to check for files etc.:


Open Notepad and copy and paste the text in the code box below into it starting with the word "File":

Code:
File::
c:\program files\Shop to Win 2\ShoppingBHO.dll
c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll
C:\Program Files\FixCleaner\FixCleaner.exe

Folder::
c:\documents and settings\Carl Babers\Application Data\FixCleaner
c:\program files\FixCleaner
c:\program files\Freeze.com\My.Freeze.com NetAssistant
c:\program files\Free Offers from Freeze.com
c:\program files\Shop to Win 2


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20FEC4E7-F7B7-438B-8191-33D2EFC5EBEA}]

Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe (you could restore it out of the Recycle Bin if it was put there, or just download a new one).

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

We need to remove all the old infected System Restore Points. In case you had to use Restore, you would only put back the malware you worked hard to remove.

Right-click My Computer and then open the System Restore tab at the top.

Take the check mark out of the box for drive C: and any others that are checked; we will put them back later.


When you see "Turned Off" instead of "Monitoring", close those windows. Restart. This removes all restore points.

After you are back and startup has finished:

Do the same steps; this time, put the check back into Drive C:. (I usually do not have Restore monitor a Recovery Partition, like a Dell or HP system may have; there is no need to.) Your mileage may vary.

When you see "Monitoring", you can close that up.

Go to Start button > Accessories > System Tools > System Restore

Click on "Create a new Restore Point", name the Point, and Windows will time and date it for you.

I usually use something like "After malware cleaned" for the Point.


If things stay good for the computer, OK, but don't hesitate to post back if something alerts about anything.
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it

Last edited by Byteman; 26-Oct-2010 at 08:30 PM..
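As an added example (my own code, not ComboFix's and not from this thread), here is a small Python checker that parses a CFScript like the one in the post above and flags entries that would do far more than remove a leftover PUP; the directive names and the `[-KEY]` delete syntax are my assumptions about the format.

```python
"""Added example (not ComboFix's code, not from this thread): check a CFScript.txt
before dragging it onto ComboFix. Directive names and the REGEDIT4-style [-KEY]
delete syntax are my assumptions about the format."""
import re
from dataclasses import dataclass, field

# Directives assumed to be accepted by ComboFix; anything else is reported.
KNOWN_SECTIONS = {"File", "Folder", "Registry", "Driver", "KillAll",
                  "DirLook", "Collect", "FCopy", "Firefox", "RegLock"}
# A Folder:: entry naming one of these roots would wipe the system, not a PUP.
PROTECTED_ROOTS = {"c:", "c:\\windows", "c:\\windows\\system32",
                   "c:\\program files", "c:\\documents and settings"}
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S")  # absolute Windows path
REG_KEY_RE = re.compile(
    r"^\[(?P<delete>-?)(?P<hive>HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU)\\(?P<path>.+)\]$")


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    registry: list = field(default_factory=list)  # (action, key) tuples
    problems: list = field(default_factory=list)  # syntax issues with line numbers


def parse_cfscript(text: str) -> CFScript:
    """Split the script into its ``Name::`` sections and classify each entry."""
    script, section = CFScript(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            if section not in KNOWN_SECTIONS:
                script.problems.append(f"line {lineno}: unknown directive {line}")
            continue
        if section is None:
            script.problems.append(f"line {lineno}: entry before any directive: {line}")
        elif section in ("File", "Folder"):
            if PATH_RE.match(line):
                (script.files if section == "File" else script.folders).append(line)
            else:
                script.problems.append(f"line {lineno}: not an absolute path: {line}")
        elif section == "Registry":
            km = REG_KEY_RE.match(line)
            if km:
                action = "delete_key" if km["delete"] else "key"
                script.registry.append((action, f"{km['hive']}\\{km['path']}"))
            else:
                script.problems.append(f"line {lineno}: malformed Registry:: line: {line}")
        # other known directives are accepted without further checks
    return script


def risky_entries(script: CFScript) -> list:
    """Entries a reviewer should look at twice: the script deletes what it lists."""
    warnings = []
    for folder in script.folders:
        if folder.rstrip("\\").lower() in PROTECTED_ROOTS:
            warnings.append(f"Folder:: would remove a system root: {folder}")
    for action, key in script.registry:
        # hive plus a single component, e.g. [-HKEY_LOCAL_MACHINE\SOFTWARE]
        if action == "delete_key" and len(key.split("\\")) <= 2:
            warnings.append(f"Registry:: deletes a top-level key: {key}")
    return warnings


# Excerpt of the fix script from the post above.
SAMPLE_SCRIPT = r"""File::
c:\program files\Shop to Win 2\ShoppingBHO.dll
C:\Program Files\FixCleaner\FixCleaner.exe

Folder::
c:\program files\FixCleaner
c:\program files\Shop to Win 2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
"""

# Constructed counter-example with the mistakes the checker is meant to catch.
RISKY_SCRIPT = r"""Folder::
c:\windows\system32
c:\program files\ExampleAdware

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE]
this line is not a registry entry
"""

if __name__ == "__main__":
    for text in (SAMPLE_SCRIPT, RISKY_SCRIPT):
        s = parse_cfscript(text)
        print(len(s.files), "files,", len(s.folders), "folders,", len(s.registry),
              "registry ops;", s.problems + risky_entries(s))
```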
carlsbiz1
Member with 27 posts.
THREAD STARTER
Join Date: Oct 2010
Location: New York
Experience: Beginner
27-Oct-2010, 05:58 PM #19
So far, so good Byteman.

In your prior post, you inquired as to whether I removed Shop to Win2, My Freeze and the other items. As far as I know, they are no longer in my lists of programs under Add/Remove Programs, so I assume they are. If they exist in my file registry or folders, I don't know, because I'm not sure how to access those. If you have instructions, I will gladly follow.

By the way, here are the log files for the ComboFix and HijackThis you instructed me to run:


ComboFix 10-10-26.04 - Carl Babers 10/27/2010 15:04:09.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1391 [GMT -5:00]
Running from: c:\documents and settings\Carl Babers\Desktop\Combat.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
.
2010-10-26 21:21 . 2010-10-26 21:38 -------- d-----w- c:\windows\system32\drivers\N360\0403000.005
2010-10-26 20:06 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 20:06 . 2010-10-26 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 20:06 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-22 22:10 . 2010-10-22 22:10 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\AdobeUM
2010-10-22 22:07 . 2010-10-22 22:07 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-22 21:49 . 2010-10-22 21:49 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\ABBYY
2010-10-22 21:12 . 2010-10-22 21:12 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\ICS
2010-10-22 20:24 . 2010-10-22 20:24 -------- d-----w- c:\program files\Microsoft.NET
2010-10-22 20:21 . 2010-10-22 20:21 -------- d-----w- c:\windows\system32\URTTEMP
2010-10-22 16:20 . 2010-10-22 16:20 -------- d-----w- c:\windows\Sun
2010-10-22 16:19 . 2010-10-22 16:19 -------- d-----w- c:\program files\Common Files\Java
2010-10-22 16:18 . 2010-10-22 16:18 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-22 16:18 . 2010-10-22 16:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-22 16:18 . 2010-10-22 16:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-22 16:18 . 2010-10-22 16:18 -------- d-----w- c:\program files\Java
2010-10-22 14:39 . 2010-10-22 14:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-10-22 14:10 . 2010-10-22 14:10 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\Symantec
2010-10-19 15:19 . 2010-10-19 15:19 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Malwarebytes
2010-10-19 15:19 . 2010-10-19 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-17 12:00 . 2010-10-17 12:00 -------- d-----w- c:\program files\Microsoft Corporation
2010-10-17 12:00 . 2010-10-17 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\msat
2010-10-17 11:59 . 2010-10-17 11:59 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-10-17 11:59 . 2010-10-17 11:59 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-10-14 23:56 . 2010-10-14 23:56 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Tific
2010-10-13 01:56 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 01:56 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 01:50 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-13 01:04 . 2010-10-21 06:45 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\WMTools Downloaded Files
2010-10-11 19:59 . 2010-10-11 19:59 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Apple Computer
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
2010-10-11 16:42 . 2010-10-11 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\magicJack
2010-10-11 16:41 . 2010-10-11 17:12 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\magicJack
2010-10-09 00:42 . 2007-08-21 18:32 98304 ----a-w- c:\windows\system32\redmonnt.dll
2010-10-09 00:41 . 2010-10-09 00:41 -------- d-----w- c:\program files\Babylon
2010-10-07 03:49 . 2010-10-07 03:49 -------- d-----w- c:\program files\7-Zip
2010-10-07 01:59 . 2010-10-07 01:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-07 00:25 . 2010-10-24 18:22 -------- d-----w- c:\program files\CamStudio
2010-10-06 19:52 . 2010-10-06 19:52 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\YCanPDF
2010-10-06 19:52 . 2010-10-08 04:16 -------- dc----w- C:\output
2010-10-06 19:52 . 2010-10-06 19:52 -------- dc----w- C:\tmp
2010-10-06 19:51 . 2010-10-08 19:22 -------- dc----w- C:\PDF2JPG
2010-10-06 17:11 . 2010-10-06 17:11 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\skypePM
2010-10-06 17:10 . 2010-10-12 22:52 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Skype
2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----w- c:\program files\Common Files\Skype
2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----r- c:\program files\Skype
2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-10-05 22:11 . 2010-10-05 21:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-05 21:51 . 2010-10-05 21:51 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\MSNInstaller
2010-10-05 21:42 . 2010-10-05 21:42 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\ElevatedDiagnostics
2010-10-01 23:28 . 2010-10-01 23:28 19657194 -c--a-w- C:\vlc-1.1.4-win32.exe
2010-10-01 16:50 . 2010-10-01 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-10-01 16:50 . 2010-10-01 16:50 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Office Genuine Advantage
2010-10-01 00:45 . 2010-10-01 01:19 88 --sh--r- c:\documents and settings\All Users\Application Data\98C5D76418.sys
2010-10-01 00:45 . 2010-10-01 01:36 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-09-30 21:32 . 2010-09-30 21:32 -------- d-----w- c:\program files\Common Files\Apple
2010-09-30 21:31 . 2010-09-30 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-09-30 21:30 . 2010-09-30 21:30 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\Apple Computer
2010-09-30 21:22 . 2010-10-05 20:48 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Corel
2010-09-30 21:18 . 2010-10-05 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2010-09-30 21:16 . 2007-04-05 01:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-09-30 04:34 . 2010-09-30 05:13 -------- d-----w- c:\program files\Audacity
2010-09-29 15:20 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-09-29 15:20 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-09-28 16:21 . 2010-09-28 16:23 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Tidy Favorites Converter
2010-09-28 16:21 . 2010-09-28 16:21 -------- d-----w- c:\program files\Common Files\Tidy Favorites
2010-09-28 16:21 . 2010-09-28 16:21 -------- d-----w- c:\program files\Tidy Favorites Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 00:35 . 2008-10-01 00:35 65536 ----a-w- c:\windows\system32\camcodec.dll
2010-09-18 17:23 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 05:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 05:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-03-03 22:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-06 18:15 . 2010-09-06 18:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-09-06 18:15 . 2010-09-06 18:15 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-09-01 11:51 . 2004-08-04 05:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 05:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 05:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-08-15 18:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 19:46 . 2010-08-23 19:46 18944 ----a-r- c:\documents and settings\Carl Babers\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2010-08-23 16:12 . 2004-08-04 05:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 05:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-10-26_18.19.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-27 17:37 . 2010-10-27 17:37 16384 c:\windows\Temp\Perflib_Perfdata_6e0.dat
+ 2010-10-27 17:39 . 2010-10-27 17:39 16384 c:\windows\Temp\Perflib_Perfdata_25c.dat
+ 2010-10-26 21:22 . 2010-04-22 02:29 43696 c:\windows\system32\drivers\N360\0403000.005\srtspx.sys
+ 2010-10-26 21:22 . 2010-05-06 04:01 339504 c:\windows\system32\drivers\N360\0403000.005\symtdiv.sys
+ 2010-10-26 21:22 . 2010-05-06 04:01 361904 c:\windows\system32\drivers\N360\0403000.005\symtdi.sys
+ 2010-10-26 21:22 . 2010-04-22 03:02 173104 c:\windows\system32\drivers\N360\0403000.005\symefa.sys
+ 2010-10-26 21:22 . 2009-10-15 03:50 328752 c:\windows\system32\drivers\N360\0403000.005\symds.sys
+ 2010-10-26 21:22 . 2010-04-22 02:29 325680 c:\windows\system32\drivers\N360\0403000.005\srtsp.sys
+ 2010-10-26 21:22 . 2010-04-29 05:03 116784 c:\windows\system32\drivers\N360\0403000.005\ironx86.sys
+ 2010-10-26 21:22 . 2010-02-26 00:22 501888 c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-04 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 05:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dlbxcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Tidy Favorites Converter\\TidyFavoritesConverter.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Carl Babers\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [10/26/2010 4:22 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [10/26/2010 4:22 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [10/5/2010 8:57 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [10/26/2010 4:22 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [10/26/2010 4:22 PM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [10/26/2010 4:21 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/18/2010 10:09 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101026.001\IDSXpx86.sys [10/19/2010 3:36 PM 341880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2010 3:35 PM 136176]
S3 BroadCamService;BroadCam Video Streaming Server;c:\program files\NCH Software\BroadCam\broadcam.exe [9/9/2010 10:03 PM 1175556]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
2010-09-16 c:\windows\Tasks\broadcamShakeIcon.job
- c:\program files\NCH Software\BroadCam\broadcam.exe [2010-09-10 03:03]
2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 20:35]
2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 20:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0419
IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0419
IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {DC8DD02C-C44B-47EE-8558-F1C17307A79A} - c:\progra~1\COMMON~1\TIDYFA~1\AddToFav.dll
IE: {{E3CB497B-E230-4445-8B34-13476822F867} - {5AAF9669-C519-4AFF-BB6D-CCEE38D21C90} - c:\progra~1\COMMON~1\TIDYFA~1\OpenFav.dll
Trusted Zone: cnet.com\download
Trusted Zone: download.com
FF - ProfilePath - c:\documents and settings\Carl Babers\Application Data\Mozilla\Firefox\Profiles\sy51lr5x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: XULRunner: {C9A89DAC-4F33-4EFD-AB0F-AC4DE925F544} - c:\documents and settings\Carl Babers\Local Settings\Application Data\{C9A89DAC-4F33-4EFD-AB0F-AC4DE925F544}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 15:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1028)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'explorer.exe'(3512)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-27 15:20:31
ComboFix-quarantined-files.txt 2010-10-27 20:20
ComboFix2.txt 2010-10-27 19:58
ComboFix3.txt 2010-10-26 19:05
ComboFix4.txt 2010-10-26 18:28
Pre-Run: 44,169,719,808 bytes free
Post-Run: 44,164,317,184 bytes free
- - End Of File - - 1029273B4365C016F0524279A0C28FDB




HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:30:14 PM, on 10/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Carl Babers\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to Favorites - {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - C:\PROGRA~1\COMMON~1\TIDYFA~1\AddToFav.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Open Tidy Favorites - {E3CB497B-E230-4445-8B34-13476822F867} - C:\PROGRA~1\COMMON~1\TIDYFA~1\OpenFav.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.cnet.com
O15 - Trusted Zone: *.download.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting Web Starter) - https://www2.gotomeeting.com/default...ts/g2mdlax.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: BroadCam Video Streaming Server (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadcam.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 7270 bytes

By the way, I didn't understand your response about whether I should keep HJT or not.
If it's beneficial, I have no problem keeping it.
Anyways, how do I avoid contracting malware in the future?
Byteman (Bill)
Moderator & Malware Removal Specialist with 17,409 posts.
Join Date: Jan 2002
Location: NY
27-Oct-2010, 08:36 PM #20
How did I get infected in the first place


HijackThis is not really beneficial; it does not protect the computer..... We advise that you do not use it to fix anything; it's for those who are trained to use it.

In the wrong hands it could create a disaster... if, for example, someone who visits you played around with HJT, they could easily make a bad mistake. It's best if you uninstall it; most likely you will find it in Add/Remove Programs.

If you really want to keep it do so.

About my last post with the question about whether you had uninstalled Freeze and FixCleaner BEFORE or AFTER you had posted your ComboFix log>>>


I asked you that because there were items in the CF log that should not have been there....

Which is why I posted the CFScript fix for you to do. I do not see the Freeze etc entries in this last CF log so all seems to be just fine. The script you dragged onto Combofix was to get rid of the leftover entries........I am not sure how but they are gone, so no need to worry.
carlsbiz1 carlsbiz1 is offline
Computer Specs
Member with 27 posts.
THREAD STARTER
 
Join Date: Oct 2010
Location: New York
Experience: Beginner
27-Oct-2010, 10:26 PM #21
Additional thanks
All I can say is that my computer is fine now, thanks to your diligent and kind efforts.

As a computer non-troubleshooter, this is a service I cannot thank you enough for!