
Malware on my computer...

Discussion in 'Virus & Other Malware Removal' started by carlsbiz1, Oct 14, 2010.

  1. carlsbiz1 (Thread Starter; joined Oct 14, 2010; 27 messages)
    Hello Byteman; I hope you had a good trip/vacation.

    In reference to your question about Java, yes, I updated Java per your recommendations.

    I have also just deleted the Freeze program, and the FixCleaner registry scanner.

    I have the combofix file below:


    ComboFix 10-10-25.04 - Carl Babers 10/26/2010 13:39:09.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1214 [GMT -5:00]
    Running from: c:\documents and settings\Carl Babers\Desktop\combat.exe
    AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    ((((((((((((((((((((((((( Files Created from 2010-09-26 to 2010-10-26 )))))))))))))))))))))))))))))))
    .
    2010-10-22 22:10 . 2010-10-22 22:10 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\AdobeUM
    2010-10-22 22:07 . 2010-10-22 22:07 -------- d-----w- c:\program files\Common Files\Adobe
    2010-10-22 21:49 . 2010-10-22 21:49 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\ABBYY
    2010-10-22 21:12 . 2010-10-22 21:12 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\ICS
    2010-10-22 20:24 . 2010-10-22 20:24 -------- d-----w- c:\program files\Microsoft.NET
    2010-10-22 20:21 . 2010-10-22 20:21 -------- d-----w- c:\windows\system32\URTTEMP
    2010-10-22 18:43 . 2010-10-22 21:06 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\FixCleaner
    2010-10-22 18:42 . 2010-10-26 17:41 -------- d-----w- c:\program files\FixCleaner
    2010-10-22 16:20 . 2010-10-22 16:20 -------- d-----w- c:\windows\Sun
    2010-10-22 16:19 . 2010-10-22 16:19 -------- d-----w- c:\program files\Common Files\Java
    2010-10-22 16:18 . 2010-10-22 16:18 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-10-22 16:18 . 2010-10-22 16:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-22 16:18 . 2010-10-22 16:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-22 16:18 . 2010-10-22 16:18 -------- d-----w- c:\program files\Java
    2010-10-22 14:39 . 2010-10-22 14:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
    2010-10-22 14:10 . 2010-10-22 14:10 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\Symantec
    2010-10-19 15:19 . 2010-10-19 15:19 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Malwarebytes
    2010-10-19 15:19 . 2010-10-19 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-17 12:00 . 2010-10-17 12:00 -------- d-----w- c:\program files\Microsoft Corporation
    2010-10-17 12:00 . 2010-10-17 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\msat
    2010-10-17 11:59 . 2010-10-17 11:59 -------- d-----w- c:\program files\Microsoft Synchronization Services
    2010-10-17 11:59 . 2010-10-17 11:59 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-10-14 23:56 . 2010-10-14 23:56 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Tific
    2010-10-13 01:56 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-13 01:56 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-13 01:50 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-13 01:04 . 2010-10-21 06:45 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\WMTools Downloaded Files
    2010-10-11 19:59 . 2010-10-11 19:59 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Apple Computer
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
    2010-10-11 16:42 . 2010-10-11 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\magicJack
    2010-10-11 16:41 . 2010-10-11 17:12 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\magicJack
    2010-10-09 00:42 . 2007-08-21 18:32 98304 ----a-w- c:\windows\system32\redmonnt.dll
    2010-10-09 00:41 . 2010-10-09 00:41 -------- d-----w- c:\program files\Babylon
    2010-10-07 03:49 . 2010-10-07 03:49 -------- d-----w- c:\program files\7-Zip
    2010-10-07 01:59 . 2010-10-07 01:59 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-07 00:25 . 2010-10-24 18:22 -------- d-----w- c:\program files\CamStudio
    2010-10-06 19:52 . 2010-10-06 19:52 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\YCanPDF
    2010-10-06 19:52 . 2010-10-08 04:16 -------- dc----w- C:\output
    2010-10-06 19:52 . 2010-10-06 19:52 -------- dc----w- C:\tmp
    2010-10-06 19:51 . 2010-10-08 19:22 -------- dc----w- C:\PDF2JPG
    2010-10-06 17:11 . 2010-10-06 17:11 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\skypePM
    2010-10-06 17:10 . 2010-10-12 22:52 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Skype
    2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----w- c:\program files\Common Files\Skype
    2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----r- c:\program files\Skype
    2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-10-05 22:11 . 2010-10-05 21:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-05 21:51 . 2010-10-05 21:51 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\MSNInstaller
    2010-10-05 21:42 . 2010-10-05 21:42 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\ElevatedDiagnostics
    2010-10-01 23:28 . 2010-10-01 23:28 19657194 -c--a-w- C:\vlc-1.1.4-win32.exe
    2010-10-01 16:50 . 2010-10-01 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-10-01 16:50 . 2010-10-01 16:50 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Office Genuine Advantage
    2010-10-01 00:45 . 2010-10-01 01:19 88 --sh--r- c:\documents and settings\All Users\Application Data\98C5D76418.sys
    2010-10-01 00:45 . 2010-10-01 01:36 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2010-09-30 21:32 . 2010-09-30 21:32 -------- d-----w- c:\program files\Common Files\Apple
    2010-09-30 21:31 . 2010-09-30 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-09-30 21:30 . 2010-09-30 21:30 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\Apple Computer
    2010-09-30 21:22 . 2010-10-05 20:48 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Corel
    2010-09-30 21:18 . 2010-10-05 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
    2010-09-30 21:16 . 2007-04-05 01:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
    2010-09-30 04:34 . 2010-09-30 05:13 -------- d-----w- c:\program files\Audacity
    2010-09-29 15:20 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-09-29 15:20 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-09-28 16:21 . 2010-09-28 16:23 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Tidy Favorites Converter
    2010-09-28 16:21 . 2010-09-28 16:21 -------- d-----w- c:\program files\Common Files\Tidy Favorites
    2010-09-28 16:21 . 2010-09-28 16:21 -------- d-----w- c:\program files\Tidy Favorites Converter
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-07 00:35 . 2008-10-01 00:35 65536 ----a-w- c:\windows\system32\camcodec.dll
    2010-09-18 17:23 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 05:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 05:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2006-03-03 22:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-06 18:15 . 2010-09-06 18:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-09-06 18:15 . 2010-09-06 18:15 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-09-01 11:51 . 2004-08-04 05:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-04 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2004-08-04 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-04 05:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2004-08-04 05:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-08-15 18:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 19:46 . 2010-08-23 19:46 18944 ----a-r- c:\documents and settings\Carl Babers\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
    2010-08-23 16:12 . 2004-08-04 05:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-08-04 05:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20FEC4E7-F7B7-438B-8191-33D2EFC5EBEA}]
    2010-08-23 19:44 646144 ----a-w- c:\program files\Shop to Win 2\ShoppingBHO.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
    2010-01-19 22:08 361592 ----a-w- c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-04 39408]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache"= 1 (0x1)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2005-07-23 05:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dlbxcoms.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Tidy Favorites Converter\\TidyFavoritesConverter.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Carl Babers\\Application Data\\mjusbsp\\magicJack.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
    "1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [9/6/2010 9:50 PM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [9/6/2010 9:50 PM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [10/5/2010 8:57 PM 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [9/6/2010 9:50 PM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [9/6/2010 9:50 PM 116784]
    R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [9/6/2010 9:49 PM 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/18/2010 10:09 AM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101025.001\IDSXpx86.sys [10/19/2010 3:36 PM 341880]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2010 3:35 PM 136176]
    S3 BroadCamService;BroadCam Video Streaming Server;c:\program files\NCH Software\BroadCam\broadcam.exe [9/9/2010 10:03 PM 1175556]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-09-16 c:\windows\Tasks\broadcamShakeIcon.job
    - c:\program files\NCH Software\BroadCam\broadcam.exe [2010-09-10 03:03]
    2010-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 20:35]
    2010-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 20:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0419
    IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0419
    IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {DC8DD02C-C44B-47EE-8558-F1C17307A79A} - c:\progra~1\COMMON~1\TIDYFA~1\AddToFav.dll
    IE: {{E3CB497B-E230-4445-8B34-13476822F867} - {5AAF9669-C519-4AFF-BB6D-CCEE38D21C90} - c:\progra~1\COMMON~1\TIDYFA~1\OpenFav.dll
    Trusted Zone: cnet.com\download
    Trusted Zone: download.com
    FF - ProfilePath - c:\documents and settings\Carl Babers\Application Data\Mozilla\Firefox\Profiles\sy51lr5x.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&q=
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: XULRunner: {C9A89DAC-4F33-4EFD-AB0F-AC4DE925F544} - c:\documents and settings\Carl Babers\Local Settings\Application Data\{C9A89DAC-4F33-4EFD-AB0F-AC4DE925F544}
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-26 13:55
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(1040)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    - - - - - - - > 'explorer.exe'(2404)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-10-26 14:05:52
    ComboFix-quarantined-files.txt 2010-10-26 19:05
    ComboFix2.txt 2010-10-26 18:28
    Pre-Run: 44,312,186,880 bytes free
    Post-Run: 44,304,228,352 bytes free
    - - End Of File - - FCFC4508874E5E2739149C054EF2234A


    I am also including a copy of my new HiJackThis file in case you need it:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:30:17 PM, on 10/26/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TechSmith\Jing\Jing.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Maxtor\Sync\SyncServices.exe
    C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
    C:\Program Files\FixCleaner\FixCleaner.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Carl Babers\Desktop\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Freecause Shopping BHO - {20FEC4E7-F7B7-438B-8191-33D2EFC5EBEA} - C:\Program Files\Shop to Win 2\ShoppingBHO.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: NetAssistantBHO - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Add to Favorites - {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - C:\PROGRA~1\COMMON~1\TIDYFA~1\AddToFav.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Open Tidy Favorites - {E3CB497B-E230-4445-8B34-13476822F867} - C:\PROGRA~1\COMMON~1\TIDYFA~1\OpenFav.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://download.cnet.com
    O15 - Trusted Zone: *.download.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting Web Starter) - https://www2.gotomeeting.com/default/applets/g2mdlax.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: BroadCam Video Streaming Server (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadcam.exe
    O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
    O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    --
    End of file - 7904 bytes

    Now, I'm in the process of running a full Norton scan to see what it shows about malware threats.
     
  2. carlsbiz1 (Thread Starter; joined Oct 14, 2010; 27 messages)
    Hey Byteman,
    I ran the Norton scan, and it cleared out two infected items.

    I also believe you mentioned that you needed the MBAM logs.

    Just in case, here they are:


    QUICK SCAN

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4954
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    10/26/2010 3:15:48 PM
    mbam-log-2010-10-26 (15-15-48).txt
    Scan type: Quick scan
    Objects scanned: 134488
    Time elapsed: 8 minute(s), 19 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)


    LONG SCAN:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4954
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    10/26/2010 4:12:35 PM
    mbam-log-2010-10-26 (16-12-35).txt
    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 177784
    Time elapsed: 51 minute(s), 18 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL.vir (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{1574EE00-9D8C-43D3-8099-A9F3A27465A1}\RP5\A0001327.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.

    I also still have HijackThis; do I need to discard that?
     
  3. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,727
    Hi, Good work. Your decision about keeping HJT: it's such a powerful utility that if there is anyone around who could, out of curiosity, mess things up with it, please do uninstall or delete it.

    Please UNinstall Shop2Win before you run the fix below.

    Did you uninstall My Freeze after you ran Combofix? And FixCleaner??? It looks like there are some leftover folders.
    It will not hurt to run the fix just to check for files, etc.:


    Open Notepad and copy and paste the text in the code box below into it starting with the word "File":

    Code:
    File::
    c:\program files\Shop to Win 2\ShoppingBHO.dll
    c:\program files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll
    C:\Program Files\FixCleaner\FixCleaner.exe
    
    Folder::
    c:\documents and settings\Carl Babers\Application Data\FixCleaner
    c:\program files\FixCleaner
    c:\program files\Freeze.com\My.Freeze.com NetAssistant
    c:\program files\Free Offers from Freeze.com
    c:\program files\Shop to Win 2
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20FEC4E7-F7B7-438B-8191-33D2EFC5EBEA}]
    
    Save the file to your desktop and name it CFScript.txt

    Referring to the picture below, drag CFScript.txt into ComboFix.exe (you could restore it out of the Recycle Bin if it was put there, or just download a new one)



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.






    We need to remove all the old infected System Restore Points. If you ever had to use Restore, you would only put back the malware you worked hard to remove.

    Right click My Computer and then open the System Restore tab at the top.

    Take the check mark out of the box for drive C: and any others that are checked. We will put them back later.


    When you see "Turned Off" instead of "Monitoring", close those windows. Restart. This removes all restore points.

    After you are back and startup has finished:

    Do the same steps; this time, put the check back into Drive C: (I usually do not have Restore monitor a Recovery Partition, like a Dell or HP system may have; no need to). Your mileage may vary.

    When you see "Monitoring" you can close that up.

    Go to Start button>Accessories>System Tools>System Restore

    Click on "Create a new Restore Point", name the Point, and Windows will time and date it for you.

    I usually use something like "After malware cleaned" for the Point.


    If things stay good for the computer, OK, but don't hesitate to post back if something alerts about anything.
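    As an added example (not part of the thread, and not code from Malwarebytes, HijackThis or ComboFix), here is a small Python triage script for the two log formats exchanged above: it classifies each Malwarebytes detection by where it was found, so quarantine and restore-point remnants like the two in the full scan are told apart from files in live locations, and it flags the HijackThis entry types a helper looks at first (orphan BHOs, Trusted Zone additions, services with an unknown owner, autoruns). The sample log text is constructed from the formats shown in the thread; the third MBAM path is a made-up placeholder standing in for a live detection.

```python
"""Triage helper for Malwarebytes (MBAM) and HijackThis logs like those posted in this thread.
Added example, not from the thread or from any of the tools; it works on saved log text."""
import re
from dataclasses import dataclass

# Places where a detection is a leftover copy rather than something the system can still load:
# ComboFix moves what it removes into C:\Qoobox\Quarantine, and System Restore keeps old copies
# under System Volume Information\_restore{...}. Hits there are why the thread purges restore
# points; a hit anywhere else still needs attention.
REMNANT_LOCATIONS = (
    (re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I), "combofix-quarantine"),
    (re.compile(r"^[a-z]:\\system volume information\\_restore\{", re.I), "restore-point"),
)
# Section headers look like "Files Infected:"; summary lines such as "Files Infected: 2" do not match.
MBAM_SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")
# Detection lines: <drive path> (<detection name>) -> <action taken>
MBAM_DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
HJT_ENTRY = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.+)$")  # "O2 - BHO: ...", "R1 - HKCU\..."


@dataclass
class Detection:
    path: str
    name: str
    action: str
    location: str  # "combofix-quarantine", "restore-point" or "live"


def classify_location(path: str) -> str:
    """Label a detected path as a known remnant location or as live."""
    for pattern, label in REMNANT_LOCATIONS:
        if pattern.search(path):
            return label
    return "live"


def parse_mbam(log: str) -> list[Detection]:
    """Return the file and folder detections listed in an MBAM scan log."""
    detections, section = [], None
    for raw in log.splitlines():
        line = raw.strip()
        header = MBAM_SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        hit = MBAM_DETECTION.match(line)
        if hit and section in ("Files Infected", "Folders Infected"):
            path = hit.group("path")
            detections.append(Detection(path, hit.group("name"), hit.group("action"),
                                        classify_location(path)))
    return detections


def summarize(detections: list[Detection]) -> dict[str, int]:
    """Count detections per location; anything under "live" deserves a closer look."""
    counts = {"live": 0, "combofix-quarantine": 0, "restore-point": 0}
    for d in detections:
        counts[d.location] += 1
    return counts


def triage_hijackthis(log: str) -> list[tuple[str, str]]:
    """Flag HijackThis lines a reviewer checks first, as (reason, entry) pairs."""
    flags = []
    for raw in log.splitlines():
        entry = HJT_ENTRY.match(raw.strip())
        if not entry:
            continue
        kind, body = entry.group("kind"), entry.group("body")
        if kind == "O2" and body.endswith("(no file)"):
            flags.append(("orphan-bho", body))             # BHO registration whose DLL is gone
        elif kind == "O4":
            flags.append(("autorun", body))                # runs at logon; confirm it is wanted
        elif kind == "O15":
            flags.append(("trusted-zone", body))           # site gets relaxed IE security settings
        elif kind == "O23" and "Unknown owner" in body:
            flags.append(("unknown-service-owner", body))  # service with no publisher recorded
    return flags


# Constructed sample logs in the formats shown in the thread. The first two MBAM hits mirror
# the thread's own; the third is a made-up path standing in for a detection in a live location.
SAMPLE_MBAM = r"""
Files Infected: 3
Registry Keys Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL.vir (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1574EE00-9D8C-43D3-8099-A9F3A27465A1}\RP5\A0001327.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\EXAMPLE\helper.dll (PUP.Example) -> Quarantined and deleted successfully.
"""
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O15 - Trusted Zone: *.download.com
O23 - Service: BroadCam Video Streaming Server (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadcam.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

if __name__ == "__main__":
    for d in parse_mbam(SAMPLE_MBAM):
        print(f"[{d.location}] {d.name}: {d.path}")
    for reason, body in triage_hijackthis(SAMPLE_HJT):
        print(f"[{reason}] {body}")
```

    Run against the saved mbam-log-*.txt and HijackThis log instead of the samples to get the same breakdown for a real machine.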
     
  4. carlsbiz1

    carlsbiz1 Thread Starter

    Joined:
    Oct 14, 2010
    Messages:
    27
    So far, so good Byteman.

    In your prior post, you inquired as to whether I removed Shop to Win2, My Freeze and the other items. As far as I know, they are no longer in my lists of programs under Add/Remove Programs, so I assume they are. If they exist in my file registry or folders, I don't know, because I'm not sure how to access those. If you have instructions, I will gladly follow.

    By the way, here are the log files for the ComboFix and HijackThis you instructed me to run:


    ComboFix 10-10-26.04 - Carl Babers 10/27/2010 15:04:09.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1391 [GMT -5:00]
    Running from: c:\documents and settings\Carl Babers\Desktop\Combat.exe
    AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    ((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
    .
    2010-10-26 21:21 . 2010-10-26 21:38 -------- d-----w- c:\windows\system32\drivers\N360\0403000.005
    2010-10-26 20:06 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-26 20:06 . 2010-10-26 20:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-26 20:06 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-22 22:10 . 2010-10-22 22:10 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\AdobeUM
    2010-10-22 22:07 . 2010-10-22 22:07 -------- d-----w- c:\program files\Common Files\Adobe
    2010-10-22 21:49 . 2010-10-22 21:49 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\ABBYY
    2010-10-22 21:12 . 2010-10-22 21:12 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\ICS
    2010-10-22 20:24 . 2010-10-22 20:24 -------- d-----w- c:\program files\Microsoft.NET
    2010-10-22 20:21 . 2010-10-22 20:21 -------- d-----w- c:\windows\system32\URTTEMP
    2010-10-22 16:20 . 2010-10-22 16:20 -------- d-----w- c:\windows\Sun
    2010-10-22 16:19 . 2010-10-22 16:19 -------- d-----w- c:\program files\Common Files\Java
    2010-10-22 16:18 . 2010-10-22 16:18 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-10-22 16:18 . 2010-10-22 16:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-22 16:18 . 2010-10-22 16:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-22 16:18 . 2010-10-22 16:18 -------- d-----w- c:\program files\Java
    2010-10-22 14:39 . 2010-10-22 14:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
    2010-10-22 14:10 . 2010-10-22 14:10 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\Symantec
    2010-10-19 15:19 . 2010-10-19 15:19 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Malwarebytes
    2010-10-19 15:19 . 2010-10-19 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-17 12:00 . 2010-10-17 12:00 -------- d-----w- c:\program files\Microsoft Corporation
    2010-10-17 12:00 . 2010-10-17 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\msat
    2010-10-17 11:59 . 2010-10-17 11:59 -------- d-----w- c:\program files\Microsoft Synchronization Services
    2010-10-17 11:59 . 2010-10-17 11:59 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-10-14 23:56 . 2010-10-14 23:56 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Tific
    2010-10-13 01:56 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-13 01:56 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-13 01:50 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-13 01:04 . 2010-10-21 06:45 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\WMTools Downloaded Files
    2010-10-11 19:59 . 2010-10-11 19:59 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Apple Computer
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
    2010-10-11 19:59 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
    2010-10-11 16:42 . 2010-10-11 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\magicJack
    2010-10-11 16:41 . 2010-10-11 17:12 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\magicJack
    2010-10-09 00:42 . 2007-08-21 18:32 98304 ----a-w- c:\windows\system32\redmonnt.dll
    2010-10-09 00:41 . 2010-10-09 00:41 -------- d-----w- c:\program files\Babylon
    2010-10-07 03:49 . 2010-10-07 03:49 -------- d-----w- c:\program files\7-Zip
    2010-10-07 01:59 . 2010-10-07 01:59 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-07 00:25 . 2010-10-24 18:22 -------- d-----w- c:\program files\CamStudio
    2010-10-06 19:52 . 2010-10-06 19:52 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\YCanPDF
    2010-10-06 19:52 . 2010-10-08 04:16 -------- dc----w- C:\output
    2010-10-06 19:52 . 2010-10-06 19:52 -------- dc----w- C:\tmp
    2010-10-06 19:51 . 2010-10-08 19:22 -------- dc----w- C:\PDF2JPG
    2010-10-06 17:11 . 2010-10-06 17:11 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\skypePM
    2010-10-06 17:10 . 2010-10-12 22:52 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Skype
    2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----w- c:\program files\Common Files\Skype
    2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----r- c:\program files\Skype
    2010-10-06 17:09 . 2010-10-06 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
    2010-10-05 22:11 . 2010-10-05 21:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-10-05 21:51 . 2010-10-05 21:51 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\MSNInstaller
    2010-10-05 21:42 . 2010-10-05 21:42 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\ElevatedDiagnostics
    2010-10-01 23:28 . 2010-10-01 23:28 19657194 -c--a-w- C:\vlc-1.1.4-win32.exe
    2010-10-01 16:50 . 2010-10-01 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-10-01 16:50 . 2010-10-01 16:50 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Office Genuine Advantage
    2010-10-01 00:45 . 2010-10-01 01:19 88 --sh--r- c:\documents and settings\All Users\Application Data\98C5D76418.sys
    2010-10-01 00:45 . 2010-10-01 01:36 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2010-09-30 21:33 . 2010-10-11 19:59 143360 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2010-09-30 21:32 . 2010-09-30 21:32 -------- d-----w- c:\program files\Common Files\Apple
    2010-09-30 21:31 . 2010-09-30 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-09-30 21:30 . 2010-09-30 21:30 -------- d-----w- c:\documents and settings\Carl Babers\Local Settings\Application Data\Apple Computer
    2010-09-30 21:22 . 2010-10-05 20:48 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Corel
    2010-09-30 21:18 . 2010-10-05 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
    2010-09-30 21:16 . 2007-04-05 01:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
    2010-09-30 04:34 . 2010-09-30 05:13 -------- d-----w- c:\program files\Audacity
    2010-09-29 15:20 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-09-29 15:20 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-09-28 16:21 . 2010-09-28 16:23 -------- d-----w- c:\documents and settings\Carl Babers\Application Data\Tidy Favorites Converter
    2010-09-28 16:21 . 2010-09-28 16:21 -------- d-----w- c:\program files\Common Files\Tidy Favorites
    2010-09-28 16:21 . 2010-09-28 16:21 -------- d-----w- c:\program files\Tidy Favorites Converter
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-07 00:35 . 2008-10-01 00:35 65536 ----a-w- c:\windows\system32\camcodec.dll
    2010-09-18 17:23 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-04 05:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 05:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 05:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2006-03-03 22:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-06 18:15 . 2010-09-06 18:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-09-06 18:15 . 2010-09-06 18:15 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-09-01 11:51 . 2004-08-04 05:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-04 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2004-08-04 05:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-04 05:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2004-08-04 05:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-08-15 18:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 19:46 . 2010-08-23 19:46 18944 ----a-r- c:\documents and settings\Carl Babers\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
    2010-08-23 16:12 . 2004-08-04 05:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2004-08-04 05:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-08-04 05:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-10-26_18.19.24 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-10-27 17:37 . 2010-10-27 17:37 16384 c:\windows\Temp\Perflib_Perfdata_6e0.dat
    + 2010-10-27 17:39 . 2010-10-27 17:39 16384 c:\windows\Temp\Perflib_Perfdata_25c.dat
    + 2010-10-26 21:22 . 2010-04-22 02:29 43696 c:\windows\system32\drivers\N360\0403000.005\srtspx.sys
    + 2010-10-26 21:22 . 2010-05-06 04:01 339504 c:\windows\system32\drivers\N360\0403000.005\symtdiv.sys
    + 2010-10-26 21:22 . 2010-05-06 04:01 361904 c:\windows\system32\drivers\N360\0403000.005\symtdi.sys
    + 2010-10-26 21:22 . 2010-04-22 03:02 173104 c:\windows\system32\drivers\N360\0403000.005\symefa.sys
    + 2010-10-26 21:22 . 2009-10-15 03:50 328752 c:\windows\system32\drivers\N360\0403000.005\symds.sys
    + 2010-10-26 21:22 . 2010-04-22 02:29 325680 c:\windows\system32\drivers\N360\0403000.005\srtsp.sys
    + 2010-10-26 21:22 . 2010-04-29 05:03 116784 c:\windows\system32\drivers\N360\0403000.005\ironx86.sys
    + 2010-10-26 21:22 . 2010-02-26 00:22 501888 c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-04 39408]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache"= 1 (0x1)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2005-07-23 05:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dlbxcoms.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Tidy Favorites Converter\\TidyFavoritesConverter.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Carl Babers\\Application Data\\mjusbsp\\magicJack.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
    "1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [10/26/2010 4:22 PM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [10/26/2010 4:22 PM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [10/5/2010 8:57 PM 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [10/26/2010 4:22 PM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [10/26/2010 4:22 PM 116784]
    R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [10/26/2010 4:21 PM 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/18/2010 10:09 AM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101026.001\IDSXpx86.sys [10/19/2010 3:36 PM 341880]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/4/2010 3:35 PM 136176]
    S3 BroadCamService;BroadCam Video Streaming Server;c:\program files\NCH Software\BroadCam\broadcam.exe [9/9/2010 10:03 PM 1175556]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-09-16 c:\windows\Tasks\broadcamShakeIcon.job
    - c:\program files\NCH Software\BroadCam\broadcam.exe [2010-09-10 03:03]
    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 20:35]
    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 20:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503}\lang0419
    IE: {{E3CB497B-E230-4445-8B34-13476822F867}\lang0419
    IE: {{9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - {DC8DD02C-C44B-47EE-8558-F1C17307A79A} - c:\progra~1\COMMON~1\TIDYFA~1\AddToFav.dll
    IE: {{E3CB497B-E230-4445-8B34-13476822F867} - {5AAF9669-C519-4AFF-BB6D-CCEE38D21C90} - c:\progra~1\COMMON~1\TIDYFA~1\OpenFav.dll
    Trusted Zone: cnet.com\download
    Trusted Zone: download.com
    FF - ProfilePath - c:\documents and settings\Carl Babers\Application Data\Mozilla\Firefox\Profiles\sy51lr5x.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&q=
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: XULRunner: {C9A89DAC-4F33-4EFD-AB0F-AC4DE925F544} - c:\documents and settings\Carl Babers\Local Settings\Application Data\{C9A89DAC-4F33-4EFD-AB0F-AC4DE925F544}
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-27 15:14
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(1028)
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    - - - - - - - > 'explorer.exe'(3512)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-10-27 15:20:31
    ComboFix-quarantined-files.txt 2010-10-27 20:20
    ComboFix2.txt 2010-10-27 19:58
    ComboFix3.txt 2010-10-26 19:05
    ComboFix4.txt 2010-10-26 18:28
    Pre-Run: 44,169,719,808 bytes free
    Post-Run: 44,164,317,184 bytes free
    - - End Of File - - 1029273B4365C016F0524279A0C28FDB




    HIJACKTHIS LOG

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:30:14 PM, on 10/27/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\TechSmith\Jing\Jing.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Maxtor\Sync\SyncServices.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Carl Babers\Desktop\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\IPSBHO.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Add to Favorites - {9BEF3FB8-E5E0-4494-BC59-7BAC1C9AD503} - C:\PROGRA~1\COMMON~1\TIDYFA~1\AddToFav.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Open Tidy Favorites - {E3CB497B-E230-4445-8B34-13476822F867} - C:\PROGRA~1\COMMON~1\TIDYFA~1\OpenFav.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://download.cnet.com
    O15 - Trusted Zone: *.download.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting Web Starter) - https://www2.gotomeeting.com/default/applets/g2mdlax.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: BroadCam Video Streaming Server (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadcam.exe
    O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
    O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    --
    End of file - 7270 bytes

    By the way, I didn't understand your response about whether I should keep HJT or not.
    If it's beneficial, I have no problem keeping it.
    Anyways, how do I avoid contracting malware in the future?
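A small triage helper for the HijackThis-style log format shown above, written for this page as an added example (it is not a tool from the thread, from HijackThis or from ComboFix). It parses the `Onn - Type: detail` line shape, counts entries per section, and picks out the lines a reviewer usually checks first: O15 Trusted Zone additions and O23 services whose binary reports no publisher. The review rules are generic heuristics, not verdicts; in this thread the helper responded that the log is clean, and a flagged line only means "confirm this was intended". The sample lines are copied from the log above; the O4 temp-directory rule is an assumption of this example.

```python
"""Triage helper for HijackThis-style log lines (added example for this page)."""
import re
from collections import Counter

# Common line shape in these logs: "O15 - Trusted Zone: http://example"
# group 1 = section id, group 2 = entry kind, group 3 = the rest of the line.
LINE_RE = re.compile(r"^\s*(O\d+)\s+-\s+([^:]+):\s*(.*)$")

# Sample input: lines taken from the log posted in the thread, plus the
# trailer lines, so the parser can be exercised offline.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll",
    r"O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe",
    r"O15 - Trusted Zone: http://download.cnet.com",
    r"O15 - Trusted Zone: *.download.com",
    r"O23 - Service: BroadCam Video Streaming Server (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadcam.exe",
    r"O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe",
    r"--",
    r"End of file - 7270 bytes",
])

# Heuristic (assumption of this example): autoruns launched from a temp
# directory deserve a second look.
TEMP_DIR_RE = re.compile(r"\\(Temp|Local Settings\\Temp)\\", re.IGNORECASE)


def parse_line(line):
    """Return {'section', 'kind', 'detail'} for an O-entry, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"section": m.group(1), "kind": m.group(2).strip(), "detail": m.group(3).strip()}


def parse_log(text):
    """Parse every O-entry in a log; trailer lines such as 'End of file' are skipped."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def section_counts(entries):
    """Number of entries per section id, e.g. {'O15': 2, 'O23': 2}."""
    return dict(Counter(e["section"] for e in entries))


def review_items(entries):
    """Entries a reviewer would check first, each paired with the reason."""
    flagged = []
    for e in entries:
        if e["section"] == "O15":
            flagged.append((e, "site added to the IE Trusted Zone: confirm it was intentional"))
        elif e["section"] == "O23" and "Unknown owner" in e["detail"]:
            flagged.append((e, "service binary reports no publisher: verify where it came from"))
        elif e["section"] == "O4" and TEMP_DIR_RE.search(e["detail"]):
            flagged.append((e, "autorun entry launched from a temporary directory"))
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("entries per section:", section_counts(parsed))
    for entry, reason in review_items(parsed):
        print(f"{entry['section']} {entry['kind']}: {entry['detail']}\n    -> {reason}")
```

Run it as a script to see the per-section summary and the flagged lines; `parse_log` accepts the full text of a saved log, so the same functions work on a real file read with `open(path).read()`.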
     
  5. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,727
    How did I get infected in the first place


    Hijackthis is not really beneficial, it does not protect the computer... we advise that you do not use it to fix anything, it's for those who are trained to use it.

    In the wrong hands it could create a disaster... if for example someone who visits you played around with HJT they could easily make a bad mistake. It's best if you uninstall it, most likely you will find it in Add/Remove Programs.

    If you really want to keep it do so.

    About my last post with the question about whether you had uninstalled Freeze and FixCleaner BEFORE or AFTER you had posted your ComboFix log>>>


    I asked you that because there were items in the CF log that should not have been there....

    Which is why I posted the CFScript fix for you to do. I do not see the Freeze etc. entries in this last CF log so all seems to be just fine. The script you dragged onto Combofix was to get rid of the leftover entries... I am not sure how but they are gone, so no need to worry.
     
  6. carlsbiz1

    carlsbiz1 Thread Starter

    Joined:
    Oct 14, 2010
    Messages:
    27
    All I can say is that my computer is fine now, thanks to your diligent and kind efforts.

    As a computer non-troubleshooter, this is a service I cannot thank you enough for!
     
Short URL to this thread: https://techguy.org/956247