
Malwarebytes

Possibly infected with file patching virus


19 replies to this topic

#1
Alberta

    New Member

  • Members
  • 11 posts
I made a post a week ago but I'm still dealing with the same problem. I ran CureIt and ComboFix. ComboFix doesn't stay on my computer because it says I have a virut. Can anyone advise me what to do? Thanks.

CureIt log

tmp0050007b;C:\Documents and Settings\Alberta\Local Settings\Temp\tmp000004db;Adware.MyWay;;
971968899.exe;C:\Documents and Settings\LocalService\Application Data;Trojan.Click.origin;Incurable.Moved.;
GTDownDE_87.ocx;C:\i386;Adware.Gdown;;
NetClose.dll;C:\Program Files\DellSupport\GTCoach\dlls\main;Trojan.PWS.Wsgame.origin;Incurable.Moved.;
A0156951.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1274;Trojan.Click.origin;Incurable.Moved.;
A0157968.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1274;Trojan.Click.origin;Incurable.Moved.;
A0158980.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1275;Trojan.Click.origin;Incurable.Moved.;
A0160020.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1275;Trojan.Click.origin;Incurable.Moved.;
A0160051.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1275;Trojan.Click.origin;Incurable.Moved.;
A0161061.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1275;Trojan.Click.origin;Incurable.Moved.;
A0169152.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1302;Probably BATCH.Virus;;
A0169215.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1302;Probably BATCH.Virus;;
A0169257.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1302;Trojan.Click.origin;Incurable.Moved.;
A0169260.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1302;Trojan.PWS.Wsgame.origin;Incurable.Moved.;

====================
Malwarebytes log

Malwarebytes' Anti-Malware 1.36
Database version: 2154
Windows 5.1.2600 Service Pack 3

5/19/2009 8:49:30 PM
mbam-log-2009-05-19 (20-49-30).txt

Scan type: Quick Scan
Objects scanned: 107307
Time elapsed: 10 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

====================

#2
Alberta

    New Member

  • Members
  • 11 posts
Hello. I still need help with this issue. I need advice on how to proceed. Thanks.

#3
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Quote

because it says I have a virut.
Then it's unfortunately a game-over situation.

You may want to read this to see why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and restore them afterwards, they will infect your computer again.


Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
Mieke Verburgh
Assistant Director of Research


#4
Alberta

    New Member

  • Members
  • 11 posts
Hello:

I actually used Trend Micro HouseCall before I read your post. It seemed to cure a few more things than Dr. Web CureIt. I did take your advice and backed up everything. But I also decided to give ComboFix another try and it worked. Here is the log. Do you still think it's a lost cause?

==========================================================================

ComboFix 09-05-22.04 - Alberta 05/22/2009 16:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.233 [GMT -4:00]
Running from: c:\documents and settings\Alberta\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\Tasks\jvqfqzag.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ashevtsvc
-------\Legacy_new_drv
-------\Legacy_systemntmi


((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-22 17:44 . 2009-05-22 17:44 -------- d-----w c:\windows\system32\Service
2009-05-22 11:06 . 2009-05-22 11:06 -------- d-sh--w c:\documents and settings\Ikenna\IETldCache
2009-05-22 02:19 . 2009-05-22 02:19 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-22 01:29 . 2009-05-22 03:04 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-22 01:29 . 2009-05-22 03:04 -------- d-----w c:\program files\NOS
2009-05-21 23:21 . 2009-05-22 15:59 992 ----a-w c:\windows\system32\d3d8caps.dat
2009-05-21 21:21 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-05-21 21:21 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-05-21 21:19 . 2009-05-21 21:35 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-05-21 21:18 . 2009-05-21 21:21 -------- d-----w c:\program files\Trend Micro
2009-05-21 21:17 . 2009-05-21 21:17 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-05-21 21:17 . 2009-05-21 21:17 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-05-21 21:17 . 2009-05-21 21:17 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-05-21 21:17 . 2009-05-21 21:17 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-05-21 21:17 . 2009-05-21 21:17 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-05-21 20:45 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-05-21 20:41 . 2009-05-21 20:45 -------- d-----w c:\documents and settings\Alberta\.housecall6.6
2009-05-21 19:54 . 2009-05-21 19:54 57344 ----a-w c:\documents and settings\Alberta\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-2371c289-n\Decora-SSE.dll
2009-05-21 19:54 . 2009-05-21 19:54 24064 ----a-w c:\documents and settings\Alberta\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-67ef44eb-n\Decora-D3D.dll
2009-05-21 19:54 . 2009-05-21 19:54 315392 ----a-w c:\documents and settings\Alberta\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-6fd5189f-n\jogl.dll
2009-05-21 19:54 . 2009-05-21 19:54 20480 ----a-w c:\documents and settings\Alberta\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-6fd5189f-n\jogl_awt.dll
2009-05-21 19:54 . 2009-05-21 19:54 114688 ----a-w c:\documents and settings\Alberta\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-6fd5189f-n\jogl_cg.dll
2009-05-21 19:54 . 2009-05-21 19:54 20480 ----a-w c:\documents and settings\Alberta\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-4851f171-n\gluegen-rt.dll
2009-05-21 19:54 . 2009-05-21 19:54 499712 ----a-w c:\documents and settings\Alberta\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-193b273f-n\msvcp71.dll
2009-05-21 19:54 . 2009-05-21 19:54 499712 ----a-w c:\documents and settings\Alberta\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-193b273f-n\jmc.dll
2009-05-21 19:54 . 2009-05-21 19:54 348160 ----a-w c:\documents and settings\Alberta\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-193b273f-n\msvcr71.dll
2009-05-19 16:29 . 2009-05-19 16:30 -------- d-----w c:\program files\RealArcade
2009-05-19 16:13 . 2009-05-19 16:13 -------- d-----w c:\program files\iPod
2009-05-19 16:12 . 2009-05-19 16:14 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-19 16:12 . 2009-05-19 16:14 -------- d-----w c:\program files\iTunes
2009-05-19 16:10 . 2009-05-19 16:10 -------- d-----w c:\program files\Bonjour
2009-05-19 16:08 . 2009-05-19 16:09 -------- d-----w c:\program files\QuickTime
2009-05-19 15:59 . 2009-05-19 15:59 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-18 15:33 . 2009-05-18 15:33 -------- d-sh--w c:\documents and settings\Alberta\PrivacIE
2009-05-18 12:51 . 2009-05-18 12:51 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-18 11:52 . 2009-05-18 11:52 -------- d-sh--w c:\documents and settings\Alberta\IETldCache
2009-05-18 11:46 . 2009-05-18 11:47 -------- dc-h--w c:\windows\ie8
2009-05-04 21:21 . 2009-05-04 21:21 -------- d-----w c:\documents and settings\Alberta\DoctorWeb
2009-05-01 08:29 . 2009-05-01 08:26 816392 ----a-w c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 19:19 . 2007-11-30 20:26 -------- d-----w c:\program files\DYMO Label
2009-05-22 14:24 . 2007-02-25 01:40 3185 ----a-w c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2009-05-21 19:53 . 2008-12-29 12:49 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-21 19:52 . 2009-04-20 11:37 152576 ----a-w c:\documents and settings\Alberta\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-21 03:42 . 2007-12-19 18:15 -------- d-----w c:\documents and settings\Alberta\Application Data\FileZilla
2009-05-19 17:19 . 2005-06-04 16:57 -------- d-----w c:\program files\Java
2009-05-19 16:42 . 2005-06-04 17:16 -------- d-----w c:\program files\Real
2009-05-19 16:42 . 2005-06-04 17:16 -------- d-----w c:\program files\Common Files\Real
2009-05-19 16:13 . 2008-09-12 03:09 -------- d-----w c:\program files\Common Files\Apple
2009-05-19 15:52 . 2008-06-19 17:56 -------- d-----w c:\program files\Safari
2009-05-19 15:47 . 2005-06-08 14:51 -------- d-----w c:\documents and settings\Alberta\Application Data\AdobeUM
2009-05-19 04:18 . 2007-08-15 22:24 -------- d-----w c:\documents and settings\Alberta\Application Data\gtk-2.0
2009-05-15 20:18 . 2007-05-19 19:24 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-14 13:29 . 2008-04-28 21:32 -------- d-----w c:\documents and settings\Ikenna\Application Data\StumbleUpon
2009-05-01 04:55 . 2008-01-23 05:56 -------- d-----w c:\program files\RssReader
2009-04-28 13:17 . 2008-11-14 19:07 -------- d-----w c:\program files\FileZilla FTP Client
2009-04-25 03:56 . 2005-12-26 02:27 -------- d-----w c:\program files\Citrix
2009-04-25 03:54 . 2006-01-24 01:46 -------- d-----w c:\program files\TurboTax
2009-04-25 03:51 . 2006-02-13 23:54 -------- d-----w c:\program files\ItsDeductible2005
2009-04-15 19:44 . 2009-02-07 01:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 19:43 . 2009-04-15 19:43 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-15 04:04 . 2009-04-08 10:17 0 ----a-w c:\windows\Hjolitamagab.bin
2009-04-15 02:34 . 2009-04-08 10:16 408 ----a-w c:\windows\Vmayunazilek.dat
2009-04-13 16:31 . 2009-04-13 16:31 0 ----a-w c:\windows\Hjolitamagab.binHjolitamagab.bin
2009-04-07 11:53 . 2009-04-07 11:53 -------- d-----w c:\documents and settings\Ikenna\Application Data\Malwarebytes
2009-04-06 19:32 . 2009-02-07 01:13 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-07 01:14 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 02:37 . 2009-03-26 02:37 57344 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-1739d940-n\Decora-SSE.dll
2009-03-26 02:37 . 2009-03-26 02:37 24064 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-5f730869-n\Decora-D3D.dll
2009-03-26 02:37 . 2009-03-26 02:37 499712 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-56ed7ead-n\msvcp71.dll
2009-03-26 02:37 . 2009-03-26 02:37 499712 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-56ed7ead-n\jmc.dll
2009-03-26 02:37 . 2009-03-26 02:37 348160 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-56ed7ead-n\msvcr71.dll
2009-03-26 02:36 . 2009-03-26 02:36 57344 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\37\3976f065-3d1426fa-n\Decora-SSE.dll
2009-03-26 02:36 . 2009-03-26 02:36 24064 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\37\2c4a0065-2b85dc2e-n\Decora-D3D.dll
2009-03-26 02:36 . 2009-03-26 02:36 315392 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-35bb2409-n\jogl.dll
2009-03-26 02:36 . 2009-03-26 02:36 20480 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-35bb2409-n\jogl_awt.dll
2009-03-26 02:36 . 2009-03-26 02:36 114688 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-35bb2409-n\jogl_cg.dll
2009-03-26 02:36 . 2009-03-26 02:36 20480 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-2a1b3bdf-n\gluegen-rt.dll
2009-03-26 02:36 . 2009-03-26 02:36 348160 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-319f8e1e-n\msvcr71.dll
2009-03-26 02:36 . 2009-03-26 02:36 503808 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-319f8e1e-n\msvcp71.dll
2009-03-26 02:36 . 2009-03-26 02:36 499712 ----a-w c:\documents and settings\Ikenna\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-319f8e1e-n\jmc.dll
2009-03-26 02:31 . 2005-06-11 20:39 115536 -c--a-w c:\documents and settings\Ikenna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-22 11:23 . 2005-06-08 15:55 115536 -c--a-w c:\documents and settings\Alberta\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2008-09-12 03:14 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 08:34 . 2004-08-10 17:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-10 17:51 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-10 17:50 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-10 17:51 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-10 17:50 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-10 17:51 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-10 17:51 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-10 17:51 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-10 17:51 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-10 17:51 156160 ----a-w c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-05-21 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-05-21 492808]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\CTSysVol.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R2 mbamservice;mbamservice;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/6/2009 9:14 PM 179856]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [5/21/2009 5:17 PM 36368]
R3 mbamprotector;mbamprotector;c:\windows\system32\drivers\mbam.sys [2/6/2009 9:14 PM 15504]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/21/2009 5:17 PM 335376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/21/2009 5:21 PM 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [5/21/2009 5:22 PM 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [5/21/2009 5:22 PM 677128]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-22 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Alberta.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-02-07 19:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RssReader - c:\program files\RssReader\RssReader.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-AdobeBridge - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://bl132w.blu132.mail.live.com/mail/InboxLight.aspx?FolderID=00000000-0000-0000-0000-000000000001&n=15478420
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: turbotax.com
Trusted Zone: windowupdate.com
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Alberta\Application Data\Mozilla\Firefox\Profiles\mlt1eqm1.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 16:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2232)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe
c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqste08.exe
c:\program files\Dell Support Center\gs_agent\dsc.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-05-22 16:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-22 20:39

Pre-Run: 49,193,914,368 bytes free
Post-Run: 49,512,333,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

284 --- E O F --- 2009-01-15 05:01

#5
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

I still want to be sure whether this is a Virut infection or not, so please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

#6
Alberta

    New Member

  • Members
  • 11 posts
Here's the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 23, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 22, 2009 22:24:12
Records in database: 2219720
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 207372
Threat name: 3
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 06:08:20


File name / Threat name / Threats count
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\200.tmp Infected: Trojan.Win32.Agent.bzwu 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\207.tmp Infected: Trojan.Win32.Agent.bzwu 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\208.tmp Infected: Trojan.Win32.Agent.bzwu 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\209.tmp Infected: Trojan.Win32.Agent.bzwu 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\20F.tmp Infected: Trojan-Downloader.Win32.Hmir.vjo 1

The selected area was scanned.
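As an added example (not part of this thread and not code from Dr.Web, Kaspersky or ComboFix), here is a small Python triage helper that reads the semicolon-separated CureIt lines from post #1 and the "Infected:" lines from the Kaspersky report in post #6, and sorts every hit into one of four buckets: still live on disk, an old System Restore copy, already sitting in the resident AV's quarantine, or riskware/adware rather than a file infector. The sample lines are copied from the logs above; the classification rules are my own heuristics, not the scanners'.

```python
import re
from collections import Counter

# Sample input copied from the scanner reports pasted in this thread (post #1 and post #6).
CUREIT_SAMPLE = r"""
tmp0050007b;C:\Documents and Settings\Alberta\Local Settings\Temp\tmp000004db;Adware.MyWay;;
971968899.exe;C:\Documents and Settings\LocalService\Application Data;Trojan.Click.origin;Incurable.Moved.;
NetClose.dll;C:\Program Files\DellSupport\GTCoach\dlls\main;Trojan.PWS.Wsgame.origin;Incurable.Moved.;
A0156951.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1274;Trojan.Click.origin;Incurable.Moved.;
A0169152.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1302;Probably BATCH.Virus;;
"""

KASPERSKY_SAMPLE = r"""
File name / Threat name / Threats count
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\200.tmp Infected: Trojan.Win32.Agent.bzwu 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\20F.tmp Infected: Trojan-Downloader.Win32.Hmir.vjo 1
"""

# Kaspersky detection line: <full path> Infected: <threat name> <count>; the path may contain spaces.
KASPERSKY_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_cureit(text):
    """Dr.Web CureIt log: file;directory;threat;action;  (one detection per line)."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split(";")
        if not line.strip() or len(parts) < 3:
            continue
        name, directory, threat, action = (parts + ["", ""])[:4]
        records.append({"path": directory + "\\" + name, "threat": threat,
                        "action": action or "none", "source": "cureit"})
    return records


def parse_kaspersky(text):
    """Kaspersky Online Scanner report: only the 'Infected:' lines carry detections."""
    records = []
    for line in text.strip().splitlines():
        m = KASPERSKY_RE.match(line.strip())
        if m:
            records.append({"path": m.group("path"), "threat": m.group("threat"),
                            "action": "report-only", "source": "kaspersky"})
    return records


def classify(path, threat):
    """Heuristic bucket (my own rule set, not the scanners'): where does this hit actually live?"""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore-point"      # old System Restore copy, not an active file
    if "\\quarantine\\" in low:
        return "av-quarantine"      # already isolated by the resident AV
    if threat.lower().startswith(("not-a-virus:", "adware.")):
        return "riskware"           # unwanted software, not a file infector
    return "live"                   # on disk in a normal location: needs attention


def triage_report(cureit_text, kaspersky_text):
    """Combine both reports and summarise what is still live versus already contained."""
    records = parse_cureit(cureit_text) + parse_kaspersky(kaspersky_text)
    by_class, threats, live = Counter(), Counter(), []
    for rec in records:
        rec["class"] = classify(rec["path"], rec["threat"])
        by_class[rec["class"]] += 1
        threats[rec["threat"]] += 1
        if rec["class"] == "live":
            live.append(rec["path"])
    return {"records": records, "by_class": by_class, "threats": threats, "live": live}


if __name__ == "__main__":
    result = triage_report(CUREIT_SAMPLE, KASPERSKY_SAMPLE)
    for cls, n in sorted(result["by_class"].items()):
        print(f"{cls:15} {n}")
    print("still live:")
    for p in result["live"]:
        print("  " + p)
```

On the sample above only the two CureIt hits under Documents and Settings and Program Files come out as live; the restore-point and quarantine entries are dead copies, which is why the helper in this thread keeps pressing for a scan that looks for remnants rather than reacting to every line.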

#7
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
c:\windows\Hjolitamagab.bin
c:\windows\Vmayunazilek.dat
c:\windows\Hjolitamagab.binHjolitamagab.bin
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
C:\Program Files\Trend Micro\Internet Security\Quarantine\200.tmp
C:\Program Files\Trend Micro\Internet Security\Quarantine\207.tmp
C:\Program Files\Trend Micro\Internet Security\Quarantine\208.tmp
C:\Program Files\Trend Micro\Internet Security\Quarantine\209.tmp
C:\Program Files\Trend Micro\Internet Security\Quarantine\20F.tmp

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#8
Alberta

    New Member

  • Members
  • 11 posts
Sorry. I did a Dr. Web CureIt scan before I saw the post on the Kaspersky scan. CureIt removed ComboFix. I went to reinstall it and shut down Trend Micro, but got an error message saying I can't rename ComboFix to ComboFix[1]. I will let you know if and when I get this resolved. Thanks for your help thus far. I really appreciate it.

#9
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

You get this error when ComboFix was already present. So double-check if ComboFix is still present on your desktop.
Also, don't run ComboFix from the link, but download it to your desktop and run it from there.
Mieke Verburgh
Assistant Director of Research

#10
Alberta

    New Member

  • Members
  • 11 posts
Okay. I got things figured out. Here is the ComboFix log. It's very large. Is that normal? I got an error message when trying to post the whole thing. Here is half of it.
=====================

ComboFix 09-05-23.01 - Alberta 05/23/2009 15:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.130 [GMT -4:00]
Running from: c:\documents and settings\Alberta\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alberta\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
c:\program files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz
c:\program files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
c:\program files\Trend Micro\Internet Security\Quarantine\200.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\207.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\208.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\209.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\20F.tmp
c:\windows\Hjolitamagab.bin
c:\windows\Hjolitamagab.binHjolitamagab.bin
c:\windows\Vmayunazilek.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz
c:\program files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz
c:\windows\Hjolitamagab.bin
c:\windows\Hjolitamagab.binHjolitamagab.bin
c:\windows\Vmayunazilek.dat


#11
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

The log may be long if you've done a Windows update in between.
So I suggest you upload the log here: http://www.bleepingc...e.php?channel=8
Mieke Verburgh
Assistant Director of Research

#12
Alberta

    New Member

  • Members
  • 11 posts
Okay. I sent the file. Thanks!

#13
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

It was indeed a Windows update.

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /u.
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research

#14
Alberta

    New Member

  • Members
  • 11 posts
Things seem to be okay. Does this mean I'm good to go? Or do I need to reinstall my system? Thanks.

#15
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Well, it looks like you are OK. There are no traces of a file patching virus present, but your computer was infected with other malware, which we have now removed as well.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
Mieke Verburgh
Assistant Director of Research

#16
Alberta

    New Member

  • Members
  • 11 posts
Thank you so much for all your help! I really appreciate it :-)

Take care and have a great weekend!

Alberta

#17
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
You're most welcome ;)
Mieke Verburgh
Assistant Director of Research

#18
Alberta

    New Member

  • Members
  • 11 posts
FYI - You were right. I have to kill my computer today.

#19
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Eeehm, how do you mean?
Mieke Verburgh
Assistant Director of Research

#20
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Mieke Verburgh
Assistant Director of Research