12 replies to this topic

[matty b]

I am trying to get a friend's computer free of malware. Malwarebytes detected and removed many different bugs, including Trojan.Vundo.H. Once it completes scanning, MWBytes recommends a reboot to completely remove the infected DLL and registry keys. However, after reboot the files remain on the system. How can I remove these, and does anyone see other things that may have remained (perhaps from other malware) after scanning and elimination??

Thanks for any help that can be offered.

Below are copies of the MWBytes and HiJackThis logs:



Malwarebytes' Anti-Malware 1.38
Database version: 2330
Windows 5.1.2600 Service Pack 3

6/25/2009 9:59:11 AM
mbam-log-2009-06-25 (09-59-11).txt

Scan type: Quick Scan
Objects scanned: 90052
Time elapsed: 9 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79b5bf78-5d8f-4dd0-8293-2d6f7f864b56} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\usxaetwj (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{79b5bf78-5d8f-4dd0-8293-2d6f7f864b56} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\upctlut.dll (Trojan.Vundo.H) -> Delete on reboot.


------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:54 AM, on 6/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Corinne\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {79B5BF78-5D8F-4DD0-8293-2D6F7F864B56} - c:\windows\system32\upctlut.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Auto EPSON Stylus C64 Series on SLIMSPAD] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P40 "Auto EPSON Stylus C64 Series on SLIMSPAD" /O19 "\\SLIMSPAD\Printer2" /M "Stylus C64"
O4 - HKLM\..\Run: [Auto EPSON Stylus C64 Series (Copy 1) on SLIMSPAD] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P49 "Auto EPSON Stylus C64 Series (Copy 1) on SLIMSPAD" /O18 "\\SLIMSPAD\Printer" /M "Stylus C64"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: SearchScout Search - res://C:\Program Files\SearchScoutToolbar\SearchScoutToolbar.dll/SEARCHSCOUTMENUSEARCH.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...64/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.1_07) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Plug-in 1.4.1_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: usxaetwj - C:\WINDOWS\SYSTEM32\upctlut.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9781 bytes

Attached Files

•  mbam_log_2009_06_25__09_59_11_.txt   1.21K   32 downloads

[miekiemoes]

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[matty b]

Mieke:

Thanks for the quick reply!

I will review the Combofix instructions this morning, and will hopefully have a log posted within a few hours.

-M

[miekiemoes]

That's Ok. I read you later

[matty b]

Mieke:

Below is the ComboFix log.

Thanks!

-M

---

ComboFix 09-06-26.02 - Corinne 06/26/2009 14:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.260 [GMT -5:00]
Running from: c:\documents and settings\Corinne\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Corinne\Application Data\mirnkqxm
c:\documents and settings\Corinne\Application Data\mirnkqxm\profiles.ini
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\cert8.db
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\compatibility.ini
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\compreg.dat
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\cookies.sqlite
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\formhistory.sqlite
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\key3.db
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\localstore.rdf
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\permissions.sqlite
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\places.sqlite-journal
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\places.sqlite
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\pluginreg.dat
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\prefs.js
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\secmod.db
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\webappsstore.sqlite
c:\documents and settings\Corinne\Application Data\mirnkqxm\Profiles\c15y34uk.default\xpti.dat
c:\documents and settings\Corinne\Corinne
c:\documents and settings\Corinne\Local Settings\Application Data\mirnkqxm
c:\documents and settings\Corinne\Local Settings\Application Data\mirnkqxm\Profiles\c15y34uk.default\urlclassifier3.sqlite
c:\documents and settings\Corinne\Local Settings\Application Data\mirnkqxm\Profiles\c15y34uk.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\mirnkqxm
c:\documents and settings\NetworkService\Application Data\mirnkqxm\profiles.ini
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\cert8.db
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\key3.db
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\places.sqlite-stmtjrnl
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\prefs.js
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\secmod.db
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\mirnkqxm\Profiles\d9os9iz3.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\mirnkqxm
c:\documents and settings\NetworkService\Local Settings\Application Data\mirnkqxm\Profiles\d9os9iz3.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\mirnkqxm\Profiles\d9os9iz3.default\XPC.mfl
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\pbcgvkje.sys
c:\windows\system32\drivers\qhryavdo.sys
c:\windows\system32\upctlut.dll
c:\windows\system32\vspwjvb.dll
c:\windows\system32\watkazvb.dll
c:\windows\Tasks\At1.job
E:\autorun.inf

----- BITS: Possible infected sites -----

hxxp://downloadsoftwareserver.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NNSERV
-------\Legacy_QHRYAVDO
-------\Service_NNServ
-------\Service_qhryavdo


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-25 13:26 . 2009-06-25 13:29 -------- dc----w- C:\7989e3d171d7d78dad69
2009-06-25 00:22 . 2009-06-25 00:22 -------- dc----w- c:\documents and settings\Corinne\Application Data\Leadertech
2009-06-24 21:46 . 2007-03-22 01:39 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2009-06-24 19:58 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-24 19:58 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-24 19:58 . 2009-06-24 19:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 19:57 . 2007-11-29 04:16 66560 -csha-w- c:\documents and settings\All Users\Application Data\ExtendMedia\Media Agent\ac.dll
2009-06-26 19:42 . 2003-09-22 20:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-26 19:42 . 2003-09-22 20:03 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-26 19:38 . 2003-09-22 19:54 -------- d-----w- c:\program files\Symantec
2009-06-25 00:14 . 2008-06-23 01:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-25 00:09 . 2006-03-04 20:06 -------- d-----w- c:\program files\Google
2009-06-24 22:53 . 2008-06-23 01:23 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-24 21:49 . 2009-06-24 21:49 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-24 21:49 . 2009-06-24 21:49 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-24 21:49 . 2003-09-22 20:04 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-24 21:49 . 2003-09-22 20:04 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-24 18:28 . 2007-08-27 03:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-23 03:40 . 2008-08-22 02:29 -------- dc----w- c:\documents and settings\Corinne\Application Data\EndNote
2009-05-26 14:40 . 2009-05-26 14:40 14848 -c-h--w- c:\documents and settings\Corinne\Application Data\BIT4D.tmp
2009-05-07 15:32 . 2002-08-29 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-06 23:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2002-08-29 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-04-15 15:06 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 610304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-11-08 294912]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2002-11-01 208560]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-08-05 151597]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-10-20 77824]
"EPSON Stylus C64 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE" [2003-05-27 99840]
"Auto EPSON Stylus C64 Series on SLIMSPAD"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE" [2003-05-27 99840]
"Auto EPSON Stylus C64 Series (Copy 1) on SLIMSPAD"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE" [2003-05-27 99840]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]
"CARPService"="carpserv.exe" - c:\windows\SYSTEM32\carpserv.exe [2003-01-23 4608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\msiexec.exe"=
"c:\\Program Files\\NBC Direct\\StoreFrontPlayer.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42165:TCP"= 42165:TCP:@xpsp2res.dll,-22009
"27108:TCP"= 27108:TCP:@xpsp2res.dll,-22009

R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [11/18/2007 1:57 PM 810632]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\SYSTEM32\DRIVERS\ucdnt.sys [8/19/2003 4:50 PM 728035]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - QHRYAVDO
*Deregistered* - qhryavdo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
htyxlfuq
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: SearchScout Search - c:\program files\SearchScoutToolbar\SearchScoutToolbar.dll/SEARCHSCOUTMENUSEARCH.HTM
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Corinne\Application Data\Mozilla\Firefox\Profiles\9iue5rv6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vdio5&p=
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJPI141_07.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - HiddenExtension: Sotfone Tracker: No Registry Reference - c:\program files\Mozilla Firefox\extensions\sotfone-tracker@sotfone.ru
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 14:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\WLTRYSVC.EXE
c:\windows\SYSTEM32\BCMWLTRY.EXE
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-26 15:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-26 20:06

Pre-Run: 6,457,843,712 bytes free
Post-Run: 7,167,012,864 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

219 --- E O F --- 2009-06-25 13:29

[miekiemoes]

Hi,

This is much better - almost done....

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

Dirlook::
C:\7989e3d171d7d78dad69
NetSvc::
htyxlfuq

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

[matty b]

Mieke:

Got it, I will run the script this evening or tomorrow morning, and have a log posted for you then.

THanks!

-M

[miekiemoes]

That's OK.
I read you later.

[matty b]

Mieke:

Below is the new log from ComboFix.

Thanks again,

-M

ComboFix 09-06-26.02 - Corinne 06/28/2009 11:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.250 [GMT -5:00]
Running from: c:\documents and settings\Corinne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Corinne\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-26 20:04 . 2009-06-26 20:05 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-25 13:26 . 2009-06-25 13:29 -------- dc----w- C:\7989e3d171d7d78dad69
2009-06-25 00:22 . 2009-06-25 00:22 -------- dc----w- c:\documents and settings\Corinne\Application Data\Leadertech
2009-06-24 21:46 . 2007-03-22 01:39 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2009-06-24 19:58 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-24 19:58 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-24 19:58 . 2009-06-24 19:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 19:57 . 2007-11-29 04:16 66560 -csha-w- c:\documents and settings\All Users\Application Data\ExtendMedia\Media Agent\ac.dll
2009-06-26 19:42 . 2003-09-22 20:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-26 19:42 . 2003-09-22 20:03 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-26 19:38 . 2003-09-22 19:54 -------- d-----w- c:\program files\Symantec
2009-06-25 00:14 . 2008-06-23 01:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-25 00:09 . 2006-03-04 20:06 -------- d-----w- c:\program files\Google
2009-06-24 22:53 . 2008-06-23 01:23 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-24 21:49 . 2009-06-24 21:49 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-24 21:49 . 2009-06-24 21:49 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-24 21:49 . 2003-09-22 20:04 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-24 21:49 . 2003-09-22 20:04 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-24 18:28 . 2007-08-27 03:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-23 03:40 . 2008-08-22 02:29 -------- dc----w- c:\documents and settings\Corinne\Application Data\EndNote
2009-05-26 14:40 . 2009-05-26 14:40 14848 -c-h--w- c:\documents and settings\Corinne\Application Data\BIT4D.tmp
2009-05-07 15:32 . 2002-08-29 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-06 23:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2002-08-29 10:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-04-15 15:06 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\7989e3d171d7d78dad69 ----

2009-03-08 19:25 . 2009-03-08 19:25 10416 -c--a-w- c:\7989e3d171d7d78dad69\update\update.ver
2009-03-08 19:23 . 2009-03-08 19:23 47422 -c--a-w- c:\7989e3d171d7d78dad69\update\ie8.cat
2009-03-08 19:23 . 2009-03-08 19:23 58464 -c--a-w- c:\7989e3d171d7d78dad69\update\iecustom.dll
2009-03-08 19:23 . 2009-03-08 19:23 1113696 -c--a-w- c:\7989e3d171d7d78dad69\update\iesetup.exe
2009-03-08 19:23 . 2009-03-08 19:23 141408 -c--a-w- c:\7989e3d171d7d78dad69\update\sqmapi.dll
2009-03-08 19:22 . 2009-03-08 19:22 36864 -c--a-w- c:\7989e3d171d7d78dad69\iedvtool.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 12288 -c--a-w- c:\7989e3d171d7d78dad69\mshtml.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 1241088 -c--a-w- c:\7989e3d171d7d78dad69\ieframe.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 3584 -c--a-w- c:\7989e3d171d7d78dad69\inseng.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 5120 -c--a-w- c:\7989e3d171d7d78dad69\iernonce.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 2560 -c--a-w- c:\7989e3d171d7d78dad69\jsdebuggeride.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 7168 -c--a-w- c:\7989e3d171d7d78dad69\ieakeng.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 49152 -c--a-w- c:\7989e3d171d7d78dad69\msrating.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 2560 -c--a-w- c:\7989e3d171d7d78dad69\iertutil.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 11264 -c--a-w- c:\7989e3d171d7d78dad69\vbscript.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 2560 -c--a-w- c:\7989e3d171d7d78dad69\jsprofilercore.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 40960 -c--a-w- c:\7989e3d171d7d78dad69\webcheck.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 6144 -c--a-w- c:\7989e3d171d7d78dad69\winfxdocobj.exe.mui
2009-03-08 19:22 . 2009-03-08 19:22 3584 -c--a-w- c:\7989e3d171d7d78dad69\ieui.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 2560 -c--a-w- c:\7989e3d171d7d78dad69\mshta.exe.mui
2009-03-08 19:22 . 2009-03-08 19:22 20480 -c--a-w- c:\7989e3d171d7d78dad69\jsdbgui.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 12288 -c--a-w- c:\7989e3d171d7d78dad69\hmmapi.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 77824 -c--a-w- c:\7989e3d171d7d78dad69\iesetup.dll.mui
2009-03-08 19:22 . 2009-03-08 19:22 122880 -c--a-w- c:\7989e3d171d7d78dad69\inetcpl.cpl.mui
2009-03-08 19:22 . 2009-03-08 19:22 3584 -c--a-w- c:\7989e3d171d7d78dad69\admparse.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 53248 -c--a-w- c:\7989e3d171d7d78dad69\wininet.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 12288 -c--a-w- c:\7989e3d171d7d78dad69\iexplore.exe.mui
2009-03-08 19:21 . 2009-03-08 19:21 20480 -c--a-w- c:\7989e3d171d7d78dad69\occache.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 57344 -c--a-w- c:\7989e3d171d7d78dad69\mshtmler.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 4608 -c--a-w- c:\7989e3d171d7d78dad69\iepeers.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 2771706 -c--a-w- c:\7989e3d171d7d78dad69\inetres.adm
2009-03-08 19:21 . 2009-03-08 19:21 40960 -c--a-w- c:\7989e3d171d7d78dad69\urlmon.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 13460 -c--a-w- c:\7989e3d171d7d78dad69\inetcorp.iem
2009-03-08 19:21 . 2009-03-08 19:21 40960 -c--a-w- c:\7989e3d171d7d78dad69\ieaksie.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 2560 -c--a-w- c:\7989e3d171d7d78dad69\msfeedsbs.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 4096 -c--a-w- c:\7989e3d171d7d78dad69\licmgr10.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 10240 -c--a-w- c:\7989e3d171d7d78dad69\advpack.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 4096 -c--a-w- c:\7989e3d171d7d78dad69\ie4uinit.exe.mui
2009-03-08 19:21 . 2009-03-08 19:21 118784 -c--a-w- c:\7989e3d171d7d78dad69\ieakui.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 13312 -c--a-w- c:\7989e3d171d7d78dad69\jscript.dll.mui
2009-03-08 19:21 . 2009-03-08 19:21 37836 -c--a-w- c:\7989e3d171d7d78dad69\inetset.iem
2009-03-08 19:20 . 2009-03-08 19:20 8704 -c--a-w- c:\7989e3d171d7d78dad69\icardie.dll.mui
2009-03-08 19:20 . 2009-03-08 19:20 81920 -c--a-w- c:\7989e3d171d7d78dad69\iedkcs32.dll.mui
2009-03-08 19:20 . 2009-03-08 19:20 16384 -c--a-w- c:\7989e3d171d7d78dad69\jsprofilerui.dll.mui
2009-03-08 19:20 . 2009-03-08 19:20 10752 -c--a-w- c:\7989e3d171d7d78dad69\html.iec.mui
2009-03-08 19:09 . 2009-03-08 19:09 391536 -c--a-w- c:\7989e3d171d7d78dad69\iedkcs32.dll
2009-03-08 19:09 . 2009-03-08 19:09 638816 -c--a-w- c:\7989e3d171d7d78dad69\iexplore.exe
2009-03-08 19:08 . 2009-03-08 19:08 1474411 -c--a-w- c:\7989e3d171d7d78dad69\update\update.inf
2009-03-08 09:41 . 2009-03-08 09:41 5937152 -c--a-w- c:\7989e3d171d7d78dad69\mshtml.dll
2009-03-08 09:39 . 2009-03-08 09:39 11063808 -c--a-w- c:\7989e3d171d7d78dad69\ieframe.dll
2009-03-08 09:35 . 2009-03-08 09:35 742912 -c--a-w- c:\7989e3d171d7d78dad69\iedvtool.dll
2009-03-08 09:35 . 2009-03-08 09:35 233984 -c--a-w- c:\7989e3d171d7d78dad69\jsprofilerui.dll
2009-03-08 09:35 . 2009-03-08 09:35 385024 -c--a-w- c:\7989e3d171d7d78dad69\html.iec
2009-03-08 09:35 . 2009-03-08 09:35 144384 -c--a-w- c:\7989e3d171d7d78dad69\extexport.exe
2009-03-08 09:35 . 2009-03-08 09:35 2048 -c--a-w- c:\7989e3d171d7d78dad69\iecompat.dll
2009-03-08 09:35 . 2009-03-08 09:35 118272 -c--a-w- c:\7989e3d171d7d78dad69\jsprofilercore.dll
2009-03-08 09:35 . 2009-03-08 09:35 521216 -c--a-w- c:\7989e3d171d7d78dad69\jsdbgui.dll
2009-03-08 09:35 . 2009-03-08 09:35 121344 -c--a-w- c:\7989e3d171d7d78dad69\jsdebuggeride.dll
2009-03-08 09:34 . 2009-03-08 09:34 914944 -c--a-w- c:\7989e3d171d7d78dad69\wininet.dll
2009-03-08 09:34 . 2009-03-08 09:34 1206784 -c--a-w- c:\7989e3d171d7d78dad69\urlmon.dll
2009-03-08 09:34 . 2009-03-08 09:34 1469440 -c--a-w- c:\7989e3d171d7d78dad69\inetcpl.cpl
2009-03-08 09:34 . 2009-03-08 09:34 236544 -c--a-w- c:\7989e3d171d7d78dad69\webcheck.dll
2009-03-08 09:34 . 2009-03-08 09:34 208384 -c--a-w- c:\7989e3d171d7d78dad69\winfxdocobj.exe
2009-03-08 09:34 . 2009-03-08 09:34 43008 -c--a-w- c:\7989e3d171d7d78dad69\licmgr10.dll
2009-03-08 09:34 . 2009-03-08 09:34 105984 -c--a-w- c:\7989e3d171d7d78dad69\url.dll
2009-03-08 09:34 . 2009-03-08 09:34 193536 -c--a-w- c:\7989e3d171d7d78dad69\msrating.dll
2009-03-08 09:34 . 2009-03-08 09:34 109568 -c--a-w- c:\7989e3d171d7d78dad69\occache.dll
2009-03-08 09:33 . 2009-03-08 09:33 246784 -c--a-w- c:\7989e3d171d7d78dad69\ieproxy.dll
2009-03-08 09:33 . 2009-03-08 09:33 759296 -c--a-w- c:\7989e3d171d7d78dad69\vgx.dll
2009-03-08 09:33 . 2009-03-08 09:33 18944 -c--a-w- c:\7989e3d171d7d78dad69\corpol.dll
2009-03-08 09:33 . 2009-03-08 09:33 25600 -c--a-w- c:\7989e3d171d7d78dad69\jsproxy.dll
2009-03-08 09:33 . 2009-03-08 09:33 12288 -c--a-w- c:\7989e3d171d7d78dad69\xpshims.dll
2009-03-08 09:33 . 2009-03-08 09:33 726528 -c--a-w- c:\7989e3d171d7d78dad69\jscript.dll
2009-03-08 09:33 . 2009-03-08 09:33 229376 -c--a-w- c:\7989e3d171d7d78dad69\ieaksie.dll
2009-03-08 09:33 . 2009-03-08 09:33 420352 -c--a-w- c:\7989e3d171d7d78dad69\vbscript.dll
2009-03-08 09:33 . 2009-03-08 09:33 125952 -c--a-w- c:\7989e3d171d7d78dad69\ieakeng.dll
2009-03-08 09:32 . 2009-03-08 09:32 72704 -c--a-w- c:\7989e3d171d7d78dad69\admparse.dll
2009-03-08 09:32 . 2009-03-08 09:32 173056 -c--a-w- c:\7989e3d171d7d78dad69\ie4uinit.exe
2009-03-08 09:32 . 2009-03-08 09:32 163840 -c--a-w- c:\7989e3d171d7d78dad69\ieakui.dll
2009-03-08 09:32 . 2009-03-08 09:32 36864 -c--a-w- c:\7989e3d171d7d78dad69\ieudinit.exe
2009-03-08 09:32 . 2009-03-08 09:32 55808 -c--a-w- c:\7989e3d171d7d78dad69\iernonce.dll
2009-03-08 09:32 . 2009-03-08 09:32 71680 -c--a-w- c:\7989e3d171d7d78dad69\iesetup.dll
2009-03-08 09:32 . 2009-03-08 09:32 3072 -c--a-w- c:\7989e3d171d7d78dad69\ieudinit.exe.mui
2009-03-08 09:32 . 2009-03-08 09:32 128512 -c--a-w- c:\7989e3d171d7d78dad69\advpack.dll
2009-03-08 09:32 . 2009-03-08 09:32 94720 -c--a-w- c:\7989e3d171d7d78dad69\inseng.dll
2009-03-08 09:32 . 2009-03-08 09:32 594432 -c--a-w- c:\7989e3d171d7d78dad69\msfeeds.dll
2009-03-08 09:32 . 2009-03-08 09:32 1985024 -c--a-w- c:\7989e3d171d7d78dad69\iertutil.dll
2009-03-08 09:32 . 2009-03-08 09:32 611840 -c--a-w- c:\7989e3d171d7d78dad69\mstime.dll
2009-03-08 09:31 . 2009-03-08 09:31 183808 -c--a-w- c:\7989e3d171d7d78dad69\iepeers.dll
2009-03-08 09:31 . 2009-03-08 09:31 13312 -c--a-w- c:\7989e3d171d7d78dad69\msfeedssync.exe
2009-03-08 09:31 . 2009-03-08 09:31 59904 -c--a-w- c:\7989e3d171d7d78dad69\icardie.dll
2009-03-08 09:31 . 2009-03-08 09:31 55296 -c--a-w- c:\7989e3d171d7d78dad69\msfeedsbs.dll
2009-03-08 09:31 . 2009-03-08 09:31 348160 -c--a-w- c:\7989e3d171d7d78dad69\dxtmsft.dll
2009-03-08 09:31 . 2009-03-08 09:31 216064 -c--a-w- c:\7989e3d171d7d78dad69\dxtrans.dll
2009-03-08 09:31 . 2009-03-08 09:31 34816 -c--a-w- c:\7989e3d171d7d78dad69\imgutil.dll
2009-03-08 09:31 . 2009-03-08 09:31 46592 -c--a-w- c:\7989e3d171d7d78dad69\pngfilt.dll
2009-03-08 09:31 . 2009-03-08 09:31 66560 -c--a-w- c:\7989e3d171d7d78dad69\mshtmled.dll
2009-03-08 09:31 . 2009-03-08 09:31 48128 -c--a-w- c:\7989e3d171d7d78dad69\mshtmler.dll
2009-03-08 09:31 . 2009-03-08 09:31 45568 -c--a-w- c:\7989e3d171d7d78dad69\mshta.exe
2009-03-08 09:31 . 2009-03-08 09:31 1638912 -c--a-w- c:\7989e3d171d7d78dad69\mshtml.tlb
2009-03-08 09:30 . 2009-03-08 09:30 66560 -c--a-w- c:\7989e3d171d7d78dad69\tdc.ocx
2009-03-08 09:24 . 2009-03-08 09:24 68608 -c--a-w- c:\7989e3d171d7d78dad69\hmmapi.dll
2009-03-08 09:22 . 2009-03-08 09:22 164352 -c--a-w- c:\7989e3d171d7d78dad69\ieui.dll
2009-03-08 09:22 . 2009-03-08 09:22 156160 -c--a-w- c:\7989e3d171d7d78dad69\msls31.dll
2009-03-08 09:15 . 2009-03-08 09:15 57667 -c--a-w- c:\7989e3d171d7d78dad69\ieuinit.inf
2009-03-08 09:11 . 2009-03-08 09:11 445952 -c--a-w- c:\7989e3d171d7d78dad69\ieapfltr.dll
2009-03-08 08:45 . 2009-03-08 08:45 460 -c--a-w- c:\7989e3d171d7d78dad69\install.ins
2009-02-21 06:21 . 2009-02-21 06:21 529818 -c--a-w- c:\7989e3d171d7d78dad69\iexplore.chm
2009-02-13 03:20 . 2009-02-13 03:20 5630 -c--a-w- c:\7989e3d171d7d78dad69\update\eula.rtf
2009-02-07 02:07 . 2009-02-07 02:07 3698584 -c--a-w- c:\7989e3d171d7d78dad69\ieapfltr.dat
2009-01-12 02:05 . 2009-01-12 02:05 2649 -c--a-w- c:\7989e3d171d7d78dad69\ie8props.propdesc
2009-01-12 02:05 . 2009-01-12 02:05 12593 -c--a-w- c:\7989e3d171d7d78dad69\ieeula.chm
2009-01-12 02:05 . 2009-01-12 02:05 13874 -c--a-w- c:\7989e3d171d7d78dad69\iesupp.chm
2009-01-07 23:21 . 2009-01-07 23:21 781 -c--a-w- c:\7989e3d171d7d78dad69\update\update.exe.manifest
2009-01-07 23:21 . 2009-01-07 23:21 1876 -c--a-w- c:\7989e3d171d7d78dad69\msfeeds.mof
2009-01-07 23:21 . 2009-01-07 23:21 1938 -c--a-w- c:\7989e3d171d7d78dad69\msfeedsbs.mof
2009-01-07 23:21 . 2009-01-07 23:21 121856 -c--a-w- c:\7989e3d171d7d78dad69\support\xmllite.dll
2009-01-07 23:21 . 2009-01-07 23:21 755744 -c--a-w- c:\7989e3d171d7d78dad69\update\update.exe
2009-01-07 23:21 . 2009-01-07 23:21 382496 -c--a-w- c:\7989e3d171d7d78dad69\update\updspapi.dll
2009-01-07 23:21 . 2009-01-07 23:21 26144 -c--a-w- c:\7989e3d171d7d78dad69\spupdsvc.exe
2009-01-07 23:20 . 2009-01-07 23:20 16928 -c--a-w- c:\7989e3d171d7d78dad69\spmsg.dll
2009-01-07 23:20 . 2009-01-07 23:20 231456 -c--a-w- c:\7989e3d171d7d78dad69\spuninst.exe
2009-01-07 23:20 . 2009-01-07 23:20 134144 -c--a-w- c:\7989e3d171d7d78dad69\sqmapi.dll
2009-01-07 23:20 . 2009-01-07 23:20 1022976 -c--a-w- c:\7989e3d171d7d78dad69\browseui.dll
2009-01-07 23:20 . 2009-01-07 23:20 1497088 -c--a-w- c:\7989e3d171d7d78dad69\shdocvw.dll
2009-01-07 23:20 . 2009-01-07 23:20 474112 -c--a-w- c:\7989e3d171d7d78dad69\shlwapi.dll
2009-01-07 23:20 . 2009-01-07 23:20 24576 -c--a-w- c:\7989e3d171d7d78dad69\support\nlsdl.dll
2009-01-07 23:20 . 2009-01-07 23:20 26112 -c--a-w- c:\7989e3d171d7d78dad69\support\idndl.dll
2009-01-07 23:20 . 2009-01-07 23:20 23552 -c--a-w- c:\7989e3d171d7d78dad69\support\normaliz.dll
2009-01-07 23:20 . 2009-01-07 23:20 59342 -c--a-w- c:\7989e3d171d7d78dad69\support\normidna.nls
2009-01-07 23:20 . 2009-01-07 23:20 45794 -c--a-w- c:\7989e3d171d7d78dad69\support\normnfc.nls
2009-01-07 23:20 . 2009-01-07 23:20 39284 -c--a-w- c:\7989e3d171d7d78dad69\support\normnfd.nls
2009-01-07 23:20 . 2009-01-07 23:20 66384 -c--a-w- c:\7989e3d171d7d78dad69\support\normnfkc.nls
2009-01-07 23:20 . 2009-01-07 23:20 60294 -c--a-w- c:\7989e3d171d7d78dad69\support\normnfkd.nls
2009-01-07 23:20 . 2009-01-07 23:20 19884 -c--a-w- c:\7989e3d171d7d78dad69\feeddisc.wav
2009-01-07 23:20 . 2009-01-07 23:20 23308 -c--a-w- c:\7989e3d171d7d78dad69\infobar.wav
2009-01-07 23:20 . 2009-01-07 23:20 11340 -c--a-w- c:\7989e3d171d7d78dad69\navstart.wav
2009-01-07 23:20 . 2009-01-07 23:20 85548 -c--a-w- c:\7989e3d171d7d78dad69\popupblk.wav
2009-01-07 23:20 . 2009-01-07 23:20 8798 -c--a-w- c:\7989e3d171d7d78dad69\icrav03.rat
2009-01-07 23:20 . 2009-01-07 23:20 65 -c--a-w- c:\7989e3d171d7d78dad69\occache.ini
2009-01-07 23:20 . 2009-01-07 23:20 1988 -c--a-w- c:\7989e3d171d7d78dad69\ticrf.rat
2009-01-07 23:20 . 2009-01-07 23:20 65 -c--a-w- c:\7989e3d171d7d78dad69\webcheck.ini
2009-01-07 23:20 . 2009-01-07 23:20 54279 -c--a-w- c:\7989e3d171d7d78dad69\ieakmmc.chm
2009-01-07 23:20 . 2009-01-07 23:20 265720 -c--a-w- c:\7989e3d171d7d78dad69\msdbg2.dll
2009-01-07 23:20 . 2009-01-07 23:20 355832 -c--a-w- c:\7989e3d171d7d78dad69\pdm.dll


((((((((((((((((((((((((((((( SnapShot@2009-06-26_19.58.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-26 20:05 . 2008-10-16 20:09 51224 c:\windows\SYSTEM32\DLLCACHE\cache\wuauclt.exe
+ 2009-06-26 20:05 . 2008-04-14 00:12 82432 c:\windows\SYSTEM32\DLLCACHE\cache\ws2_32.dll
+ 2009-06-26 20:05 . 2008-04-14 00:12 26112 c:\windows\SYSTEM32\DLLCACHE\cache\userinit.exe
+ 2009-06-26 20:05 . 2008-04-14 00:12 14336 c:\windows\SYSTEM32\DLLCACHE\cache\svchost.exe
+ 2009-06-26 20:05 . 2008-04-14 00:12 57856 c:\windows\SYSTEM32\DLLCACHE\cache\spoolsv.exe
+ 2009-06-26 20:05 . 2008-04-14 00:12 17408 c:\windows\SYSTEM32\DLLCACHE\cache\powrprof.dll
+ 2009-06-26 20:05 . 2008-04-14 00:12 13312 c:\windows\SYSTEM32\DLLCACHE\cache\lsass.exe
+ 2009-06-26 20:05 . 2008-04-13 18:39 24576 c:\windows\SYSTEM32\DLLCACHE\cache\kbdclass.sys
+ 2009-06-26 20:05 . 2008-04-13 18:53 36608 c:\windows\SYSTEM32\DLLCACHE\cache\ip6fw.sys
+ 2009-06-26 20:05 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\DLLCACHE\cache\ctfmon.exe
+ 2009-06-26 20:05 . 2008-04-14 00:12 507904 c:\windows\SYSTEM32\DLLCACHE\cache\winlogon.exe
+ 2009-06-26 20:05 . 2009-04-29 04:56 827392 c:\windows\SYSTEM32\DLLCACHE\cache\wininet.dll
+ 2009-06-26 20:05 . 2008-04-14 00:12 578560 c:\windows\SYSTEM32\DLLCACHE\cache\user32.dll
+ 2009-06-26 20:05 . 2008-04-14 00:12 295424 c:\windows\SYSTEM32\DLLCACHE\cache\termsrv.dll
+ 2009-06-26 20:05 . 2008-06-20 11:51 361600 c:\windows\SYSTEM32\DLLCACHE\cache\tcpip.sys
+ 2009-06-26 20:05 . 2009-02-06 11:11 110592 c:\windows\SYSTEM32\DLLCACHE\cache\services.exe
+ 2009-06-26 20:05 . 2008-04-13 19:20 182656 c:\windows\SYSTEM32\DLLCACHE\cache\ndis.sys
+ 2009-06-26 20:05 . 2009-03-21 14:06 989696 c:\windows\SYSTEM32\DLLCACHE\cache\kernel32.dll
+ 2009-06-26 20:05 . 2008-04-14 00:11 110080 c:\windows\SYSTEM32\DLLCACHE\cache\imm32.dll
+ 2009-06-26 20:05 . 2008-04-14 00:12 1614848 c:\windows\SYSTEM32\DLLCACHE\cache\sfcfiles.dll
+ 2009-06-26 20:05 . 2009-02-06 11:08 2189056 c:\windows\SYSTEM32\DLLCACHE\cache\ntoskrnl.exe
+ 2009-06-26 20:05 . 2009-02-08 00:02 2066048 c:\windows\SYSTEM32\DLLCACHE\cache\ntkrnlpa.exe
+ 2009-06-26 20:05 . 2008-04-14 00:12 1033728 c:\windows\SYSTEM32\DLLCACHE\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 610304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-11-08 294912]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2002-11-01 208560]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-08-05 151597]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-10-20 77824]
"EPSON Stylus C64 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE" [2003-05-27 99840]
"Auto EPSON Stylus C64 Series on SLIMSPAD"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE" [2003-05-27 99840]
"Auto EPSON Stylus C64 Series (Copy 1) on SLIMSPAD"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE" [2003-05-27 99840]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\SYSTEM32\Ati2mdxx.exe [2001-09-04 28672]
"CARPService"="carpserv.exe" - c:\windows\SYSTEM32\carpserv.exe [2003-01-23 4608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\msiexec.exe"=
"c:\\Program Files\\NBC Direct\\StoreFrontPlayer.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42165:TCP"= 42165:TCP:@xpsp2res.dll,-22009
"27108:TCP"= 27108:TCP:@xpsp2res.dll,-22009

R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe [11/18/2007 1:57 PM 810632]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\SYSTEM32\DRIVERS\ucdnt.sys [8/19/2003 4:50 PM 728035]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - QHRYAVDO
*Deregistered* - qhryavdo
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: SearchScout Search - c:\program files\SearchScoutToolbar\SearchScoutToolbar.dll/SEARCHSCOUTMENUSEARCH.HTM
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Corinne\Application Data\Mozilla\Firefox\Profiles\9iue5rv6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vdio5&p=
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJPI141_07.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - HiddenExtension: Sotfone Tracker: No Registry Reference - c:\program files\Mozilla Firefox\extensions\sotfone-tracker@sotfone.ru
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 11:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2696)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-28 11:38
ComboFix-quarantined-files.txt 2009-06-28 16:37
ComboFix2.txt 2009-06-26 20:06

Pre-Run: 7,132,069,888 bytes free
Post-Run: 7,119,183,872 bytes free

310 --- E O F --- 2009-06-25 13:29

[miekiemoes]

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

[matty b]

Mieke:

It looks like that fixed everything! MalwareBytes does not report any malware on the computer whatsoever.

Thanks a lot! I could not have done this without you, and I was worried that I would have to re-format and re-install the entire computer.

Out of curiosity, could you tell me what it was that ComboFix did? I scanned through the logs, and it looks like there were lots of little nasties hidden all over the computer.

Thanks again,


-M

[miekiemoes]

Hi,

What Combofix found were mainly inactive leftovers and some useless traces.

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.