
Malicious Online Scan of Computer


  • This topic is locked
24 replies to this topic

#1 Beaumont

Beaumont

    New Member

  • Members
  • 13 posts

Posted 14 July 2011 - 09:35 AM

Good Morning,

Well, for starters, thank you ever so much for looking at my post (and hopefully also for responding as well).

I have a Dell desktop Inspiron 530 (Vista Home Basic 32-bit/Service Pack 2) that came pre-installed with McAfee Security Center. Added to the hard drive were: Webroot SpySweeper with Anti-Virus & MBAM (full version).

So, for 3 years all works rather well until MSC expired last week. MSC was replaced with Norton Internet Security 2011.

I had a Windows update (to latest version of Windows Internet Explorer), un-installed MSC (via Add/Remove programs in Control Panel), and installed NIS 2011.

Installing NIS 2011 was not a problem, yet updating definitions was however. NIS 2011 would not update, nor Java, MBAM froze, and the computer came to a grinding halt.

My ISP said either I have a software conflict of interest (internet security software) and/or plus a virus/malware.

I chose to do a System Restore to go back to the previous week (which un-installed NIS 2011) and then un-installed Webroot...

The Computer operates better, yet because the problem persisted for days and I had no anti-virus defense (software conflict?) I am HIGHLY concerned that my hard drive might be infected!

To make matters worse...

I tried to contact Norton (Symantec) regarding Norton Internet Security 2011, yet there is NO 1-800 number on the side of the box, that I bought from Best Buy, nor inside with the paperwork either. So, I Googled Symantec/Norton phone number & ended up calling a 1-800 number from a fictitious website (at the time I did not realize that the website was fake/imposter Symantec).

Whoever I spoke to (from non-Symantec/Norton, yet led me to believe that it was Symantec/Norton) listened to what I had to say (possibility of virus/malware NIS 2011 was not catching/Firewall conflict) and then offered to do remote assistance (while on the phone with me) AND a Online System Scan of my computer in Safe Mode with networking.

Afterwards I was told the worst POSSIBLE scare scenarios. No Firewall present on my Computer (big fat lie), No Windows Update (no big deal...easy as pie to fix by myself), 2,860 alerts/warnings in registry. The Registry alone would take 40 minutes to fix & had to be addressed first I was told (before the firewall issue). Since this was a separate (non-NIS 2011, but rather Microsoft Windows) issue I would have to pay extra & should get out my credit card.

Hmmm, something smelled fishy to me (particularly how the technician kept laying on the dangers of not acting immediately...once I had paid that is). At that point, at the latest, I suspected that something was WAY wrong (and I regretted allowing the online scan in Safe Mode with networking). I said, I sadly don't have a valid credit card and hung up.

I called my ISP & explained what had happened by calling Symantec/Norton tech support in India regarding NIS 2011 & my firewall. My ISP said I spoke with the wrong people (we compared 1-800 numbers, for Symantec, over the phone) AND ioyogi or Bangor System Scan isn't Symantec, but rather a different outfit entirely (maybe ioyogi listed their 1-800 number on a website that came up in Google search rather than Symantec on purpose/listed wrong 1-800 number).

Now I am both angry at being the victim of a con (even if they did not get any money out of me...they nonetheless were able to scan my computer remotely in safe mode with networking) as well as worried as to whether-or-not THEY stole personal information of mine in the process/left malicious virus, malware, spyware behind...or made changes to the registry.

Could he have done something to my computer, while scanning it in Safe Mode with networking, that later won't appear in scans in regular mode (when I run NIS 2011/MBAM)? In other words made changes that I cannot detect (that are NOT in my best interest).

I would be ever SO grateful for input & good advice! :o)

My latest MBAM scan (and NIS 2011) came up clean, yet STILL worried (about malicious registry changes or spyware/virus)...

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7119

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19088

7/13/2011 11:45:07 PM
mbam-log-2011-07-13 (23-45-05).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 296878
Time elapsed: 1 hour(s), 4 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Could a kind soul on this forum PLEASE tell me if YOU THINK there could be any infections not coming up in scans in regular Windows Mode? The reason why I ask is because I am a techno klutz with no idea as to what this person in India did to my Computer while he did an Online Scan in Safe Mode with networking! :o(

I REALLY need a second opinion as to whether-or-not my desktop is clean/secure!

#2 Elise

Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 15 July 2011 - 04:22 AM

Hi and :welcome:

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#3 Beaumont

Beaumont

    New Member

  • Members
  • 13 posts

Posted 16 July 2011 - 02:57 AM

Hello elise025,

Thank you ever SO MUCH for having taken the time to read, and respond to, my post.

Alas, since I've started this thread I had to undergo minor surgery (malignant skin tumor), hence I might not be able to do the scan just right now (and post the results here on this thread); instead it might take till maybe Tuesday. Right now I'm in bad shape & shall have to follow doctor's orders (namely bedrest).

I did, however, wish to thank you & issue an apology that my response is slower than I would like for it to be.

I hope this response finds you doing well (I shall disconnect my modem & go to bed).

Thank you & I'll post back ASAP

Bailey

#4 Elise

Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 16 July 2011 - 05:38 AM

Hi Bailey, thank you for keeping me informed; the delay is not a problem at all; health is a lot more important than computer problems!

I hope you will be feeling better soon and wish you a speedy recovery! :)
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#5 Beaumont

Beaumont

    New Member

  • Members
  • 13 posts

Posted 16 July 2011 - 05:59 PM

Hello Again elise025,

Thank you for your kind regards & well wishes. This has, alas, been a really rotten week for me, yet your response is wonderful!

So, the painkillers they gave me (post surgery) are not working as well as they should, and this heatwave (plus Maryland's notorious Summertime humidity) isn't exactly helping me get the bedrest my doctor ordered (i.e., everything here is WAY TOO HUMID).

Since I can't sleep I've downloaded/installed/ran DDS.

Here are the 2 notepad pop-ups...

DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421
Run by DavidKS at 18:37:30 on 2011-07-16
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3069.1866 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10m_ActiveX.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.pandasecurity.com/activescan/index/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080703
uProxyServer = actsvr.comcastonline.com:8100
uProxyOverride = cdn
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\18.6.0.29\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\18.6.0.29\ips\ipsbho.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - <orphaned>
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.6.0.29\coieplg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.6.0.29\coieplg.dll
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\davidks\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: NameServer = 68.87.73.246 68.87.71.230
TCP: Interfaces\{C629A87C-0BC3-4355-932D-C4DB37BD09A5} : DHCPNameServer = 68.87.73.246 68.87.71.230
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\windows mail\WinMail.exe" OCInstallUserConfigOE
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-7-13 28552]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-7-15 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-7-15 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110701.001\BHDrvx86.sys [2011-5-19 810616]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-7-2 12800]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110715.032\IDSvix86.sys [2011-7-15 367736]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-7-15 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys [2011-7-15 331384]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-2 565608]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-2 565608]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-7-8 366640]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-7-15 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-15 105592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-7-8 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WDCFX_AT;USB Storage Adapter FX_AT (WDC);c:\windows\system32\drivers\wdcfx_at.sys [2008-7-18 33536]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
FileExt: .wsf: WSFFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-07-16 00:33:24 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-16 00:33:24 -------- d-----w- c:\program files\Symantec
2011-07-16 00:33:24 -------- d-----w- c:\program files\common files\Symantec Shared
2011-07-16 00:33:16 744568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symefa.sys
2011-07-16 00:33:16 50168 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtspx.sys
2011-07-16 00:33:16 340088 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symds.sys
2011-07-16 00:33:16 331384 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys
2011-07-16 00:33:16 296568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symnets.sys
2011-07-16 00:33:15 516216 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtsp.sys
2011-07-16 00:33:15 136312 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys
2011-07-16 00:32:14 -------- d-----w- c:\windows\system32\drivers\nis\1206000.01D
2011-07-16 00:32:02 -------- d-----w- c:\windows\system32\drivers\NIS
2011-07-16 00:32:00 -------- d-----w- c:\program files\Norton Internet Security
2011-07-16 00:07:16 -------- d-----w- c:\program files\NortonInstaller
2011-07-13 19:21:33 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-07-13 14:13:52 -------- d-----w- c:\users\davidks\appdata\local\NPE
2011-07-13 14:09:19 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-07-13 14:09:15 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-13 14:09:15 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-12 18:08:19 -------- d-----w- c:\users\davidks\appdata\roaming\Tific
2011-07-12 18:08:18 -------- d-----w- c:\users\davidks\appdata\local\Symantec
2011-07-12 17:51:10 -------- d-----w- c:\users\davidks\appdata\local\PackageAware
2011-07-12 17:20:57 -------- d-----w- c:\windows\pss
2011-07-12 05:48:42 0 ----a-w- C:\DFR9434.tmp
2011-07-11 23:11:17 -------- d-----w- c:\users\davidks\appdata\local\CrashDumps
2011-07-10 02:35:29 -------- d-----w- c:\programdata\Norton
2011-07-10 02:33:37 -------- d-----w- c:\programdata\NortonInstaller
2011-06-29 02:01:28 276992 ----a-w- c:\windows\system32\schannel.dll
.
==================== Find3M ====================
.
2011-07-16 03:27:01 161792 ----a-w- c:\windows\system32\msls31.dll
2011-07-16 03:27:01 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-16 03:27:00 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-07-16 03:27:00 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-07-16 03:27:00 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 08:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-02 17:16:14 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 13:25:10 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 13:25:09 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-29 13:24:50 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-29 13:24:42 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-29 13:24:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-21 13:58:27 273408 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 18:38:01.44 ===============

and...

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-07-14.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume3
Install Date: 7/2/2008 2:30:07 PM
System Uptime: 7/16/2011 3:37:36 AM (15 hours ago)
.
Motherboard: Dell Inc. | | 0RY007
Processor: Intel® Core™2 Duo CPU E4600 @ 2.40GHz | Socket 775 | 1200/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 223 GiB total, 84.918 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 2.36 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB HS-CF Card
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-CF_CARD&REV_4.08#000006061E96&0#
Manufacturer: TEAC
Name: USB HS-CF Card
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-CF_CARD&REV_4.08#000006061E96&0#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB HS-MS Card
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-MS_CARD&REV_4.08#000006061E96&2#
Manufacturer: TEAC
Name: USB HS-MS Card
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-MS_CARD&REV_4.08#000006061E96&2#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB HS-SD Card
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-SD_CARD&REV_4.08#000006061E96&3#
Manufacturer: TEAC
Name: USB HS-SD Card
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-SD_CARD&REV_4.08#000006061E96&3#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB HS-xD/SM
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-XD#SM&REV_4.08#000006061E96&1#
Manufacturer: TEAC
Name: USB HS-xD/SM
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-XD#SM&REV_4.08#000006061E96&1#
Service: WUDFRd
.
==== System Restore Points ===================
.
RP1135: 7/4/2011 1:49:28 AM - Scheduled Checkpoint
RP1136: 7/5/2011 1:28:57 AM - Scheduled Checkpoint
RP1137: 7/5/2011 4:20:57 PM - Scheduled Checkpoint
RP1138: 7/7/2011 12:20:09 AM - Scheduled Checkpoint
RP1139: 7/8/2011 12:00:08 AM - Scheduled Checkpoint
RP1140: 7/8/2011 6:03:52 PM - Windows Update
RP1141: 7/8/2011 6:06:31 PM - Windows Update
RP1142: 7/8/2011 11:14:41 PM - Windows Backup
RP1143: 7/12/2011 4:39:00 AM - Restore Operation
RP1144: 7/12/2011 3:43:38 PM - Installed Java™ 6 Update 26
RP1145: 7/12/2011 8:00:52 PM - Installed HiJackThis
RP1146: 7/13/2011 12:44:21 PM - Windows Update
RP1147: 7/14/2011 9:05:31 AM - Scheduled Checkpoint
RP1148: 7/14/2011 9:31:02 AM - Removed HiJackThis
RP1149: 7/14/2011 9:31:35 AM - Removed HiJackThis
RP1150: 7/14/2011 9:35:32 AM - Installed HiJackThis
RP1151: 7/14/2011 9:37:44 AM - Removed HiJackThis
RP1152: 7/15/2011 11:58:15 AM - Scheduled Checkpoint
RP1153: 7/15/2011 11:22:37 PM - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.0.1)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Brochures & Flyers
ArcSoft Print Creations - Photo Calendar
ATI Catalyst Install Manager
AutoUpdate
Bonjour
Browser Address Error Redirector
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
Comcast High-Speed Internet Install Wizard
Dell DataSafe Online
Dell Getting Started Guide
Dell Support Center (Support Software)
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EDocs
Epson Event Manager
Epson FAX Utility
Epson PC-FAX Driver
EPSON Scan
EPSON WorkForce 610 Series Printer Uninstall
ffdshow
GoToAssist Corporate
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® PRO Network Connections 12.1.11.0
iTunes
Java Auto Updater
Java™ 6 Update 26
LTCM Client
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Music, Photos & Videos Launcher
Norton Internet Security
OGA Notifier 2.0.0048.0
Panda ActiveScan 2.0
PowerDVD
Presto! PageManager 8.15.01 SE
Product Documentation Launcher
QualXServ Service Agreement
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Retrospect 6.5
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Safari
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skins
Spelling Dictionaries Support For Adobe Reader 9
SpywareBlaster 4.2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
USB Storage Adapter FX/AT (WDC)
Western Digital USB Mass Storage Driver Installation
WinRAR archiver
.
==== End Of File ===========================


I hope this helps.

Additionally, I tried to run MBAM in Safe Mode with networking (noticed Protection Module was disabled), yet the scan came up clean (No infections). I also ran NIS 2011 in Safe Mode with networking; the results were several tracking cookies (NIS 2011 took care of them).

Aside from that "all quiet on the Eastern Front!"

Bailey
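As an added example (not from this thread, and not part of DDS itself), a Python script that reads the "Pseudo HJT Report" section of a DDS log like the one posted above and sorts it into the items a helper checks first: orphaned BHO/toolbar registrations, Winlogon Notify DLLs, the browser proxy setting, the DNS name servers, and the autostart entries. The sample log is a constructed excerpt copied from the post above, and the regular expressions are my reading of the line shapes shown there, not a format specification from the tool's author.

```python
import re
from dataclasses import dataclass

# Constructed sample: a slice of the "Pseudo HJT Report" section of the DDS
# log posted earlier in this thread. DDS writes "hxxp" instead of "http" so
# URLs in the log are not clickable when pasted into a forum.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.pandasecurity.com/activescan/index/
uProxyServer = actsvr.comcastonline.com:8100
uProxyOverride = cdn
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - <orphaned>
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.6.0.29\coieplg.dll
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
TCP: NameServer = 68.87.73.246 68.87.71.230
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
"""


@dataclass
class Entry:
    """One hook from the report: its kind, display name, and the file or command it points at."""
    kind: str    # "BHO", "TB", "mRun", "uRun", "Notify", "Proxy" or "DNS"
    name: str
    target: str


# Line shapes as they appear in the posted log (assumed, not a DDS specification).
COM_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>[^{]+?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$")
RUN_RE = re.compile(r"^(?P<kind>[mu]Run): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<target>.+)$")
PROXY_RE = re.compile(r"^uProxyServer = (?P<target>.+)$")
DNS_RE = re.compile(r"^TCP: NameServer = (?P<target>.+)$")


def parse_pseudo_hjt(log: str) -> list[Entry]:
    """Turn the recognised report lines into Entry records; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        if m := COM_RE.match(line):
            # An orphaned BHO has no display name, so fall back to its CLSID.
            entries.append(Entry(m["kind"], m["name"] or m["clsid"], m["target"]))
        elif m := RUN_RE.match(line):
            entries.append(Entry(m["kind"], m["name"], m["target"]))
        elif m := NOTIFY_RE.match(line):
            entries.append(Entry("Notify", m["name"], m["target"]))
        elif m := PROXY_RE.match(line):
            entries.append(Entry("Proxy", "uProxyServer", m["target"]))
        elif m := DNS_RE.match(line):
            entries.append(Entry("DNS", "NameServer", m["target"]))
    return entries


def triage(log: str) -> dict[str, list[str]]:
    """Group the entries by the question a helper asks about each of them."""
    report = {"orphaned": [], "winlogon_notify": [], "proxy": [], "dns": [], "autostart": []}
    for e in parse_pseudo_hjt(log):
        if e.kind in ("BHO", "TB") and e.target == "<orphaned>":
            # Registration whose DLL is gone: nothing loads, but the key is
            # normally cleaned up so it stops showing in future logs.
            report["orphaned"].append(e.name)
        elif e.kind == "Notify":
            # Winlogon notification packages load their DLL at every logon, so
            # each one should belong to software the owner knowingly installed
            # (here GoToAssist, the remote-support product seen in the log).
            report["winlogon_notify"].append(f"{e.name}: {e.target}")
        elif e.kind == "Proxy":
            # Every browser request goes through this host; it should match a
            # proxy the owner or the ISP set up on purpose.
            report["proxy"].append(e.target)
        elif e.kind == "DNS":
            # Name servers should be the ISP's (or the router's), not strangers.
            report["dns"].extend(e.target.split())
        elif e.kind in ("mRun", "uRun"):
            report["autostart"].append(e.name)
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```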

#6 Elise

Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 17 July 2011 - 07:16 AM

Afterwards I was told the worst POSSIBLE scare scenarios. No Firewall present on my Computer (big fat lie), No Windows Update (no big deal...easy as pie to fix by myself), 2,860 alerts/warnings in registry. The Registry alone would take 40 minutes to fix & had to be addressed first I was told (before the firewall issue). Since this was a separate (non-NIS 2011, but rather Microsoft Windows) issue I would have to pay extra & should get out my credit card.

Very good you did this, especially since "cleaning the registry" is not something I recommend; in the best case it doesn't improve a thing, in the worst case it can do irreparable damage to your Windows installation. Best is to stay clear of any registry cleaner!

Let's first check for rootkits also.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#7 Beaumont

Beaumont

    New Member

  • Members
  • 13 posts

Posted 17 July 2011 - 02:46 PM

Good Afternoon Elise,

So, as per instructions, I tried to download the TDSSKiller .zip directly to my desktop. It should have been simple, yet there are NEW features on my computer I'm not yet familiar with (i.e., Win IE 9, NIS 2011), hence (once clicking on the blue TDSSKiller .zip link I did not get the "download to" option).

I looked as to where the .zip file had gone to though on my computer and was able to extract TDSSKiller .exe to desktop. Right-click TDSSKiller .exe & run as administrator.

TDSSKiller 2.5.11.0

TDSS rootkit removing tool

Objects to scan

Services and drivers

Boot sectors

...ran scan...

System scan completed

Duration: 00:00:13

Processed: 240 objects,

Infection: not found

I hope this helps.

Bailey

#8 Elise

Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 17 July 2011 - 03:05 PM

Yes, that is okay. :)

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (screenshot not reproduced here). Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.
regards, Elise



#9 Beaumont (New Member, 13 posts)

Posted 19 July 2011 - 12:11 AM

Good Evening Elise,

So, things didn't go entirely as I had hoped for pertaining to the ComboFix download/install/run. Once again I didn't get the "download to desktop" option, but rather the download file folder. I extracted ComboFix from there to the desktop, yet in the process also triggered the ComboFix scan before I could disable ALL of my a/v and disable the modem (Internet connection).

Here is the ComboFix log...

ComboFix 11-07-18.05 - DavidKS 07/19/2011 0:45.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3069.2116 [GMT -4:00]
Running from: c:\users\DavidKS\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\DFR9434.tmp
c:\users\DavidKS\GoToAssistDownloadHelper.exe
c:\users\Mickey C\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))
.
.
2011-07-19 04:53 . 2011-07-19 04:53 -------- d-----w- c:\users\DavidKS\AppData\Local\temp
2011-07-19 04:53 . 2011-07-19 04:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-07-19 04:53 . 2011-07-19 04:53 -------- d-----w- c:\users\Mickey C\AppData\Local\temp
2011-07-19 04:53 . 2011-07-19 04:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-16 00:33 . 2011-07-16 01:29 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-07-16 00:33 . 2011-07-16 00:33 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-16 00:33 . 2011-07-16 00:33 -------- d-----w- c:\program files\Symantec
2011-07-16 00:32 . 2011-07-16 00:33 -------- d-----w- c:\windows\system32\drivers\NIS
2011-07-16 00:32 . 2011-07-16 00:32 -------- d-----w- c:\program files\Norton Internet Security
2011-07-16 00:07 . 2011-07-16 01:06 -------- d-----w- c:\program files\NortonInstaller
2011-07-13 19:21 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-07-13 14:13 . 2011-07-15 02:07 -------- d-----w- c:\users\DavidKS\AppData\Local\NPE
2011-07-13 14:09 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-07-13 14:09 . 2011-04-20 15:55 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-13 14:09 . 2011-04-20 15:50 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-12 19:45 . 2011-07-12 19:45 -------- d-----w- c:\program files\Common Files\Java
2011-07-12 18:08 . 2011-07-12 18:08 -------- d-----w- c:\users\DavidKS\AppData\Roaming\Tific
2011-07-12 18:08 . 2011-07-12 18:08 -------- d-----w- c:\users\DavidKS\AppData\Local\Symantec
2011-07-12 17:51 . 2011-07-12 17:51 -------- d-----w- c:\users\DavidKS\AppData\Local\PackageAware
2011-07-11 23:11 . 2011-07-12 08:29 -------- d-----w- c:\users\DavidKS\AppData\Local\CrashDumps
2011-07-10 16:42 . 2011-07-11 08:49 -------- d-----w- c:\users\Mickey C\AppData\Local\CrashDumps
2011-07-10 02:35 . 2011-07-16 00:32 -------- d-----w- c:\programdata\Norton
2011-06-29 02:01 . 2011-04-29 15:59 276992 ----a-w- c:\windows\system32\schannel.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 15:44 . 2011-07-13 15:44 447659 ----a-w- c:\windows\smc.zip
2011-07-06 23:52 . 2008-07-19 22:46 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2008-07-09 03:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 08:52 . 2010-05-26 20:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-02 17:16 . 2011-06-15 05:05 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 13:25 . 2011-06-15 05:06 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 13:25 . 2011-06-15 05:06 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-29 13:24 . 2011-06-15 05:05 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-29 13:24 . 2011-06-15 05:05 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-29 13:24 . 2011-06-15 05:05 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-21 13:58 . 2011-06-15 05:06 273408 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
c:\users\Mickey C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\DavidKS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2011-6-29 3656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-09-02 19:24 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\users\DavidKS\AppData\Roaming\iolo\
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Users^DavidKS^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\DavidKS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-10-08 22:04 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-02-06 21:02 170496 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell PC TuneUp Startup]
2008-04-30 13:59 307568 ----a-w- c:\program files\iolo\Common\Lib\ioloLManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-04-07 13:13 673616 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON WorkForce 610 Series]
2009-01-26 06:00 199680 ----a-w- c:\windows\System32\spool\drivers\W32X86\3\E_FATIFJA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]
2009-06-05 04:00 843776 ----a-w- c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 01:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTCM Client]
2009-08-05 17:36 1596096 ----a-w- c:\program files\LTCM Client\ltcmClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-07-06 23:52 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-07-06 23:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMSpeed]
2008-12-09 13:32 55120 ----a-w- c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-05-11 13:26 4452352 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 16:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-07-20 04:54 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2008-07-18 19:04 331776 ----a-w- c:\windows\System32\WDBtnMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WDCBG]
2004-08-02 18:50 118784 ----a-w- c:\windows\wdcbg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2008-05-24 18:34 26448 ----a-w- c:\windows\System32\spool\drivers\W32X86\3\WrtMon.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WDCFX_AT;USB Storage Adapter FX_AT (WDC);c:\windows\system32\DRIVERS\WDCFX_AT.SYS [2004-08-02 33536]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\SYMDS.SYS [2011-01-27 340088]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\SYMEFA.SYS [2011-03-15 744568]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110701.001\BHDrvx86.sys [2011-05-19 810616]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2007-09-20 12800]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110716.031\IDSvix86.sys [2011-07-16 367736]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\Ironx86.SYS [2011-01-27 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NIS\1206000.01D\SYMTDIV.SYS [2011-03-22 331384]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-04-30 565608]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-04-30 565608]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-16 105592]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\Bomgar Task 2083627.job
- c:\program files\Internet Explorer\iexplore.exe [2011-07-16 03:27]
.
2011-07-17 c:\windows\Tasks\Malwarebytes' Scheduled Update for DavidKS.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-07-09 23:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pandasecurity.com/activescan/index/
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = cdn
Trusted Zone: mlb.com\mlb
TCP: DhcpNameServer = 68.87.73.246 68.87.71.230
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
AddRemove-ComcastHSI - c:\program files\support.com\uninstall\chsi_uninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-19 00:53
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
Completion time: 2011-07-19 00:55:50
ComboFix-quarantined-files.txt 2011-07-19 04:55
ComboFix2.txt 2010-05-18 14:53
.
Pre-Run: 93,158,174,720 bytes free
Post-Run: 93,118,676,992 bytes free
.
- - End Of File - - 9A45E4A71B36E77F573FFE7E389C2BEB


I hope this helps & thank you for doing this!

Bailey

#10 Beaumont (New Member, 13 posts)

Posted 19 July 2011 - 12:18 AM

Good Evening Elise (again),

I was reading the ComboFix .txt scan file results and noticed something interesting...


2011-07-13 c:\windows\Tasks\Bomgar Task 2083627.job
- c:\program files\Internet Explorer\iexplore.exe [2011-07-16 03:27]

I believe BOMGAR is IOYOGI's online system scan (i.e., the scan they did on my computer in Safe Mode with networking).

I don't know if this info helps you.

From a very tired & sore (post surgery),

Bailey
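The Bomgar task and the GoToAssist entries are exactly the kind of thing worth pulling out of a ComboFix log automatically rather than reading line by line. The following Python script is an added example for this thread; it is not ComboFix's own code and not part of the original posts. It splits a ComboFix log into its banner sections, lists each Scheduled Tasks entry with the program it launches, extracts the Internet Explorer proxy server from the Supplementary Scan section, and flags every line that names a remote-support product. The embedded log is a constructed, abridged excerpt modelled on the log posted above, and the list of remote-support product names is the example's own assumption; a hit only marks a line for human review (a support tool's presence is not evidence of malice by itself), it does not delete anything.

```python
"""Triage a ComboFix log: sections, scheduled tasks, IE proxy, remote-support tools.
Added example for this thread; not ComboFix's code and not part of the original posts."""
import re

# Constructed, abridged excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
ComboFix 11-07-18.05 - DavidKS 07/19/2011 0:45.1.2 - x86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DFR9434.tmp
c:\users\DavidKS\GoToAssistDownloadHelper.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-09-02 19:24 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\Bomgar Task 2083627.job
- c:\program files\Internet Explorer\iexplore.exe [2011-07-16 03:27]
.
2011-07-17 c:\windows\Tasks\Malwarebytes' Scheduled Update for DavidKS.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-07-09 23:52]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pandasecurity.com/activescan/index/
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
"""

BANNER = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")          # "((((( Name )))))" section headers
LITERAL_HEADERS = {                                         # headers ComboFix writes without parens
    "Contents of the 'Scheduled Tasks' folder": "Scheduled Tasks",
    "------- Supplementary Scan -------": "Supplementary Scan",
}
TASK_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.+\.job)$", re.IGNORECASE)
TARGET_LINE = re.compile(r"^-\s+(.+?)\s+\[([^\]]+)\]$")     # "- <program> [<stamp>]"
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
# Remote-support products worth a second look after an unsolicited "support" session.
# This list is the example's own assumption; a match means "review", not "malicious".
REMOTE_SUPPORT_TOOLS = ("Bomgar", "GoToAssist", "LogMeIn", "TeamViewer", "Ammyy")


def split_sections(log):
    """Group log lines by ComboFix section; lone '.' spacer lines are dropped."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = BANNER.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line in LITERAL_HEADERS:
            current = LITERAL_HEADERS[line]
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def scheduled_tasks(sections):
    """Each .job entry with the program it launches and the stamp ComboFix printed for it."""
    tasks = []
    for line in sections.get("Scheduled Tasks", []):
        job = TASK_LINE.match(line)
        if job:
            tasks.append({"date": job.group(1), "job": job.group(2),
                          "target": None, "target_stamp": None})
            continue
        target = TARGET_LINE.match(line)
        if target and tasks:                 # target line belongs to the preceding .job
            tasks[-1]["target"] = target.group(1)
            tasks[-1]["target_stamp"] = target.group(2)
    return tasks


def proxy_settings(sections):
    """Proxy servers set for Internet Explorer, as listed in the Supplementary Scan."""
    found = []
    for line in sections.get("Supplementary Scan", []):
        m = PROXY_LINE.match(line)
        if m:
            found.append(m.group(1))
    return found


def find_remote_support_artifacts(log):
    """Every log line (1-based number) that names a remote-support product."""
    hits = []
    for number, line in enumerate(log.splitlines(), start=1):
        lowered = line.lower()
        for tool in REMOTE_SUPPORT_TOOLS:
            if tool.lower() in lowered:
                hits.append({"line_no": number, "tool": tool, "line": line.strip()})
                break
    return hits


if __name__ == "__main__":
    found_sections = split_sections(SAMPLE_LOG)
    for task in scheduled_tasks(found_sections):
        print(f"task {task['job']} -> {task['target']} [{task['target_stamp']}]")
    print("IE proxies:", proxy_settings(found_sections))
    for hit in find_remote_support_artifacts(SAMPLE_LOG):
        print(f"review line {hit['line_no']} ({hit['tool']}): {hit['line']}")
```

Run against a real ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the proxy check is there because an ISP or a scammer leaving a proxy in the IE settings is easy to miss in a long log, and every flagged line still needs a human to decide what it is before anything is removed.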

#11 Elise (Forum Deity, Experts, 8,721 posts, Gender: Female, Location: Romania)

Posted 19 July 2011 - 02:05 AM

Hi Bailey, I hope you'll be feeling better soon! :)

Not all things showing up in a combofix log are also deleted, so no worries about the task showing up.
How are things running at this point?
regards, Elise



#12 Beaumont (New Member, 13 posts)

Posted 19 July 2011 - 10:28 PM

Good Evening Elise,


"How are things running at this point?"

Well, I ONLY use the Computer (currently) to post logs on this thread, rather than surfing on the Net (once I have the "all clear" that would change), yet my comp allows: Win StartUp, IE opening, logging on to malwarebytes.org without interruptions.

Now I don't know if I did any (temp) damage to my a/v (NIS 2011 & MBAM) because I triggered ComboFix when I transferred it from My Documents/Download to Desktop (prior to my disabling NIS 2011 & MBAM), yet I have the install disk to both programs in case the ComboFix scan corrupted NIS 2011/MBAM files and should I need to un-install/re-install (no problemo).

I only noticed, post ComboFix scan, that the MBAM Protection Module was disabled, yet after the scan I re-enabled the feature.

From HUMID Maryland,

Bailey

#13 Elise (Forum Deity, Experts, 8,721 posts, Gender: Female, Location: Romania)

Posted 20 July 2011 - 03:45 AM

Things are looking good at this point, so feel free to use your computer to see if there are any problems left.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the scan button on that page (button image not reproduced here).
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise



#14 Beaumont (New Member, 13 posts)

Posted 21 July 2011 - 02:31 AM

Good Morning Elise,

So, for starters, I wanted to, once again, thank you for troubleshooting ("clean comp/infected comp?").

As said...

I am, for the most part, bedridden (post surgery), hence NO surfing of the Web (I did check if multi-media files work...and they do).

Great advice on the ESET Scan as it DID catch an infection...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan deleted - quarantined

So, I am familiar with download trojans (click on a Google search hyperlink/downloader trojan mystery present/Webroot SpySweeper with Anti-Virus catches it/manual deletion of trojan in quarantine), yet the download trojans I'm familiar with are the fakeAlert variety (that try and convince you your computer is infected via pop-up alerts).

What about the TrojanDownloader.OpenStream.NAZ trojan? Any idea what (harm) that does/is meant to do?

Also...

ESET Scan results said deleted - quarantined? Do you happen to know which it is (of the two) just quarantined or actually deleted?

Today (in a few hours) I have an outpatient follow-up exam/biopsy, hence that could take all day by the time everything is said & done (ergo I might be TOO tired/worn out to post again until Friday evening).

I hope this response finds you doing well (healthwise & other) & of good cheer!

From VERY humid Maryland,

Bailey

#15 Beaumont (New Member, 13 posts)

Posted 21 July 2011 - 04:10 AM

Good Morning Elise (once again),

Sorry for having forgotten to ask this earlier...

The ESET scan gave me the pathway to the trojan, yet is there ANY way of telling for how long said trojan has been on my computer?

Bailey

#16 Elise (Forum Deity, Experts, 8,721 posts, Gender: Female, Location: Romania)

Posted 21 July 2011 - 08:22 AM

Hi Bailey,

Each virus scanner has its own "strong points". One thing that ESET always is able to do, is to find Java related, potentially dangerous objects. In this case, nothing to worry about, just a remnant. :)

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
  • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
regards, Elise



#17 Beaumont (New Member, 13 posts)

Posted 22 July 2011 - 05:17 PM

Dear Elise,

I re-ran the ESET (free) online scan (no new infections), yet the quarantine still listed:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan deleted - quarantined

Any way to permanently delete (rather than JUST quarantine) said downloader trojan? In case I uninstall the ESET files (and that THEN releases the virus)?

Or just NOT an issue as it was a remnant (echo/ghost?) of the downloader trojan (which would then beg to ask the question "What happened to the rest of TrojanDownloader.OpenStream.NAZ?")?

The ComboFix .txt scan results had said...

Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\Bomgar Task 2083627.job
- c:\program files\Internet Explorer\iexplore.exe [2011-07-16 03:27]
.

This is NOT active? Harmful (any more)?

Sorry for my naive questions when you have been SO kind & patient with me.

From HUMID Maryland,

Bailey

Post Scriptum: Un-installed ALL tools (no problem)

#18 Elise (Forum Deity, Experts, 8,721 posts, Gender: Female, Location: Romania)

Posted 23 July 2011 - 01:34 AM

c:\windows\Tasks\Bomgar Task 2083627.job

My apologies, I had understood you meant to keep this file. It cannot do any harm as the only thing it does, is loading internet explorer. To delete it, simply navigate to c:\windows\Tasks, right click on the Bomgar Task file and select Delete.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan deleted - quarantined

The file is located in the WebDav cache, which is a type of shared storage. ESET detects the c00.php file as a stream downloader, whereas I suspect it is not. If you google this file name, you'll find many topics where the same got detected/deleted, which indicates it is a legit object. If WebDav or similar needs this, it will recreate it.

Or just NOT an issue as it was a remnant (echo/ghost?) of the downloader trojan (which would then beg to ask the question "What happened to the rest of TrojanDownloader.OpenStream.NAZ?")?

This file, whether it is bad or not, has nothing to do with your initial infection. :)
regards, Elise



#19 Beaumont (New Member, 13 posts)

Posted 23 July 2011 - 04:02 PM

Dear Elise,

It is I that is sorry if I gave you the impression that I wanted to keep the Bomgar Task jobs file (I don't trust ioyogi/Bomgar as far as I can throw them). Ioyogi bamboozled me into believing they are the Symantec Corp., when I had a question regarding NIS 2011, and conned me into allowing them to do a remote assistance with online scan of my computer (in Safe Mode with networking) and then lied about the results of said scan.

I only brought up Bomgar because it appeared in the ComboFix scan results (and I no longer wish for Bomgar to be active/exist on my computer).

When I input c:\windows\Tasks (Start/Search bar) - Computer - OS (C:) Windows - Tasks

There are 2 files. One is Malwarebytes' Scheduled Update and the other is a text document called SCHEDLGU, yet NO Bomgar Task file (does that mean Bomgar is dead/deleted/blown to smithereens?).

The SCHEDLGU contains:

"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/12/2011 7:24:29 AM
"Task Scheduler Service"
Started at 5/12/2011 3:12:15 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 5/12/2011 3:35:05 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/13/2011 7:10:46 AM
"Task Scheduler Service"
Started at 5/14/2011 1:08:24 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/14/2011 1:23:09 AM
"Task Scheduler Service"
Started at 5/14/2011 9:16:08 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/16/2011 4:35:26 PM
"Task Scheduler Service"
Started at 5/16/2011 7:26:09 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/17/2011 9:21:04 AM
"Task Scheduler Service"
Started at 5/17/2011 9:23:49 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/17/2011 10:52:12 AM
"Task Scheduler Service"
Started at 5/17/2011 10:53:34 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/17/2011 9:54:56 PM
"Task Scheduler Service"
Started at 5/17/2011 9:57:14 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/17/2011 11:39:23 PM
"Task Scheduler Service"
Started at 5/18/2011 8:28:01 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/18/2011 9:00:26 PM
"Task Scheduler Service"
Started at 5/18/2011 9:01:19 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/18/2011 10:48:51 PM
"Task Scheduler Service"
Started at 5/18/2011 11:50:51 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/19/2011 12:25:46 AM
"Task Scheduler Service"
Started at 5/19/2011 10:05:08 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/19/2011 9:02:25 PM
"Task Scheduler Service"
Started at 5/19/2011 9:03:33 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/20/2011 12:17:01 AM
"Task Scheduler Service"
Started at 5/20/2011 4:49:49 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/20/2011 4:55:53 AM
"Task Scheduler Service"
Started at 5/20/2011 4:51:50 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/20/2011 6:44:19 PM
"Task Scheduler Service"
Started at 5/20/2011 7:16:27 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/20/2011 11:19:09 PM
"Task Scheduler Service"
Started at 5/20/2011 11:20:33 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 5/21/2011 7:54:25 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 5/21/2011 10:04:17 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/21/2011 4:04:20 PM
"Task Scheduler Service"
Started at 5/21/2011 4:05:39 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/23/2011 7:45:51 AM
"Task Scheduler Service"
Started at 5/23/2011 6:39:47 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/24/2011 10:18:16 AM
"Task Scheduler Service"
Started at 5/24/2011 10:19:48 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/24/2011 8:04:36 PM
"Task Scheduler Service"
Started at 5/24/2011 8:06:14 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/25/2011 6:57:19 AM
"Task Scheduler Service"
Started at 5/25/2011 6:19:29 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/27/2011 7:00:53 AM
"Task Scheduler Service"
Started at 5/27/2011 11:02:51 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/27/2011 8:15:11 PM
"Task Scheduler Service"
Started at 5/27/2011 9:51:43 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/27/2011 11:34:06 PM
"Task Scheduler Service"
Started at 5/28/2011 12:30:00 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/28/2011 1:05:06 AM
"Task Scheduler Service"
Started at 5/28/2011 10:08:04 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/29/2011 8:01:04 AM
"Task Scheduler Service"
Started at 5/29/2011 1:47:23 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/1/2011 7:19:52 AM
"Task Scheduler Service"
Started at 6/1/2011 6:48:38 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/2/2011 7:29:10 AM
"Task Scheduler Service"
Started at 6/2/2011 7:22:29 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/3/2011 11:34:37 PM
"Task Scheduler Service"
Started at 6/3/2011 11:35:47 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/7/2011 10:36:38 PM
"Task Scheduler Service"
Started at 6/7/2011 10:37:54 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 6/9/2011 7:53:46 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/10/2011 1:42:37 AM
"Task Scheduler Service"
Started at 6/10/2011 7:41:12 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/15/2011 3:37:34 AM
"Task Scheduler Service"
Started at 6/15/2011 3:40:03 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/15/2011 7:47:58 AM
"Task Scheduler Service"
Started at 6/15/2011 7:50:39 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/15/2011 9:31:36 PM
"Task Scheduler Service"
Started at 6/16/2011 8:04:58 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/16/2011 8:07:46 PM
"Task Scheduler Service"
Started at 6/16/2011 8:09:40 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/16/2011 9:17:56 PM
"Task Scheduler Service"
Started at 6/17/2011 4:12:40 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/17/2011 5:24:15 PM
"Task Scheduler Service"
Started at 6/17/2011 5:25:18 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/17/2011 11:11:30 PM
"Task Scheduler Service"
Started at 6/18/2011 7:35:49 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/21/2011 7:57:41 AM
"Task Scheduler Service"
Started at 6/21/2011 7:42:25 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/23/2011 9:51:59 PM
"Task Scheduler Service"
Started at 6/24/2011 7:51:51 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 6/29/2011 3:17:13 AM
"Task Scheduler Service"
Started at 6/29/2011 3:18:51 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/1/2011 11:57:17 AM
"Task Scheduler Service"
Started at 7/1/2011 11:58:31 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/1/2011 7:04:51 PM
"Task Scheduler Service"
Started at 7/1/2011 7:06:01 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 7/4/2011 11:25:57 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 7/4/2011 7:13:52 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/5/2011 6:53:43 AM
"Task Scheduler Service"
Started at 7/5/2011 3:24:20 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/6/2011 5:41:07 PM
"Task Scheduler Service"
Started at 7/6/2011 5:42:22 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 7/12/2011 4:53:11 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/12/2011 1:25:06 PM
"Task Scheduler Service"
Started at 7/12/2011 1:26:18 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/12/2011 1:53:15 PM
"Task Scheduler Service"
Started at 7/12/2011 1:54:03 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/12/2011 2:25:52 PM
"Task Scheduler Service"
Started at 7/12/2011 2:26:54 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/13/2011 12:34:20 AM
"Task Scheduler Service"
Started at 7/13/2011 10:01:36 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/13/2011 10:15:24 AM
"Task Scheduler Service"
Started at 7/13/2011 10:16:42 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/13/2011 11:34:34 AM
"Task Scheduler Service"
Started at 7/13/2011 11:37:08 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 7/13/2011 12:13:55 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/13/2011 12:51:05 PM
"Task Scheduler Service"
Started at 7/13/2011 12:53:17 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/13/2011 1:48:33 PM
"Task Scheduler Service"
Started at 7/13/2011 1:55:18 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 7/13/2011 4:38:37 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/13/2011 5:53:00 PM
"Task Scheduler Service"
Started at 7/13/2011 5:54:01 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 7/13/2011 9:08:36 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/14/2011 2:01:44 AM
"Task Scheduler Service"
Started at 7/14/2011 7:12:18 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/14/2011 7:37:50 AM
"Task Scheduler Service"
Started at 7/14/2011 7:38:38 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/14/2011 10:43:38 AM
"Task Scheduler Service"
Started at 7/14/2011 10:44:53 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/14/2011 10:45:07 AM
"Task Scheduler Service"
Started at 7/14/2011 12:57:01 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/14/2011 7:07:58 PM
"Task Scheduler Service"
Started at 7/14/2011 7:08:51 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/14/2011 10:03:20 PM
"Task Scheduler Service"
Started at 7/14/2011 10:12:52 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/14/2011 10:20:44 PM
"Task Scheduler Service"
Started at 7/14/2011 10:21:32 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/15/2011 1:10:57 AM
"Task Scheduler Service"
Started at 7/15/2011 10:09:21 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/15/2011 1:41:13 PM
"Task Scheduler Service"
Started at 7/15/2011 7:22:24 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/15/2011 7:59:15 PM
"Task Scheduler Service"
Started at 7/15/2011 8:00:00 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/15/2011 8:03:32 PM
"Task Scheduler Service"
Started at 7/15/2011 8:04:16 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/15/2011 9:05:08 PM
"Task Scheduler Service"
Started at 7/15/2011 9:06:14 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/15/2011 11:28:27 PM
"Task Scheduler Service"
Started at 7/15/2011 11:30:00 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/16/2011 12:22:30 AM
"Task Scheduler Service"
Started at 7/16/2011 3:35:24 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/17/2011 2:17:01 AM
"Task Scheduler Service"
Started at 7/17/2011 10:10:42 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/17/2011 7:55:46 PM
"Task Scheduler Service"
Started at 7/19/2011 12:25:28 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 7/19/2011 12:38:20 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/19/2011 4:55:15 AM
"Task Scheduler Service"
Started at 7/19/2011 8:29:01 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/20/2011 4:33:30 AM
"Task Scheduler Service"
Started at 7/20/2011 3:48:00 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/20/2011 5:23:35 PM
"Task Scheduler Service"
Started at 7/20/2011 8:07:57 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/21/2011 9:05:58 AM
"Task Scheduler Service"
Started at 7/22/2011 4:07:23 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 7/22/2011 11:33:53 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/23/2011 7:09:31 AM
"Task Scheduler Service"
Started at 7/23/2011 10:22:24 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 7/23/2011 4:23:15 PM
"Task Scheduler Service"
Started at 7/23/2011 4:24:11 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
[ ***** Most recent entry is above this line ***** ]


"Task Scheduler Service"
Started at 5/11/2011 3:48:23 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/11/2011 8:48:07 PM
"Task Scheduler Service"
Started at 5/11/2011 8:49:47 PM





My apologies, I had understood you meant to keep this file. It cannot do any harm, as the only thing it does is load Internet Explorer. To delete it, simply navigate to c:\windows\Tasks, right click on the Bomgar Task file and select Delete.


Thank you for saying more about the Java-type downloader trojan. I only brought up the c00.php file because when I re-ran the ESET online scanner it still listed said file in quarantine (under Manage Quarantine), whereas I'd prefer it to be deleted rather than just quarantined, yet if you say it can do me no harm...great!



The file is located in the WebDav cache, which is a type of shared storage. ESET detects the c00.php file as a stream downloader, whereas I suspect it is not. If you google this file name, you'll find many topics where the same got detected/deleted, which indicates it is a legit object. If WebDav or similar needs this, it will recreate it.

Okay, imagine me a bit confused, yet glad to hear my computer is CLEAN/SECURE all the same. My hypothesis was that the C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php might be connected to the Bomgar online scan (while my computer was in Safe Mode with networking), yet I have no way of being certain.

This file, whether it is bad or not, has nothing to do with your initial infection. :)


If you give the "thumbs up" (system secure/all clean) then THANK YOU. This is a great forum with wonderful people (such as yourself) on it.

Bailey
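The SchedLgU.txt excerpt pasted above is nothing but Started/Exited pairs, yet it still answers two questions a responder wants settled: a "Started" that follows another "Started" with no "Exited" between them is a service run that never shut down cleanly (a crash or a hard power-off), and because the file is circular, the records below the "Most recent entry" marker are the oldest ones, so the order must be rotated before the timeline makes sense. The Python below is an added example, not part of the forum thread: it parses a constructed sample in the same format (the timestamps are invented, not the poster's), rotates the wrap-around, and reports each run, the runs with no clean exit, and any timestamp that runs backwards (a clock change or a hand-edited log).

```python
import re
from datetime import datetime

# Record shape of the Vista/Server 2008 Task Scheduler log (%SystemRoot%\SchedLgU.txt):
# a quoted service name on one line, then either a version line or "Started at"/
# "Exited at" with a US-format timestamp. The file is circular: the newest record
# sits just above the marker line and the oldest surviving records come after it.
MARKER = "[ ***** Most recent entry is above this line ***** ]"
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"
EVENT_RE = re.compile(r"^(Started|Exited) at (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$")

# Constructed sample in that shape (timestamps invented, not taken from the poster's
# log). It has a wrap-around at the marker, a second "Started" with no "Exited" in
# between, and one timestamp that runs backwards.
SAMPLE_LOG = """\
"Task Scheduler Service"
Exited at 5/20/2011 11:19:09 PM
"Task Scheduler Service"
Started at 5/20/2011 11:20:33 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Started at 5/21/2011 7:54:25 AM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"Task Scheduler Service"
Exited at 5/21/2011 4:04:20 PM
"Task Scheduler Service"
Started at 5/21/2011 4:03:50 PM
[ ***** Most recent entry is above this line ***** ]

"Task Scheduler Service"
Started at 5/20/2011 7:16:27 PM
"Task Scheduler Service"
6.0.6001.18000 (longhorn_rtm.080118-1840)
"""


def parse_events(text):
    """Return (kind, datetime) pairs in true chronological order.

    Lines after the wrap marker are the oldest records, so they are moved to the
    front before parsing; service-name lines, version lines and blanks are ignored.
    """
    lines = [line.strip() for line in text.splitlines()]
    if MARKER in lines:
        cut = lines.index(MARKER)
        lines = lines[cut + 1:] + lines[:cut]
    events = []
    for line in lines:
        match = EVENT_RE.match(line)
        if match:
            events.append((match.group(1), datetime.strptime(match.group(2), TS_FORMAT)))
    return events


def analyze(events):
    """Pair Started/Exited records into runs and flag the two things worth a look."""
    sessions = []   # (start, end); end is None for the run still open when the log was copied
    unclean = []    # start times of runs that never logged an Exited (crash, hard power-off)
    backwards = []  # timestamps earlier than the record before them (clock change or edit)
    open_start = None
    previous = None
    for kind, when in events:
        if previous is not None and when < previous:
            backwards.append(when)
        previous = when
        if kind == "Started":
            if open_start is not None:
                unclean.append(open_start)
            open_start = when
        elif open_start is not None:
            sessions.append((open_start, when))
            open_start = None
        # An Exited with no open run (the first record after the wrap) is dropped.
    if open_start is not None:
        sessions.append((open_start, None))
    return {"sessions": sessions, "unclean_shutdowns": unclean, "clock_anomalies": backwards}


def summarize(text):
    return analyze(parse_events(text))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for start, end in report["sessions"]:
        ended = end.strftime("%Y-%m-%d %H:%M:%S") if end else "(still running)"
        print(f"run  {start:%Y-%m-%d %H:%M:%S} -> {ended}")
    for when in report["unclean_shutdowns"]:
        print(f"no Exited after Started at {when:%Y-%m-%d %H:%M:%S}: unclean shutdown")
    for when in report["clock_anomalies"]:
        print(f"timestamp goes backwards at {when:%Y-%m-%d %H:%M:%S}")
```

To run it over a real log, read %SystemRoot%\SchedLgU.txt into `summarize()` instead of the sample. An unclean shutdown in this log is only a pointer, not proof of anything: it also shows up after a plain power cut, so line the times up against the System event log before reading more into them.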

#20 Elise

Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 24 July 2011 - 02:15 AM

It is possible the file is hidden. To be absolutely sure, re-download ComboFix and run the following script.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
c:\windows\Tasks\Bomgar Task 2083627.job

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

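The script above deletes the Bomgar Task .job file on the strength of the earlier statement that all it does is launch Internet Explorer. A .job file is a small binary record in the Task Scheduler 1.0 format, and the application path, command line, task flags (including the task's own HIDDEN flag) and triggers can be read straight out of it before deciding whether to remove it. The Python below is an added example, not from the thread, ComboFix or Bomgar: it parses that format (field layout per MS-TSCH section 2.4) and, when no path is given, builds and inspects a constructed job that launches iexplore.exe with a placeholder argument; the constructed values are not the contents of the poster's file.

```python
import struct
import sys
import uuid

# Fixed 68-byte FIXDLEN_DATA header that opens every Task Scheduler 1.0 .job file
# (layout per MS-TSCH section 2.4), followed by a variable-length section whose
# strings and triggers are located through the two offsets stored in the header.
HEADER = struct.Struct("<HH16sHHHHHHIIIII16s")
HEADER_FIELDS = ("product_version", "file_version", "job_uuid", "app_name_len_offset",
                 "trigger_offset", "error_retry_count", "error_retry_interval",
                 "idle_deadline", "idle_wait", "priority", "max_run_time", "exit_code",
                 "status", "flags", "last_run_time")
TRIGGER = struct.Struct("<HHHHHHHHHHIIIIHHHHHH")   # one 48-byte trigger record
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}
STATUS = {0x41300: "READY", 0x41301: "RUNNING", 0x41302: "DISABLED", 0x41303: "HAS_NOT_RUN"}
# TASK_FLAG_* values from the Task Scheduler 1.0 API; anything else stays as a raw bit.
FLAGS = {0x1: "INTERACTIVE", 0x2: "DELETE_WHEN_DONE", 0x4: "DISABLED", 0x200: "HIDDEN",
         0x2000: "RUN_ONLY_IF_LOGGED_ON"}


def _pack_str(text):
    """Length-prefixed UTF-16LE string; the length counts the terminating null."""
    if not text:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(text) + 1) + (text + "\0").encode("utf-16-le")


def _read_str(data, offset):
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if count == 0:
        return "", offset
    raw = data[offset:offset + 2 * count]
    if len(raw) != 2 * count:
        raise ValueError("string runs past end of file")
    return raw.decode("utf-16-le").rstrip("\0"), offset + 2 * count


def build_job(app, params="", workdir="", author="", comment="", flags=0, trigger_type=0):
    """Assemble a minimal but well-formed .job blob (constructed test input, not a real task)."""
    body = struct.pack("<H", 0)                          # running instance count
    app_name_len_offset = HEADER.size + len(body)
    for text in (app, params, workdir, author, comment):
        body += _pack_str(text)
    body += struct.pack("<H", 0) + struct.pack("<H", 0)  # no user data, no reserved data
    trigger_offset = HEADER.size + len(body)
    trigger = TRIGGER.pack(48, 0, 2011, 7, 13, 0, 0, 0, 0, 0, 0, 0, 0, trigger_type, 0, 0, 0, 0, 0, 0)
    body += struct.pack("<H", 1) + trigger
    header = HEADER.pack(0x0600, 1, uuid.uuid4().bytes_le, app_name_len_offset, trigger_offset,
                         0, 0, 0, 0, 0x20, 0, 0, 0x41300, flags, b"\0" * 16)
    return header + body


def parse_job(data):
    """Decode the fields a responder cares about: what runs, with what, when, and how flagged."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than a .job header")
    hdr = dict(zip(HEADER_FIELDS, HEADER.unpack_from(data, 0)))
    offset = hdr["app_name_len_offset"]
    if offset < HEADER.size or offset + 2 > len(data):
        raise ValueError("bad application-name offset")
    app, offset = _read_str(data, offset)
    params, offset = _read_str(data, offset)
    workdir, offset = _read_str(data, offset)
    author, offset = _read_str(data, offset)
    comment, offset = _read_str(data, offset)
    toff = hdr["trigger_offset"]
    if toff < HEADER.size or toff + 2 > len(data):
        raise ValueError("bad trigger offset")
    (count,) = struct.unpack_from("<H", data, toff)
    triggers = []
    for i in range(count):
        t = TRIGGER.unpack_from(data, toff + 2 + i * TRIGGER.size)
        if t[0] != TRIGGER.size:
            raise ValueError("trigger record has wrong size")
        triggers.append({"type": TRIGGER_TYPES.get(t[13], f"UNKNOWN({t[13]})"),
                         "begin": f"{t[2]:04d}-{t[3]:02d}-{t[4]:02d}",
                         "start": f"{t[8]:02d}:{t[9]:02d}"})
    flags = [name for bit, name in sorted(FLAGS.items()) if hdr["flags"] & bit]
    return {"job_uuid": str(uuid.UUID(bytes_le=hdr["job_uuid"])), "application": app,
            "parameters": params, "working_directory": workdir, "author": author,
            "comment": comment, "status": STATUS.get(hdr["status"], hex(hdr["status"])),
            "flags": flags, "triggers": triggers}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:  # no path given: inspect a constructed job that launches Internet Explorer
        blob = build_job(r"C:\Program Files\Internet Explorer\iexplore.exe", "about:blank",
                         author="constructed example", flags=0x200)
    for key, value in parse_job(blob).items():
        print(f"{key:18}: {value}")
```

Run it as `python jobinfo.py "C:\Windows\Tasks\Bomgar Task 2083627.job"` from an elevated prompt (the script name is mine). If the file does not appear in Explorer, `dir /a C:\Windows\Tasks` lists it even with the hidden attribute set; a HIDDEN flag inside the job, by contrast, only keeps the task out of the Scheduled Tasks folder view, which is why both are worth checking. The `parameters` field is the one to read carefully: a browser launched with a URL argument is what "loading Internet Explorer" actually amounts to.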