Beaumont

Malicious Online Scan of Computer

Good Morning,

Well, for starters, thank you ever so much for looking at my post (and hopefully also for responding as well).

I have a Dell desktop Inspiron 530 (Vista Home Basic 32-bit/Service Pack 2) that came pre-installed with McAfee Security Center. Added to the hard drive were: Webroot SpySweeper with Anti-Virus & MBAM (full version).

So, for 3 years all worked rather well until MSC expired last week. MSC was replaced with Norton Internet Security 2011.

I had a Windows update (to latest version of Windows Internet Explorer), un-installed MSC (via Add/Remove programs in Control Panel), and installed NIS 2011.

Installing NIS 2011 was not a problem, yet updating definitions was however. NIS 2011 would not update, nor Java, MBAM froze, and the computer came to a grinding halt.

My ISP said either I have a software conflict (internet security software) and/or a virus/malware.

I chose to do a System Restore to go back to the previous week (which un-installed NIS 2011) and then un-installed Webroot...

The Computer operates better, yet because the problem persisted for days and I had no anti-virus defense (software conflict?) I am HIGHLY concerned that my hard drive might be infected!

To make matters worse...

I tried to contact Norton (Symantec) regarding Norton Internet Security 2011, yet there is NO 1-800 number on the side of the box that I bought from Best Buy, nor inside with the paperwork either. So, I Googled Symantec/Norton phone number & ended up calling a 1-800 number from a fictitious website (at the time I did not realize that the website was a fake/imposter Symantec).

Whoever I spoke to (from non-Symantec/Norton, yet led me to believe that it was Symantec/Norton) listened to what I had to say (possibility of virus/malware NIS 2011 was not catching/Firewall conflict) and then offered to do remote assistance (while on the phone with me) AND a Online System Scan of my computer in Safe Mode with networking.

Afterwards I was told the worst POSSIBLE scare scenarios. No Firewall present on my Computer (big fat lie), No Windows Update (no big deal...easy as pie to fix by myself), 2,860 alerts/warnings in registry. The Registry alone would take 40 minutes to fix & had to be addressed first I was told (before the firewall issue). Since this was a separate (non-NIS 2011, but rather Microsoft Windows) issue I would have to pay extra & should get out my credit card.

Hmmm, something smelled fishy to me (particularly how the technician kept laying on the dangers of not acting immediately...once I had paid, that is). At that point, at the latest, I suspected that something was WAY wrong (and I regretted allowing the online scan in Safe Mode with networking). I said I sadly don't have a valid credit card and hung up.

I called my ISP & explained what had happened by calling Symantec/Norton tech support in India regarding NIS 2011 & my firewall. My ISP said I spoke with the wrong people (we compared 1-800 numbers, for Symantec, over the phone) AND ioyogi or Bangor System Scan isn't Symantec, but rather a different outfit entirely (maybe ioyogi listed their 1-800 number on a website that came up in Google search rather than Symantec on purpose/listed the wrong 1-800 number).

Now I am both angry at being the victim of a con (even if they did not get any money out of me...they nonetheless were able to scan my computer remotely in safe mode with networking) as well as worried as to whether-or-not THEY stole personal information of mine in the process/left malicious virus, malware, spyware behind...or made changes to the registry).

Could he have done something to my computer, while scanning it in Safe Mode with networking, that later won't appear in scans in regular mode (when I run NIS 2011/MBAM)? In other words, made changes that I cannot detect (that are NOT in my best interest).

I would be ever SO grateful for input & good advice! :o)

My latest MBAM scan (and NIS 2011) came up clean, yet STILL worried (about malicious registry changes or spyware/virus)...

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 7119

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19088

7/13/2011 11:45:07 PM

mbam-log-2011-07-13 (23-45-05).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 296878

Time elapsed: 1 hour(s), 4 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Could a kind soul on this forum PLEASE tell me if YOU THINK there could be any infections not coming up in scans in regular Windows Mode? The reason why I ask is because I am a techno clutz with no idea as to what this person in India did to my Computer while he did a Online Scan in Safe Mode with networking! :o(

I REALLY need a second opinion as to whether-or-not my desktop is clean/secure!


Hi and welcome!

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Hello elise025,

Thank you ever SO MUCH for having taken the time to read, and respond to, my post.

Alas, since I started this thread I've had to undergo minor surgery (malignant skin tumor), hence I might not be able to do the scan right now (and post the results here on this thread); instead it might take till maybe Tuesday. Right now I'm in bad shape & shall have to follow doctor's orders (namely bedrest).

I did, however, wish to thank you & issue an apology that my response is slower than I would like for it to be.

I hope this response finds you doing well (I shall disconnect my modem & go to bed).

Thank you & I'll post back ASAP

Bailey


Hi Bailey, thank you for keeping me informed; the delay is not a problem at all; health is a lot more important than computer problems!

I hope you will be feeling better soon and wish you a speedy recovery! :)


Hello Again elise025,

Thank you for your kind regards & well wishes. This has, alas, been a really rotten week for me, yet your response is wonderful!

So, the painkillers they gave me (post surgery) are not working as well as they should, and this heatwave (plus Maryland's notorious Summertime humidity) isn't exactly helping me get the bedrest my doctor ordered (i.e., everything here is WAY TOO HUMID).

Since I can't sleep I've downloaded/installed/run DDS.

Here are the 2 notepad pop-ups...

DDS (Ver_2011-07-14.01) - NTFS_x86

Internet Explorer: 9.0.8112.16421

Run by DavidKS at 18:37:30 on 2011-07-16

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3069.1866 [GMT -4:00]

.

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\Ati2evxx.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Dell Support Center\gs_agent\dsc.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\sdclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10m_ActiveX.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.pandasecurity.com/activescan/index/

uWindow Title = Internet Explorer provided by Dell

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0080703

uProxyServer = actsvr.comcastonline.com:8100

uProxyOverride = cdn

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\18.6.0.29\coieplg.dll

BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\18.6.0.29\ips\ipsbho.dll

BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - <orphaned>

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.6.0.29\coieplg.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\18.6.0.29\coieplg.dll

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\users\davidks\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: NameServer = 68.87.73.246 68.87.71.230

TCP: Interfaces\{C629A87C-0BC3-4355-932D-C4DB37BD09A5} : DHCPNameServer = 68.87.73.246 68.87.71.230

Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\windows mail\WinMail.exe" OCInstallUserConfigOE

.

============= SERVICES / DRIVERS ===============

.

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-7-13 28552]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-7-15 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-7-15 744568]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110701.001\BHDrvx86.sys [2011-5-19 810616]

R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-7-2 12800]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110715.032\IDSvix86.sys [2011-7-15 367736]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-7-15 136312]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys [2011-7-15 331384]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-2 565608]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-2 565608]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-7-8 366640]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-7-15 130008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-15 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-7-8 22712]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 WDCFX_AT;USB Storage Adapter FX_AT (WDC);c:\windows\system32\drivers\wdcfx_at.sys [2008-7-18 33536]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== File Associations ===============

.

FileExt: .wsf: WSFFile=NOTEPAD.EXE %1

.

=============== Created Last 30 ================

.

2011-07-16 00:33:24 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-07-16 00:33:24 -------- d-----w- c:\program files\Symantec

2011-07-16 00:33:24 -------- d-----w- c:\program files\common files\Symantec Shared

2011-07-16 00:33:16 744568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symefa.sys

2011-07-16 00:33:16 50168 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtspx.sys

2011-07-16 00:33:16 340088 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symds.sys

2011-07-16 00:33:16 331384 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys

2011-07-16 00:33:16 296568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symnets.sys

2011-07-16 00:33:15 516216 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtsp.sys

2011-07-16 00:33:15 136312 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys

2011-07-16 00:32:14 -------- d-----w- c:\windows\system32\drivers\nis\1206000.01D

2011-07-16 00:32:02 -------- d-----w- c:\windows\system32\drivers\NIS

2011-07-16 00:32:00 -------- d-----w- c:\program files\Norton Internet Security

2011-07-16 00:07:16 -------- d-----w- c:\program files\NortonInstaller

2011-07-13 19:21:33 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2011-07-13 14:13:52 -------- d-----w- c:\users\davidks\appdata\local\NPE

2011-07-13 14:09:19 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-07-13 14:09:15 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-07-13 14:09:15 375808 ----a-w- c:\windows\system32\winsrv.dll

2011-07-12 18:08:19 -------- d-----w- c:\users\davidks\appdata\roaming\Tific

2011-07-12 18:08:18 -------- d-----w- c:\users\davidks\appdata\local\Symantec

2011-07-12 17:51:10 -------- d-----w- c:\users\davidks\appdata\local\PackageAware

2011-07-12 17:20:57 -------- d-----w- c:\windows\pss

2011-07-12 05:48:42 0 ----a-w- C:\DFR9434.tmp

2011-07-11 23:11:17 -------- d-----w- c:\users\davidks\appdata\local\CrashDumps

2011-07-10 02:35:29 -------- d-----w- c:\programdata\Norton

2011-07-10 02:33:37 -------- d-----w- c:\programdata\NortonInstaller

2011-06-29 02:01:28 276992 ----a-w- c:\windows\system32\schannel.dll

.

==================== Find3M ====================

.

2011-07-16 03:27:01 161792 ----a-w- c:\windows\system32\msls31.dll

2011-07-16 03:27:01 1126912 ----a-w- c:\windows\system32\wininet.dll

2011-07-16 03:27:00 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2011-07-16 03:27:00 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2011-07-16 03:27:00 48640 ----a-w- c:\windows\system32\mshtmler.dll

2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 08:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-02 17:16:14 739328 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 13:25:10 146432 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-04-29 13:25:09 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys

2011-04-29 13:24:50 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-04-29 13:24:42 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-04-29 13:24:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-21 13:58:27 273408 ----a-w- c:\windows\system32\drivers\afd.sys

.

============= FINISH: 18:38:01.44 ===============

and...

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-07-14.01)

.

Microsoft® Windows Vista™ Home Basic

Boot Device: \Device\HarddiskVolume3

Install Date: 7/2/2008 2:30:07 PM

System Uptime: 7/16/2011 3:37:36 AM (15 hours ago)

.

Motherboard: Dell Inc. | | 0RY007

Processor: Intel® Core2 Duo CPU E4600 @ 2.40GHz | Socket 775 | 1200/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 223 GiB total, 84.918 GiB free.

D: is FIXED (NTFS) - 10 GiB total, 2.36 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}

Description: USB HS-CF Card

Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-CF_CARD&REV_4.08#000006061E96&0#

Manufacturer: TEAC

Name: USB HS-CF Card

PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-CF_CARD&REV_4.08#000006061E96&0#

Service: WUDFRd

.

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}

Description: USB HS-MS Card

Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-MS_CARD&REV_4.08#000006061E96&2#

Manufacturer: TEAC

Name: USB HS-MS Card

PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-MS_CARD&REV_4.08#000006061E96&2#

Service: WUDFRd

.

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}

Description: USB HS-SD Card

Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-SD_CARD&REV_4.08#000006061E96&3#

Manufacturer: TEAC

Name: USB HS-SD Card

PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-SD_CARD&REV_4.08#000006061E96&3#

Service: WUDFRd

.

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}

Description: USB HS-xD/SM

Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-XD#SM&REV_4.08#000006061E96&1#

Manufacturer: TEAC

Name: USB HS-xD/SM

PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-XD#SM&REV_4.08#000006061E96&1#

Service: WUDFRd

.

==== System Restore Points ===================

.

RP1135: 7/4/2011 1:49:28 AM - Scheduled Checkpoint

RP1136: 7/5/2011 1:28:57 AM - Scheduled Checkpoint

RP1137: 7/5/2011 4:20:57 PM - Scheduled Checkpoint

RP1138: 7/7/2011 12:20:09 AM - Scheduled Checkpoint

RP1139: 7/8/2011 12:00:08 AM - Scheduled Checkpoint

RP1140: 7/8/2011 6:03:52 PM - Windows Update

RP1141: 7/8/2011 6:06:31 PM - Windows Update

RP1142: 7/8/2011 11:14:41 PM - Windows Backup

RP1143: 7/12/2011 4:39:00 AM - Restore Operation

RP1144: 7/12/2011 3:43:38 PM - Installed Java 6 Update 26

RP1145: 7/12/2011 8:00:52 PM - Installed HiJackThis

RP1146: 7/13/2011 12:44:21 PM - Windows Update

RP1147: 7/14/2011 9:05:31 AM - Scheduled Checkpoint

RP1148: 7/14/2011 9:31:02 AM - Removed HiJackThis

RP1149: 7/14/2011 9:31:35 AM - Removed HiJackThis

RP1150: 7/14/2011 9:35:32 AM - Installed HiJackThis

RP1151: 7/14/2011 9:37:44 AM - Removed HiJackThis

RP1152: 7/15/2011 11:58:15 AM - Scheduled Checkpoint

RP1153: 7/15/2011 11:22:37 PM - Windows Update

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader X (10.0.1)

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft Print Creations

ArcSoft Print Creations - Brochures & Flyers

ArcSoft Print Creations - Photo Calendar

ATI Catalyst Install Manager

AutoUpdate

Bonjour

Browser Address Error Redirector

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center Graphics Previews Vista

ccc-core-static

ccc-utility

CCC Help English

CCleaner (remove only)

Comcast High-Speed Internet Install Wizard

Dell DataSafe Online

Dell Getting Started Guide

Dell Support Center (Support Software)

DivX Codec

DivX Converter

DivX Player

DivX Web Player

EDocs

Epson Event Manager

Epson FAX Utility

Epson PC-FAX Driver

EPSON Scan

EPSON WorkForce 610 Series Printer Uninstall

ffdshow

GoToAssist Corporate

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Intel® PRO Network Connections 12.1.11.0

iTunes

Java Auto Updater

Java 6 Update 26

LTCM Client

Malwarebytes' Anti-Malware version 1.51.1.1800

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

MobileMe Control Panel

Move Networks Media Player for Internet Explorer

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 and SOAP Toolkit 3.0

Music, Photos & Videos Launcher

Norton Internet Security

OGA Notifier 2.0.0048.0

Panda ActiveScan 2.0

PowerDVD

Presto! PageManager 8.15.01 SE

Product Documentation Launcher

QualXServ Service Agreement

QuickTime

RealPlayer

Realtek High Definition Audio Driver

Retrospect 6.5

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE

Roxio Creator Tools

Roxio Express Labeler 3

Roxio Update Manager

Safari

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2509488)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft Office 2007 System (KB2541012)

Security Update for Microsoft Office Excel 2007 (KB2541007)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2535818)

Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Skins

Spelling Dictionaries Support For Adobe Reader 9

SpywareBlaster 4.2

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 System (KB2539530)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

USB Storage Adapter FX/AT (WDC)

Western Digital USB Mass Storage Driver Installation

WinRAR archiver

.

==== End Of File ===========================

I hope this helps.

Additionally, I tried to run MBAM in Safe Mode with networking (noticed the Protection Module was disabled), yet the scan came up clean (No infections). I also ran NIS 2011 in Safe Mode with networking; the results were several tracking cookies (NIS 2011 took care of them).

Aside from that "all quiet on the Eastern Front!"

Bailey

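Bailey's question (could the remote operator have left something behind that a normal-mode scan does not show?) is what the DDS log is for: it lists the autostart locations a remote-support session typically touches. As an added example, not part of this thread and not a DDS, Malwarebytes or Symantec tool, here is a small Python triage script for a DDS "Pseudo HJT Report". It flags the things a helper reads such a log for after an untrusted remote session: any remote-support component still installed (the GoToAssist winlogon Notify DLL and service in the log above are exactly that), a Browser Helper Object whose CLSID is still registered but whose DLL is gone (the two <orphaned> entries above), a per-user proxy to confirm with the ISP, and third-party winlogon Notify DLLs. The sample lines are copied from the log posted above and trimmed; the remote-support product names other than GoToAssist are an assumption added for illustration. The script only reads text and changes nothing, and a clean result from it does not rule out a rootkit.

```python
"""Triage a DDS "Pseudo HJT Report" after an untrusted remote-support session.

Added example; not part of the forum thread and not a DDS, Malwarebytes or
Symantec tool. It only reads log text and flags lines for a human to review.
"""
import re
from dataclasses import dataclass

# Remote-support products an operator typically installs on the victim's PC.
# GoToAssist is the one visible in the posted log; the other names are an
# assumption added here for illustration.
REMOTE_SUPPORT_MARKERS = ("gotoassist", "logmein", "teamviewer", "ammyy", "supremo")

_BHO_RE = re.compile(
    r"^BHO:\s*(?P<name>.*?)\s*(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.*)$"
)
_NOTIFY_RE = re.compile(r"^Notify:\s*(?P<name>.+?)\s*-\s*(?P<path>.+)$")
_PROXY_RE = re.compile(r"^uProxyServer\s*=\s*(?P<proxy>\S+)")


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = confirm with a human
    line: str      # the DDS line that triggered the finding
    reason: str


def triage(text: str) -> list[Finding]:
    """Walk DDS lines and return findings in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        # 1. Any trace of a remote-support product: services, Run keys,
        #    winlogon Notify packages, leftover download helpers.
        if any(marker in low for marker in REMOTE_SUPPORT_MARKERS):
            findings.append(Finding("high", line,
                "remote-support component still present; remove it unless you installed it yourself"))
            continue

        # 2. A per-user proxy silently routes all browser traffic somewhere.
        m = _PROXY_RE.match(line)
        if m:
            findings.append(Finding("review", line,
                f"per-user proxy {m.group('proxy')}: confirm it is the ISP's, not one set during the session"))
            continue

        # 3. A Browser Helper Object whose DLL is gone: the registration outlived the file.
        m = _BHO_RE.match(line)
        if m and "<orphaned>" in m.group("path"):
            findings.append(Finding("review", line,
                "BHO CLSID registered but its DLL is missing (orphaned); clean up the registration"))
            continue

        # 4. winlogon Notify DLLs load into winlogon.exe as SYSTEM; anything
        #    outside system32 deserves a look even when the vendor name is familiar.
        m = _NOTIFY_RE.match(line)
        if m and "\\windows\\system32\\" not in m.group("path").lower():
            findings.append(Finding("review", line, "third-party winlogon Notify DLL"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity; both keys are always present."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: lines copied from the DDS log posted above, trimmed.
SAMPLE_DDS = r"""
uProxyServer = actsvr.comcastonline.com:8100
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - <orphaned>
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-7-2 12800]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_DDS)))
```

On the sample it reports one "high" finding (the GoToAssist Notify DLL) and three "review" findings (the Comcast proxy and the two orphaned BHOs); the Adobe BHO, the Java Run entry and the ElRawDisk driver pass through untouched. Anything it flags is a prompt to look at the file and its uninstaller, not a verdict.
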
Quote: "Afterwards I was told the worst POSSIBLE scare scenarios. No Firewall present on my Computer (big fat lie), No Windows Update (no big deal...easy as pie to fix by myself), 2,860 alerts/warnings in registry. The Registry alone would take 40 minutes to fix & had to be addressed first I was told (before the firewall issue). Since this was a separate (non-NIS 2011, but rather Microsoft Windows) issue I would have to pay extra & should get out my credit card."

Very good you did this, especially since "cleaning the registry" is not something I recommend; in the best case it doesn't improve a thing, in the worst case it can do irreparable damage to your Windows installation. Best is to stay clear of any registry cleaner!

Let's first check for rootkits also.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Good Afternoon Elise,

So, as per instructions, I tried to download the TDSSKiller .zip directly to my desktop. It should have been simple, yet there are NEW features on my computer I'm not yet familiar with (i.e., Win IE 9, NIS 2011), hence (once clicking on the blue TDSSKiller .zip link) I did not get the "download to" option.

I looked as to where the .zip file had gone to though on my computer and was able to extract TDSSKiller .exe to desktop. Right-click TDSSKiller .exe & run as administrator.

TDSSKiller 2.5.11.0

TDSS rootkit removing tool

Objects to scan

Services and drivers

Boot sectors

...ran scan...

System scan completed

Duration: 00:00:13

Processed: 240 objects,

Infection: not found

I hope this helps.

Bailey


Yes, that is okay. :)

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Good Evening Elise,

So, things didn't go entirely as I had hoped for pertaining to the ComboFix download/install/run. Once again I didn't get the "download to desktop" option, but rather the download file folder. I extracted ComboFix from there to the desktop, yet in the process also triggered the ComboFix scan before I could disable ALL of my a/v & disable the modem (Internet connection).

Here is the ComboFix log...

ComboFix 11-07-18.05 - DavidKS 07/19/2011 0:45.1.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3069.2116 [GMT -4:00]

Running from: c:\users\DavidKS\Desktop\ComboFix.exe

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\DFR9434.tmp

c:\users\DavidKS\GoToAssistDownloadHelper.exe

c:\users\Mickey C\GoToAssistDownloadHelper.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))

.

.

2011-07-19 04:53 . 2011-07-19 04:53 -------- d-----w- c:\users\DavidKS\AppData\Local\temp

2011-07-19 04:53 . 2011-07-19 04:53 -------- d-----w- c:\users\Public\AppData\Local\temp

2011-07-19 04:53 . 2011-07-19 04:53 -------- d-----w- c:\users\Mickey C\AppData\Local\temp

2011-07-19 04:53 . 2011-07-19 04:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-07-16 00:33 . 2011-07-16 01:29 -------- d-----w- c:\program files\Common Files\Symantec Shared

2011-07-16 00:33 . 2011-07-16 00:33 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-07-16 00:33 . 2011-07-16 00:33 -------- d-----w- c:\program files\Symantec

2011-07-16 00:32 . 2011-07-16 00:33 -------- d-----w- c:\windows\system32\drivers\NIS

2011-07-16 00:32 . 2011-07-16 00:32 -------- d-----w- c:\program files\Norton Internet Security

2011-07-16 00:07 . 2011-07-16 01:06 -------- d-----w- c:\program files\NortonInstaller

2011-07-13 19:21 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2011-07-13 14:13 . 2011-07-15 02:07 -------- d-----w- c:\users\DavidKS\AppData\Local\NPE

2011-07-13 14:09 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-07-13 14:09 . 2011-04-20 15:55 375808 ----a-w- c:\windows\system32\winsrv.dll

2011-07-13 14:09 . 2011-04-20 15:50 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-07-12 19:45 . 2011-07-12 19:45 -------- d-----w- c:\program files\Common Files\Java

2011-07-12 18:08 . 2011-07-12 18:08 -------- d-----w- c:\users\DavidKS\AppData\Roaming\Tific

2011-07-12 18:08 . 2011-07-12 18:08 -------- d-----w- c:\users\DavidKS\AppData\Local\Symantec

2011-07-12 17:51 . 2011-07-12 17:51 -------- d-----w- c:\users\DavidKS\AppData\Local\PackageAware

2011-07-11 23:11 . 2011-07-12 08:29 -------- d-----w- c:\users\DavidKS\AppData\Local\CrashDumps

2011-07-10 16:42 . 2011-07-11 08:49 -------- d-----w- c:\users\Mickey C\AppData\Local\CrashDumps

2011-07-10 02:35 . 2011-07-16 00:32 -------- d-----w- c:\programdata\Norton

2011-06-29 02:01 . 2011-04-29 15:59 276992 ----a-w- c:\windows\system32\schannel.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-13 15:44 . 2011-07-13 15:44 447659 ----a-w- c:\windows\smc.zip

2011-07-06 23:52 . 2008-07-19 22:46 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52 . 2008-07-09 03:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 08:52 . 2010-05-26 20:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-02 17:16 . 2011-06-15 05:05 739328 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 13:25 . 2011-06-15 05:06 146432 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-04-29 13:25 . 2011-06-15 05:06 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys

2011-04-29 13:24 . 2011-06-15 05:05 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-04-29 13:24 . 2011-06-15 05:05 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-04-29 13:24 . 2011-06-15 05:05 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-21 13:58 . 2011-06-15 05:06 273408 ----a-w- c:\windows\system32\drivers\afd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

c:\users\Mickey C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\users\DavidKS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote Table Of Contents.onetoc2 [2011-6-29 3656]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-09-02 19:24 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\users\DavidKS\AppData\Roaming\iolo\

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^Users^DavidKS^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\DavidKS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-10-08 22:04 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2009-02-06 21:02 170496 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell PC TuneUp Startup]

2008-04-30 13:59 307568 ----a-w- c:\program files\iolo\Common\Lib\ioloLManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]

2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]

2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]

2009-04-07 13:13 673616 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON WorkForce 610 Series]

2009-01-26 06:00 199680 ----a-w- c:\windows\System32\spool\drivers\W32X86\3\E_FATIFJA.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]

2009-06-05 04:00 843776 ----a-w- c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-11-18 01:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTCM Client]

2009-08-05 17:36 1596096 ----a-w- c:\program files\LTCM Client\ltcmClient.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2011-07-06 23:52 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-07-06 23:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMSpeed]

2008-12-09 13:32 55120 ----a-w- c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]

2007-05-11 13:26 4452352 ----a-w- c:\windows\RtHDVCpl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2008-01-21 16:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2008-07-20 04:54 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]

2008-07-18 19:04 331776 ----a-w- c:\windows\System32\WDBtnMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WDCBG]

2004-08-02 18:50 118784 ----a-w- c:\windows\wdcbg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]

2008-05-24 18:34 26448 ----a-w- c:\windows\System32\spool\drivers\W32X86\3\WrtMon.exe

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 WDCFX_AT;USB Storage Adapter FX_AT (WDC);c:\windows\system32\DRIVERS\WDCFX_AT.SYS [2004-08-02 33536]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\SYMDS.SYS [2011-01-27 340088]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\SYMEFA.SYS [2011-03-15 744568]

S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110701.001\BHDrvx86.sys [2011-05-19 810616]

S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2007-09-20 12800]

S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110716.031\IDSvix86.sys [2011-07-16 367736]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\Ironx86.SYS [2011-01-27 136312]

S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NIS\1206000.01D\SYMTDIV.SYS [2011-03-22 331384]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-04-30 565608]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-04-30 565608]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]

S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-16 105592]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-13 c:\windows\Tasks\Bomgar Task 2083627.job

- c:\program files\Internet Explorer\iexplore.exe [2011-07-16 03:27]

.

2011-07-17 c:\windows\Tasks\Malwarebytes' Scheduled Update for DavidKS.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-07-09 23:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.pandasecurity.com/activescan/index/

uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100

uInternet Settings,ProxyOverride = cdn

Trusted Zone: mlb.com\mlb

TCP: DhcpNameServer = 68.87.73.246 68.87.71.230

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe

AddRemove-ComcastHSI - c:\program files\support.com\uninstall\chsi_uninstaller.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-19 00:53

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"

.

Completion time: 2011-07-19 00:55:50

ComboFix-quarantined-files.txt 2011-07-19 04:55

ComboFix2.txt 2010-05-18 14:53

.

Pre-Run: 93,158,174,720 bytes free

Post-Run: 93,118,676,992 bytes free

.

- - End Of File - - 9A45E4A71B36E77F573FFE7E389C2BEB

I hope this helps & thank you for doing this!

Bailey

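To make a ComboFix log like the one above easier to work through, here is an added Python example (my own, not a ComboFix or forum tool) that parses the "Files Created" and "Scheduled Tasks" entries in the format shown and turns them into review prompts, including the Bomgar .job that only launches Internet Explorer, which the thread later discusses. The sample input is a constructed excerpt of the log above, and the list of browser executables is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout of a "Files Created" / "Find3M" entry in the log:
#   <created stamp> . <modified stamp> <size or --------> <attrs> <path>
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[d-][-a-z]{7}) (?P<path>.+)$"
)
# Layout of a "Scheduled Tasks" entry: a "<date> <job path>" header line,
# followed by a "- <target exe> [<stamp>]" line naming what the job runs.
TASK_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<job>.+\.job)$")
TARGET_RE = re.compile(
    r"^- (?P<target>.+?) \[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$"
)

# Constructed sample input: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))
.
2011-07-16 00:33 . 2011-07-16 00:33 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-16 00:33 . 2011-07-16 00:33 -------- d-----w- c:\program files\Symantec
2011-07-13 19:21 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\Bomgar Task 2083627.job
- c:\program files\Internet Explorer\iexplore.exe [2011-07-16 03:27]
.
2011-07-17 c:\windows\Tasks\Malwarebytes' Scheduled Update for DavidKS.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-07-09 23:52]
.
------- Supplementary Scan -------
"""


@dataclass
class FileEntry:
    created: str          # when the file appeared on this disk
    modified: str         # the file's own last-write time
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


@dataclass
class TaskEntry:
    date: str
    job: str
    target: Optional[str] = None
    target_stamp: Optional[str] = None


def parse_combofix(text: str) -> Tuple[List[FileEntry], List[TaskEntry]]:
    """Collect file and scheduled-task entries from ComboFix log text."""
    files: List[FileEntry] = []
    tasks: List[TaskEntry] = []
    pending: Optional[TaskEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":   # ComboFix uses "." as a section separator
            continue
        m = FILE_RE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            files.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
            continue
        m = TASK_RE.match(line)
        if m:
            pending = TaskEntry(m["date"], m["job"])
            tasks.append(pending)
            continue
        m = TARGET_RE.match(line)
        if m and pending is not None:
            pending.target, pending.target_stamp = m["target"], m["stamp"]
            pending = None
    return files, tasks


# Assumed list of browser executables a leftover support task might launch.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}


def triage(files: List[FileEntry], tasks: List[TaskEntry]) -> List[str]:
    """Return review prompts, not verdicts: each item is something to look at."""
    notes: List[str] = []
    for t in tasks:
        exe = (t.target or "").rsplit("\\", 1)[-1].lower()
        if exe in BROWSERS:
            # A .job that just opens a browser (here a remote-support leftover)
            # is usually harmless, but has no reason to stay once support is over.
            notes.append(f"task {t.job} launches {exe}; confirm it is wanted or delete it")
    for f in files:
        if not f.is_dir and f.path.lower().endswith(".sys"):
            # New kernel drivers deserve a look; a modified stamp older than the
            # created stamp only means an installer copied the file into place.
            notes.append(f"new driver {f.path} appeared {f.created} (file dated {f.modified})")
    return notes


if __name__ == "__main__":
    parsed_files, parsed_tasks = parse_combofix(SAMPLE_LOG)
    for note in triage(parsed_files, parsed_tasks):
        print(note)
```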

Good Evening Elise (again),

I was reading the ComboFix .txt scan file results and noticed something interesting...

2011-07-13 c:\windows\Tasks\Bomgar Task 2083627.job

- c:\program files\Internet Explorer\iexplore.exe [2011-07-16 03:27]

I believe BOMGAR is IOYOGI's online system scan (i.e., the scan they did on my computer in Safe Mode with networking).

I don't know if this info helps you.

From a very tired & sore (post surgery),

Bailey


Hi Bailey, I hope you'll be feeling better soon! :)

Not all things showing up in a combofix log are also deleted, so no worries about the task showing up.

How are things running at this point?


Good Evening Elise,

"How are things running at this point?"

Well, I ONLY use the Computer (currently) to post logs on this thread, rather than surfing on the Net (once I have the "all clear" that would change), yet my comp allows: Win StartUp, IE opening, Logging-on to malwarebytes.org without interruptions.

Now I don't know if I did any (temp) damage to my a/v (NIS 2011 & MBAM) because I triggered the ComboFix when I transferred it from My Documents/Download to Desktop (prior to my disabling NIS 2011 & MBAM), yet I have the install disk to both programs in case the ComboFix scan corrupted NIS 2011/MBAM files and should I need to un-install/re-install (no problemo).

I only noticed, post ComboFix scan, that the MBAM Protection Module was disabled, yet after the scan I re-enabled the feature.

From HUMID Maryland,

Bailey


Things are looking good at this point, so feel free to use your computer to see if there are any problems left.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.png icon on your desktop.
  4. Check "YES, I accept the Terms of Use."
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Under scan settings, check "Scan Archives" and "Remove found threats"
  8. Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, click List Threats
  11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Click the Back button.
  13. Click the Finish button.


Good Morning Elise,

So, for starters, I wanted to, once again, thank you for troubleshooting ("clean comp/infected comp?").

As said...

I am, for the most part, bedridden (post surgery), hence NO surfing of the Web (I did check if multi-media files work...and they do).

Great advice on the ESET Scan as it DID catch an infection...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan deleted - quarantined

So, I am familiar with download trojans (click on a Google search hyperlink/downloader trojan mystery present/Webroot SpySweeper with Anti-Virus catches it/manual deletion of trojan in quarantine), yet the download trojans I'm familiar with are the fakeAlert variety (that try and convince you your computer is infected via pop-up alerts).

What about the TrojanDownloader.OpenStream.NAZ trojan? Any idea what (harm) that does/is meant to do?

Also...

ESET Scan results said deleted - quarantined? Do you happen to know which it is (of the two) just quarantined or actually deleted?

Today (in a few hours) I have an Outpatient follow up exam/biopsy, hence that could take all day by the time everything is said & done (ergo I might be TOO tired/worn out to post again until Friday evening).

I hope this response finds you doing well (healthwise & other) & of good cheer!

From VERY humid Maryland,

Bailey


Good Morning Elise (once again),

Sorry for having forgotten to ask this earlier...

The ESET scan gave me the pathway to the trojan, yet is there ANY way of telling for how long said trojan has been on my computer?

Bailey


Hi Bailey,

Each virus scanner has its own "strong points". One thing that ESET always is able to do, is to find Java related, potentially dangerous objects. In this case, nothing to worry about, just a remnant. :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Dear Elise,

I re-ran the ESET (free) online scan (no new infections), yet the quarantine still listed:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan deleted - quarantined

Any way to permanently delete (rather than JUST quarantine) said downloader trojan? In case I uninstall the ESET files (and that THEN releases the virus)?

Or just NOT an issue as it was a remnant (echo/ghost?) of the downloader trojan (which would then beg to ask the question "What happened to the rest of TrojanDownloader.OpenStream.NAZ?")?

The ComboFix .txt scan results had said...

Contents of the 'Scheduled Tasks' folder

.

2011-07-13 c:\windows\Tasks\Bomgar Task 2083627.job

- c:\program files\Internet Explorer\iexplore.exe [2011-07-16 03:27]

.

This is NOT active? Harmful (any more)?

Sorry for my naive questions when you have been SO kind & patient with me.

From HUMID Maryland,

Bailey

Post Scriptum: Un-installed ALL tools (no problem)

c:\windows\Tasks\Bomgar Task 2083627.job

My apologies, I had understood you meant to keep this file. It cannot do any harm, as the only thing it does is load Internet Explorer. To delete it, simply navigate to c:\windows\Tasks, right click on the Bomgar Task file and select Delete.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan deleted - quarantined

The file is located in the WebDav cache, which is a type of shared storage. ESET detects the c00.php file as a stream downloader, whereas I suspect it is not. If you google this file name, you'll find many topics where the same got detected/deleted, which indicates it is a legit object. If WebDav or similar needs this, it will recreate it.

Or just NOT an issue as it was a remnant (echo/ghost?) of the downloader trojan (which would then beg to ask the question "What happened to the rest of TrojanDownloader.OpenStream.NAZ?")?

This file, whether it is bad or not, has nothing to do with your initial infection. :)


Dear Elise,

It is I that is sorry if I gave you the impression that I wanted to keep the Bomgar Task jobs file (I don't trust ioyogi/Bomgar as far as I can throw them). Ioyogi bamboozled me into believing they are the Symantec Corp., when I had a question regarding NIS 2011, and conned me into allowing them to do a remote assistance with online scan of my computer (in Safe Mode with networking) and then lied about the results of said scan.

I only brought up Bomgar because it appeared in the ComboFix scan results (and I no longer wish for Bomgar to be active/exist on my computer).

When I input c:\windows\Tasks (Start/Search bar) - Computer - OS (C:) Windows - Tasks

There are 2 files. One is Malwarebytes' Scheduled update and the other is a text document called SCHEDLGU, yet NO Bomgar Task file (does that mean Bomgar is dead/deleted/blown to smithereens)?

The SCHEDLGU contains:


"Task Scheduler Service"

Started at 6/16/2011 8:09:40 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 6/16/2011 9:17:56 PM

"Task Scheduler Service"

Started at 6/17/2011 4:12:40 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 6/17/2011 5:24:15 PM

"Task Scheduler Service"

Started at 6/17/2011 5:25:18 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 6/17/2011 11:11:30 PM

"Task Scheduler Service"

Started at 6/18/2011 7:35:49 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 6/21/2011 7:57:41 AM

"Task Scheduler Service"

Started at 6/21/2011 7:42:25 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 6/23/2011 9:51:59 PM

"Task Scheduler Service"

Started at 6/24/2011 7:51:51 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 6/29/2011 3:17:13 AM

"Task Scheduler Service"

Started at 6/29/2011 3:18:51 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/1/2011 11:57:17 AM

"Task Scheduler Service"

Started at 7/1/2011 11:58:31 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/1/2011 7:04:51 PM

"Task Scheduler Service"

Started at 7/1/2011 7:06:01 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Started at 7/4/2011 11:25:57 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Started at 7/4/2011 7:13:52 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/5/2011 6:53:43 AM

"Task Scheduler Service"

Started at 7/5/2011 3:24:20 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/6/2011 5:41:07 PM

"Task Scheduler Service"

Started at 7/6/2011 5:42:22 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Started at 7/12/2011 4:53:11 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/12/2011 1:25:06 PM

"Task Scheduler Service"

Started at 7/12/2011 1:26:18 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/12/2011 1:53:15 PM

"Task Scheduler Service"

Started at 7/12/2011 1:54:03 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/12/2011 2:25:52 PM

"Task Scheduler Service"

Started at 7/12/2011 2:26:54 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/13/2011 12:34:20 AM

"Task Scheduler Service"

Started at 7/13/2011 10:01:36 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/13/2011 10:15:24 AM

"Task Scheduler Service"

Started at 7/13/2011 10:16:42 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/13/2011 11:34:34 AM

"Task Scheduler Service"

Started at 7/13/2011 11:37:08 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Started at 7/13/2011 12:13:55 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/13/2011 12:51:05 PM

"Task Scheduler Service"

Started at 7/13/2011 12:53:17 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/13/2011 1:48:33 PM

"Task Scheduler Service"

Started at 7/13/2011 1:55:18 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Started at 7/13/2011 4:38:37 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/13/2011 5:53:00 PM

"Task Scheduler Service"

Started at 7/13/2011 5:54:01 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Started at 7/13/2011 9:08:36 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/14/2011 2:01:44 AM

"Task Scheduler Service"

Started at 7/14/2011 7:12:18 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/14/2011 7:37:50 AM

"Task Scheduler Service"

Started at 7/14/2011 7:38:38 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/14/2011 10:43:38 AM

"Task Scheduler Service"

Started at 7/14/2011 10:44:53 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/14/2011 10:45:07 AM

"Task Scheduler Service"

Started at 7/14/2011 12:57:01 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/14/2011 7:07:58 PM

"Task Scheduler Service"

Started at 7/14/2011 7:08:51 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/14/2011 10:03:20 PM

"Task Scheduler Service"

Started at 7/14/2011 10:12:52 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/14/2011 10:20:44 PM

"Task Scheduler Service"

Started at 7/14/2011 10:21:32 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/15/2011 1:10:57 AM

"Task Scheduler Service"

Started at 7/15/2011 10:09:21 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/15/2011 1:41:13 PM

"Task Scheduler Service"

Started at 7/15/2011 7:22:24 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/15/2011 7:59:15 PM

"Task Scheduler Service"

Started at 7/15/2011 8:00:00 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/15/2011 8:03:32 PM

"Task Scheduler Service"

Started at 7/15/2011 8:04:16 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/15/2011 9:05:08 PM

"Task Scheduler Service"

Started at 7/15/2011 9:06:14 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/15/2011 11:28:27 PM

"Task Scheduler Service"

Started at 7/15/2011 11:30:00 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/16/2011 12:22:30 AM

"Task Scheduler Service"

Started at 7/16/2011 3:35:24 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/17/2011 2:17:01 AM

"Task Scheduler Service"

Started at 7/17/2011 10:10:42 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/17/2011 7:55:46 PM

"Task Scheduler Service"

Started at 7/19/2011 12:25:28 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Started at 7/19/2011 12:38:20 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/19/2011 4:55:15 AM

"Task Scheduler Service"

Started at 7/19/2011 8:29:01 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/20/2011 4:33:30 AM

"Task Scheduler Service"

Started at 7/20/2011 3:48:00 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/20/2011 5:23:35 PM

"Task Scheduler Service"

Started at 7/20/2011 8:07:57 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/21/2011 9:05:58 AM

"Task Scheduler Service"

Started at 7/22/2011 4:07:23 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Started at 7/22/2011 11:33:53 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/23/2011 7:09:31 AM

"Task Scheduler Service"

Started at 7/23/2011 10:22:24 AM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 7/23/2011 4:23:15 PM

"Task Scheduler Service"

Started at 7/23/2011 4:24:11 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

[ ***** Most recent entry is above this line ***** ]

"Task Scheduler Service"

Started at 5/11/2011 3:48:23 PM

"Task Scheduler Service"

6.0.6001.18000 (longhorn_rtm.080118-1840)

"Task Scheduler Service"

Exited at 5/11/2011 8:48:07 PM

"Task Scheduler Service"

Started at 5/11/2011 8:49:47 PM

My apologies, I had understood you meant to keep this file. It cannot do any harm, as the only thing it does is load Internet Explorer. To delete it, simply navigate to c:\windows\Tasks, right-click on the Bomgar Task file and select Delete.

Thank you for saying more about the Java-type downloader trojan. I only brought up the c00.php file because when I re-ran the ESET online scanner it still listed said file in quarantine (under Manage Quarantine), whereas I'd prefer it to be deleted rather than just quarantined, yet if you say it can do me no harm...great!

The file is located in the WebDav cache, which is a type of shared storage. ESET detects the c00.php file as a stream downloader, whereas I suspect it is not. If you google this file name, you'll find many topics where the same got detected/deleted, which indicates it is a legit object. If WebDav or similar needs this, it will recreate it.

Okay, imagine me a bit confused, yet glad to hear my computer is CLEAN/SECURE all the same. My hypothesis was that the C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php might be connected to the Bomgar online scan (while my computer was in Safe Mode with networking), yet I have no way of being certain.

This file, whether it is bad or not, has nothing to do with your initial infection. :)

If you give the "thumbs up" (system secure/all clean) then THANK YOU. This is a great forum with wonderful people (such as yourself) on it.

Bailey


It is possible the file is hidden. To be absolutely sure, re-download ComboFix and run the following script.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


File::
c:\windows\Tasks\Bomgar Task 2083627.job

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
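The two posts above turn on what a file under c:\windows\Tasks actually does: the helper states that the Bomgar .job only launches Internet Explorer, and then that the file may be hidden and needs ComboFix to confirm its removal. A defender can check the first claim directly, because a Task Scheduler 1.0 .job file is a documented binary format (MS-TSCH): a 68-byte fixed header followed by length-prefixed UTF-16LE strings for the application, parameters, working directory, author and comment. The parser below is an added example for this thread, not a tool the helpers used; `parse_job`, `build_job`, `command_line` and the `SAMPLE_JOB` bytes are mine, the sample path and URL are placeholders, and the flag and status tables are a subset of the `TASK_FLAG_*` and `SCHED_S_TASK_*` constants.

```python
"""Parse Task Scheduler 1.0 .job files (the entries in C:\\Windows\\Tasks on
Vista and earlier) so a task can be triaged by what it actually runs.
Added example for this thread, not a tool the helpers used. Layout follows
the public MS-TSCH specification: a 68-byte fixed header, then
length-prefixed UTF-16LE strings. All sample data below is constructed."""
import struct
import uuid

FIXED_LEN = 68  # size of the fixed-length section

# Subset of the TASK_FLAG_* values from mstask.h, as stored in the Flags DWORD.
FLAG_NAMES = {
    0x00000001: "INTERACTIVE",
    0x00000002: "DELETE_WHEN_DONE",
    0x00000004: "DISABLED",
    0x00000200: "HIDDEN",
    0x00002000: "RUN_ONLY_IF_LOGGED_ON",
}

# Subset of the SCHED_S_TASK_* status codes.
STATUS_NAMES = {
    0x00041300: "READY",
    0x00041301: "RUNNING",
    0x00041305: "NOT_SCHEDULED",
}


def _read_wstr(buf, off):
    """Read a length-prefixed UTF-16LE string. The 16-bit length counts
    WCHARs including the terminating NUL; zero means the field is absent."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    end = off + 2 * n
    if end > len(buf):
        raise ValueError("string runs past end of file")
    return buf[off:end].decode("utf-16-le").rstrip("\x00"), end


def parse_job(buf):
    """Return a dict describing the task: what it runs, as whom, with which
    flags. Raises ValueError on a truncated or inconsistent file."""
    if len(buf) < FIXED_LEN + 2:
        raise ValueError("too short to be a .job file")
    product_ver, file_ver = struct.unpack_from("<HH", buf, 0)
    job_id = uuid.UUID(bytes_le=buf[4:20])
    appname_off, trigger_off = struct.unpack_from("<HH", buf, 20)
    priority, max_run_ms, exit_code, status, flags = struct.unpack_from("<5I", buf, 32)
    if appname_off < FIXED_LEN or appname_off >= len(buf):
        raise ValueError("application-name offset points outside the file")
    off = appname_off
    app, off = _read_wstr(buf, off)
    params, off = _read_wstr(buf, off)
    workdir, off = _read_wstr(buf, off)
    author, off = _read_wstr(buf, off)
    comment, off = _read_wstr(buf, off)
    return {
        "product_version": product_ver,
        "file_version": file_ver,
        "job_id": str(job_id),
        "application": app,
        "parameters": params,
        "working_dir": workdir,
        "author": author,
        "comment": comment,
        "status": STATUS_NAMES.get(status, hex(status)),
        "flags": sorted(n for bit, n in FLAG_NAMES.items() if flags & bit),
        "trigger_offset": trigger_off,
    }


def build_job(app, params="", workdir="", author="", comment="", flags=0):
    """Assemble a minimal .job image in memory (constructed test data).
    The trigger count is written as zero; parse_job does not need triggers."""
    def wstr(s):
        if not s:
            return struct.pack("<H", 0)
        data = (s + "\x00").encode("utf-16-le")
        return struct.pack("<H", len(data) // 2) + data

    var = struct.pack("<H", 0)  # running instance count
    var += wstr(app) + wstr(params) + wstr(workdir) + wstr(author) + wstr(comment)
    var += struct.pack("<HH", 0, 0)  # user data size, reserved data size
    trigger_off = FIXED_LEN + len(var)
    var += struct.pack("<H", 0)  # trigger count
    fixed = struct.pack("<HH", 0x0600, 0x0001)  # product version (Vista), file version
    fixed += uuid.UUID("00000000-1111-2222-3333-444444444444").bytes_le  # constructed job id
    fixed += struct.pack("<HH", FIXED_LEN + 2, trigger_off)  # app-name length offset, trigger offset
    fixed += struct.pack("<HHHH", 0, 0, 0, 0)  # retry count/interval, idle deadline/wait
    fixed += struct.pack("<5I", 0x20, 259200000, 0, 0x00041300, flags)  # priority, max run ms, exit, status, flags
    fixed += bytes(16)  # last run time (SYSTEMTIME); all zero = never run
    return fixed + var


# Constructed sample modelled on the kind of task a remote-support session
# leaves behind: it only launches the browser. Path and URL are placeholders.
SAMPLE_JOB = build_job(
    app=r"C:\Program Files\Internet Explorer\iexplore.exe",
    params="http://support-session.example/placeholder",
    author=r"EXAMPLE-PC\User",
    comment="constructed sample, not the file from the thread",
    flags=0x00000200 | 0x00000002,  # HIDDEN | DELETE_WHEN_DONE
)


def command_line(info):
    """Reconstruct the command the task would execute."""
    return f'"{info["application"]}" {info["parameters"]}'.strip()


if __name__ == "__main__":
    info = parse_job(SAMPLE_JOB)
    print("runs   :", command_line(info))
    print("author :", info["author"])
    print("flags  :", ", ".join(info["flags"]) or "none")
    print("status :", info["status"])
```

On a real system the same parser is pointed at the bytes of a file from c:\windows\Tasks (`parse_job(open(path, "rb").read())`); the application and parameters fields show what the task launches, and the `HIDDEN` flag there is the task's own attribute, separate from the file-system hidden attribute the helper has in mind when she asks for a ComboFix run.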

Dear Elise,

Well, for starters, SO SORRY for STILL keeping you busy...

I did as you had asked regarding ComboFix, yet forgot that I was on a different user account on my computer (same harddrive though) when I ran the ComboFix (I was signed in under User Mickey C...my boyfriend's old account, rather than User DavidKS...which was my boyfriend's Dad's old account on this computer...a hand-me-down that now belongs to me...which was where WE DID ALL THE WORK/LOGS).

I'm SO doped up on painkillers (post surgery) & heat and humidity, and lack of sleep; it's taking a toll.

Right after posting this ComboFix log (wrong user account on same computer/harddrive), do you need me to turn off the computer...re-sign on as User DavidKS (master account) and redo the ComboFix (this time as the same user account with which I've been posting here all this time...originally), or doesn't it matter from which user account the ComboFix was done, as it's the same computer/harddrive?

REALLY SORRY FOR BEING SUCH A TECHNO KLUTZ!

ComboFix log (right computer...wrong User account)...

ComboFix 11-07-23.04 - Mickey C 07/24/2011 5:42.2.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3069.1779 [GMT -4:00]

Running from: c:\users\Mickey C\Desktop\ComboFix.exe

Command switches used :: c:\users\Mickey C\Desktop\CFScript.txt

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\windows\Tasks\Bomgar Task 2083627.job"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\Tasks\Bomgar Task 2083627.job

.

.

((((((((((((((((((((((((( Files Created from 2011-06-24 to 2011-07-24 )))))))))))))))))))))))))))))))

.

.

2011-07-23 20:25 . 2011-07-23 20:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-21 04:55 . 2011-07-21 04:55 -------- d-----w- c:\program files\ESET

2011-07-16 00:33 . 2011-07-16 01:29 -------- d-----w- c:\program files\Common Files\Symantec Shared

2011-07-16 00:33 . 2011-07-16 00:33 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-07-16 00:33 . 2011-07-16 00:33 -------- d-----w- c:\program files\Symantec

2011-07-16 00:32 . 2011-07-16 00:33 -------- d-----w- c:\windows\system32\drivers\NIS

2011-07-16 00:32 . 2011-07-16 00:32 -------- d-----w- c:\program files\Norton Internet Security

2011-07-16 00:07 . 2011-07-16 01:06 -------- d-----w- c:\program files\NortonInstaller

2011-07-13 19:21 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2011-07-13 14:13 . 2011-07-15 02:07 -------- d-----w- c:\users\DavidKS\AppData\Local\NPE

2011-07-13 14:09 . 2011-06-02 13:34 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-07-13 14:09 . 2011-04-20 15:55 375808 ----a-w- c:\windows\system32\winsrv.dll

2011-07-13 14:09 . 2011-04-20 15:50 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-07-12 19:45 . 2011-07-12 19:45 -------- d-----w- c:\program files\Common Files\Java

2011-07-12 18:08 . 2011-07-12 18:08 -------- d-----w- c:\users\DavidKS\AppData\Roaming\Tific

2011-07-12 18:08 . 2011-07-12 18:08 -------- d-----w- c:\users\DavidKS\AppData\Local\Symantec

2011-07-12 17:51 . 2011-07-12 17:51 -------- d-----w- c:\users\DavidKS\AppData\Local\PackageAware

2011-07-11 23:11 . 2011-07-19 07:08 -------- d-----w- c:\users\DavidKS\AppData\Local\CrashDumps

2011-07-10 16:42 . 2011-07-11 08:49 -------- d-----w- c:\users\Mickey C\AppData\Local\CrashDumps

2011-07-10 02:35 . 2011-07-16 00:32 -------- d-----w- c:\programdata\Norton

2011-06-29 02:01 . 2011-04-29 15:59 276992 ----a-w- c:\windows\system32\schannel.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-13 15:44 . 2011-07-13 15:44 447659 ----a-w- c:\windows\smc.zip

2011-07-06 23:52 . 2008-07-19 22:46 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52 . 2008-07-09 03:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 08:52 . 2010-05-26 20:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-02 17:16 . 2011-06-15 05:05 739328 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 13:25 . 2011-06-15 05:06 146432 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-04-29 13:25 . 2011-06-15 05:06 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys

2011-04-29 13:24 . 2011-06-15 05:05 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-04-29 13:24 . 2011-06-15 05:05 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-04-29 13:24 . 2011-06-15 05:05 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

c:\users\DavidKS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote Table Of Contents.onetoc2 [2011-6-29 3656]

.

c:\users\Mickey C\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-09-02 19:24 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\users\DavidKS\AppData\Roaming\iolo\

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^Users^DavidKS^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\users\DavidKS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-10-08 22:04 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2009-02-06 21:02 170496 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell PC TuneUp Startup]

2008-04-30 13:59 307568 ----a-w- c:\program files\iolo\Common\Lib\ioloLManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]

2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]

2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]

2009-04-07 13:13 673616 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON WorkForce 610 Series]

2009-01-26 06:00 199680 ----a-w- c:\windows\System32\spool\drivers\W32X86\3\E_FATIFJA.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]

2009-06-05 04:00 843776 ----a-w- c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-11-18 01:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTCM Client]

2009-08-05 17:36 1596096 ----a-w- c:\program files\LTCM Client\ltcmClient.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2011-07-06 23:52 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-07-06 23:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMSpeed]

2008-12-09 13:32 55120 ----a-w- c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]

2007-05-11 13:26 4452352 ----a-w- c:\windows\RtHDVCpl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2008-01-21 16:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2008-07-20 04:54 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]

2008-07-18 19:04 331776 ----a-w- c:\windows\System32\WDBtnMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WDCBG]

2004-08-02 18:50 118784 ----a-w- c:\windows\wdcbg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]

2008-05-24 18:34 26448 ----a-w- c:\windows\System32\spool\drivers\W32X86\3\WrtMon.exe

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 WDCFX_AT;USB Storage Adapter FX_AT (WDC);c:\windows\system32\DRIVERS\WDCFX_AT.SYS [2004-08-02 33536]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\SYMDS.SYS [2011-01-27 340088]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\SYMEFA.SYS [2011-03-15 744568]

S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110701.001\BHDrvx86.sys [2011-05-19 810616]

S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2007-09-20 12800]

S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110722.031\IDSvix86.sys [2011-07-16 367736]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\Ironx86.SYS [2011-01-27 136312]

S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NIS\1206000.01D\SYMTDIV.SYS [2011-03-22 331384]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-04-30 565608]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-04-30 565608]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]

S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-16 105592]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-23 c:\windows\Tasks\Malwarebytes' Scheduled Update for DavidKS.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-07-09 23:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.pandasecurity.com/activescan/index/?track=1&Lang=en-US&IdPais=63

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.87.73.246 68.87.71.230

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-24 05:55

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"

.

Completion time: 2011-07-24 05:58:29

ComboFix-quarantined-files.txt 2011-07-24 09:58

ComboFix2.txt 2011-07-19 04:55

.

Pre-Run: 87,812,435,968 bytes free

Post-Run: 87,760,498,688 bytes free

.

- - End Of File - - F8C01003E4FEA6E05815A4A3890D2DD6


No worries, for this kind of file the user profile doesn't matter. This is only important when fixing things in the registry hive assigned to a specific user profile. ComboFix deleted the file.

You can uninstall ComboFix again now. Do you have any other problem/question?

I hope you'll be feeling better soon! :)

Dear Elise,

You are AWESOME!!!

I'm SO very glad that you found the ioyogi/Bomgar hidden file (via ComboFix) as they are SO dishonest. Good to know, post Bomgar online scan of my computer in Safe Mode with networking, that there are NO more malicious files (or anything relating to ioyogi/Bomgar).

As I have had some time on my hands, I ran an ESET online scan in Safe Mode with networking; it came up empty (aside from the 1 file that ESET had quarantined...still there under Manage Quarantine).

If you say ALL CLEAR...Wonderful...Marvelous...

Thank You, Thank You, Thank You, you are superb!

Bailey


You are most welcome Bailey! :)

I will request this topic to be closed.


Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
