XP 2011 Security and Windows Fix Disk Virus


  • This topic is locked
87 replies to this topic

#16 Chelli (Authentic Member, 48 posts)

Posted 28 April 2011 - 06:32 PM

Below is the report requested. While GMER was running some of the pop-ups continued... I just closed them as soon as I noticed them. I hope this didn't mess up the scan.

Gmer report:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-28 20:26:51
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HITACHI_DK23FB-60 rev.00M0A0C1
Running: lrdpjyz9.exe; Driver: C:\DOCUME~1\MHUMPH~1\LOCALS~1\Temp\pwlyapow.sys


---- Kernel code sections - GMER 1.0.15 ----

INITc VolSnap.sys F7558BD0 4 Bytes [36, 9A, 4D, 80]
INITc VolSnap.sys F7558BF8 4 Bytes [94, 87, 4E, 80] {XCHG ESP, EAX; XCHG [ESI-0x80], ECX}
INITc VolSnap.sys F7558C20 4 Bytes [A0, C1, 4D, 80]
INITc VolSnap.sys F7558C48 4 Bytes [B0, C8, 4D, 80]
INITc VolSnap.sys F7558C70 4 Bytes [09, BF, 4D, 80]
INITc ...
init C:\WINDOWS\system32\drivers\tiumflt.sys entry point in "init" section [0xF7A35D00]
init C:\WINDOWS\system32\drivers\tiumfwl.sys entry point in "init" section [0xF7897EE0]
init C:\WINDOWS\System32\DRIVERS\gticard.sys entry point in "init" section [0xF400AFA0]
? C:\DOCUME~1\MHUMPH~1\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[332] Explorer.EXE 01011DD8 3 Bytes [10, 60, 04] {ADC [EAX+0x4], AH}
.text C:\WINDOWS\Explorer.EXE[332] Explorer.EXE 0101A55F 5 Bytes [8B, FF, 55, 8B, EC] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
.text C:\WINDOWS\Explorer.EXE[332] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00BD87C8
.text C:\WINDOWS\Explorer.EXE[332] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00BC164F
.text C:\WINDOWS\Explorer.EXE[332] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00BC1817

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device B0A39D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 8762BE84
Thread System [4:128] 8762E084

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\mhumphrey\Cookies\mgillikin@64.111.211[2].txt 0 bytes
File C:\Documents and Settings\mhumphrey\Cookies\mgillikin@modernhomemodernbaby[1].txt 0 bytes
File C:\Documents and Settings\mhumphrey\Cookies\mgillikin@liverail[4].txt 175 bytes
File C:\Documents and Settings\mhumphrey\Cookies\mgillikin@CAXVRQP4.txt 92 bytes
File C:\Documents and Settings\mhumphrey\Cookies\mgillikin@apps.conduit[6].txt 198 bytes
File C:\Documents and Settings\mhumphrey\Cookies\mgillikin@social.conduit[7].txt 200 bytes
File C:\Documents and Settings\mhumphrey\Cookies\mgillikin@CA7FMHH0.txt 108 bytes

---- EOF - GMER 1.0.15 ----
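The user-mode section of this GMER log lists three 5-byte JMP hooks inside Explorer.EXE (kernel32!CreateProcessInternalW and both WININET!HttpAddRequestHeaders variants) plus raw byte patches in the Explorer image itself. The Python script below is an added example, not part of the original post or of GMER: it parses those lines (embedded as constructed sample input copied from the log), separates inline JMP hooks from byte patches, applies a heuristic (an assumption, not a GMER rule) that a JMP landing more than 16 MiB from the hooked export has left the module's own image, and groups the hook targets by 1 MiB region so that a single injected code blob shows up as one shared region.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample input: the "User code sections" lines copied from the GMER log
# above, embedded here so the script runs offline.
GMER_USER_SECTION = r"""
.text C:\WINDOWS\Explorer.EXE[332] Explorer.EXE 01011DD8 3 Bytes [10, 60, 04] {ADC [EAX+0x4], AH}
.text C:\WINDOWS\Explorer.EXE[332] Explorer.EXE 0101A55F 5 Bytes [8B, FF, 55, 8B, EC] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
.text C:\WINDOWS\Explorer.EXE[332] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00BD87C8
.text C:\WINDOWS\Explorer.EXE[332] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00BC164F
.text C:\WINDOWS\Explorer.EXE[332] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00BC1817
"""

# One GMER user-code line: section, process[pid], module!export, address, byte count, detail.
_LINE_RE = re.compile(
    r"^(?P<section>\.\w+)\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<symbol>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<rest>.*)$"
)
_JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})")
_BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-Fa-f ,]+)\]")

# Heuristic assumption: a JMP further than 16 MiB from the hooked export does not stay
# inside the hooked module's image (kernel32/wininet are ~1 MiB), so it points at
# injected code. Not a GMER rule.
FAR_JUMP_THRESHOLD = 16 * 1024 * 1024


@dataclass
class Finding:
    process: str
    pid: int
    module: str          # image that owns the modified bytes (e.g. kernel32.dll, Explorer.EXE)
    symbol: str          # exported function name, or "" for a patch in the main image
    address: int
    nbytes: int
    kind: str            # "jmp" = inline JMP hook, "patch" = bytes differ from on-disk image
    target: Optional[int] = None
    patched_bytes: List[int] = field(default_factory=list)


def parse_gmer_user_section(text: str) -> List[Finding]:
    """Parse the '---- User code sections ----' lines of a GMER log."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a line from another section
        module, _, func = m.group("symbol").partition("!")
        common = dict(process=m.group("process"), pid=int(m.group("pid")),
                      module=module, symbol=func,
                      address=int(m.group("addr"), 16), nbytes=int(m.group("nbytes")))
        rest = m.group("rest")
        j = _JMP_RE.match(rest)
        if j:
            findings.append(Finding(kind="jmp", target=int(j.group("target"), 16), **common))
            continue
        b = _BYTES_RE.match(rest)
        patched = [int(x, 16) for x in b.group("bytes").split(",")] if b else []
        findings.append(Finding(kind="patch", patched_bytes=patched, **common))
    return findings


def hooked_exports(findings: List[Finding]) -> List[str]:
    """module!export for every inline JMP hook, case-insensitively sorted."""
    return sorted((f"{f.module}!{f.symbol}" for f in findings if f.kind == "jmp"), key=str.lower)


def suspicious_jmps(findings: List[Finding]) -> List[Finding]:
    """JMP hooks whose target is far outside the hooked module (see FAR_JUMP_THRESHOLD)."""
    return [f for f in findings
            if f.kind == "jmp" and f.target is not None
            and abs(f.target - f.address) > FAR_JUMP_THRESHOLD]


def jmp_target_regions(findings: List[Finding]) -> Set[int]:
    """1 MiB-aligned bases of all JMP targets: one region means one injected blob."""
    return {f.target & ~0xFFFFF for f in findings if f.kind == "jmp" and f.target is not None}


if __name__ == "__main__":
    found = parse_gmer_user_section(GMER_USER_SECTION)
    for f in suspicious_jmps(found):
        print(f"{f.process}[{f.pid}] {f.module}!{f.symbol} @ {f.address:08X} -> {f.target:08X}")
    print("JMP target regions:", [f"{r:08X}" for r in sorted(jmp_target_regions(found))])
```

Run against the log above, all three JMP hooks resolve into the same 1 MiB region (0x00B00000), consistent with one code block injected into Explorer that intercepts process creation and outbound HTTP headers; the two raw patches in Explorer.EXE's own .text are the user-mode side of what ComboFix later reports as an infected explorer.exe.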


#17 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 29 April 2011 - 02:30 AM

Hi Chelli,

In order to run this next tool you will need to uninstall AVG. The tool will not run if it detects AVG. Please limit this computer's internet activity to downloading tools and replying to this thread while your antivirus program is uninstalled.

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot omitted)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log. How's the computer?

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#18 Chelli (Authentic Member, 48 posts)

Posted 29 April 2011 - 12:11 PM

Ok. I uninstalled AVG. Downloaded and ran the program as instructed, however while it was running a blue screen appeared stating... "A problem has been detected and Windows has been shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen restart your computer. If this screen appears again, follow these steps: Check for viruses... Remove any newly installed hard drives... check hard drives to see if properly configured. Run CHKDSK /F to check for hard drive corruption." I restarted and the screen appeared the 2nd time. Now what? I hope this is better than it looks.

#19 Chelli (Authentic Member, 48 posts)

Posted 29 April 2011 - 12:13 PM

btw... using another computer to post this and the previous reply. :)

#20 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 29 April 2011 - 12:22 PM

Hi Chelli, Ok, please post the stop error name and code you received.


#21 Chelli (Authentic Member, 48 posts)

Posted 29 April 2011 - 01:27 PM

STOP: 0x0000007B (0xF7988528, 0xC0000034, 0x00000000, 0x00000000)

#22 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 29 April 2011 - 01:35 PM

Hi Chelli, Is there any text description of the error? It will be right after the code. Something like this, though the text may be different: STOP: 0x0000007B (0xF741B84C,0xC0000034,0x00000000,0x00000000) INACCESSIBLE_BOOT_DEVICE


#23 Chelli (Authentic Member, 48 posts)

Posted 29 April 2011 - 01:41 PM

There is no text after the error message.

#24 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 30 April 2011 - 12:15 PM

Hi Chelli,

Sorry about the delay, it seems there were server issues since last night.

Do you have an XP disk? Not a Recovery disk but a full XP disk?


Have you tried using Last Known Good Configuration?


  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the option, Last Known Good Configuration (your most recent settings that worked), then press "Enter".


#25 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 30 April 2011 - 01:17 PM

Hi Chelli, I should have been clearer. We are not looking to reinstall Windows. The XP disk has a utility on it we can use to help resolve this problem. If you don't have an XP disk we can create a disk with the utility we need.


#26 Chelli (Authentic Member, 48 posts)

Posted 30 April 2011 - 02:07 PM

Do you have an XP disk? Not a Recovery disk but a full XP disk?


Yes.

Have you tried using Last Known Good Configuration?


It worked. :woot: I followed your instructions and the computer came back up with the ComboFix box indicating it was creating the report.



Here is the report:

ComboFix 11-04-28.03 - mgillikin 04/29/11 13:40:13.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.720 [GMT -4:00]
Running from: c:\documents and settings\mhumphrey\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\mhumphrey.office\System
c:\documents and settings\mhumphrey.office\System\win_qp.jqx
c:\documents and settings\mhumphrey.office\System\win_qs.jqx
c:\documents and settings\mhumphrey.office\WINDOWS
c:\documents and settings\mhumphrey\Application Data\PriceGong
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\1.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\a.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\b.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\c.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\d.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\e.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\f.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\g.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\h.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\i.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\J.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\k.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\l.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\m.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\n.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\o.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\p.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\q.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\r.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\s.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\t.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\u.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\v.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\w.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\x.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\y.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\z.xml
c:\documents and settings\mhumphrey\System
c:\documents and settings\mhumphrey\System\win_qp.jqx
c:\documents and settings\mhumphrey\System\win_qs.jqx
c:\documents and settings\mhumphrey\WINDOWS
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\bszip.dll
c:\windows\system32\d
c:\windows\system32\drivers\fad.sys
c:\windows\system32\user.dll
c:\windows\system32\zip32.dll
c:\windows\system32\dll . . . . Failed to delete
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
c:\windows\explorer.exe . . . is infected!!
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FAD
-------\Legacy_78943
-------\Legacy_agpCPQ
-------\Legacy_cdudf_xp
-------\Legacy_dvd_2K
-------\Legacy_GoProto
-------\Legacy_Mtlstrm
-------\Legacy_OdysseyNetProv
-------\Legacy_PCASp50
-------\Legacy_RCFOX
-------\Legacy_RecAgent
-------\Legacy_RxFilter
-------\Legacy_s24trans
-------\Legacy_SDDMI2
-------\Legacy_SlNtHal
-------\Legacy_SlWdmSup
-------\Legacy_StreamDispatcher
-------\Legacy_WNTHW
-------\Service_78943
-------\Service_agpCPQ
-------\Service_ApfiltrService
-------\Service_BCM43XX
-------\Service_bvrp_pci
-------\Service_cdudf_xp
-------\Service_DevUpper
-------\Service_DNE
-------\Service_drvmcdb
-------\Service_dvd_2K
-------\Service_GoProto
-------\Service_GTICARD
-------\Service_gv3
-------\Service_HSFHWICH
-------\Service_i81x
-------\Service_iAimFP0
-------\Service_iAimFP1
-------\Service_iAimFP2
-------\Service_iAimFP3
-------\Service_iAimFP4
-------\Service_iAimTV0
-------\Service_iAimTV1
-------\Service_iAimTV2
-------\Service_iAimTV3
-------\Service_iAimTV4
-------\Service_ICDSX
-------\Service_Intel_MIPMNMP
-------\Service_LCcfltr
-------\Service_mmc_2K
-------\Service_MotoSwitchService
-------\Service_Mtlmnt5
-------\Service_Mtlstrm
-------\Service_NtMtlFax
-------\Service_odysseyIM4
-------\Service_OdysseyNetProv
-------\Service_omci
-------\Service_P2k
-------\Service_P3
-------\Service_PCASp50
-------\Service_pwd_2k
-------\Service_RCFOX
-------\Service_rcvpn
-------\Service_RecAgent
-------\Service_RxFilter
-------\Service_s24trans
-------\Service_SDDMI2
-------\Service_Slnt7554
-------\Service_SlNtHal
-------\Service_SlWdmSup
-------\Service_STAC97
-------\Service_StreamDispatcher
-------\Service_tiumfwl
-------\Service_tunmp
-------\Service_usb_rndisx
-------\Service_usbser
-------\Service_w70n51
-------\Service_wceusbsh
-------\Service_WNTHW
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-30 )))))))))))))))))))))))))))))))
.
.
2011-04-27 22:24 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 22:24 . 2011-04-27 22:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-27 16:48 . 2011-04-27 16:48 -------- d-----w- C:\_OTL
2011-04-25 18:36 . 2011-04-25 18:36 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-04-25 18:36 . 2011-04-25 18:36 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-04-25 18:36 . 2011-04-25 18:36 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-04-25 18:36 . 2011-04-25 18:36 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2002-08-29 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2002-08-29 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2002-08-29 10:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
------- Sigcheck -------
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 82753CED43E9FB7CA8E81F2089FFF07B . 507904 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
[-] 2008-04-14 . E99BE788FBEE60C53F47F1F8CEA2C926 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b9b97401-98e1-4942-930d-c36652dab7f2}"= "c:\program files\TranslatorBar_5\prxtbTra2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{b9b97401-98e1-4942-930d-c36652dab7f2}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9b97401-98e1-4942-930d-c36652dab7f2}]
2011-01-17 14:54 175912 ----a-w- c:\program files\TranslatorBar_5\prxtbTra2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b9b97401-98e1-4942-930d-c36652dab7f2}"= "c:\program files\TranslatorBar_5\prxtbTra2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{b9b97401-98e1-4942-930d-c36652dab7f2}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B9B97401-98E1-4942-930D-C36652DAB7F2}"= "c:\program files\TranslatorBar_5\prxtbTra2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{b9b97401-98e1-4942-930d-c36652dab7f2}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-05-28 847942]
"CrawlerMail"="c:\progra~1\inbox\cmail.exe" [2009-12-14 1395200]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-06 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"U.S. Robotics Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"CARPService"="carpserv.exe" [2003-01-23 4608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-19 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-10 185896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-8-25 25214]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2006-9-2 114688]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-9-15 24576]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-01-12 22:17 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk
backup=c:\windows\pss\Directrec Configuration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer for HDD Camcorder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer for HDD Camcorder.lnk
backup=c:\windows\pss\ImageMixer for HDD Camcorder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Program Neighborhood Agent.lnk
backup=c:\windows\pss\Program Neighborhood Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to WCClient.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to WCClient.lnk
backup=c:\windows\pss\Shortcut to WCClient.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=c:\windows\pss\SideACT!.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start WebEx MeetMeNow.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start WebEx MeetMeNow.LNK
backup=c:\windows\pss\Start WebEx MeetMeNow.LNKCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless-G Notebook Adapter.lnk
backup=c:\windows\pss\Wireless-G Notebook Adapter.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mhumphrey^start menu^programs^startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\mhumphrey\start menu\programs\startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mhumphrey^start menu^programs^startup^VZAccess Manager.lnk]
path=c:\documents and settings\mhumphrey\start menu\programs\startup\VZAccess Manager.lnk
backup=c:\windows\pss\VZAccess Manager.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2003-01-31 16:27 364544 -c--a-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-11-15 23:44 1200128 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JobHisInit]
2003-05-30 02:45 135168 -c--a-w- c:\program files\RMClient\JobHisInit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-12-17 14:50 19968 -c----w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]
2000-11-05 01:09 40960 -c--a-w- c:\program files\RMClient\MplSetUp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2002-12-18 19:20 86016 -c--a-w- c:\program files\Intel\NCS\PROSet\PRONoMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-08-19 20:58 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2005-11-22 13:34 163840 -c--a-w- c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-14 00:25 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-10 02:26 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DM1Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\SYSTEM32\DRIVERS\RCFOX.SYS [04/21/05 4:15 PM 91136]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
R2 WNTHW;WNTHW;c:\windows\SYSTEM32\DRIVERS\WNTHW.SYS [02/25/05 10:25 AM 9176]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [02/14/03 4:03 PM 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/08/09 11:25 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/08/09 11:25 AM 135664]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\SYSTEM32\DRIVERS\rcvpn.sys [04/21/05 4:13 PM 23180]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 15:25]
.
2011-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 15:25]
.
2011-04-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18]
.
2011-04-08 c:\windows\Tasks\{27BAFF4D-9ACF-43FB-AA15-32F59E7BB09A}_OFFICE_mhumphrey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]
.
2011-04-29 c:\windows\Tasks\{93508946-AE83-4345-83A8-5083A71FD435}_OFFICE_mhumphrey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]
.
2011-04-28 c:\windows\Tasks\{CA45E155-63FE-40E1-A5F9-00635183B460}_OFFICE_mhumphrey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Inbox Search - tbr:iemenu
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Inbox\ctbr.dll
DPF: CabBuilder - hxxp://www.imgag.com/kiw/toolbar/download/InstallerControl.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: EMWebAutomation - hxxps://www.elliemaebiz.com/EmActiveX/EMWebAutomation.CAB
DPF: GPointDX - hxxps://www.elliemaebiz.com/EMActiveX/GPointDX.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: ViewCredit - hxxps://www.elliemaebiz.com/EMActiveX/ViewCredit.cab
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file://d:\scripts\LTOCX14N.cab
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} - hxxp://www.therealyellowpageslive.net/live/ezlistng.cab
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - hxxp://www.therealyellowpageslive.net/live/ezinit.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-avgrsstarter - (no file)
AddRemove- Free Loan Programs and CCS Edition - x:\pnttempl\PROMOR~1\ProCCS\UNWISE.EXE
AddRemove-ProMortgageFees v4.2 - x:\pnttempl\PROMOR~1\ProCCS\UNWISE.EXE
AddRemove-ProMortgageManager - x:\pnttempl\PROMOR~1\PMM\UNWISE.EXE
AddRemove- PMR - x:\pnttempl\PROMOR~1\ProCCS\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-30 14:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1123561945-842925246-854245398-2115\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000
.
[HKEY_USERS\S-1-5-21-1123561945-842925246-854245398-2115\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(212)
c:\windows\System32\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(3168)
c:\windows\system32\WININET.dll
c:\windows\system32\nView.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\windows\System32\cisvc.exe
c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe
c:\program files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
c:\windows\System32\RegSrvc.exe
c:\windows\System32\RoamMgr.exe
c:\windows\System32\snmp.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Intel\Switching\User\RoamSvc.exe
c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\carpserv.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Inbox\CToolbar.exe
.
**************************************************************************
.
Completion time: 2011-04-30 15:03:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-30 19:03
.
Pre-Run: 23,597,408,256 bytes free
Post-Run: 23,500,992,512 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - F347980A3CC1D246E72E9B5C5195BB4B

#27 Chelli (Authentic Member, 48 posts)

Posted 30 April 2011 - 02:10 PM

Hi Chelli,

I should have been clearer. We are not looking to reinstall Windows. The XP disk has a utility on it we can use to help resolve this problem. If you don't have an XP disk we can create a disk with the utility we need.


No stress! I wouldn't go there without definite instructions from you!! :)

#28 Chelli (Authentic Member, 48 posts)

Posted 30 April 2011 - 02:29 PM

Computer seems to be much better. The only issue I see so far is my pdf printer is hanging up trying to print an Excel report.

#29 oldman960 (Forum God, Retired Classroom Teacher, 14,770 posts)

Posted 30 April 2011 - 05:31 PM

Hi Chelli,

Good job, that makes life a bit more easy.

I'm not sure if I can help with the printer but we do have other parts of the Forums that will be more than happy to assist after we have cleaned this machine. Try the printer again after this fix.

A bit more to do.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

File ::
c:\windows\system32\dll

FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\SYSTEM32\winlogon.exe
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\dllcache\winlogon.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\system32\dllcache\explorer.exe

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFScript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Posted Image


Please post back with the combofix log.

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.
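The FCopy lines in the CFScript above replace winlogon.exe and explorer.exe (and their dllcache copies) with the Service Pack reference copies, and the ComboFix log that follows confirms the copies were made. A check a helper could run afterwards, added here as an example and not part of the original thread or of ComboFix, is to confirm that each live file now hashes identically to the reference it was copied from. The script below does that in PowerShell using the four path pairs from the CFScript; it computes SHA-256 through .NET directly so it works on PowerShell 2.0, the version available for Windows XP, and its MISSING/MATCH/MISMATCH labels are this script's own convention.

```powershell
# Added example, not part of the thread or of ComboFix: after the FCopy step,
# verify that each restored binary is byte-identical to its ServicePackFiles
# reference. Uses .NET SHA-256 so it runs on PowerShell 2.0 (Windows XP era).
# The four path pairs are the ones named in the CFScript above.

$pairs = @(
    @{ Ref = 'C:\WINDOWS\ServicePackFiles\i386\winlogon.exe'; Live = 'C:\WINDOWS\system32\winlogon.exe' },
    @{ Ref = 'C:\WINDOWS\ServicePackFiles\i386\winlogon.exe'; Live = 'C:\WINDOWS\system32\dllcache\winlogon.exe' },
    @{ Ref = 'C:\WINDOWS\ServicePackFiles\i386\explorer.exe'; Live = 'C:\WINDOWS\explorer.exe' },
    @{ Ref = 'C:\WINDOWS\ServicePackFiles\i386\explorer.exe'; Live = 'C:\WINDOWS\system32\dllcache\explorer.exe' }
)

# SHA-256 of a file as an upper-case hex string, without Get-FileHash
# (which does not exist on PowerShell 2.0).
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# Compare every live file with its reference; print one line per file
# (Write-Host, so the report lines do not pollute the return value) and
# return the number of files that are missing or differ from the reference.
function Test-RestoredBinaries {
    param($PathPairs)
    $problems = 0
    foreach ($p in $PathPairs) {
        if (-not (Test-Path -LiteralPath $p.Ref) -or -not (Test-Path -LiteralPath $p.Live)) {
            Write-Host ('MISSING  {0}' -f $p.Live)
            $problems++
            continue
        }
        $refHash  = Get-Sha256Hex -Path $p.Ref
        $liveHash = Get-Sha256Hex -Path $p.Live
        if ($refHash -eq $liveHash) {
            Write-Host ('MATCH    {0}  sha256={1}' -f $p.Live, $liveHash)
        } else {
            Write-Host ('MISMATCH {0}  live={1}  ref={2}' -f $p.Live, $liveHash, $refHash)
            $problems++
        }
    }
    return $problems
}

$bad = Test-RestoredBinaries -PathPairs $pairs
Write-Host ('{0} of {1} restored files need attention' -f $bad, $pairs.Count)
```

A MISMATCH after a successful FCopy means something rewrote the file again after ComboFix restored it, which is exactly the kind of re-infection a helper would want to know about before declaring the machine clean; a MISSING reference copy simply means the Service Pack files are not present on that install and another known-good source (the XP CD mentioned earlier in the thread) would be needed.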

#30 Chelli (Authentic Member, 48 posts)

Posted 30 April 2011 - 08:43 PM

ComboFix Log:

ComboFix 11-04-28.03 - mgillikin 04/30/11 21:10:43.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.635 [GMT -4:00]
Running from: c:\documents and settings\mhumphrey\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mhumphrey\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\MHUMPH~1\LOCALS~1\Temp\winlogon.dat
c:\documents and settings\mhumphrey\Application Data\PriceGong
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\1.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\a.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\b.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\c.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\d.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\e.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\f.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\g.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\h.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\i.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\J.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\k.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\l.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\m.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\n.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\o.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\p.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\q.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\r.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\s.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\t.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\u.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\v.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\w.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\x.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\y.xml
c:\documents and settings\mhumphrey\Application Data\PriceGong\Data\z.xml
c:\documents and settings\mhumphrey\Local Settings\Temp\winlogon.dat
c:\windows\system32\dll
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\SYSTEM32\winlogon.exe
c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\dllcache\winlogon.exe
c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2011-04-01 to 2011-05-01 )))))))))))))))))))))))))))))))
.
.
2011-04-27 22:24 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 22:24 . 2011-04-27 22:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-27 16:48 . 2011-04-27 16:48 -------- d-----w- C:\_OTL
2011-04-25 18:36 . 2011-04-25 18:36 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2011-04-25 18:36 . 2011-04-25 18:36 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-04-25 18:36 . 2011-04-25 18:36 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2011-04-25 18:36 . 2011-04-25 18:36 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2002-08-29 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2002-08-29 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2002-08-29 10:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b9b97401-98e1-4942-930d-c36652dab7f2}"= "c:\program files\TranslatorBar_5\prxtbTra2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{b9b97401-98e1-4942-930d-c36652dab7f2}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9b97401-98e1-4942-930d-c36652dab7f2}]
2011-01-17 14:54 175912 ----a-w- c:\program files\TranslatorBar_5\prxtbTra2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b9b97401-98e1-4942-930d-c36652dab7f2}"= "c:\program files\TranslatorBar_5\prxtbTra2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{b9b97401-98e1-4942-930d-c36652dab7f2}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B9B97401-98E1-4942-930D-C36652DAB7F2}"= "c:\program files\TranslatorBar_5\prxtbTra2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{b9b97401-98e1-4942-930d-c36652dab7f2}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-05-28 847942]
"CrawlerMail"="c:\progra~1\inbox\cmail.exe" [2009-12-14 1395200]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-06 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"U.S. Robotics Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"CARPService"="carpserv.exe" [2003-01-23 4608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-19 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-10 185896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-8-25 25214]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2006-9-2 114688]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-9-15 24576]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-01-12 22:17 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk
backup=c:\windows\pss\Directrec Configuration Tool.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer for HDD Camcorder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer for HDD Camcorder.lnk
backup=c:\windows\pss\ImageMixer for HDD Camcorder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Program Neighborhood Agent.lnk
backup=c:\windows\pss\Program Neighborhood Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Shortcut to WCClient.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to WCClient.lnk
backup=c:\windows\pss\Shortcut to WCClient.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=c:\windows\pss\SideACT!.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start WebEx MeetMeNow.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start WebEx MeetMeNow.LNK
backup=c:\windows\pss\Start WebEx MeetMeNow.LNKCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless-G Notebook Adapter.lnk
backup=c:\windows\pss\Wireless-G Notebook Adapter.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mhumphrey^start menu^programs^startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\mhumphrey\start menu\programs\startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^mhumphrey^start menu^programs^startup^VZAccess Manager.lnk]
path=c:\documents and settings\mhumphrey\start menu\programs\startup\VZAccess Manager.lnk
backup=c:\windows\pss\VZAccess Manager.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2003-01-31 16:27 364544 -c--a-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2005-11-15 23:44 1200128 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JobHisInit]
2003-05-30 02:45 135168 -c--a-w- c:\program files\RMClient\JobHisInit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-12-17 14:50 19968 -c----w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]
2000-11-05 01:09 40960 -c--a-w- c:\program files\RMClient\MplSetUp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
2002-12-18 19:20 86016 -c--a-w- c:\program files\Intel\NCS\PROSet\PRONoMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-08-19 20:58 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2005-11-22 13:34 163840 -c--a-w- c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-14 00:25 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-10 02:26 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DM1Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\SYSTEM32\DRIVERS\RCFOX.SYS [04/21/05 4:15 PM 91136]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
R2 WNTHW;WNTHW;c:\windows\SYSTEM32\DRIVERS\WNTHW.SYS [02/25/05 10:25 AM 9176]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
R3 GTICARD;GTICARD;c:\windows\SYSTEM32\DRIVERS\gticard.sys [02/14/03 4:03 PM 59328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/08/09 11:25 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/08/09 11:25 AM 135664]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\SYSTEM32\DRIVERS\rcvpn.sys [04/21/05 4:13 PM 23180]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 15:25]
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 15:25]
.
2011-04-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18]
.
2011-04-08 c:\windows\Tasks\{27BAFF4D-9ACF-43FB-AA15-32F59E7BB09A}_OFFICE_mhumphrey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]
.
2011-04-29 c:\windows\Tasks\{93508946-AE83-4345-83A8-5083A71FD435}_OFFICE_mhumphrey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]
.
2011-04-28 c:\windows\Tasks\{CA45E155-63FE-40E1-A5F9-00635183B460}_OFFICE_mhumphrey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Inbox Search - tbr:iemenu
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Inbox\ctbr.dll
DPF: CabBuilder - hxxp://www.imgag.com/kiw/toolbar/download/InstallerControl.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: EMWebAutomation - hxxps://www.elliemaebiz.com/EmActiveX/EMWebAutomation.CAB
DPF: GPointDX - hxxps://www.elliemaebiz.com/EMActiveX/GPointDX.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: ViewCredit - hxxps://www.elliemaebiz.com/EMActiveX/ViewCredit.cab
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file://d:\scripts\LTOCX14N.cab
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} - hxxp://www.therealyellowpageslive.net/live/ezlistng.cab
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - hxxp://www.therealyellowpageslive.net/live/ezinit.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-30 21:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1123561945-842925246-854245398-2115\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000
.
[HKEY_USERS\S-1-5-21-1123561945-842925246-854245398-2115\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(212)
c:\windows\System32\LgNotify.dll
.
Completion time: 2011-04-30 21:28:08
ComboFix-quarantined-files.txt 2011-05-01 01:28
ComboFix2.txt 2011-04-30 19:03
.
Pre-Run: 23,490,740,224 bytes free
Post-Run: 23,466,098,688 bytes free
.
- - End Of File - - 863A0E7E7813A259B6F8ADE4D2E8CB8F
