Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91680 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Browser redirects and misc Trojans


  • This topic is locked This topic is locked
28 replies to this topic

#16 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 09 November 2009 - 01:21 PM

Flyingfish, Shouldn't matter but it would be good if you could run it from your main profile.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png

    Advertisements

Register to Remove


#17 Flyingfish

Flyingfish

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts
  • Interests:Armadillos, llamas, and occasionally I go slummin' with the El' Packas. But only the ones with small ears.

Posted 09 November 2009 - 03:31 PM

Hey TomK,

It wasn't so bad this time getting into the main profile. I did get two warning pop-up boxes about not being able to find the ntuser.dll file. IS that part of the trojan?

I was able to run Combo, first time I thought I did somethign to make it stall after the 4th stage so I closed it, and reran it, 2nd time with no problems.

So why did this little bugger come back? Was it stored in part in the profile?

LOG>

ComboFix 09-11-08.03 - Meow Meow and Meow 11/09/2009 14:48.14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.516 [GMT -6:00]
Running from: c:\documents and settings\Meow Meow and Meow\Desktop\ComboFix.exe
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Meow Meow and Meow\Local Settings\Application Data\{8F59A367-5FAA-4565-B28B-18FCC0DDFB7D}
c:\documents and settings\Meow Meow and Meow\Local Settings\Application Data\{8F59A367-5FAA-4565-B28B-18FCC0DDFB7D}\chrome.manifest
c:\documents and settings\Meow Meow and Meow\Local Settings\Application Data\{8F59A367-5FAA-4565-B28B-18FCC0DDFB7D}\chrome\content\_cfg.js
c:\documents and settings\Meow Meow and Meow\Local Settings\Application Data\{8F59A367-5FAA-4565-B28B-18FCC0DDFB7D}\chrome\content\c.js
c:\documents and settings\Meow Meow and Meow\Local Settings\Application Data\{8F59A367-5FAA-4565-B28B-18FCC0DDFB7D}\chrome\content\overlay.xul
c:\documents and settings\Meow Meow and Meow\Local Settings\Application Data\{8F59A367-5FAA-4565-B28B-18FCC0DDFB7D}\install.rdf
c:\windows\rasqervy.dll
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-09 03:19 . 2009-11-09 03:19 101888 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Macromedia\Common\3abfc0261.dll
2009-11-09 03:14 . 2009-11-09 21:08 16384 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-06 17:33 . 2009-11-06 17:37 -------- d-----w- c:\documents and settings\MiloTheGreat Houdini\Application Data\comcasttb
2009-11-06 17:33 . 2009-11-06 17:33 -------- d-----w- c:\documents and settings\MiloTheGreat Houdini\Application Data\Malwarebytes
2009-11-06 17:27 . 2009-11-06 17:27 101888 ----a-w- c:\documents and settings\MiloTheGreat Houdini\Application Data\Macromedia\Common\3abfc0261.dll
2009-11-06 17:26 . 2009-11-06 20:30 16384 ----a-w- c:\documents and settings\MiloTheGreat Houdini\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-04 20:48 . 2009-11-08 03:10 16384 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-04 03:33 . 2009-11-04 03:33 16384 ----a-w- c:\documents and settings\LocalService\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-02 22:01 . 2009-11-09 20:48 16384 ----a-w- c:\documents and settings\Angelina\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-02 22:01 . 2009-11-02 22:02 101888 ----a-w- c:\documents and settings\Angelina\Application Data\Macromedia\Common\3abfc0261.dll
2009-10-22 14:01 . 2009-10-22 14:01 -------- d-----w- c:\documents and settings\Angelina\Application Data\Malwarebytes
2009-10-20 12:44 . 2009-10-20 12:44 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-18 16:44 . 2009-10-18 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 01:22 . 2008-12-10 22:33 -------- d-----w- c:\documents and settings\Angelina\Application Data\Apple Computer
2009-11-08 01:16 . 2008-01-02 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-24 12:58 . 2009-07-01 03:17 -------- d-----w- c:\program files\McAfee
2009-10-24 12:36 . 2009-09-20 01:20 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-10-24 12:36 . 2006-01-05 07:16 -------- d-----w- c:\program files\FaxTools
2009-10-24 12:36 . 2006-06-23 04:16 -------- d-----w- c:\program files\DivX
2009-10-24 12:36 . 2006-03-18 18:10 -------- d-----w- c:\program files\Dominion Wars
2009-10-24 12:36 . 2009-07-01 03:29 -------- d-----w- c:\program files\comcasttb
2009-10-24 12:36 . 2006-02-24 23:29 -------- d-----w- c:\program files\Microsoft Works
2009-10-24 12:36 . 2006-02-24 23:39 -------- d-----w- c:\program files\Microsoft Picture It! 9
2009-10-24 12:36 . 2006-01-05 07:07 -------- d-----w- c:\program files\Modem Helper
2009-10-24 12:36 . 2006-01-05 07:06 -------- d-----w- c:\program files\NetWaiting
2009-10-24 12:36 . 2008-07-24 01:19 -------- d-----w- c:\program files\RegCure
2009-10-24 12:36 . 2006-02-01 05:29 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-24 12:36 . 2008-07-26 16:25 -------- d-----w- c:\program files\Quicken
2009-10-20 12:46 . 2009-05-24 20:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 16:48 . 2007-10-15 23:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-21 20:00 . 2009-09-20 01:08 -------- d-----w- c:\program files\QuickTime
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\program files\iTunes
2009-09-20 01:15 . 2009-09-20 01:15 -------- d-----w- c:\program files\iPod
2009-09-20 01:15 . 2008-01-02 03:36 -------- d-----w- c:\program files\Common Files\Apple
2009-09-20 00:57 . 2009-09-20 00:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-18 19:26 . 2006-02-25 01:02 25088 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\wklnhst.dat
2009-09-17 12:44 . 2009-07-01 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-17 09:07 . 2009-09-17 09:07 72280 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 15:22 . 2009-07-01 03:19 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-07-01 03:19 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-07-01 03:19 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-05-24 20:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-05-24 20:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-10-21 18:51 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-29 00:42 . 2009-03-15 12:01 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2008-01-02 03:36 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-13 20:40 . 2009-08-29 21:55 43008 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-08-13 20:39 . 2009-08-29 21:55 340480 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-08-13 20:39 . 2009-08-29 21:55 346112 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-06-11 01:31 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe
2009-06-11 01:26 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe.bak
2009-06-11 01:26 . 2009-06-11 01:26 1192 ----a-w- c:\program files\jre-6u14-windows-i586.exe.sdm
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2GDR\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2003-07-16 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB893066_0$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"WAB"="c:\documents and settings\Meow Meow and Meow\Application Data\Macromedia\Common\3abfc02619.exe" [2009-11-09 16384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-5 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"YOP"=c:\progra~1\Yahoo!\YOP\yop.exe /autostart
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Activision\\Star Trek Armada II\\Armada2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 11:11 AM 17664]
S1 bcbus;BestCrypt bus driver;c:\windows\system32\DRIVERS\bcbus.sys --> c:\windows\system32\DRIVERS\bcbus.sys [?]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [3/16/2009 3:37 PM 616408]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27E53DCF-6B78-4088-BE71-5CA5CDCB2624}]
rundll32 pcfr32.dll,laspi
.
Contents of the 'Scheduled Tasks' folder

2009-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-11-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-09 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.chicagobears.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Windows Internet Explorer provided by Comcast
LSP: c:\windows\System32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.chicagobears.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rundll32.exe - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 15:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\wininet.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'winlogon.exe'(400)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\wininet.dll

- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\wininet.dll
c:\windows\System32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-11-09 15:15
ComboFix-quarantined-files.txt 2009-11-09 21:15

Pre-Run: 32,034,529,280 bytes free
Post-Run: 33,038,045,184 bytes free

- - End Of File - - 88F24BA22B2056968C8B1EECBF88F2ED
I Lag, therefore I am.

#18 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 09 November 2009 - 04:38 PM

Flyingfish,

I'm not sure what happened but let's wear it out.

AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}


You want one and only one anti-virus program running. Please uninstall one of them.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    FCopy::
    c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#19 Flyingfish

Flyingfish

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts
  • Interests:Armadillos, llamas, and occasionally I go slummin' with the El' Packas. But only the ones with small ears.

Posted 09 November 2009 - 09:13 PM

I ran the script you provided. I think I might have picked up something else before running combo again this time.

So I am thinking maybe the McAfee virus software isn't that great. It doesn't seem to stop viruses very well, and when my comp gets clean, McAfee lets something else get through. I was using AVG previously and I thought they were not doing a good job either...is there a better virus software?

Here's the log...

ComboFix 09-11-08.03 - Meow Meow and Meow 11/09/2009 19:48.15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.693 [GMT -6:00]
Running from: c:\documents and settings\Meow Meow and Meow\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Meow Meow and Meow\Desktop\CFScript.txt
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MEOWME~1\LOCALS~1\Temp\rundll32.dll
c:\documents and settings\Meow Meow and Meow\Local Settings\temp\rundll32.dll
c:\documents and settings\Meow Meow and Meow\ntuser.dll
c:\documents and settings\Meow Meow and Meow\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Meow Meow and Meow\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\calc.dll

.
--------------- FCopy ---------------

c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-09 03:19 . 2009-11-09 22:10 103424 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Macromedia\Common\3abfc0261.dll
2009-11-09 03:14 . 2009-11-10 02:15 16384 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-06 17:33 . 2009-11-06 17:37 -------- d-----w- c:\documents and settings\MiloTheGreat Houdini\Application Data\comcasttb
2009-11-06 17:33 . 2009-11-06 17:33 -------- d-----w- c:\documents and settings\MiloTheGreat Houdini\Application Data\Malwarebytes
2009-11-06 17:27 . 2009-11-06 17:27 101888 ----a-w- c:\documents and settings\MiloTheGreat Houdini\Application Data\Macromedia\Common\3abfc0261.dll
2009-11-06 17:26 . 2009-11-06 20:30 16384 ----a-w- c:\documents and settings\MiloTheGreat Houdini\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-04 20:48 . 2009-11-08 03:10 16384 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-04 03:33 . 2009-11-04 03:33 16384 ----a-w- c:\documents and settings\LocalService\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-02 22:01 . 2009-11-09 21:19 16384 ----a-w- c:\documents and settings\Angelina\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-02 22:01 . 2009-11-02 22:02 101888 ----a-w- c:\documents and settings\Angelina\Application Data\Macromedia\Common\3abfc0261.dll
2009-10-22 14:01 . 2009-10-22 14:01 -------- d-----w- c:\documents and settings\Angelina\Application Data\Malwarebytes
2009-10-20 12:44 . 2009-10-20 12:44 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-18 16:44 . 2009-10-18 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 00:25 . 2006-02-25 01:02 25464 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\wklnhst.dat
2009-11-08 01:22 . 2008-12-10 22:33 -------- d-----w- c:\documents and settings\Angelina\Application Data\Apple Computer
2009-11-08 01:16 . 2008-01-02 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-24 12:58 . 2009-07-01 03:17 -------- d-----w- c:\program files\McAfee
2009-10-24 12:36 . 2009-09-20 01:20 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-10-24 12:36 . 2006-01-05 07:16 -------- d-----w- c:\program files\FaxTools
2009-10-24 12:36 . 2006-06-23 04:16 -------- d-----w- c:\program files\DivX
2009-10-24 12:36 . 2006-03-18 18:10 -------- d-----w- c:\program files\Dominion Wars
2009-10-24 12:36 . 2009-07-01 03:29 -------- d-----w- c:\program files\comcasttb
2009-10-24 12:36 . 2006-02-24 23:29 -------- d-----w- c:\program files\Microsoft Works
2009-10-24 12:36 . 2006-02-24 23:39 -------- d-----w- c:\program files\Microsoft Picture It! 9
2009-10-24 12:36 . 2006-01-05 07:07 -------- d-----w- c:\program files\Modem Helper
2009-10-24 12:36 . 2006-01-05 07:06 -------- d-----w- c:\program files\NetWaiting
2009-10-24 12:36 . 2008-07-24 01:19 -------- d-----w- c:\program files\RegCure
2009-10-24 12:36 . 2006-02-01 05:29 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-24 12:36 . 2008-07-26 16:25 -------- d-----w- c:\program files\Quicken
2009-10-20 12:46 . 2009-05-24 20:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 16:48 . 2007-10-15 23:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-21 20:00 . 2009-09-20 01:08 -------- d-----w- c:\program files\QuickTime
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\program files\iTunes
2009-09-20 01:15 . 2009-09-20 01:15 -------- d-----w- c:\program files\iPod
2009-09-20 01:15 . 2008-01-02 03:36 -------- d-----w- c:\program files\Common Files\Apple
2009-09-20 00:57 . 2009-09-20 00:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-17 12:44 . 2009-07-01 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-17 09:07 . 2009-09-17 09:07 72280 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 15:22 . 2009-07-01 03:19 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-07-01 03:19 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-07-01 03:19 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-05-24 20:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-05-24 20:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-10-21 18:51 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-29 00:42 . 2009-03-15 12:01 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2008-01-02 03:36 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-13 20:40 . 2009-08-29 21:55 43008 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-08-13 20:39 . 2009-08-29 21:55 340480 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-08-13 20:39 . 2009-08-29 21:55 346112 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-06-11 01:31 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe
2009-06-11 01:26 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe.bak
2009-06-11 01:26 . 2009-06-11 01:26 1192 ----a-w- c:\program files\jre-6u14-windows-i586.exe.sdm
.

((((((((((((((((((((((((((((( SnapShot@2009-11-09_21.09.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-10 02:12 . 2009-11-10 02:12 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
+ 2006-01-05 06:02 . 2009-11-09 21:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-01-05 06:02 . 2009-11-09 17:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-09 21:54 . 2009-11-09 21:59 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2003-07-16 20:47 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
- 2008-06-20 11:51 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"WAB"="c:\documents and settings\Meow Meow and Meow\Application Data\Macromedia\Common\3abfc02619.exe" [2009-11-10 16384]
"rundll32.exe"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-5 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=c:\docume~1\MEOWME~1\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"mixer1"=c:\docume~1\MEOWME~1\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"wave1"=c:\docume~1\MEOWME~1\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"aux1"=c:\docume~1\MEOWME~1\APPLIC~1\MACROM~1\Common\3abfc0261.dll
"wave2"=c:\docume~1\MEOWME~1\APPLIC~1\MACROM~1\Common\3abfc0261.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"YOP"=c:\progra~1\Yahoo!\YOP\yop.exe /autostart
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Activision\\Star Trek Armada II\\Armada2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [3/16/2009 3:37 PM 616408]
R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 11:11 AM 24064]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 11:11 AM 17664]
S1 bcbus;BestCrypt bus driver;c:\windows\system32\DRIVERS\bcbus.sys --> c:\windows\system32\DRIVERS\bcbus.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27E53DCF-6B78-4088-BE71-5CA5CDCB2624}]
rundll32 pcfr32.dll,laspi
.
Contents of the 'Scheduled Tasks' folder

2009-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-11-10 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-10 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.chicagobears.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Windows Internet Explorer provided by Comcast
LSP: c:\windows\System32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.chicagobears.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 20:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\wininet.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\wininet.dll
c:\windows\System32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Borland\Interbase\Bin\IBGuard.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Borland\Interbase\Bin\IBServer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-11-10 20:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 02:27
ComboFix2.txt 2009-11-09 21:16

Pre-Run: 33,011,425,280 bytes free
Post-Run: 32,979,877,888 bytes free

- - End Of File - - 9F1E3132FA0A114CE7848E27D5D569B5

THANKS!
I Lag, therefore I am.

#20 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 09 November 2009 - 09:56 PM

Flyingfish,

I've not been a fan of McAfee for some time. Basically because I think it's a resource hog. I also used to like AVG but I think it's bloated also. I currently have Avira on my desktop and AVAST! on my laptop. I happy with both but beginning to lean towards AVAST!.

The "new" stuff found may have been hidden by this patched file we restored: c:\windows\system32\drivers\tcpip.sys

More to do:

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27E53DCF-6B78-4088-BE71-5CA5CDCB2624}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Then


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#21 Flyingfish

Flyingfish

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts
  • Interests:Armadillos, llamas, and occasionally I go slummin' with the El' Packas. But only the ones with small ears.

Posted 11 November 2009 - 07:14 AM

Hey TomK,

Here's the combo log, I'll be able to run thr kasp scan after work. Thanks!

ComboFix 09-11-09.02 - Meow Meow and Meow 11/11/2009 0:15.17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.465 [GMT -6:00]
Running from: c:\documents and settings\Meow Meow and Meow\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Meow Meow and Meow\Desktop\CFScript.txt
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000006_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-11 04:34 . 2009-11-11 04:34 -------- d-----w- c:\windows\LastGood
2009-11-09 03:19 . 2009-11-10 19:07 102912 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Macromedia\Common\3abfc0261.dll
2009-11-09 03:14 . 2009-11-11 06:30 16384 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-06 17:33 . 2009-11-06 17:37 -------- d-----w- c:\documents and settings\MiloTheGreat Houdini\Application Data\comcasttb
2009-11-06 17:33 . 2009-11-06 17:33 -------- d-----w- c:\documents and settings\MiloTheGreat Houdini\Application Data\Malwarebytes
2009-11-06 17:27 . 2009-11-06 17:27 101888 ----a-w- c:\documents and settings\MiloTheGreat Houdini\Application Data\Macromedia\Common\3abfc0261.dll
2009-11-06 17:26 . 2009-11-06 20:30 16384 ----a-w- c:\documents and settings\MiloTheGreat Houdini\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-04 20:48 . 2009-11-08 03:10 16384 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-04 03:33 . 2009-11-10 02:29 16384 ----a-w- c:\documents and settings\LocalService\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-02 22:01 . 2009-11-09 21:19 16384 ----a-w- c:\documents and settings\Angelina\Application Data\Macromedia\Common\3abfc02619.exe
2009-11-02 22:01 . 2009-11-02 22:02 101888 ----a-w- c:\documents and settings\Angelina\Application Data\Macromedia\Common\3abfc0261.dll
2009-10-22 14:01 . 2009-10-22 14:01 -------- d-----w- c:\documents and settings\Angelina\Application Data\Malwarebytes
2009-10-20 12:44 . 2009-10-20 12:44 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-18 16:44 . 2009-10-18 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 00:25 . 2006-02-25 01:02 25464 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\wklnhst.dat
2009-11-08 01:22 . 2008-12-10 22:33 -------- d-----w- c:\documents and settings\Angelina\Application Data\Apple Computer
2009-11-08 01:16 . 2008-01-02 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-24 12:58 . 2009-07-01 03:17 -------- d-----w- c:\program files\McAfee
2009-10-24 12:36 . 2009-09-20 01:20 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-10-24 12:36 . 2006-01-05 07:16 -------- d-----w- c:\program files\FaxTools
2009-10-24 12:36 . 2006-06-23 04:16 -------- d-----w- c:\program files\DivX
2009-10-24 12:36 . 2006-03-18 18:10 -------- d-----w- c:\program files\Dominion Wars
2009-10-24 12:36 . 2009-07-01 03:29 -------- d-----w- c:\program files\comcasttb
2009-10-24 12:36 . 2006-02-24 23:29 -------- d-----w- c:\program files\Microsoft Works
2009-10-24 12:36 . 2006-02-24 23:39 -------- d-----w- c:\program files\Microsoft Picture It! 9
2009-10-24 12:36 . 2006-01-05 07:07 -------- d-----w- c:\program files\Modem Helper
2009-10-24 12:36 . 2006-01-05 07:06 -------- d-----w- c:\program files\NetWaiting
2009-10-24 12:36 . 2008-07-24 01:19 -------- d-----w- c:\program files\RegCure
2009-10-24 12:36 . 2006-02-01 05:29 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-24 12:36 . 2008-07-26 16:25 -------- d-----w- c:\program files\Quicken
2009-10-20 12:46 . 2009-05-24 20:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 16:48 . 2007-10-15 23:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-21 20:00 . 2009-09-20 01:08 -------- d-----w- c:\program files\QuickTime
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-20 01:16 . 2009-09-20 01:14 -------- d-----w- c:\program files\iTunes
2009-09-20 01:15 . 2009-09-20 01:15 -------- d-----w- c:\program files\iPod
2009-09-20 01:15 . 2008-01-02 03:36 -------- d-----w- c:\program files\Common Files\Apple
2009-09-20 00:57 . 2009-09-20 00:57 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-17 12:44 . 2009-07-01 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-17 09:07 . 2009-09-17 09:07 72280 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 15:22 . 2009-07-01 03:19 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-07-01 03:19 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-07-01 03:19 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-07-01 03:19 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-05-24 20:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-05-24 20:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-10-21 18:51 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-29 00:42 . 2009-03-15 12:01 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2008-01-02 03:36 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-14 13:21 . 2003-07-16 20:51 1850624 ----a-w- c:\windows\system32\win32k.sys
2009-08-13 20:40 . 2009-08-29 21:55 43008 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-08-13 20:39 . 2009-08-29 21:55 340480 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-08-13 20:39 . 2009-08-29 21:55 346112 ----a-w- c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-06-11 01:31 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe
2009-06-11 01:26 . 2009-06-11 01:26 0 ----a-w- c:\program files\jre-6u14-windows-i586.exe.bak
2009-06-11 01:26 . 2009-06-11 01:26 1192 ----a-w- c:\program files\jre-6u14-windows-i586.exe.sdm
.

((((((((((((((((((((((((((((( SnapShot@2009-11-09_21.09.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-10 02:12 . 2009-11-10 02:12 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
- 2006-12-12 21:08 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2006-12-12 21:08 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2006-01-05 06:02 . 2009-11-09 17:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-01-05 06:02 . 2009-11-11 02:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-10 02:33 . 2009-11-11 02:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-11-04 07:20 . 2009-11-09 17:44 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-06-20 11:51 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
+ 2003-07-16 20:47 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
+ 2008-10-14 21:50 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2006-01-05 18:04 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"WAB"="c:\documents and settings\Meow Meow and Meow\Application Data\Macromedia\Common\3abfc02619.exe" [2009-11-11 16384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-5 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"YOP"=c:\progra~1\Yahoo!\YOP\yop.exe /autostart
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Activision\\Star Trek Armada II\\Armada2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [3/16/2009 3:37 PM 616408]
R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 11:11 AM 24064]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 11:11 AM 17664]
S1 bcbus;BestCrypt bus driver;c:\windows\system32\DRIVERS\bcbus.sys --> c:\windows\system32\DRIVERS\bcbus.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-07-01 17:22]

2009-11-10 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-11-10 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.chicagobears.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Windows Internet Explorer provided by Comcast
LSP: c:\windows\System32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\Meow Meow and Meow\Application Data\Mozilla\Firefox\Profiles\75p2ovg1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.chicagobears.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-11 00:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\wininet.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\wininet.dll
c:\windows\System32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-11-11 0:37
ComboFix-quarantined-files.txt 2009-11-11 06:37
ComboFix2.txt 2009-11-10 02:29
ComboFix3.txt 2009-11-09 21:16

Pre-Run: 32,904,470,528 bytes free
Post-Run: 32,868,446,208 bytes free

- - End Of File - - 4FA974398841CCC8E8E739CE71A70DE2
I Lag, therefore I am.

#22 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 11 November 2009 - 12:38 PM

Flyingfish, Please also give me an update on how things are running with your Kaspersky log.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#23 Flyingfish

Flyingfish

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts
  • Interests:Armadillos, llamas, and occasionally I go slummin' with the El' Packas. But only the ones with small ears.

Posted 12 November 2009 - 07:57 PM

Hey TomK, I started the Kaep scan late last night and let it run over night since it takes a long time. When I woke up the browser was closed and no log, but from what I read I would need to manually trigger the log myself. So I don't know wth happened there, what should I do, re-run it? Thanks
I Lag, therefore I am.

#24 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 12 November 2009 - 08:14 PM

Flyingfish, Normally that is a good technique. Browser shouldn't close. :wacko: I'd feel better if you actually got to at least see the report. If you would, I'd like you to run it again. Odd's are it won't find anything but we'll never know until we actually know.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#25 Flyingfish

Flyingfish

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts
  • Interests:Armadillos, llamas, and occasionally I go slummin' with the El' Packas. But only the ones with small ears.

Posted 14 November 2009 - 07:26 AM

Hi TomK, Was able to run Kasp, "no threats found", no log to post.
I Lag, therefore I am.

    Advertisements

Register to Remove


#26 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 15 November 2009 - 10:21 PM

Flyingfish, So... how are things running?

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#27 Flyingfish

Flyingfish

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts
  • Interests:Armadillos, llamas, and occasionally I go slummin' with the El' Packas. But only the ones with small ears.

Posted 17 November 2009 - 11:15 AM

TomK, The computer seems to be doing pretty good. IE runs a bit slow, but i think that's b/c my computer is a tad on the old side when it comes to computers. I think it's 6 going on 7 years old. It could probably use a reformat, but I thought with today's comps you don't really need to do that much anymore unless your system dies. Going forward, I think I am going to get AVAST!, since you said you thought it was one of the better ones, and see if it does a better job with the viruses. If you don't think I need to do anything else with the comp, thanks a lot with solving the problem, you da man!
I Lag, therefore I am.

#28 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 17 November 2009 - 12:02 PM

Flyingfish,

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Please re-enable any security that was disabled.

With that done, is there anything more I can do for you?

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png


#29 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,136 posts

Posted 23 November 2009 - 12:13 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif


WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users