Attached Files
-
Attach2.txt 3.74KB
344 downloads
WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
[Resolved] Possible laptop infection from infected flash drive
Started by
stargazercece
, Nov 23 2009 09:37 PM
-
This topic is locked
21 replies to this topic
#1
stargazercece
-
- Authentic Member
-
- 31 posts
Authentic Member
Posted 23 November 2009 - 09:37 PM
Register to Remove
#2
Tomk
-
- Global Moderator
-
- 20,451 posts
Beguilement Monitor
Posted 30 November 2009 - 11:32 AM
stargazercece,
Please download Flash Disinfector.exe by sUBs and save it to your desktop.
Then
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Could be.Could the virus from the flash drive still be on my laptop letting more trouble in?
Please download Flash Disinfector.exe by sUBs and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the
utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
Then
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
------------------------------------------------------------
Microsoft MVP 2010-2014
#3
stargazercece
-
- Authentic Member
-
- 31 posts
Authentic Member
Posted 01 December 2009 - 07:35 PM
When I clicked the link for Flash_Disinfector, Kaspersky stopped the page calling it malware. But I was able to download it, but it wouldn't run on the system. Combofix did run though.
ComboFix 09-12-01.01 - Cece 12/01/2009 19:30.2.2 - x86
Running from: d:\users\Cece_Phoenix\Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\windows\system32\clrviddc.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.
2009-12-02 00:47 . 2009-12-02 00:48 -------- d-----w- d:\users\Cece\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:48 -------- d-----w- d:\users\Cece_Phoenix\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:47 -------- d-----w- d:\users\Public\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:47 -------- d-----w- d:\users\Default\AppData\Local\temp
2009-12-02 00:18 . 2009-12-02 00:19 49152 d-----w- D:\32788R22FWJFW
2009-11-30 10:57 . 2009-11-30 10:57 -------- d-----w- d:\program files\Recuva
2009-11-26 01:46 . 2009-10-29 09:17 2048 ----a-w- d:\windows\system32\tzres.dll
2009-11-25 13:03 . 2009-08-11 16:44 1401856 ----a-w- d:\windows\system32\msxml6.dll
2009-11-25 13:03 . 2009-08-11 16:44 1248768 ----a-w- d:\windows\system32\msxml3.dll
2009-11-24 03:37 . 2009-11-24 03:37 484976 ----a-w- d:\programdata\Google\Google Toolbar\Update\gtbE0D6.tmp.exe
2009-11-20 14:10 . 2009-11-20 14:10 -------- d-----w- d:\program files\Java
2009-11-19 04:29 . 2009-11-19 04:29 72656 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\kavupgr.exe
2009-11-19 04:29 . 2009-11-19 04:29 72656 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\kis\kavupgr.exe
2009-11-12 01:48 . 2009-11-12 01:48 26694 ----a-r- d:\users\Cece\AppData\Roaming\Microsoft\Installer\{9278C797-7F46-4D4A-B8D7-4F168D5C8583}\BlackBerry.exe
2009-11-12 00:27 . 2009-11-12 00:27 26694 ----a-r- d:\users\Cece\AppData\Roaming\Microsoft\Installer\{E110612F-8478-4EF8-AF55-45B3779F9F12}\BlackBerry.exe
2009-11-11 13:38 . 2009-11-11 13:39 4096 d-----w- d:\program files\Roxio
2009-11-11 13:38 . 2009-11-11 13:38 -------- d-----w- d:\program files\Common Files\Sonic Shared
2009-11-11 13:30 . 2009-11-11 13:30 -------- d-----w- d:\program files\Research In Motion
2009-11-11 08:26 . 2009-08-14 13:27 2036736 ----a-w- d:\windows\system32\win32k.sys
2009-11-11 08:26 . 2009-08-10 12:35 355328 ----a-w- d:\windows\system32\WSDApi.dll
2009-11-04 15:10 . 2009-11-04 15:10 -------- d-----w- d:\program files\JL_Cmder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 23:53 . 2009-05-14 04:11 56800 ----a-w- d:\programdata\nvModes.dat
2009-11-30 09:57 . 2009-04-17 00:27 4096 d-----w- d:\programdata\Kaspersky Lab
2009-11-29 22:09 . 2009-03-26 07:08 382072 ----a-w- d:\windows\system32\perfh011.dat
2009-11-29 22:09 . 2009-03-26 07:08 101350 ----a-w- d:\windows\system32\perfc011.dat
2009-11-20 14:11 . 2009-08-03 21:36 411368 ----a-w- d:\windows\system32\deploytk.dll
2009-11-18 22:32 . 2009-09-21 23:41 -------- d-----w- d:\users\Cece\AppData\Roaming\Skype
2009-11-18 22:31 . 2009-03-20 03:07 119488 ----a-w- d:\users\Cece\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-12 00:24 . 2009-07-21 20:07 4096 d-----w- d:\program files\Common Files\Research In Motion
2009-11-11 16:31 . 2006-11-02 11:18 4096 d-----w- d:\program files\Windows Mail
2009-11-11 13:49 . 2009-05-05 22:48 119488 ----a-w- d:\users\Cece_Phoenix\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-11 13:39 . 2009-09-20 01:43 4096 d-----w- d:\program files\Common Files\Roxio Shared
2009-11-11 13:39 . 2009-03-21 16:16 4096 d-----w- d:\program files\Common Files\PX Storage Engine
2009-11-11 13:38 . 2009-09-20 01:51 -------- d-----w- d:\programdata\Roxio
2009-11-11 13:38 . 2009-03-20 17:08 -------- d-----w- d:\program files\Common Files\InstallShield
2009-11-03 01:42 . 2009-10-03 05:01 195456 ------w- d:\windows\system32\MpSigStub.exe
2009-10-28 05:32 . 2009-10-28 05:32 -------- d-----w- d:\program files\Windows Portable Devices
2009-10-28 05:25 . 2006-11-02 10:25 665600 ----a-w- d:\windows\inf\drvindex.dat
2009-10-28 05:24 . 2009-10-28 05:24 0 ---ha-w- d:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 05:22 . 2009-10-28 05:22 0 ---ha-w- d:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-25 21:56 . 2009-05-14 04:25 -------- d-----w- d:\programdata\NVIDIA
2009-10-25 20:58 . 2006-11-02 12:35 -------- d-----w- d:\program files\Windows Calendar
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Sidebar
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Journal
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Collaboration
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Photo Gallery
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Defender
2009-10-15 17:03 . 2009-10-15 17:03 -------- d-----w- d:\users\Cece\AppData\Roaming\Foxit
2009-10-15 17:03 . 2009-10-15 17:03 -------- d-----w- d:\program files\Foxit Software
2009-10-15 00:43 . 2009-03-21 16:15 8192 d-----w- d:\program files\DivX
2009-10-15 00:42 . 2009-03-21 16:15 4096 d-----w- d:\program files\Common Files\DivX Shared
2009-10-15 00:30 . 2009-09-28 01:00 4096 d-----w- d:\programdata\NOS
2009-10-15 00:30 . 2009-09-28 01:00 -------- d-----w- d:\program files\NOS
2009-10-14 07:09 . 2009-04-17 00:28 95259 ----a-w- d:\windows\system32\drivers\klick.dat
2009-10-14 07:09 . 2009-04-17 00:28 108059 ----a-w- d:\windows\system32\drivers\klin.dat
2009-10-12 06:50 . 2009-10-12 06:50 -------- d-----w- d:\program files\CCleaner
2009-10-12 06:27 . 2009-09-16 02:03 932368 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-10-12 06:27 . 2009-09-16 02:03 678416 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-10-12 06:27 . 2009-09-16 02:03 604688 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-10-12 06:27 . 2009-09-16 02:03 522768 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-10-12 06:27 . 2009-09-16 02:03 1096208 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-10-11 00:59 . 2009-10-11 00:59 1 ----a-w- d:\users\Cece_Phoenix\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-11 00:56 . 2009-10-11 00:56 -------- d-----w- d:\users\Cece_Phoenix\AppData\Roaming\OpenOffice.org
2009-10-10 16:32 . 2009-10-10 16:32 -------- d-----w- d:\program files\JRE
2009-10-10 16:31 . 2009-10-10 16:31 4096 d-----w- d:\program files\OpenOffice.org 3
2009-10-08 21:08 . 2009-10-28 01:02 555520 ----a-w- d:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-10-28 01:02 234496 ----a-w- d:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-10-28 01:02 4096 ----a-w- d:\windows\system32\oleaccrc.dll
2009-10-04 21:45 . 2009-08-22 00:58 4096 d-----w- d:\users\Cece_Phoenix\AppData\Roaming\Skype
2009-10-04 21:36 . 2009-08-22 01:01 -------- d-----w- d:\users\Cece_Phoenix\AppData\Roaming\skypePM
2009-10-01 01:02 . 2009-10-28 01:04 2537472 ----a-w- d:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-28 01:05 30208 ----a-w- d:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-28 01:04 334848 ----a-w- d:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-28 01:04 87552 ----a-w- d:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-28 01:05 31232 ----a-w- d:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-28 01:04 546816 ----a-w- d:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-28 01:04 160256 ----a-w- d:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-28 01:04 60928 ----a-w- d:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-28 01:04 350208 ----a-w- d:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-28 01:04 196608 ----a-w- d:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-28 01:04 100864 ----a-w- d:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-28 01:05 81920 ----a-w- d:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-28 01:04 40448 ----a-w- d:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-28 01:04 226816 ----a-w- d:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-28 01:04 61952 ----a-w- d:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-28 01:04 33280 ----a-w- d:\windows\system32\WpdConns.dll
2009-09-25 02:10 . 2009-10-28 01:06 974848 ----a-w- d:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-28 01:06 189440 ----a-w- d:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-28 01:06 321024 ----a-w- d:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-28 01:06 1554432 ----a-w- d:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-28 01:06 351232 ----a-w- d:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-28 01:06 847360 ----a-w- d:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-28 01:06 280064 ----a-w- d:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-28 01:06 135680 ----a-w- d:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-28 01:06 195584 ----a-w- d:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-28 01:06 829440 ----a-w- d:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-28 01:06 369664 ----a-w- d:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-28 01:06 252928 ----a-w- d:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-28 01:06 519680 ----a-w- d:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-28 01:06 486912 ----a-w- d:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-28 01:06 161280 ----a-w- d:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-28 01:06 218112 ----a-w- d:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-28 01:06 1030144 ----a-w- d:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-28 01:06 828928 ----a-w- d:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-28 01:06 481792 ----a-w- d:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-28 01:06 190464 ----a-w- d:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-28 01:06 634880 ----a-w- d:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-28 01:06 37888 ----a-w- d:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-28 01:06 793088 ----a-w- d:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-28 01:06 1064448 ----a-w- d:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-28 01:06 258048 ----a-w- d:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-28 01:06 667648 ----a-w- d:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-28 01:06 26112 ----a-w- d:\windows\system32\printfilterpipelineprxy.dll
2009-09-20 00:46 . 2009-09-20 00:29 256 ----a-w- d:\windows\system32\pool.bin
2009-09-16 02:02 . 2009-09-16 02:02 59920 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2009-09-16 02:02 . 2009-09-16 02:02 109072 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2009-09-16 02:02 . 2009-09-16 02:02 264720 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2009-09-16 01:45 . 2009-04-17 00:27 835616 --sha-w- d:\windows\system32\drivers\fidbox2.dat
2009-09-16 01:45 . 2009-04-17 00:27 4150304 --sha-w- d:\windows\system32\drivers\fidbox.dat
2009-09-14 09:29 . 2009-10-14 19:54 144896 ----a-w- d:\windows\system32\drivers\srv2.sys
2009-09-10 16:48 . 2009-10-14 19:55 218624 ----a-w- d:\windows\system32\msv1_0.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- d:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- d:\program files\mozilla firefox\plugins\ssldivx.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- d:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="d:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-21 39408]
"ehTray.exe"="d:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="d:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"ISUSPM"="d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="d:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVP"="d:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-07-03 303376]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-19 198160]
"snp2uvc"="d:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"RoxWatchTray"="d:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-11-20 149280]
d:\users\Cece\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCABattery"= 0 (0x0)
"HideSCANetwork"= 0 (0x0)
"HideSCAVolume"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(
:ec,57,16,97,b7,55,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-492191835-2237326735-3823121520-1000]
"EnableNotificationsRef"=dword:00000002
R0 klbg;Kaspersky Lab Boot Guard Driver;d:\windows\System32\drivers\klbg.sys [12/15/2008 7:41 PM 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;d:\windows\System32\drivers\klim6.sys [3/26/2008 12:10 PM 21008]
R3 klmouflt;Kaspersky Lab KLMOUFLT;d:\windows\System32\drivers\klmouflt.sys [5/16/2009 7:59 PM 19472]
S3 FontCache;Windows Font Cache Service;d:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/24/2009 11:19 PM 21504]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2009-12-02 d:\windows\Tasks\User_Feed_Synchronization-{2B0944A2-65B9-4416-9135-08E865DC4B91}.job
- d:\windows\system32\msfeedssync.exe [2009-10-19 03:41]
2009-12-02 d:\windows\Tasks\User_Feed_Synchronization-{DBEA06E4-BF20-48A7-A199-AA0AD16DEFFC}.job
- d:\windows\system32\msfeedssync.exe [2009-10-19 03:41]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
IE: Add to Anti-Banner - d:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\users\Cece\AppData\Roaming\Mozilla\Firefox\Profiles\m8nai9rf.default\
FF - plugin: d:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Broadcom 802.11b Network Adapter - d:\program files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe verbose
AddRemove-NVIDIA Drivers - d:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-RealJukebox 1.0 - d:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - d:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 19:47
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-01 19:58
ComboFix-quarantined-files.txt 2009-12-02 00:58
ComboFix2.txt 2009-09-21 23:19
Pre-Run: 51,171,737,600 bytes free
Post-Run: 51,365,101,568 bytes free
- - End Of File - - 6AC991D452BC717D2C784E01F43F9EF6
ComboFix 09-12-01.01 - Cece 12/01/2009 19:30.2.2 - x86
Running from: d:\users\Cece_Phoenix\Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\windows\system32\clrviddc.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.
2009-12-02 00:47 . 2009-12-02 00:48 -------- d-----w- d:\users\Cece\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:48 -------- d-----w- d:\users\Cece_Phoenix\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:47 -------- d-----w- d:\users\Public\AppData\Local\temp
2009-12-02 00:47 . 2009-12-02 00:47 -------- d-----w- d:\users\Default\AppData\Local\temp
2009-12-02 00:18 . 2009-12-02 00:19 49152 d-----w- D:\32788R22FWJFW
2009-11-30 10:57 . 2009-11-30 10:57 -------- d-----w- d:\program files\Recuva
2009-11-26 01:46 . 2009-10-29 09:17 2048 ----a-w- d:\windows\system32\tzres.dll
2009-11-25 13:03 . 2009-08-11 16:44 1401856 ----a-w- d:\windows\system32\msxml6.dll
2009-11-25 13:03 . 2009-08-11 16:44 1248768 ----a-w- d:\windows\system32\msxml3.dll
2009-11-24 03:37 . 2009-11-24 03:37 484976 ----a-w- d:\programdata\Google\Google Toolbar\Update\gtbE0D6.tmp.exe
2009-11-20 14:10 . 2009-11-20 14:10 -------- d-----w- d:\program files\Java
2009-11-19 04:29 . 2009-11-19 04:29 72656 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\kavupgr.exe
2009-11-19 04:29 . 2009-11-19 04:29 72656 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\kis\kavupgr.exe
2009-11-12 01:48 . 2009-11-12 01:48 26694 ----a-r- d:\users\Cece\AppData\Roaming\Microsoft\Installer\{9278C797-7F46-4D4A-B8D7-4F168D5C8583}\BlackBerry.exe
2009-11-12 00:27 . 2009-11-12 00:27 26694 ----a-r- d:\users\Cece\AppData\Roaming\Microsoft\Installer\{E110612F-8478-4EF8-AF55-45B3779F9F12}\BlackBerry.exe
2009-11-11 13:38 . 2009-11-11 13:39 4096 d-----w- d:\program files\Roxio
2009-11-11 13:38 . 2009-11-11 13:38 -------- d-----w- d:\program files\Common Files\Sonic Shared
2009-11-11 13:30 . 2009-11-11 13:30 -------- d-----w- d:\program files\Research In Motion
2009-11-11 08:26 . 2009-08-14 13:27 2036736 ----a-w- d:\windows\system32\win32k.sys
2009-11-11 08:26 . 2009-08-10 12:35 355328 ----a-w- d:\windows\system32\WSDApi.dll
2009-11-04 15:10 . 2009-11-04 15:10 -------- d-----w- d:\program files\JL_Cmder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 23:53 . 2009-05-14 04:11 56800 ----a-w- d:\programdata\nvModes.dat
2009-11-30 09:57 . 2009-04-17 00:27 4096 d-----w- d:\programdata\Kaspersky Lab
2009-11-29 22:09 . 2009-03-26 07:08 382072 ----a-w- d:\windows\system32\perfh011.dat
2009-11-29 22:09 . 2009-03-26 07:08 101350 ----a-w- d:\windows\system32\perfc011.dat
2009-11-20 14:11 . 2009-08-03 21:36 411368 ----a-w- d:\windows\system32\deploytk.dll
2009-11-18 22:32 . 2009-09-21 23:41 -------- d-----w- d:\users\Cece\AppData\Roaming\Skype
2009-11-18 22:31 . 2009-03-20 03:07 119488 ----a-w- d:\users\Cece\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-12 00:24 . 2009-07-21 20:07 4096 d-----w- d:\program files\Common Files\Research In Motion
2009-11-11 16:31 . 2006-11-02 11:18 4096 d-----w- d:\program files\Windows Mail
2009-11-11 13:49 . 2009-05-05 22:48 119488 ----a-w- d:\users\Cece_Phoenix\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-11 13:39 . 2009-09-20 01:43 4096 d-----w- d:\program files\Common Files\Roxio Shared
2009-11-11 13:39 . 2009-03-21 16:16 4096 d-----w- d:\program files\Common Files\PX Storage Engine
2009-11-11 13:38 . 2009-09-20 01:51 -------- d-----w- d:\programdata\Roxio
2009-11-11 13:38 . 2009-03-20 17:08 -------- d-----w- d:\program files\Common Files\InstallShield
2009-11-03 01:42 . 2009-10-03 05:01 195456 ------w- d:\windows\system32\MpSigStub.exe
2009-10-28 05:32 . 2009-10-28 05:32 -------- d-----w- d:\program files\Windows Portable Devices
2009-10-28 05:25 . 2006-11-02 10:25 665600 ----a-w- d:\windows\inf\drvindex.dat
2009-10-28 05:24 . 2009-10-28 05:24 0 ---ha-w- d:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-28 05:22 . 2009-10-28 05:22 0 ---ha-w- d:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-25 21:56 . 2009-05-14 04:25 -------- d-----w- d:\programdata\NVIDIA
2009-10-25 20:58 . 2006-11-02 12:35 -------- d-----w- d:\program files\Windows Calendar
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Sidebar
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Journal
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Collaboration
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Photo Gallery
2009-10-25 20:58 . 2006-11-02 12:35 4096 d-----w- d:\program files\Windows Defender
2009-10-15 17:03 . 2009-10-15 17:03 -------- d-----w- d:\users\Cece\AppData\Roaming\Foxit
2009-10-15 17:03 . 2009-10-15 17:03 -------- d-----w- d:\program files\Foxit Software
2009-10-15 00:43 . 2009-03-21 16:15 8192 d-----w- d:\program files\DivX
2009-10-15 00:42 . 2009-03-21 16:15 4096 d-----w- d:\program files\Common Files\DivX Shared
2009-10-15 00:30 . 2009-09-28 01:00 4096 d-----w- d:\programdata\NOS
2009-10-15 00:30 . 2009-09-28 01:00 -------- d-----w- d:\program files\NOS
2009-10-14 07:09 . 2009-04-17 00:28 95259 ----a-w- d:\windows\system32\drivers\klick.dat
2009-10-14 07:09 . 2009-04-17 00:28 108059 ----a-w- d:\windows\system32\drivers\klin.dat
2009-10-12 06:50 . 2009-10-12 06:50 -------- d-----w- d:\program files\CCleaner
2009-10-12 06:27 . 2009-09-16 02:03 932368 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-10-12 06:27 . 2009-09-16 02:03 678416 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-10-12 06:27 . 2009-09-16 02:03 604688 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-10-12 06:27 . 2009-09-16 02:03 522768 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-10-12 06:27 . 2009-09-16 02:03 1096208 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-10-11 00:59 . 2009-10-11 00:59 1 ----a-w- d:\users\Cece_Phoenix\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-11 00:56 . 2009-10-11 00:56 -------- d-----w- d:\users\Cece_Phoenix\AppData\Roaming\OpenOffice.org
2009-10-10 16:32 . 2009-10-10 16:32 -------- d-----w- d:\program files\JRE
2009-10-10 16:31 . 2009-10-10 16:31 4096 d-----w- d:\program files\OpenOffice.org 3
2009-10-08 21:08 . 2009-10-28 01:02 555520 ----a-w- d:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-10-28 01:02 234496 ----a-w- d:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-10-28 01:02 4096 ----a-w- d:\windows\system32\oleaccrc.dll
2009-10-04 21:45 . 2009-08-22 00:58 4096 d-----w- d:\users\Cece_Phoenix\AppData\Roaming\Skype
2009-10-04 21:36 . 2009-08-22 01:01 -------- d-----w- d:\users\Cece_Phoenix\AppData\Roaming\skypePM
2009-10-01 01:02 . 2009-10-28 01:04 2537472 ----a-w- d:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-28 01:05 30208 ----a-w- d:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-28 01:04 334848 ----a-w- d:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-28 01:04 87552 ----a-w- d:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-28 01:05 31232 ----a-w- d:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-28 01:04 546816 ----a-w- d:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-28 01:04 160256 ----a-w- d:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-28 01:04 60928 ----a-w- d:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-28 01:04 350208 ----a-w- d:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-28 01:04 196608 ----a-w- d:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-28 01:04 100864 ----a-w- d:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-28 01:05 81920 ----a-w- d:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-28 01:04 40448 ----a-w- d:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-28 01:04 226816 ----a-w- d:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-28 01:04 61952 ----a-w- d:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-28 01:04 33280 ----a-w- d:\windows\system32\WpdConns.dll
2009-09-25 02:10 . 2009-10-28 01:06 974848 ----a-w- d:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-28 01:06 189440 ----a-w- d:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-28 01:06 321024 ----a-w- d:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-28 01:06 1554432 ----a-w- d:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-28 01:06 351232 ----a-w- d:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-28 01:06 847360 ----a-w- d:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-28 01:06 280064 ----a-w- d:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-28 01:06 135680 ----a-w- d:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-28 01:06 195584 ----a-w- d:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-28 01:06 829440 ----a-w- d:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-28 01:06 369664 ----a-w- d:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-28 01:06 252928 ----a-w- d:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-28 01:06 519680 ----a-w- d:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-28 01:06 486912 ----a-w- d:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-28 01:06 161280 ----a-w- d:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-28 01:06 218112 ----a-w- d:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-28 01:06 1030144 ----a-w- d:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-28 01:06 828928 ----a-w- d:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-28 01:06 481792 ----a-w- d:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-28 01:06 190464 ----a-w- d:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-28 01:06 634880 ----a-w- d:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-28 01:06 37888 ----a-w- d:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-28 01:06 793088 ----a-w- d:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-28 01:06 1064448 ----a-w- d:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-28 01:06 258048 ----a-w- d:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-28 01:06 667648 ----a-w- d:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-28 01:06 26112 ----a-w- d:\windows\system32\printfilterpipelineprxy.dll
2009-09-20 00:46 . 2009-09-20 00:29 256 ----a-w- d:\windows\system32\pool.bin
2009-09-16 02:02 . 2009-09-16 02:02 59920 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2009-09-16 02:02 . 2009-09-16 02:02 109072 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2009-09-16 02:02 . 2009-09-16 02:02 264720 ----a-w- d:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2009-09-16 01:45 . 2009-04-17 00:27 835616 --sha-w- d:\windows\system32\drivers\fidbox2.dat
2009-09-16 01:45 . 2009-04-17 00:27 4150304 --sha-w- d:\windows\system32\drivers\fidbox.dat
2009-09-14 09:29 . 2009-10-14 19:54 144896 ----a-w- d:\windows\system32\drivers\srv2.sys
2009-09-10 16:48 . 2009-10-14 19:55 218624 ----a-w- d:\windows\system32\msv1_0.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- d:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- d:\program files\mozilla firefox\plugins\ssldivx.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- d:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="d:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-21 39408]
"ehTray.exe"="d:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="d:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"ISUSPM"="d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="d:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVP"="d:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-07-03 303376]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-19 198160]
"snp2uvc"="d:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"RoxWatchTray"="d:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-11-20 149280]
d:\users\Cece\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCABattery"= 0 (0x0)
"HideSCANetwork"= 0 (0x0)
"HideSCAVolume"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(
:ec,57,16,97,b7,55,ca,01[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-492191835-2237326735-3823121520-1000]
"EnableNotificationsRef"=dword:00000002
R0 klbg;Kaspersky Lab Boot Guard Driver;d:\windows\System32\drivers\klbg.sys [12/15/2008 7:41 PM 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;d:\windows\System32\drivers\klim6.sys [3/26/2008 12:10 PM 21008]
R3 klmouflt;Kaspersky Lab KLMOUFLT;d:\windows\System32\drivers\klmouflt.sys [5/16/2009 7:59 PM 19472]
S3 FontCache;Windows Font Cache Service;d:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/24/2009 11:19 PM 21504]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2009-12-02 d:\windows\Tasks\User_Feed_Synchronization-{2B0944A2-65B9-4416-9135-08E865DC4B91}.job
- d:\windows\system32\msfeedssync.exe [2009-10-19 03:41]
2009-12-02 d:\windows\Tasks\User_Feed_Synchronization-{DBEA06E4-BF20-48A7-A199-AA0AD16DEFFC}.job
- d:\windows\system32\msfeedssync.exe [2009-10-19 03:41]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
IE: Add to Anti-Banner - d:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\users\Cece\AppData\Roaming\Mozilla\Firefox\Profiles\m8nai9rf.default\
FF - plugin: d:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Broadcom 802.11b Network Adapter - d:\program files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe verbose
AddRemove-NVIDIA Drivers - d:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-RealJukebox 1.0 - d:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - d:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 19:47
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-01 19:58
ComboFix-quarantined-files.txt 2009-12-02 00:58
ComboFix2.txt 2009-09-21 23:19
Pre-Run: 51,171,737,600 bytes free
Post-Run: 51,365,101,568 bytes free
- - End Of File - - 6AC991D452BC717D2C784E01F43F9EF6
#4
Tomk
-
- Global Moderator
-
- 20,451 posts
Beguilement Monitor
Posted 01 December 2009 - 07:47 PM
stargazercece,
Looking good. Let's get an online scan as a double check.
ESET Online Scanner:
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
Looking good. Let's get an online scan as a double check.
ESET Online Scanner:
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
- Please go here then click on:
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. - Select the option YES, I accept the Terms of Use then click on:
- When prompted allow the Add-On/Active X to install.
- Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Now click on:
- The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
- When completed the Online Scan will begin automatically.
- Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
- When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
- Now click on:
- Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
------------------------------------------------------------
Microsoft MVP 2010-2014
#5
stargazercece
-
- Authentic Member
-
- 31 posts
Authentic Member
Posted 04 December 2009 - 04:08 PM
Since that first flash disinfection didn't work, will something else be tried?
Here's the log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2675eefbe868c84885ccd6b32375f344
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-12-04 02:08:05
# local_time=2009-12-04 09:08:05 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 9576294 9576294 0 0
# compatibility_mode=1280 16777215 100 0 5910249 5910249 0 0
# compatibility_mode=5892 16776637 100 100 0 96504517 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=167539
# found=0
# cleaned=0
# scan_time=38827
#6
Tomk
-
- Global Moderator
-
- 20,451 posts
Beguilement Monitor
Posted 04 December 2009 - 06:10 PM
stargazercece,
The sub-routine was ran with ComboFix. You should be ok.
Log looks good
Time for some housekeeping
Please re-enable any security that was disabled.
Now to remove most of the tools that we have used in fixing your machine:
The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.
Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.
I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein
Also: "How to prevent malware"
by miekiemoes
Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.
The sub-routine was ran with ComboFix. You should be ok.
Log looks good
Time for some housekeeping
- Click START then RUN
- Now type Combofix /Uninstall in the runbox and click OK
- Note the space between the X and the U, it needs to be there.
- Implement some cleanup procedures.
- Reset System Restore.
Please re-enable any security that was disabled.
Now to remove most of the tools that we have used in fixing your machine:
- Make sure you have an Internet Connection.
- Download OTC to your desktop and run it
- A list of tool components used in the cleanup of malware will be downloaded.
- If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
- Click Yes to begin the cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.
Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.
I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein
Also: "How to prevent malware"
by miekiemoes
Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
------------------------------------------------------------
Microsoft MVP 2010-2014
#7
stargazercece
-
- Authentic Member
-
- 31 posts
Authentic Member
Posted 06 December 2009 - 12:55 AM
Wait, when I ran combofix was the flash drive supposed to be in the usb port?
#8
stargazercece
-
- Authentic Member
-
- 31 posts
Authentic Member
Posted 06 December 2009 - 01:06 AM
Wait, when I ran combofix was the flash drive supposed to be in the usb port? I didn't have mine plugged in.
#9
Tomk
-
- Global Moderator
-
- 20,451 posts
Beguilement Monitor
Posted 06 December 2009 - 08:48 AM
stargazercece,
Do this just to be sure: (Besides, it's a good program to run now and then)
Please download Malwarebytes' Anti-Malware to your desktop.
Do this just to be sure: (Besides, it's a good program to run now and then)
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform full scan, then click Scan.
- Be sure your flash drive is in and that it's drive letter is selected.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
- Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
------------------------------------------------------------
Microsoft MVP 2010-2014
#10
stargazercece
-
- Authentic Member
-
- 31 posts
Authentic Member
Posted 08 December 2009 - 09:22 PM
A virus showed up in the combofix program. I hadn't removed it yet, because I didn't know whether it was needed in order to disinfect my flash drive. However when I went to remove it according to the instructions, a virus popped up and kaspersky caught it I think. It was called Trojan Program Trojan.BAT.DelFiles.eu. Kaspersky has either quarantined it or deleted it because it no longer shows up anywhere.
Here's the Malwarebytes log:
Malwarebytes' Anti-Malware 1.40
Database version: 2658
Windows 6.0.6002 Service Pack 2
12/8/2009 10:20:38 PM
mbam-log-2009-12-08 (22-20-38).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 269571
Time elapsed: 5 hour(s), 1 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Register to Remove
#11
Tomk
-
- Global Moderator
-
- 20,451 posts
Beguilement Monitor
Posted 08 December 2009 - 10:17 PM
stargazercece,
OK. The thing is, I need you to run or remove programs in the order and when I tell you to.
It is not unusual for your AV program to target files that ComboFix has already quarantined in the QooBox. Also, many security programs will target ComboFix or parts of ComboFix. What is unusual in the situation that you have described is the name of the infection you say was displayed. That particular infection only shows (as the name implies) as a .bat file. We removed no .bat files from your system. Typically this would enter the system as an attachment to an email. We found no infected emails. I am a bit a loss as to how you got that warning.
Now... it sounds like you did run OTC even though you didn't uninstall ComboFix first. Is this correct?
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
------------------------------------------------------------
Microsoft MVP 2010-2014
#12
stargazercece
-
- Authentic Member
-
- 31 posts
Authentic Member
Posted 09 December 2009 - 07:06 PM
No. When you placed the post about removing Combofix and then running OTC, I replied with an inquiry about my flash drive. I never ran either program. The combofix virus alert showed up right as I was reading your post and before I went to run Malwarebytes (Dec 7th). Kaspersky was sitting there and then suddenly made a fuss about the virus.
#13
Tomk
-
- Global Moderator
-
- 20,451 posts
Beguilement Monitor
Posted 09 December 2009 - 07:43 PM
stargazercece,
Hmm... So is the ComboFix Icon still on your desktop?
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
------------------------------------------------------------
Microsoft MVP 2010-2014
#14
stargazercece
-
- Authentic Member
-
- 31 posts
Authentic Member
Posted 11 December 2009 - 09:52 PM
No kaspersky deleted it. I can't find it anywhere...
The detected threats report says:
12/7/2009 1:11:54 AM Deleted Trojan program Trojan.BAT.DelFiles.eu d:\Users\cece_phoenix\downloads\ComboFix.exe
12/7/2009 1:11:54 AM Deleted Trojan program Trojan.BAT.DelFiles.eu d:\Users\cece_phoenix\downloads\ComboFix.exe//PE_Patch.UPX
12/7/2009 1:11:54 AM Deleted Trojan program Trojan.BAT.DelFiles.eu d:\Users\cece_phoenix\downloads\ComboFix.exe//PE_Patch.UPX/32788R22FWJFW\c.bat
#15
Tomk
-
- Global Moderator
-
- 20,451 posts
Beguilement Monitor
Posted 11 December 2009 - 11:08 PM
stargazercece,
That appears to be a false positive but... that shows that ComboFix was located in the Downloads folder. Not the desktop as required. 
Go ahead and run OTC now and hopefully it will clean things up.
Then please verify that you clock settings are correct.
Go ahead and run OTC now and hopefully it will clean things up.
Then please verify that you clock settings are correct.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
------------------------------------------------------------
Microsoft MVP 2010-2014
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
