
All Sorts Of Trouble
#1
Posted 19 June 2010 - 04:22 PM
#2
Posted 19 June 2010 - 06:35 PM

FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
The first thing you need to do is uninstall one of the firewalls:
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.
1. Click Start > Settings > Control Panel.
2. Next, open Add/Remove Programs and remove either:
McAfee Personal Firewall
Outpost Firewall Pro
Reboot and let me know if there's any changes
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#3
Posted 19 June 2010 - 06:44 PM
#4
Posted 19 June 2010 - 06:45 PM
#5
Posted 19 June 2010 - 06:55 PM
#6
Posted 19 June 2010 - 06:58 PM
- Click Start > Run.
- Now type ComboFix /Uninstall in the Run box and click OK. Note the space between the X and the U; it needs to be there.
DO NOT use any TOOLS such as ComboFix or HijackThis fixes without supervision.
Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.
Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. With admin rights (right-click, choose "Run as Administrator").
Stay with this topic until I give you the all clean post.
You might want to print these instructions out.
I suggest you do this:
XP Users
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.
Vista Users
To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:
Close all programs so that you are at your desktop.
Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:
If you are in the Classic View do the following:
Double-click on the Folder Options icon.
Click on the View tab.
If you are in the Control Panel Home view do the following:
Click on the Appearance and Personalization link.
Click on Show Hidden Files or Folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Please do not delete anything unless instructed to.
We've been seeing some Java infections lately.
Go here and follow the instructions to clear your Java Cache
Next:
Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
It's normal after running ATF cleaner that the PC will be slower to boot the first time.
Next:
Download ComboFix from one of these locations:
Link 1
Link 2 If using this link, Right Click and select Save As.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
- Double click on ComboFix.exe & follow the prompts.
Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
Note: If you have SP3, use the SP2 package.
If Vista or Windows 7, skip the Recovery Console part
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Give it at least 20-30 minutes to finish if needed.
Please do not attach the scan results from ComboFix. Use copy/paste.
Also please describe how your computer behaves at the moment.
#7
Posted 19 June 2010 - 07:05 PM
#8
Posted 19 June 2010 - 07:07 PM
When I type ComboFix /uninstall it runs ComboFix and the only way to stop it from running is shutting it down from the Task Manager.

It needs to run to uninstall it. It won't do a scan. What it's doing is uninstalling and removing any bad files it found / fixed. Let it finish.
#9
Posted 19 June 2010 - 07:22 PM
#11
Posted 19 June 2010 - 07:49 PM
Edited by DragonMyth36, 19 June 2010 - 07:50 PM.
#12
Posted 19 June 2010 - 07:53 PM
#13
Posted 19 June 2010 - 08:53 PM
One thing, now my firefox is a touch wonky. The CNN webpage loads really odd looking and on some pages the pics won't load up. I've checked more sites out. Most sites are loading just text with most of the graphics not showing up in Firefox. Things look normal in IE.
Other than that, things appear to be back to normal. I can now type windowsupdate without getting an error and IE is no longer hijacked. How do I fix whatever is wrong with Firefox?
And do you give my system the all clear?
ComboFix 10-06-19.01 - The Dragon 06/19/2010 21:10:46.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.615 [GMT -5:00]
Running from: c:\documents and settings\The Dragon\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\DRIVERS\kbdclass.sys was found and disinfected
Restored copy from - Kitty had a snack

.
((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.
2010-06-20 02:06 . 2008-04-13 18:39 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-06-20 02:06 . 2008-04-13 18:39 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys
2010-06-15 16:15 . 2010-06-15 16:15 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple Computer
2010-06-14 10:45 . 2010-06-14 10:45 -------- d-----w- c:\program files\Trend Micro
2010-06-09 11:59 . 2007-08-31 17:52 56496 ----a-w- c:\windows\system32\wbhelp2.dll
2010-06-09 11:59 . 2007-08-31 17:52 33968 ----a-w- c:\windows\system32\anim.dll
2010-06-09 11:59 . 2004-12-07 15:11 258352 ----a-w- c:\windows\system32\unicows.dll
2010-06-09 11:59 . 1999-11-22 20:50 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2010-06-09 11:59 . 1999-11-22 20:50 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2010-06-09 11:59 . 2010-06-09 12:04 -------- d-----w- c:\program files\WinUtilities
2010-06-09 11:42 . 2010-06-09 11:42 -------- d-----w- c:\program files\CCleaner
2010-06-09 04:37 . 2010-06-09 04:37 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple
2010-06-08 10:42 . 2010-06-08 10:42 -------- d-----w- c:\program files\Firaxis Games
2010-06-05 12:30 . 2010-06-05 12:30 -------- d-----w- c:\program files\Microsoft Games
2010-06-05 12:12 . 2010-06-05 12:12 -------- d-----w- c:\program files\WON
2010-06-05 12:12 . 2010-06-05 12:12 -------- d-----w- c:\program files\Sierra On-Line
2010-06-05 08:41 . 2010-06-05 08:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-05 06:42 . 2010-06-05 06:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-05 05:00 . 2010-06-05 05:00 -------- d-----w- c:\documents and settings\The Dragon\Local Settings\Application Data\rvobtenkh
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-20 02:25 . 2010-02-06 05:01 -------- d-----w- c:\program files\Chameleon Clock
2010-06-16 19:30 . 2010-02-03 09:05 -------- d-----w- c:\program files\McAfee
2010-06-16 13:13 . 2008-07-22 09:06 -------- d-----w- c:\program files\ESET
2010-06-14 14:19 . 2003-12-05 19:48 48976 ----a-w- c:\documents and settings\The Dragon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 12:19 . 2010-02-03 03:13 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 07:14 . 2008-10-01 11:27 -------- d-----w- c:\program files\Full Tilt Poker
2010-06-13 05:14 . 2010-02-03 03:06 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-09 11:52 . 2009-07-14 04:33 -------- d-----w- c:\documents and settings\The Dragon\Application Data\Media Player Classic
2010-06-09 11:51 . 2005-11-03 20:16 -------- d-----w- c:\documents and settings\The Dragon\Application Data\Azureus
2010-06-08 11:51 . 2003-12-03 05:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-08 04:57 . 2010-04-18 01:09 -------- d-----w- c:\documents and settings\The Dragon\Application Data\uTorrent
2010-06-05 02:14 . 2008-08-11 11:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-12 16:29 . 2003-12-05 21:21 -------- d-----w- c:\program files\Google
2010-05-03 19:11 . 2010-05-02 19:16 -------- d-----w- c:\documents and settings\The Dragon\Application Data\Winamp
2010-05-02 19:17 . 2010-05-02 19:16 -------- d-----w- c:\program files\Winamp
2010-05-02 19:16 . 2010-05-02 19:16 -------- d-----w- c:\program files\Winamp Detect
2010-05-02 19:05 . 2007-03-15 04:08 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-30 13:08 . 2010-04-18 01:09 -------- d-----w- c:\program files\uTorrent
2010-04-30 09:54 . 2010-04-30 09:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 08:23 . 2010-02-03 03:13 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-30 08:05 . 2010-04-30 08:02 -------- d-----w- c:\documents and settings\The Dragon\Application Data\QuickScan
2010-04-30 05:27 . 2010-04-30 05:27 0 ----a-w- c:\windows\Gtesuvimu.bin
2010-04-30 05:27 . 2010-04-30 05:27 120 ----a-w- c:\windows\Mhoxevoganidesu.dat
2010-04-29 20:39 . 2010-04-30 09:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-04-30 09:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-01 23:54 . 2010-04-01 23:54 106 ----a-w- c:\windows\system32\desktop8.dat
2010-02-03 06:40 . 2010-02-03 06:40 4 ----a-w- c:\program files\978484.dat
2010-02-02 01:06 . 2010-02-02 01:06 4 ----a-w- c:\program files\206046.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Dell\EUSW\support .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Google\Quick Search Box\googlequicksearchbox .exe
c:\program files\IObit\Advanced SystemCare 3\awc .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Microsoft Security Essentials\msseces .exe
c:\program files\PeerGuardian2\pg2 .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Say the Time\saytime .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\windows\SYSTEM32\dla\tfswctrl .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HomeAlarm"="c:\program files\Chameleon Clock\ChamClock.exe" [2007-12-11 709632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
backup=c:\windows\pss\Billminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DESKTOP(2).INI]
backup=c:\windows\pss\DESKTOP(2).INICommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^The Dragon^Start Menu^Programs^Startup^DESKTOP(2).INI]
backup=c:\windows\pss\DESKTOP(2).INIStartup
[HKLM\~\startupfolder\C:^Documents and Settings^The Dragon^Start Menu^Programs^Startup^ePrompter.lnk]
backup=c:\windows\pss\ePrompter.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aiifjyvq
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostFeedBack
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lbugeqonofaja]
c:\windows\masgndon.dll [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 19:01 13529088 ----a-w- c:\windows\SYSTEM32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 19:01 86016 ----a-w- c:\windows\SYSTEM32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 01:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
c:\program files\PowerISO\PWRISOVM.EXE [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rfuzuqufunaviqe]
c:\windows\ayijobecebep.dll [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-01-05 13:56 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-04-30 09:11 321328 ----a-w- c:\program files\uTorrent\uTorrent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-03-07 01:08 3558136 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Full Tilt Poker\\FullTiltPoker.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\SYSTEM32\\taskmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 8:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/3/2010 4:09 AM 93320]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [4/12/2004 5:39 PM 36224]
S1 SandBox;Outpost Firewall Sandbox Driver;\??\c:\program files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS --> c:\program files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS [?]
S1 VFILT;Outpost Firewall Kernel Driver;\??\c:\program files\Agnitum\Outpost Firewall\kernel\FILTNT.SYS --> c:\program files\Agnitum\Outpost Firewall\kernel\FILTNT.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/18/2010 5:05 AM 135664]
S2 mrtRate;mrtRate; [x]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL [?]
S3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\ARP.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\ARP.DLL [?]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\CONTENT.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\CONTENT.DLL [?]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL [?]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL [?]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL [?]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL [?]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL [?]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL [?]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL [?]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL [?]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\PROTECT.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\PROTECT.DLL [?]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\DRIVERS\ProtoWall.sys --> c:\windows\system32\DRIVERS\ProtoWall.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 7408]
S3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);\??\c:\program files\Agnitum\Outpost Firewall\kernel\SECRET.DLL --> c:\program files\Agnitum\Outpost Firewall\kernel\SECRET.DLL [?]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [11/17/2006 4:31 PM 639224]
.
Contents of the 'Scheduled Tasks' folder
2010-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 10:05]
2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 10:05]
2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-03 18:22]
2010-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-03 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.runescape.com/title.ws
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\The Dragon\Application Data\Mozilla\Firefox\Profiles\default.4ne\
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\The Dragon\Application Data\Mozilla\Firefox\Profiles\default.4ne\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\The Dragon\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\The Dragon\Application Data\Mozilla\Firefox\Profiles\default.4ne\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\The Dragon\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 21:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1269095022-213562631-4004672536-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:49,11,e5,43,bd,9e,16,9d,c5,6d,0d,be,eb,82,3b,52,fd,70,86,2b,86,a1,05,
b4,f1,d4,ab,bf,ec,d7,9f,1c,9c,ca,2f,d4,ef,6c,f7,fb,59,89,59,7a,a8,18,e7,b1,\
"??"=hex:e6,6a,a3,1c,fa,72,01,e3,3c,21,d6,00,54,d0,25,36
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(520)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(256)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-19 21:38:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-20 02:38
ComboFix2.txt 2010-04-30 09:24
Pre-Run: 11,028,389,888 bytes free
Post-Run: 11,166,748,672 bytes free
- - End Of File - - A2153506EE8A8C8094ACA5CC5A6313BB
Edited by DragonMyth36, 19 June 2010 - 09:07 PM.
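The things a helper reads off a log like this one are mechanical enough to script: the header reports two firewalls as *enabled* (the point made in post #2), a block of programs is listed with a space before ".exe" (which is what a RenV:: section in a CFScript repairs), and several msconfig\startupreg entries point at DLLs directly under c:\windows that no longer exist. The following Python script is an added example; it is not part of the original thread and not a ComboFix feature. It runs those checks over an abridged excerpt of the log above and builds the RenV:: and Registry:: sections in the layout the helper uses. The regular expressions, the "DLL sitting directly in c:\windows" heuristic, and the function names are this example's own assumptions.

```python
"""Heuristic triage of ComboFix log lines (added example, not a ComboFix feature)."""
import re

# Constructed input: an abridged excerpt of the log in post #13 above.
SAMPLE_LOG = r"""
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lbugeqonofaja]
c:\windows\masgndon.dll [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rfuzuqufunaviqe]
c:\windows\ayijobecebep.dll [N/A]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "AV: <name> *<state>* ..." and "FW: <name> *<state>* ..." header lines.
PRODUCT = re.compile(r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*")
# A path whose extension is separated from the stem by a space ("foo .exe").
SPACED_EXT = re.compile(r"^(?P<stem>[a-z]:\\.*\S) \.(?P<ext>exe|dll|sys)$", re.I)
# msconfig\startupreg key header; the line after it names the target.
STARTUP_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools"
                         r"\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$", re.I)
MISSING_TARGET = re.compile(r"^(?P<target>.+?) \[N/A\]$")
# Assumption (this example's heuristic): a DLL directly in c:\windows,
# rather than in system32, is unusual enough to flag.
WINDIR_ROOT_DLL = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.I)
XP_FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')


def triage(log_text):
    """Return the findings the heuristics above pick out of a ComboFix log."""
    findings = {"enabled_fw": [], "av_disabled": [], "spaced_ext": [],
                "orphan_windir_dll": [], "xp_firewall_off": False}
    pending_key = None  # startupreg key whose target line comes next
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_name, pending_key = pending_key, None
        m = PRODUCT.match(line)
        if m:
            state = m["state"].lower()
            if m["kind"] == "FW" and state == "enabled":
                findings["enabled_fw"].append(m["name"])
            elif m["kind"] == "AV" and "disabled" in state:
                findings["av_disabled"].append(m["name"])
            continue
        if SPACED_EXT.match(line):
            findings["spaced_ext"].append(line)
            continue
        m = STARTUP_KEY.match(line)
        if m:
            pending_key = m["name"]
            continue
        m = MISSING_TARGET.match(line)
        if m and key_name and WINDIR_ROOT_DLL.match(m["target"]):
            findings["orphan_windir_dll"].append((key_name, m["target"]))
            continue
        if XP_FIREWALL_OFF.match(line):
            findings["xp_firewall_off"] = True
    return findings


def make_cfscript(findings):
    """Build the CFScript sections these findings justify, in the layout the
    helper used: RenV:: for spaced extensions, Registry:: with a leading '-'
    to delete an orphaned startupreg key. Other findings are report-only."""
    lines = []
    if findings["spaced_ext"]:
        lines.append("RenV::")
        lines.extend(findings["spaced_ext"])
    if findings["orphan_windir_dll"]:
        lines.append("Registry::")
        for key_name, _target in findings["orphan_windir_dll"]:
            lines.append(r"[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools"
                         r"\msconfig\startupreg\%s]" % key_name)
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    if len(result["enabled_fw"]) > 1:
        print("More than one firewall enabled:", ", ".join(result["enabled_fw"]))
    for name in result["av_disabled"]:
        print("AV real-time protection off:", name)
    if result["xp_firewall_off"]:
        print("Windows Firewall policy: EnableFirewall=0")
    print(make_cfscript(result))
```

The orphan check deliberately keeps entries such as nwiz.exe out of the Registry:: section: a missing target alone is common for uninstalled software, so the script only acts when the target was a DLL in the Windows root. Anything it does emit is a draft for a helper to review, not a script to run unsupervised, for the reasons post #6 gives.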
#14
Posted 19 June 2010 - 09:10 PM
Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:
Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.
File::
c:\windows\ayijobecebep.dll
c:\program files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
c:\windows\system32\DRIVERS\ProtoWall.sys

Folder::
c:\documents and settings\The Dragon\Local Settings\Application Data\rvobtenkh
c:\program files\Agnitum\Outpost Firewall

RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Dell\EUSW\support .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Google\Quick Search Box\googlequicksearchbox .exe
c:\program files\IObit\Advanced SystemCare 3\awc .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Microsoft Security Essentials\msseces .exe
c:\program files\PeerGuardian2\pg2 .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Say the Time\saytime .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\windows\SYSTEM32\dla\tfswctrl .exe

Driver::
ProtoWall

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aiifjyvq]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostFeedBack]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lbugeqonofaja]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rfuzuqufunaviqe]
Save this file to your desktop as "CFScript".
Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Drag CFScript.txt into ComboFix.exe
Then post the results log using Copy / Paste
Also please describe how your computer behaves at the moment.
#15
Posted 19 June 2010 - 09:15 PM