tonyc1075

Members
  • Content Count: 35
About tonyc1075

  • Rank: Member

Previous Fields

  • System Specifications: Compaq Presario Laptop Windows XP w/SP3

  1. Everything cleaned up fine, and all looks good! Thanks so much for your help! You guys have been great, as always.
  2. Everything seems to be running alright. Thanks for the input on the file sharing program and the out of date software. I'm cleaning all of that up now. What is the next step? Thanks for your help thus far!
  3. Kaspersky:

     --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7.0: scan report
     Thursday, September 3, 2009
     Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
     Kaspersky Online Scanner version: 7.0.26.13
     Last database update: Thursday, September 03, 2009 18:59:21
     Records in database: 2742945
     --------------------------------------------------------------------------------

     Scan settings:
     scan using the following database: extended
     Scan archives: yes
     Scan e-mail databases: yes

     Scan area - My Computer:
     C:\
     D:\

     Scan statistics:
     Objects scanned: 71161
     Threats found: 6
     Infected objects found: 8
     Suspicious objects found: 0
     Scan duration: 02:12:40

     File name / Threat / Threats count
     C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACrndovnvyxu.sys.vir  Infected: Rootkit.Win32.Agent.roy  1
     C:\Qoobox\Quarantine\C\WINDOWS\system32\payezavu.dll.vir  Infected: Trojan-Downloader.Win32.Agent.bqxc  1
     C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmoqxrfqaqg.dll.vir  Infected: Packed.Win32.TDSS.y  1
     C:\Qoobox\Quarantine\C\WINDOWS\system32\UACppxiuwmdib.dll.vir  Infected: Packed.Win32.TDSS.y  1
     C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir  Infected: Packed.Win32.Krap.x  1
     C:\Qoobox\Quarantine\[4]-Submit_2009-09-02_20.42.09.zip  Infected: Trojan.Win32.Agent2.chuf  1
     C:\Qoobox\Quarantine\[4]-Submit_2009-09-02_20.42.09.zip  Infected: Trojan-Downloader.Win32.Agent.bqxc  1
     C:\Qoobox\Quarantine\[4]-Submit_2009-09-02_20.42.09.zip  Infected: Trojan.Win32.Tdss.ajvp  1

     Selected area has been scanned.
  4. WIN32K:

     Log file is located at: C:\Documents and Settings\Lea Soderstrom\Desktop\Win32kDiag.txt
     Removing all found mount points.
     Attempting to reset file permissions.
     WARNING: Could not get backup privileges!
     Searching 'C:\WINDOWS'...
     Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
     Found mount point : C:\WINDOWS\addins\addins
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\addins\addins
     Found mount point : C:\WINDOWS\Config\Config
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\Config\Config
     Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
     Found mount point : C:\WINDOWS\CSC\d1\d1
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\CSC\d1\d1
     Found mount point : C:\WINDOWS\CSC\d2\d2
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\CSC\d2\d2
     Found mount point : C:\WINDOWS\CSC\d3\d3
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\CSC\d3\d3
     Found mount point : C:\WINDOWS\CSC\d4\d4
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\CSC\d4\d4
     Found mount point : C:\WINDOWS\CSC\d5\d5
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\CSC\d5\d5
     Found mount point : C:\WINDOWS\CSC\d6\d6
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\CSC\d6\d6
     Found mount point : C:\WINDOWS\CSC\d7\d7
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\CSC\d7\d7
     Found mount point : C:\WINDOWS\CSC\d8\d8
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\CSC\d8\d8
     Found mount point : C:\WINDOWS\ftpcache\ftpcache
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\ftpcache\ftpcache
     Found mount point : C:\WINDOWS\ime\chsime\applets\applets
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
     Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
     Found mount point : C:\WINDOWS\ime\imejp\applets\applets
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
     Found mount point : C:\WINDOWS\ime\imejp98\imejp98
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
     Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
     Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
     Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
     Found mount point : C:\WINDOWS\ime\shared\res\res
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\ime\shared\res\res
     Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
     Found mount point : C:\WINDOWS\java\classes\classes
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\java\classes\classes
     Found mount point : C:\WINDOWS\java\trustlib\trustlib
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\java\trustlib\trustlib
     Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
     Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
     Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
     Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
     Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
     Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News
     Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
     Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
     Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
     Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
     Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
     Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
     Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
     Found mount point : C:\WINDOWS\system32\1037\1037
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\1037\1037
     Found mount point : C:\WINDOWS\system32\1041\1041
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\1041\1041
     Found mount point : C:\WINDOWS\system32\1042\1042
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\1042\1042
     Found mount point : C:\WINDOWS\system32\1054\1054
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\1054\1054
     Found mount point : C:\WINDOWS\system32\2052\2052
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\2052\2052
     Found mount point : C:\WINDOWS\system32\3076\3076
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\3076\3076
     Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
     Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
     Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1214440339-706699826-839522115-1003\S-1-5-21-1214440339-706699826-839522115-1003
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1214440339-706699826-839522115-1003\S-1-5-21-1214440339-706699826-839522115-1003
     Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
     Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
     Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
     Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
     Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
     Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
     Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
     Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
     Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
     Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
     Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
     Found mount point : C:\WINDOWS\system32\dhcp\dhcp
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\dhcp\dhcp
     Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn
     Found mount point : C:\WINDOWS\system32\export\export
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\export\export
     Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
     Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
     Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
     Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
     Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
     Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
     Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
     Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
     Found mount point : C:\WINDOWS\system32\oobe\sample\sample
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\oobe\sample\sample
     Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt
     Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
     Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
     Found mount point : C:\WINDOWS\system32\wbem\mof\good\good
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good
     Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp
     Found mount point : C:\WINDOWS\system32\wins\wins
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\wins\wins
     Found mount point : C:\WINDOWS\system32\xircom\xircom
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\system32\xircom\xircom
     Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
     Mount point destination : \Device\__max++>\^
     Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
     Finished!
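The Win32kDiag output above lists 77 directories under C:\WINDOWS whose mount-point destination is \Device\__max++>\^ rather than a volume, every one of them a subdirectory that repeats its parent's name (addins\addins, CSC\d1\d1, wins\wins), and it also records that the permission reset ran without backup privileges. The Python script below is an added example for this page, not part of the original post and not Win32kDiag code: it parses a log in this format, pairs each "Found mount point" with its destination, groups by destination, and flags entries that do not resolve to a normal volume device name or that show the same-name-child pattern. The sample log reuses a few lines from the post; the C:\WINDOWS\mnt\data entry and its \Device\HarddiskVolume2 destination are constructed, and the volume-name pattern in VOLUME_RE is an assumption about what a benign NTFS mount point looks like.

```python
"""Triage a Win32kDiag-style log: pair every 'Found mount point' line with
its 'Mount point destination', group by destination, and flag entries whose
target is not a normal volume device name or whose directory repeats the
name of its parent.  Added example for this page; not Win32kDiag code."""

import re
from collections import Counter

# Sample log: the first entries are copied from the post above; the final
# entry (C:\WINDOWS\mnt\data -> \Device\HarddiskVolume2) is constructed as a
# benign volume mount point so the filter has something to let through.
SAMPLE_LOG = r"""
Log file is located at: C:\Documents and Settings\Lea Soderstrom\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Found mount point : C:\WINDOWS\mnt\data
Mount point destination : \Device\HarddiskVolume2
Finished!
"""

FOUND_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
# Assumption: a legitimate volume mount point resolves to one of the usual
# NT volume device names; anything else deserves a look.
VOLUME_RE = re.compile(
    r"^\\Device\\(?:HarddiskVolume\d+|Harddisk\d+\\Partition\d+|CdRom\d+)$", re.I
)


def parse_mount_points(text):
    """Return (directory, destination) pairs in log order."""
    pairs, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            pending = m.group(1).strip()
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            pairs.append((pending, m.group(1).strip()))
            pending = None
    return pairs


def is_volume_target(destination):
    return VOLUME_RE.match(destination) is not None


def repeats_parent_name(path):
    """True for 'C:\\WINDOWS\\addins\\addins'-style directories."""
    parts = [p for p in path.split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def triage(text):
    pairs = parse_mount_points(text)
    suspicious = [
        (d, t) for d, t in pairs if not is_volume_target(t) or repeats_parent_name(d)
    ]
    return {
        "total": len(pairs),
        "by_destination": dict(Counter(t for _, t in pairs)),
        "suspicious": suspicious,
        "warnings": [ln.strip() for ln in text.splitlines() if ln.strip().startswith("WARNING:")],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for target, n in report["by_destination"].items():
        print(f"{n:3d} mount point(s) -> {target}")
    for directory, target in report["suspicious"]:
        print(f"SUSPICIOUS {directory} -> {target}")
    for w in report["warnings"]:
        print(w)
```

Run it against the full Win32kDiag.txt instead of SAMPLE_LOG and the by-destination summary collapses the whole log to a single line, which is the quickest way to see that every hijacked directory points at one non-volume device; the WARNING line is surfaced because a permission reset done without backup privileges may have skipped directories the account could not open.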
  5. Things seem to be running pretty well. I am not getting pop-up notifications of anything, and the speed of the computer appears to be normal. I would have said that before we did this last set-up stuff though, and MBAM found like 26 more problems! :-P Please keep in mind this is not my computer. It is just a friend's. If any of the programs she has on her computer look like they should not be on there, please let me know so I can take them off and keep this computer virus free. Thanks again, I look forward to hearing the next step!
  6. Qoobox:

     ABBYY FineReader 5.0 Sprint Plus
     Ad-Aware
     Adobe Flash Player 10 Plugin
     Adobe Flash Player ActiveX
     Adobe Photoshop Album 2.0 Starter Edition
     Adobe Reader 7.1.0
     AIM 6
     Apple Mobile Device Support
     Apple Software Update
     ATI - Software Uninstall Utility
     ATI Control Panel
     ATI Display Driver
     BlackBerry Desktop Software 4.6
     BlackBerry Device Software Updater
     Bonjour
     Broadcom 440x 10/100 Integrated Controller
     Broadcom Management Programs 2
     C-Major Audio
     Comcast High-Speed Internet Install Wizard
     Compatibility Pack for the 2007 Office system
     Conexant D110 MDC V.92 Modem
     Critical Update for Windows Media Player 11 (KB959772)
     Dell Media Experience
     Dell Photo AIO Printer 942
     Dell ResourceCD
     DVDFab 6.0.1.0 (May 15, 2009)
     DVDFab Platinum 3.0.7.2
     EndNote
     ESPN Java Check
     HijackThis 2.0.2
     Hotfix for Windows Media Format 11 SDK (KB929399)
     Hotfix for Windows Media Player 11 (KB939683)
     Hotfix for Windows XP (KB952287)
     Hotfix for Windows XP (KB970653-v3)
     Intel® PROSet/Wireless Software
     ISI ResearchSoft - Export Helper
     iTunes
     Jasc Paint Shop Photo Album
     Jasc Paint Shop Pro 8 Dell Edition
     Java 6 Update 11
     Java 6 Update 6
     Learn2 Player (Uninstall Only)
     LG USB Drivers
     LiveReg (Symantec Corporation)
     LiveUpdate 1.90 (Symantec Corporation)
     Malwarebytes' Anti-Malware
     McAfee SecurityCenter
     mCore
     mDriver
     mDrWiFi
     mHlpDell
     Microsoft Compression Client Pack 1.0 for Windows XP
     Microsoft Office Professional Edition 2003
     Microsoft Silverlight
     Microsoft User-Mode Driver Framework Feature Pack 1.0
     Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
     Microsoft Visual C++ 2005 Redistributable
     mIWA
     mLogView
     mMHouse
     MobileMe Control Panel
     Move Networks Media Player for Internet Explorer
     Mozilla Firefox (3.0.13)
     mPfMgr
     mPfWiz
     mProSafe
     mSCfg
     MSRedist
     mSSO
     MSXML 4.0 SP2 (KB936181)
     MSXML 4.0 SP2 (KB954430)
     MSXML 6.0 Parser (KB933579)
     mWlsSafe
     mWMI
     mZConfig
     Netflix Movie Viewer
     PowerDVD 5.7
     QuickTime
     Roxio DLA
     Roxio Media Manager
     Roxio MyDVD LE
     Roxio RecordNow Audio
     Roxio RecordNow Copy
     Roxio RecordNow Data
     SAS 9.1
     SAS Private JRE (J2SE Java Runtime Environment 1.4.2_09)
     Security Update for Windows Media Player (KB911564)
     Security Update for Windows Media Player (KB952069)
     Security Update for Windows Media Player (KB973540)
     Security Update for Windows Media Player 11 (KB936782)
     Security Update for Windows Media Player 11 (KB954154)
     Security Update for Windows Media Player 6.4 (KB925398)
     Security Update for Windows Media Player 9 (KB936782)
     Security Update for Windows XP (KB923561)
     Security Update for Windows XP (KB923789)
     Security Update for Windows XP (KB938464-v2)
     Security Update for Windows XP (KB938464)
     Security Update for Windows XP (KB941569)
     Security Update for Windows XP (KB946648)
     Security Update for Windows XP (KB950759)
     Security Update for Windows XP (KB950760)
     Security Update for Windows XP (KB950762)
     Security Update for Windows XP (KB950974)
     Security Update for Windows XP (KB951066)
     Security Update for Windows XP (KB951376-v2)
     Security Update for Windows XP (KB951376)
     Security Update for Windows XP (KB951698)
     Security Update for Windows XP (KB951748)
     Security Update for Windows XP (KB952004)
     Security Update for Windows XP (KB952954)
     Security Update for Windows XP (KB953838)
     Security Update for Windows XP (KB953839)
     Security Update for Windows XP (KB954211)
     Security Update for Windows XP (KB954459)
     Security Update for Windows XP (KB954600)
     Security Update for Windows XP (KB955069)
     Security Update for Windows XP (KB956390)
     Security Update for Windows XP (KB956391)
     Security Update for Windows XP (KB956572)
     Security Update for Windows XP (KB956744)
     Security Update for Windows XP (KB956802)
     Security Update for Windows XP (KB956803)
     Security Update for Windows XP (KB956841)
     Security Update for Windows XP (KB957095)
     Security Update for Windows XP (KB957097)
     Security Update for Windows XP (KB958215)
     Security Update for Windows XP (KB958644)
     Security Update for Windows XP (KB958687)
     Security Update for Windows XP (KB958690)
     Security Update for Windows XP (KB959426)
     Security Update for Windows XP (KB960225)
     Security Update for Windows XP (KB960714)
     Security Update for Windows XP (KB960715)
     Security Update for Windows XP (KB960803)
     Security Update for Windows XP (KB960859)
     Security Update for Windows XP (KB961371)
     Security Update for Windows XP (KB961373)
     Security Update for Windows XP (KB961501)
     Security Update for Windows XP (KB963027)
     Security Update for Windows XP (KB968537)
     Security Update for Windows XP (KB969897)
     Security Update for Windows XP (KB969898)
     Security Update for Windows XP (KB970238)
     Security Update for Windows XP (KB971557)
     Security Update for Windows XP (KB971633)
     Security Update for Windows XP (KB971657)
     Security Update for Windows XP (KB972260)
     Security Update for Windows XP (KB973346)
     Security Update for Windows XP (KB973354)
     Security Update for Windows XP (KB973507)
     Security Update for Windows XP (KB973869)
     SigmaPlot 9.0
     Sonic Update Manager
     Sony Digital Voice Editor 2
     Spybot - Search & Destroy
     SUPERAntiSpyware Free Edition
     Update for Windows XP (KB942763)
     Update for Windows XP (KB951072-v2)
     Update for Windows XP (KB951978)
     Update for Windows XP (KB955839)
     Update for Windows XP (KB967715)
     Update for Windows XP (KB968389)
     Update for Windows XP (KB973815)
     Viewpoint Media Player
     Visual C++ 2008 x86 Runtime - (v9.0.30729)
     Visual C++ 2008 x86 Runtime - v9.0.30729.01
     Vuze
     Vuze Toolbar
     VZAccess Manager for RIM
     WebFldrs XP
     Windows Genuine Advantage Notifications (KB905474)
     Windows Media Format 11 runtime
     Windows Media Player 11
     Windows Media Player Firefox Plugin
     Windows XP Service Pack 3
  7. MBAM code:

     Malwarebytes' Anti-Malware 1.40
     Database version: 2734
     Windows 5.1.2600 Service Pack 3

     9/2/2009 9:50:07 PM
     mbam-log-2009-09-02 (21-50-07).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 166906
     Time elapsed: 48 minute(s), 30 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 1
     Folders Infected: 1
     Files Infected: 24

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

     Folders Infected:
     C:\Documents and Settings\All Users\Application Data\SoftLand Ltd (Rogue.XPantiVirus) -> Quarantined and deleted successfully.

     Files Infected:
     C:\Qoobox\Quarantine\C\blyuwrjl.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\fyblb.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\osps.exe.vir (Spyware.Banker) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\11242964\11242964.exe.vir (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINDOWS\system32\jifujeme.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINDOWS\system32\kozibala.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINDOWS\system32\UACimppalqmpy.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINDOWS\system32\UACsiexubfaav.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINDOWS\system32\vidohosi.exe.vir (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINDOWS\system32\volamele.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINDOWS\system32\wingenocx.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP284\A0196051.dll (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP284\A0196053.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP285\A0196080.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP285\A0196081.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP285\A0196084.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP285\A0196085.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP285\A0196089.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP285\A0196090.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP285\A0196091.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP285\A0196268.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP285\A0196265.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{E4C9D55B-B4BF-4416-91CE-9924A2D6AB22}\RP285\A0196266.exe (Spyware.Banker) -> Quarantined and deleted successfully.
  8. ComboFix Log:

     ComboFix 09-09-02.02 - Lea Soderstrom 09/02/2009 20:42.2.1 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.484 [GMT -4:00]
     Running from: c:\documents and settings\Lea Soderstrom\Desktop\cmf.exe
     Command switches used :: c:\documents and settings\Lea Soderstrom\Desktop\cfscript.txt
     AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
     FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

     FILE ::
     "C:\blyuwrjl.exe"
     "C:\osps.exe"
     "c:\windows\system32\payezavu.dll"
     "c:\windows\system32\wingenocx.dll"

     file zipped: C:\blyuwrjl.exe
     file zipped: C:\osps.exe
     file zipped: c:\windows\system32\payezavu.dll
     file zipped: c:\windows\system32\wingenocx.dll
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     C:\blyuwrjl.exe
     C:\osps.exe
     c:\program files\Protection System
     c:\windows\system32\payezavu.dll
     c:\windows\system32\wingenocx.dll
     .
     ((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
     .
     2009-09-03 00:35 . 2009-09-03 00:35 -------- d-----w- c:\windows\LastGood
     2009-09-02 04:17 . 2009-09-02 04:17 -------- d-----w- c:\program files\Trend Micro
     2009-09-01 15:20 . 2009-09-01 15:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2009-08-13 15:13 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
     2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-09-03 00:35 . 2008-08-05 00:30 -------- d-----w- c:\program files\McAfee
     2009-09-02 17:39 . 2004-08-04 10:00 56320 ------w- c:\windows\system32\eventlog.dll
     2009-09-02 04:22 . 2009-03-16 23:45 -------- d-----w- c:\program files\SUPERAntiSpyware
     2009-09-02 04:19 . 2009-03-16 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-08-31 19:44 . 2009-06-25 03:49 -------- d-----w- c:\program files\Vuze
     2009-08-31 19:44 . 2009-06-25 03:50 -------- d-----w- c:\documents and settings\Lea Soderstrom\Application Data\Azureus
     2009-08-25 00:53 . 2008-06-23 00:50 -------- d-----w- c:\program files\Dl_cats
     2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
     2009-08-03 15:32 . 2009-03-23 05:32 -------- d-----w- c:\program files\Microsoft Silverlight
     2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
     2009-07-15 00:44 . 2008-05-22 18:26 70224 ----a-w- c:\documents and settings\Lea Soderstrom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
     2009-07-13 22:53 . 2009-04-04 16:07 256 ----a-w- c:\windows\system32\pool.bin
     2009-07-05 16:32 . 2008-05-23 00:41 -------- d-----w- c:\program files\Common Files\Roxio Shared
     2009-07-05 16:31 . 2008-05-23 00:38 -------- d-----w- c:\program files\Roxio
     2009-07-05 16:30 . 2009-04-04 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
     2009-07-05 16:27 . 2008-05-23 00:38 -------- d-----w- c:\program files\Common Files\Sonic Shared
     2009-06-26 16:50 . 2006-03-04 03:33 666624 ------w- c:\windows\system32\wininet.dll
     2009-06-26 16:50 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
     2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
     2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
     2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
     2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
     2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
     2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
     2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
     2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
     2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
     2009-06-12 12:31 . 2004-08-04 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
     2009-06-12 12:31 . 2004-08-04 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
     2009-06-10 14:13 . 2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
     2009-06-10 13:19 . 2008-05-22 18:10 2066432 ----a-w- c:\windows\system32\mstscax.dll
     2009-06-10 06:14 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
     2009-06-08 23:43 . 2009-07-03 03:34 15688 ----a-w- c:\windows\system32\lsdelete.exe
     2008-06-02 17:11 . 2008-06-02 17:11 15040757 ----a-w- c:\program files\VSE80iLEN_patch13.zip
     .
     ((((((((((((((((((((((((((((( SnapShot@2009-09-02_17.58.22 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2008-05-22 18:20 . 2009-09-03 00:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     - 2008-05-22 18:20 . 2009-09-02 17:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     + 2008-05-22 18:20 . 2009-09-03 00:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
     - 2008-05-22 18:20 . 2009-09-02 17:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
     "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
     "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
     "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
     "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-16 136600]
     "Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-04-28 294912]
     "DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
     "DLBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2004-11-09 69632]
     "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
     "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
     "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-26 236016]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
     @="Service"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
     @=""

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
     @=""

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "UpdatesDisableNotify"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
     "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
     "c:\\Program Files\\AIM6\\aim6.exe"=
     "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Vuze\\Azureus.exe"=

     R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/16/2009 7:42 PM 64160]
     R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
     R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
     R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [6/24/2009 11:50 PM 464264]
     R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [6/24/2009 11:50 PM 234888]
     R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/4/2008 4:46 PM 24652]
     S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
     S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
     .
     Contents of the 'Scheduled Tasks' folder

     2009-08-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:43]

     2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

     2009-07-15 c:\windows\Tasks\McDefragTask.job
     - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-05 17:32]

     2009-09-01 c:\windows\Tasks\McQcTask.job
     - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-05 17:32]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     mStart Page = hxxp://www.comcast.net/
     mWindow Title = Windows Internet Explorer provided by Comcast
     uInternet Settings,ProxyOverride = *.local
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\Lea Soderstrom\Application Data\Mozilla\Firefox\Profiles\x9tth65f.default\
     FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
     FF - prefs.js: browser.search.selectedEngine - swagbucks.com
     FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
     FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
     FF - plugin: c:\documents and settings\Lea Soderstrom\Application Data\Mozilla\Firefox\Profiles\x9tth65f.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
     FF - plugin:
c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- FIREFOX POLICIES ---- . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-02 20:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run DLBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(672) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\Ati2evxx.dll . Completion time: 2009-09-03 20:51 ComboFix-quarantined-files.txt 2009-09-03 00:50 ComboFix2.txt 2009-09-02 18:03 Pre-Run: 7,056,130,048 bytes free Post-Run: 7,045,505,024 bytes free 194 --- E O F --- 2009-08-31 15:49 Upload was successful
  9. Junction v1.05 - Windows junction creator and reparse point viewer Copyright © 2000-2007 Mark Russinovich Systems Internals - http://www.sysinternals.com
  10. I forgot to add: on the desktop, after ComboFix was all said and done, there is a file that wasn't there before I ran ComboFix. It is called "catchme" and it looks like a text file or similar. I'm afraid to open it or click on it, as I'm almost sure it's not from ComboFix. Please advise on that as well. Thanks!
  11. I have taken the infected computer off of the internet again. I have also NOT turned McAfee back on. I have not tried to run or do anything else. The computer simply sits waiting for further instruction. Thanks for the help thus far, and I appreciate the quick response! Just as an FYI, much of the crazy stuff that was happening before is now not happening. No pop-ups, no laggy computer, etc. I await further instruction.
  12. Alright, I went on the internet via the infected computer and downloaded ComboFix, but I called it cmf.exe so that the virus wouldn't recognize it. I then ran ComboFix in normal mode (not safe mode), and it did TONS of stuff. Here is the output: ComboFix 09-09-01.07 - Lea Soderstrom 09/02/2009 13:46.1.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.627 [GMT -4:00]
  13. I made a new thread in the HJT section as that is what was instructed of a guy having the same problems as me. You can delete this thread. Thanks.
  14. Hi, I made a post in the general "Viruses, Spyware, and Adware" section, and I was instructed to come here. I will copy and paste what I had in that thread:

This is for a friend of mine's computer. She is not sure how she got the virus and/or spyware. I'm pretty computer savvy, but this thing has her computer in a jumble. Anytime she connects to the internet, it immediately starts to download things and shortcuts to her desktop. The virus is not allowing me to run any virus or spyware software on her computer. Currently installed she has:

Ad-Aware
Spybot S&D
MBAM
Super Antispyware
McAfee

I tried to install HJT, but it will not run the .exe. I am trying all of this in safe mode w/o networking. The computer is XP Pro SP3. In safe mode w/o networking, the following processes are running:

taskmgr.exe
iexplore.exe
mcagent.exe
explorer.exe
mcuimgr.exe
mcmscsvc.exe
svchost.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
system
system idle process

The lsass, csrss, and smss appear to be the virus, but I can't end them via the task manager. Windows tells me they are critical elements and cannot be stopped. I'm not sure what I can do here outside of a reformat. Any help would be appreciated.

Also, it appears that I can use the USB drives still, and that I can get to my computer. I have a flash drive if you guys can think of something you want me to try and put on her computer.

Also, the computer pops up ALL THE TIME notifying me that my virus software is disabled and it tries to get me to download something else. There are notifications all over that come up. Most of them appear to be fake things letting me know something is wrong with the computer and to CLICK HERE TO DOWNLOAD SOFTWARE.

Also, in normal mode, the desktop background changed to blue with red text saying something along the lines of "YOU HAVE MALWARE, PLEASE FOLLOW THE INSTRUCTIONS IN THE BOTTOM RIGHT TO FIX THIS. THIS IS A SERIOUS ISSUE. YOUR PERSONAL INFORMATION IS AT JEOPARDY, ETC." This desktop background is not visible when in safe mode. I have not rebooted the computer in normal mode for some time, so I'm not sure if it's still there.

I tried to do a system restore to a restore point. It allowed me to choose a date, but when I clicked NEXT to make it restart and try to restore, it just froze and did nothing. The virus seemed to be preventing that action as well.

TIA and sorry for the long post.

---------------------------------------------

I was then told to do this:

Run the scanners in safe mode w/ networking. Rename the .exe's first, then right-click them and select 'Run As'. If that doesn't work, slave the drive in another computer or scan w/ a boot disc such as this or this. If you've never burned an ISO, I prefer IMGBurn; it's just about impossible to burn a disc incorrectly w/ it.

---------------------------------------------

This was the result:

Renaming some of the .exe's, I was able to get a little action. MBAM ran for about 3 seconds and then quit. SASW actually ran for a while before quitting. Here is a screenshot I grabbed before it quit: http://tinypic.com/r/sfics2/3

Does that offer any insight as to what can be done? I have not tried the .iso stuff yet.

---------------------------------------------

I'm looking for direction from here. The .exe's for MBAM, SASW, and HJT all no longer work, and I cannot even rename the files. As I said above, I have not tried the .iso things mentioned above as I'm not familiar with that approach, and I wanted to see if there was any input on the screenshot above first. Any help would be appreciated. Thanks!
  15. I'm having this exact same problem. Here is my thread: http://forums.pcpitstop.com/index.php?showtopic=172126 In it, I posted a pic of what Superantispyware found before the virus closed the program. Do you know if you have the same virus? Is there any solution yet on how to get rid of it?
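The process list in post 14 above names lsass.exe, csrss.exe and smss.exe as the suspected virus because Task Manager refuses to end them. That refusal proves nothing either way: the genuine ones are critical system processes, and malware routinely takes the same file name precisely so that it blends into the list. What separates a real one from an impostor is where the image lives (always %SystemRoot%\System32), which process started it, and how many instances exist. The script below is an added example, not code from this thread or from any of the tools it mentions. It parses the CSV printed by `wmic process get Name,ExecutablePath,ProcessId,ParentProcessId /format:csv` (present on XP Pro; run it as an administrator, otherwise the path of protected processes comes back empty) and applies those three checks plus a look-alike-name check. The SAMPLE snapshot, the node name LAPTOP, its PIDs and its paths are constructed for illustration; the expected parent names are Windows XP's (on Vista and later, services.exe and lsass.exe are children of wininit.exe, not winlogon.exe).

```python
"""Flag impostor Windows system processes in a process snapshot.

Added example; not code from the thread or from the tools it mentions.
Input is the CSV printed on Windows XP (as an administrator) by:

    wmic process get Name,ExecutablePath,ProcessId,ParentProcessId /format:csv

SAMPLE below is a constructed snapshot, not real output from the thread.
"""
import csv
import io
import os
import re
import sys

# Assumption: Windows is installed on the default %SystemRoot% (C:\WINDOWS).
SYSTEM32 = (os.environ.get("SystemRoot", r"C:\WINDOWS") + r"\system32").lower()

# Images that only ever run from System32, their expected parent on
# Windows XP (on Vista and later services/lsass hang off wininit.exe),
# and whether more than one instance is ever legitimate.
CRITICAL = {
    "smss.exe":     {"parent": None,           "singleton": True},
    "csrss.exe":    {"parent": "smss.exe",     "singleton": False},
    "winlogon.exe": {"parent": "smss.exe",     "singleton": False},
    "services.exe": {"parent": "winlogon.exe", "singleton": True},
    "lsass.exe":    {"parent": "winlogon.exe", "singleton": True},
    "svchost.exe":  {"parent": "services.exe", "singleton": False},
}

# Constructed snapshot: one clean boot chain plus three planted impostors.
SAMPLE = r"""
Node,ExecutablePath,Name,ParentProcessId,ProcessId
LAPTOP,,System,0,4
LAPTOP,C:\WINDOWS\system32\smss.exe,smss.exe,4,540
LAPTOP,C:\WINDOWS\system32\csrss.exe,csrss.exe,540,604
LAPTOP,C:\WINDOWS\system32\winlogon.exe,winlogon.exe,540,628
LAPTOP,C:\WINDOWS\system32\services.exe,services.exe,628,672
LAPTOP,C:\WINDOWS\system32\lsass.exe,lsass.exe,628,684
LAPTOP,C:\WINDOWS\system32\svchost.exe,svchost.exe,672,860
LAPTOP,C:\WINDOWS\explorer.exe,explorer.exe,1500,1580
LAPTOP,C:\WINDOWS\lsass.exe,lsass.exe,1580,1930
LAPTOP,C:\Documents and Settings\user\Local Settings\Temp\csrss.exe,csrss.exe,1580,2012
LAPTOP,C:\WINDOWS\system32\Isass.exe,Isass.exe,1580,2100
LAPTOP,C:\WINDOWS\system32\taskmgr.exe,taskmgr.exe,1580,2300
"""


def parse_wmic_csv(text):
    """Turn wmic CSV output into dicts; the blank lines wmic emits are dropped."""
    rows = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs = []
    for row in csv.DictReader(io.StringIO("\n".join(rows))):
        procs.append({
            "pid": int(row["ProcessId"]),
            "ppid": int(row["ParentProcessId"]),
            "name": row["Name"].strip(),
            "path": (row["ExecutablePath"] or "").strip(),
        })
    return procs


def _fold(name):
    """Collapse look-alike characters: 'Isass.exe' and '1sass.exe' -> 'lsass.exe'."""
    return re.sub(r"[i1|]", "l", name.lower()).replace("0", "o")


def triage(procs):
    """Return (pid, name, reason) findings; pid 0 marks a whole-snapshot finding."""
    by_pid = {p["pid"]: p for p in procs}
    folded = {_fold(n): n for n in CRITICAL}
    counts = {}
    findings = []
    for p in procs:
        name = p["name"].lower()
        canon = folded.get(_fold(name))
        if canon is None:
            continue                      # not a name worth impersonating
        if name != canon:
            findings.append((p["pid"], p["name"], "look-alike of " + canon))
            continue
        counts[name] = counts.get(name, 0) + 1
        path = p["path"].lower()
        if not path:
            findings.append((p["pid"], p["name"], "image path unreadable; rerun as administrator"))
        elif path != SYSTEM32 + "\\" + name:
            findings.append((p["pid"], p["name"], "image outside System32: " + p["path"]))
        want = CRITICAL[name]["parent"]
        parent = by_pid.get(p["ppid"])    # None if the parent has already exited
        if want and parent and parent["name"].lower() != want:
            findings.append((p["pid"], p["name"],
                             "parent is %s (expected %s)" % (parent["name"], want)))
    for name, n in counts.items():
        if CRITICAL[name]["singleton"] and n > 1:
            findings.append((0, name, "%d instances (expected 1)" % n))
    return findings


def _load(path):
    """wmic writes UTF-16 when redirected to a file; accept that or UTF-8."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    text = _load(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for pid, name, reason in triage(parse_wmic_csv(text)):
        print("%5d  %-14s %s" % (pid, name, reason))
```

On the constructed snapshot this reports the lsass.exe copy in C:\WINDOWS (wrong directory, started by explorer.exe, second instance of a singleton), the csrss.exe in a Temp folder, and Isass.exe with a capital I. Two caveats: a parent PID that no longer exists is skipped rather than flagged, since PIDs are reused; and a kernel rootkit can hide a process from wmic and Task Manager alike, so a clean result from any user-mode listing is not proof that the machine is clean, which is why the thread's advice to scan from a boot disc or with the drive slaved in another machine is the stronger check.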