PDA

View Full Version : New win32.rubgbu.a?


Skoda
2010-05-14, 03:44
Hello, I believe I’m having a problem with the trojan win32.rubgbu.a. A few days ago, Monday I believe, I noticed my hidden files were no longer visible. And when going to tools>folder options> view, selecting “show hidden files and folders” then OK they would still not be visible. Then when going back to the folder options the option was reverted to “do not show hidden files and folders.”

I ran McAfee, found nothing. I then ran Spybot (prior to an update, my bad), it found win32.rubgbu.a and said it successfully removed it, but after restart the problems persisted. I did a little searching on the internet and every forum I came across said to download Malwarebytes, update it and run it. I did. It found win32.rubgbu.a, removed it and the problems went away, for about two days.

Today I tried to access my C drive and when double clicking it a “Open With” dialog box opened up. I then went to the folder options and say that “do not show hidden files and folders” was selected. I suspected the virus was back. I updated Spybot, ran it, and it “removed” the virus. I them ran Malwarebytes and it found nothing.

However, even though Sypbot and Malwarebytes no longer detect anything I still have a symptom. Double clicking on my C drive brings up the Open With dialog. Also, now being able to see the hidden files (and system files, I unchecked that box too) I noticed there were some suspicious files in my C drive. Specifically, autorun.inf, ca.exe, n6eyw.exe and qhbfqx.exe all created between 5/10/2010 and 5/13/2010.

One other thing I noticed is that most of the forum posts regarding this virus were from 2005, 2006 and 2007. Is it possible that I have a modified version of the virus?

Thank you in advance for your help.

Skoda

DDS (Ver_10-03-17.01) - NTFSx86
Run by rschkod at 20:19:49.06 on Thu 05/13/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1275 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.clemson.edu/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\rschkod\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [dso32] c:\docume~1\rschkod\locals~1\temp\dsoqq.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [NDPS] c:\windows\system32\dpmw32.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [niDevMon] c:\program files\national instruments\ni-daq\hwconfig\nidevmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\rschkod\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233244852115
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233244847536
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rschkod\applic~1\mozilla\firefox\profiles\bvoz45df.default\
FF - plugin: c:\documents and settings\rschkod\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2008-8-21 15448]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-10-6 31816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-7-7 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-10-6 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-10-6 54608]
R2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2008-8-21 12696]
R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2008-8-21 12696]
R2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\ivi foundation\visa\winnt\nivisa\niLxiDiscovery.exe [2008-6-20 129144]
R2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\national instruments\shared\mdns responder\nimdnsResponder.exe [2008-6-18 192112]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2008-6-25 11344]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2008-6-20 11360]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-9-24 72904]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-9-24 34344]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-9-24 177672]
R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2008-6-13 11360]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [2008-6-13 11360]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2008-7-23 11360]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-12-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-12-14 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\admini~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\admini~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [2008-6-23 20104]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2008-11-11 26192]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2008-11-11 11344]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2008-11-11 22608]
S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [2008-9-4 16456]
S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [2008-7-24 11352]
S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [2008-7-31 11336]
S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2008-8-1 11336]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2008-7-25 11344]
S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2008-7-31 11336]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2008-7-31 11336]
S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [2008-7-29 11352]
S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2008-7-23 11392]
S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2007-4-4 14464]
S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2007-4-4 151683]
S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2008-7-23 11368]
S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2008-7-30 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2008-12-16 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2008-12-16 11896]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2008-6-25 20568]
S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [2008-7-30 11376]
S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2008-8-7 11352]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2008-7-30 11344]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [2008-7-30 11376]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2008-7-31 11336]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [2008-7-25 11312]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2008-7-25 11360]
S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [2008-7-28 11336]
S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2008-7-24 11360]
S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [2008-7-31 11368]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2008-6-20 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2008-6-20 11360]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2008-7-31 11336]
S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2008-7-31 11336]
S3 pdaq;Personal Daq 55/56;c:\windows\system32\drivers\PDAQ.SYS [2009-6-23 9267]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-12-14 1112560]
S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]

=============== Created Last 30 ================

2010-05-13 12:42:57 112640 --sh--r- C:\n6eyw.exe
2010-05-13 12:29:15 43 ----a-w- C:\s_.gif
2010-05-13 12:27:15 0 d-----w- c:\docume~1\rschkod\applic~1\mmEditor
2010-05-13 12:27:13 0 d-----w- c:\docume~1\rschkod\applic~1\mmDesigner
2010-05-11 15:26:36 0 d-----w- c:\program files\TweakNow RegCleaner
2010-05-11 15:26:36 0 d-----w- c:\docume~1\rschkod\applic~1\TweakNow RegCleaner
2010-05-11 12:11:21 0 d-----w- c:\docume~1\rschkod\applic~1\Malwarebytes
2010-05-11 12:11:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 12:11:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 12:11:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 12:11:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-10 17:46:31 112640 --sh--r- C:\qhbfqx.exe
2010-05-10 17:45:52 55 --sha-r- C:\autorun.inf
2010-05-10 17:45:52 110592 --sh--r- C:\ca.exe
2010-05-02 17:52:52 0 d-----w- C:\HP LJP2015 PCL6

==================== Find3M ====================


============= FINISH: 20:20:12.57 ===============
ken545
2010-05-20, 00:49
Hello Skoda

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.




Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Skoda
2010-05-20, 03:59
ComboFix produced log.txt (attached) and I reran the dds.scr (DDS.txt pasted and Attach.txt is attached. I called it attach2 to differentiate it from the previous one). Is the dds.scr the same as HijackThis?

Also, I should let you know that since my last post I removed a autorun.inf from my C drive and that seemed to take care of the "Open With" dialog that kept popping up.

Thank you again for your time and effort.


DDS (Ver_10-03-17.01) - NTFSx86
Run by rschkod at 20:50:48.82 on Wed 05/19/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1292 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe
C:\WINDOWS\system32\nwlscrpt.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rschkod\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.clemson.edu/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\rschkod\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [NDPS] c:\windows\system32\dpmw32.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [niDevMon] c:\program files\national instruments\ni-daq\hwconfig\nidevmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: c:\docume~1\rschkod\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233244852115
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233244847536
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rschkod\applic~1\mozilla\firefox\profiles\bvoz45df.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2010-1-6 147472]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-9-24 343920]
R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2008-8-21 15448]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2010-1-6 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2010-1-6 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-5-19 70728]
R2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2008-8-21 12696]
R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2008-8-21 12696]
R2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\ivi foundation\visa\winnt\nivisa\niLxiDiscovery.exe [2008-6-20 129144]
R2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\national instruments\shared\mdns responder\nimdnsResponder.exe [2008-6-18 192112]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2008-6-25 11344]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2008-6-20 11360]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-9-24 91832]
R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2008-6-13 11360]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [2008-6-13 11360]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2008-7-23 11360]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-12-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-12-14 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\admini~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\admini~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [2008-6-23 20104]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-9-24 43288]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-19 66600]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2008-11-11 26192]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2008-11-11 11344]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2008-11-11 22608]
S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [2008-9-4 16456]
S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [2008-7-24 11352]
S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [2008-7-31 11336]
S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2008-8-1 11336]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2008-7-25 11344]
S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2008-7-31 11336]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2008-7-31 11336]
S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [2008-7-29 11352]
S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2008-7-23 11392]
S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2007-4-4 14464]
S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2007-4-4 151683]
S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2008-7-23 11368]
S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2008-7-30 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2008-12-16 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2008-12-16 11896]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2008-6-25 20568]
S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [2008-7-30 11376]
S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2008-8-7 11352]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2008-7-30 11344]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [2008-7-30 11376]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2008-7-31 11336]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [2008-7-25 11312]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2008-7-25 11360]
S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [2008-7-28 11336]
S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2008-7-24 11360]
S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [2008-7-31 11368]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2008-6-20 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2008-6-20 11360]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2008-7-31 11336]
S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2008-7-31 11336]
S3 pdaq;Personal Daq 55/56;c:\windows\system32\drivers\PDAQ.SYS [2009-6-23 9267]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-12-14 1112560]
S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]

=============== Created Last 30 ================

2010-05-20 00:36:50 0 d-sha-r- C:\cmdcons
2010-05-20 00:35:08 98816 ----a-w- c:\windows\sed.exe
2010-05-20 00:35:08 77312 ----a-w- c:\windows\MBR.exe
2010-05-20 00:35:08 256512 ----a-w- c:\windows\PEV.exe
2010-05-20 00:35:08 161792 ----a-w- c:\windows\SWREG.exe
2010-05-20 00:35:02 0 d-----w- C:\ComboFix
2010-05-19 13:56:57 0 d-----w- c:\windows\147BCE03C0F14C9F81576A89B6D2D973.TMP
2010-05-19 13:52:57 70728 ----a-w- c:\windows\system32\mfevtps.exe
2010-05-19 13:52:57 66600 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-05-19 13:09:16 0 d--h--w- c:\windows\system32\GroupPolicy
2010-05-17 14:34:24 121290 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2010-05-17 14:34:21 0 d-----w- c:\program files\File Renamer
2010-05-13 12:27:15 0 d-----w- c:\docume~1\rschkod\applic~1\mmEditor
2010-05-13 12:27:13 0 d-----w- c:\docume~1\rschkod\applic~1\mmDesigner
2010-05-11 15:26:36 0 d-----w- c:\program files\TweakNow RegCleaner
2010-05-11 15:26:36 0 d-----w- c:\docume~1\rschkod\applic~1\TweakNow RegCleaner
2010-05-11 12:11:21 0 d-----w- c:\docume~1\rschkod\applic~1\Malwarebytes
2010-05-11 12:11:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 12:11:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 12:11:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 12:11:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-02 17:52:52 0 d-----w- C:\HP LJP2015 PCL6

==================== Find3M ====================


============= FINISH: 20:50:54.17 ===============




ComboFix 10-05-19.02 - rschkod 05/19/2010 20:39:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1061 [GMT -4:00]
Running from: c:\documents and settings\rschkod\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://jade.ces.clemson.edu
.
((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
.

2010-05-14 00:16 . 2010-05-14 00:17 -------- d-----w- c:\program files\ERUNT
2010-05-13 12:27 . 2010-05-13 12:27 -------- d-----w- c:\documents and settings\rschkod\Application Data\mmEditor
2010-05-13 12:27 . 2010-05-13 12:39 -------- d-----w- c:\documents and settings\rschkod\Application Data\mmDesigner
2010-05-11 15:26 . 2010-05-11 15:44 -------- d-----w- c:\program files\TweakNow RegCleaner
2010-05-11 15:26 . 2010-05-11 15:26 -------- d-----w- c:\documents and settings\rschkod\Application Data\TweakNow RegCleaner
2010-05-11 12:11 . 2010-05-11 12:11 -------- d-----w- c:\documents and settings\rschkod\Application Data\Malwarebytes
2010-05-11 12:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 12:11 . 2010-05-11 12:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 12:11 . 2010-05-11 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-11 12:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 17:53 . 2008-04-05 01:01 272896 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpcpp5r1.dll
2010-05-02 17:52 . 2010-05-02 17:52 -------- d-----w- C:\HP LJP2015 PCL6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 14:34 . 2010-05-17 14:34 121290 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2010-05-17 14:34 . 2010-05-17 14:34 -------- d-----w- c:\program files\File Renamer
2010-05-12 20:16 . 2007-06-07 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-06 16:18 . 2010-04-06 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-06 16:17 . 2010-04-06 16:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-29 12:57 . 2009-05-19 16:42 -------- d-----w- c:\documents and settings\rschkod\Application Data\Apple Computer
2010-03-29 12:49 . 2010-03-29 12:48 -------- d-----w- c:\program files\iTunes
2010-03-29 12:49 . 2010-03-29 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-29 12:48 . 2010-03-29 12:48 -------- d-----w- c:\program files\iPod
2010-03-29 12:48 . 2010-03-29 12:44 -------- d-----w- c:\program files\Common Files\Apple
2010-03-29 12:48 . 2009-05-20 13:13 -------- d-----w- c:\program files\Bonjour
2010-03-29 12:47 . 2010-03-29 12:46 -------- d-----w- c:\program files\QuickTime
2010-03-29 12:46 . 2006-07-07 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-29 12:45 . 2010-03-29 12:45 -------- d-----w- c:\program files\Apple Software Update
2010-03-29 12:44 . 2010-03-29 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-22 11:52 . 2009-12-04 14:18 79488 ----a-w- c:\documents and settings\rschkod\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-07 17:43 . 2010-03-07 17:43 2318 ----a-w- c:\documents and settings\rschkod\Application Data\MathWorks\MATLAB\R2008b\mexopts.bat
2004-03-15 21:51 . 2004-03-15 21:51 114688 ----a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 14:32 . 2006-01-23 14:32 131072 ----a-w- c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 14:48 . 2007-02-08 14:48 133920 ----a-w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-24 22:03 . 2007-07-24 22:03 118784 ----a-w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
2008-12-10 18:50 . 2008-12-10 18:50 118784 ----a-w- c:\program files\internet explorer\plugins\LV86ActiveXControl.dll
2010-01-07 00:07 . 2010-05-19 13:52 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\rschkod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-16 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 136512]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-30 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"niDevMon"="c:\program files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2008-07-28 106576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-01-07 124240]

c:\documents and settings\rschkod\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 14:57 128296 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 03:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-12-14 18:25 244208 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-30 14:56 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\National Instruments\\Shared\\mDNS Responder\\nimdnsResponder.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\Maple 13\\jre\\bin\\maple.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [8/21/2008 8:04 PM 15448]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [1/6/2010 8:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [5/19/2010 9:52 AM 70728]
R2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [8/21/2008 10:51 PM 12696]
R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [8/21/2008 10:51 PM 12696]
R2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [6/20/2008 4:53 PM 129144]
R2 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [6/18/2008 4:57 PM 192112]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [6/25/2008 11:01 AM 11344]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [6/20/2008 9:27 PM 11360]
R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [6/13/2008 3:51 PM 11360]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [6/13/2008 3:51 PM 11360]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [7/23/2008 12:54 PM 11360]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [12/14/2007 2:25 PM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [12/14/2007 2:25 PM 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [6/23/2008 6:11 PM 20104]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/19/2010 9:52 AM 66600]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [11/11/2008 1:50 PM 26192]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [11/11/2008 1:52 PM 11344]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [11/11/2008 1:53 PM 22608]
S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [9/4/2008 6:04 PM 16456]
S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [7/24/2008 11:32 AM 11352]
S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [7/31/2008 8:21 PM 11336]
S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [8/1/2008 12:30 PM 11336]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [7/25/2008 11:04 AM 11344]
S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [7/31/2008 8:21 PM 11336]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [7/31/2008 8:21 PM 11336]
S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [7/29/2008 7:21 PM 11352]
S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [7/23/2008 1:00 PM 11392]
S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [4/4/2007 9:06 AM 14464]
S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [4/4/2007 9:06 AM 151683]
S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [7/23/2008 12:55 PM 11368]
S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [7/30/2008 9:58 AM 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [12/16/2008 1:57 AM 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [12/16/2008 1:55 AM 11896]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [6/25/2008 11:02 AM 20568]
S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [7/30/2008 4:26 AM 11376]
S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [8/7/2008 5:23 PM 11352]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [7/30/2008 9:59 AM 11344]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [7/30/2008 4:26 AM 11376]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [7/31/2008 8:21 PM 11336]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [7/25/2008 9:44 AM 11312]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [7/25/2008 9:44 AM 11360]
S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [7/28/2008 3:08 PM 11336]
S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [7/24/2008 5:38 PM 11360]
S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [7/31/2008 8:21 PM 11368]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [6/20/2008 9:28 PM 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [6/20/2008 9:27 PM 11360]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [7/31/2008 8:21 PM 11336]
S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [7/31/2008 8:21 PM 11336]
S3 pdaq;Personal Daq 55/56;c:\windows\system32\drivers\PDAQ.SYS [6/23/2009 10:18 AM 9267]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [12/14/2007 2:25 PM 1112560]
S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MFERKDET

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-14 c:\windows\Tasks\Backup of Schoolwork.job
- c:\windows\system32\ntbackup.exe [2004-08-09 04:56]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4226245511-3969656384-1142665152-1022Core.job
- c:\documents and settings\rschkod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-16 18:08]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4226245511-3969656384-1142665152-1022UA.job
- c:\documents and settings\rschkod\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-16 18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.clemson.edu/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\rschkod\Application Data\Mozilla\Firefox\Profiles\bvoz45df.default\
FF - plugin: c:\documents and settings\rschkod\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-DVDLauncher - c:\program files\CyberLink\PowerDVD\DVDLauncher.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\NETWIN32.DLL
.
Completion time: 2010-05-19 20:44:39
ComboFix-quarantined-files.txt 2010-05-20 00:44

Pre-Run: 177,721,458,688 bytes free
Post-Run: 177,748,480,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BF93612C34AC4C623D89B04D17BA20D7
ken545
2010-05-20, 11:19
Skoda,

Nothing earthshattering on your CF log, but its extensive and I need to look it over a bit more.

TweakNow RegCleaner <--Reg Cleaners are not recommended unless your a windows expert, remove the wrong entry or entries ( and they sometimes do) it can disable your system, remove unwanted entries and you will see no difference in system performance .

You ran Malwarebytes, open it, go to the logs tab and copy and paste the log for me to see. Please do not attach any logs as its easier for me to look at when just pasted into the forum.





Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.



Still having issues, post them please
Skoda
2010-05-20, 19:32
Here are three Malware scans and a recent McAfee scan.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4090

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/11/2010 11:10:38 AM
mbam-log-2010-05-11 (11-10-38).txt

Scan type: Full scan (C:\|)
Objects scanned: 426351
Time elapsed: 2 hour(s), 25 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nod32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Documents and Settings\rschkod\Local Settings\Temp\nodqq.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\rschkod\Local Settings\Temp\nodqq0.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\Documents and Settings\rschkod\Local Settings\Temp\nodqq1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4090

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/13/2010 1:56:56 PM
mbam-log-2010-05-13 (13-56-56).txt

Scan type: Full scan (G:\|)
Objects scanned: 132817
Time elapsed: 1 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nod32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4113

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/18/2010 7:25:49 PM
mbam-log-2010-05-18 (19-25-49).txt

Scan type: Full scan (C:\|E:\|G:\|)
Objects scanned: 461489
Time elapsed: 3 hour(s), 12 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dso32 (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ca.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\qhbfqx.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\rschkod\Local Settings\Temp\dsoqq1.dll (Worm.Taterf) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6A0AD430-C341-43F8-9F1A-AC478F60B03C}\RP296\A0011333.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6A0AD430-C341-43F8-9F1A-AC478F60B03C}\RP297\A0011337.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6A0AD430-C341-43F8-9F1A-AC478F60B03C}\RP299\A0011434.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.


McAfee Scan Log

5/19/2010 10:08:39 AM Engine version = 5400.1158
5/19/2010 10:08:39 AM AntiVirus DAT version = 5986.0
5/19/2010 10:08:39 AM Number of detection signatures in EXTRA.DAT = None
5/19/2010 10:08:39 AM Names of detection signatures in EXTRA.DAT = None
5/19/2010 10:08:25 AM Scan Started RSCHKOD-PC\rschkod Full Scan
5/19/2010 10:26:18 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallOverride.zip
5/19/2010 10:26:18 AM Not scanned (The file is encrypted) c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRungbua.zip
5/19/2010 11:15:02 AM Deleted rschkod ODS(Full Scan) c:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\adcbdas16jrexp.mexw32 Generic.dx!srm (Trojan)
5/19/2010 11:15:07 AM Deleted rschkod ODS(Full Scan) c:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\ctrcbctr05.mexw32 Generic.dx!ssc (Trojan)
5/19/2010 11:15:10 AM Deleted rschkod ODS(Full Scan) c:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\docbpc104das16jr.mexw32 Generic.dx!srh (Trojan)
5/19/2010 11:15:11 AM Deleted rschkod ODS(Full Scan) c:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\encadpa1700.mexw32 Generic.dx!ssd (Trojan)
5/19/2010 11:15:17 AM Deleted rschkod ODS(Full Scan) c:\Program Files\MATLAB\R2008b\toolbox\rtw\targets\xpc\target\build\xpcblocks\xpcbytepacking.mexw32 Generic.dx!sry (Trojan)
5/19/2010 12:04:44 PM Deleted rschkod ODS(Full Scan) c:\System Volume Information\_restore{6A0AD430-C341-43F8-9F1A-AC478F60B03C}\RP300\A0011474.exe Generic PWS.y!cpq (Trojan)
5/19/2010 12:04:46 PM Deleted rschkod ODS(Full Scan) c:\System Volume Information\_restore{6A0AD430-C341-43F8-9F1A-AC478F60B03C}\RP300\A0011500.exe Generic PWS.y!cpq (Trojan)
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Scan Summary
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Processes scanned : 72
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Processes detected : 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Processes cleaned : 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Boot sectors scanned : 2
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Boot sectors detected: 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Boot sectors cleaned : 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Files scanned : 293174
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Files with detections: 7
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod File detections : 7
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Files cleaned : 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Files deleted : 7
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Files not scanned : 36
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Scan Summary (Registry Scanning)
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Keys scanned : 80413
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Keys detected : 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Keys cleaned : 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Keys deleted : 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Scan Summary (Cookie Scanning)
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Cookies scanned : 31
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Cookies detected : 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Cookies cleaned : 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Cookies deleted : 0
5/19/2010 12:20:00 PM Scan Summary RSCHKOD-PC\rschkod Run time : 2:11:35
5/19/2010 12:20:00 PM Scan Complete RSCHKOD-PC\rschkod Full Scan
ken545
2010-05-20, 19:51
You look ok, how are things running now ?
Skoda
2010-05-21, 20:29
Things seem to be running just fine. Thank you again for your help.
ken545
2010-05-22, 00:39
Great :bigthumb:

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.





Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.






How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.



Safe Surfn
Ken