stevo1569
2010-12-12, 19:26
Hello all, I've got a computer in front of me and it's about to make me go crazy. After reading all the into stuff to newbies I just realized also that I'm about to make your job a lot harder because I've already run a few "fixes". With that said, I know that I wasn't supposed to do that but I've got all the logs to make everything as easy as possible.
The main problem is, when the computer tries to boot into windows it gets to the windows logo and starts playing the sound and then goes BSOD with an stop code of 0x0000008E. Many places on the internet say it's a RAM error but after running a RAM test and several log in's into safe-mode, I am thoroughly convinced it has to be a virus/spyware/rootkit. ALSO, I only am seeing 1/3 of the control panel icons, security center is disabled and can't reactivate it, also I have no access to system restore. AND, when I ran these "fixes" they gave administrator rights privilege errors everywhere
Here starts the logs of everything that I ran and now know I shouldn't have:
DDS LOG:
DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Kristina at 11:59:37.88 on Sun 12/12/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2443 [GMT -5:00]
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Users\Kristina\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:52061
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\celebrity toolbar\tbhelper.dll
mURLSearchHooks: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\celebrity toolbar\tbcore3.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Automated Content Enhancer: {1d74e9dd-8987-448b-b2cb-67fff2b8a932} - c:\program files\automated content enhancer\4.1.0.5050\ACEIEAddOn.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - Symantec Intrusion Prevention
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
BHO: CMySite Class: {d62ec836-bf1e-4cac-81be-fb9179835d8e} - c:\program files\celebrity toolbar\mhxpcomi.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Web Search Operator: {eb4a577d-bcad-4b1c-8af2-9a74b8dd3431} - c:\program files\web search operator\3.1.0.1800\wso.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
TB: {D45817B8-3EAD-4d1d-8FCA-EC63A8E35DE2} - No File
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Celebrity Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\celebrity toolbar\tbcore3.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\celebrity toolbar\mhxpcomi.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
================= FIREFOX ===================
FF - ProfilePath - c:\users\kristina\appdata\roaming\mozilla\firefox\profiles\5tb05d07.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2384137&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52061
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\mhxpcom.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\kristina\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\kristina\appdata\roaming\Move Networks
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
S1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
S2 BNPagent;Bradford Persistent Agent Service;c:\program files\bradford networks\persistent agent\bndaemon.exe [2008-6-29 2944392]
S2 gupdate1c9e546d805beb2;Google Update Service (gupdate1c9e546d805beb2);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-10-16 103744]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-5-22 54608]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-16 72936]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-16 33960]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-16 174952]
=============== Created Last 30 ================
2010-12-12 16:46:00 691 ----a-w- c:\users\kristina\appdata\roaming\GetValue.vbs
2010-12-12 16:46:00 6296 ----a-w- c:\windows\system32\tmp.reg
2010-12-12 16:46:00 35 ----a-w- c:\users\kristina\appdata\roaming\SetValue.bat
2010-12-12 16:41:03 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{a91f3510-0f62-4a5c-a7ad-75151ea4e53b}\mpengine.dll
2010-12-12 07:53:59 -------- d-----w- C:\RegRunInfo
2010-12-12 07:47:38 2 --shatr- c:\windows\winstart.bat
2010-12-12 07:47:30 -------- d-----w- c:\program files\UnHackMe
2010-12-12 07:26:54 -------- d-----w- c:\users\kristina\appdata\local\temp
2010-12-12 07:25:57 -------- d-sh--w- C:\$RECYCLE.BIN
2010-12-12 07:12:16 98816 ----a-w- c:\windows\sed.exe
2010-12-12 07:12:16 89088 ----a-w- c:\windows\MBR.exe
2010-12-12 07:12:16 256512 ----a-w- c:\windows\PEV.exe
2010-12-12 07:12:16 161792 ----a-w- c:\windows\SWREG.exe
2010-12-12 07:09:46 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-12-12 04:23:22 -------- d-----w- c:\windows\pss
2010-12-11 19:23:00 -------- d-----w- c:\program files\CCleaner
2010-12-11 19:17:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-11 19:17:47 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-11 19:06:18 -------- d-----w- c:\users\kristina\appdata\roaming\Malwarebytes
2010-12-11 19:06:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-11 19:06:12 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-11 19:05:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-11 19:05:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 15:17:33 -------- d-----w- c:\windows\LastGood.Tmp
2010-11-24 14:31:28 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
==================== Find3M ====================
2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
============= FINISH: 12:00:24.43 ===============
HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:22:52, on 12/12/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Safe mode with network support
Running processes:
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Kristina\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52061
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: MHURLSearchHook Class - {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - C:\Program Files\Celebrity Toolbar\tbhelper.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MHTBPos00 - {0C37B053-FD68-456a-82E1-D788EE342E6F} - C:\Program Files\Celebrity Toolbar\tbcore3.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Automated Content Enhancer - {1D74E9DD-8987-448b-B2CB-67FFF2B8A932} - C:\Program Files\Automated Content Enhancer\4.1.0.5050\ACEIEAddOn.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: MyHeritage New Tab - {D62EC836-BF1E-4CAC-81BE-FB9179835D8E} - C:\Program Files\Celebrity Toolbar\mhxpcomi.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Web Search Operator - {EB4A577D-BCAD-4b1c-8AF2-9A74B8DD3431} - C:\Program Files\Web Search Operator\3.1.0.1800\wso.dll (file missing)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {D45817B8-3EAD-4d1d-8FCA-EC63A8E35DE2} - (no file)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: Celebrity Toolbar - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - C:\Program Files\Celebrity Toolbar\tbcore3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - C:\Program Files\Celebrity Toolbar\mhxpcomi.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Unknown owner - C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9e546d805beb2) (gupdate1c9e546d805beb2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8919 bytes
COMBOFIX LOG:
ComboFix 10-12-11.03 - Kristina 12/12/2010 2:16.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2526 [GMT -5:00]
Running from: c:\users\Kristina\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Kristina\AppData\Roaming\Microsoft\Windows\Recent\research paper final.docx
c:\windows\system32\Drivers\habu.sys
c:\windows\system32\KBL.LOG
----- BITS: Possible infected sites -----
hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.
2010-12-12 07:23 . 2010-12-12 07:23 -------- d-----w- c:\users\Kristina\AppData\Local\temp
2010-12-12 07:23 . 2010-12-12 07:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-12 07:09 . 2007-09-13 15:09 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-12-12 07:04 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB92AB66-080E-448E-A1A7-A9CA741B2293}\mpengine.dll
2010-12-11 19:23 . 2010-12-11 19:23 -------- d-----w- c:\program files\CCleaner
2010-12-11 19:17 . 2010-12-11 19:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-11 19:17 . 2010-12-11 19:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-11 19:06 . 2010-12-11 19:06 -------- d-----w- c:\users\Kristina\AppData\Roaming\Malwarebytes
2010-12-11 19:06 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-11 19:06 . 2010-12-11 19:06 -------- d-----w- c:\programdata\Malwarebytes
2010-12-11 19:05 . 2010-12-11 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 19:05 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 15:17 . 2010-12-11 01:07 -------- d-----w- c:\windows\LastGood.Tmp
2010-11-24 14:31 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2009-10-03 15:18 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-13 15:42 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-12-06 12:59 . 2010-02-04 00:35 192512 ----a-w- c:\program files\mozilla firefox\components\mhxpcom.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d40eb577-b16f-411b-81dc-afedf8b60a50}"= "c:\program files\Boston_Red_Sox\tbBos0.dll" [2009-07-15 2224152]
"{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}"= "c:\program files\Celebrity Toolbar\tbhelper.dll" [2009-05-07 355840]
[HKEY_CLASSES_ROOT\clsid\{d40eb577-b16f-411b-81dc-afedf8b60a50}]
[HKEY_CLASSES_ROOT\clsid\{1c4ab6a5-595f-4e86-b15f-f93cce2bbd48}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{1EA6B471-CAD2-419a-9539-0586EEFE2D09}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Celebrity Toolbar\tbcore3.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d40eb577-b16f-411b-81dc-afedf8b60a50}]
2009-07-15 14:09 2224152 ----a-w- c:\program files\Boston_Red_Sox\tbBos0.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D62EC836-BF1E-4CAC-81BE-FB9179835D8E}]
2009-12-06 12:59 217088 ----a-w- c:\program files\Celebrity Toolbar\mhxpcomi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d40eb577-b16f-411b-81dc-afedf8b60a50}"= "c:\program files\Boston_Red_Sox\tbBos0.dll" [2009-07-15 2224152]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Celebrity Toolbar\tbcore3.dll" [2009-05-07 2642432]
[HKEY_CLASSES_ROOT\clsid\{d40eb577-b16f-411b-81dc-afedf8b60a50}]
[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D40EB577-B16F-411B-81DC-AFEDF8B60A50}"= "c:\program files\Boston_Red_Sox\tbBos0.dll" [2009-07-15 2224152]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Celebrity Toolbar\tbcore3.dll" [2009-05-07 2642432]
[HKEY_CLASSES_ROOT\clsid\{d40eb577-b16f-411b-81dc-afedf8b60a50}]
[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-19 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-19 129560]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
R2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2008-06-29 2944392]
R2 gupdate1c9e546d805beb2;Google Update Service (gupdate1c9e546d805beb2);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 133104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-12-12 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-11-18 18:51]
2010-12-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-03 04:02]
2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 19:01]
2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 19:01]
2010-11-08 c:\windows\Tasks\HPCeeScheduleForKristina.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-02-23 19:58]
2010-12-07 c:\windows\Tasks\User_Feed_Synchronization-{9D35963A-AC5F-4552-9E36-287C18FA2EF6}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:52061
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\Celebrity Toolbar\mhxpcomi.dll
DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://70.88.61.157/VatDec.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.10/TSWeb.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://myvpn.fgcu.edu/dana-cached/sc/JuniperSetupClient.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\users\Kristina\AppData\Roaming\Mozilla\Firefox\Profiles\5tb05d07.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2384137&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52061
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\mhxpcom.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Kristina\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: The Browser Highlighter: browserhighlighter@ebay.com - c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Kristina\AppData\Roaming\Mozilla\Firefox\Profiles\5tb05d07.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\users\Kristina\AppData\Roaming\Move Networks
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
HKLM-Run-bncsaui.exe - %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
HKLM-RunOnce-<NO NAME> - (no file)
AddRemove-{95F19350-A3A2-491B-A404-54BDD34DB49D} - c:\programdata\{F5C4EB60-DE42-48AD-837F-4FFF2C6BAC0B}\Setup.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 02:23
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-12 02:26:53
ComboFix-quarantined-files.txt 2010-12-12 07:26
Pre-Run: 112,750,882,816 bytes free
Post-Run: 112,683,462,656 bytes free
- - End Of File - - 78C6EC568ED58C60499FFFE2BCA02FE9
SMITFRAUDFIX LOG:
SmitFraudFix v2.424
Scan done at 11:45:49.76, Sun 12/12/2010
Run from C:\Users\Kristina\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) Wireless WiFi Link 4965AGN
DNS Server Search Order: 172.25.0.9
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3EC232C7-E620-45A4-9CAB-997BEC9FE815}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7DD10482-45EB-4D87-BE4C-FBACFA939231}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3EC232C7-E620-45A4-9CAB-997BEC9FE815}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7DD10482-45EB-4D87-BE4C-FBACFA939231}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3EC232C7-E620-45A4-9CAB-997BEC9FE815}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7DD10482-45EB-4D87-BE4C-FBACFA939231}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=172.25.0.9
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
»»»»»»»»»»»»»»»»»»»»»»»» RK.2
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Again, I know I shouldn't have run these fixes now but It's already done and I would truly appreciate this helkp as I would rather not clean install windows.
Thanks,
Steve.
The main problem is, when the computer tries to boot into windows it gets to the windows logo and starts playing the sound and then goes BSOD with an stop code of 0x0000008E. Many places on the internet say it's a RAM error but after running a RAM test and several log in's into safe-mode, I am thoroughly convinced it has to be a virus/spyware/rootkit. ALSO, I only am seeing 1/3 of the control panel icons, security center is disabled and can't reactivate it, also I have no access to system restore. AND, when I ran these "fixes" they gave administrator rights privilege errors everywhere
Here starts the logs of everything that I ran and now know I shouldn't have:
DDS LOG:
DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Kristina at 11:59:37.88 on Sun 12/12/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2443 [GMT -5:00]
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Users\Kristina\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:52061
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\celebrity toolbar\tbhelper.dll
mURLSearchHooks: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\celebrity toolbar\tbcore3.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Automated Content Enhancer: {1d74e9dd-8987-448b-b2cb-67fff2b8a932} - c:\program files\automated content enhancer\4.1.0.5050\ACEIEAddOn.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - Symantec Intrusion Prevention
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
BHO: CMySite Class: {d62ec836-bf1e-4cac-81be-fb9179835d8e} - c:\program files\celebrity toolbar\mhxpcomi.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Web Search Operator: {eb4a577d-bcad-4b1c-8af2-9a74b8dd3431} - c:\program files\web search operator\3.1.0.1800\wso.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
TB: {D45817B8-3EAD-4d1d-8FCA-EC63A8E35DE2} - No File
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Celebrity Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\celebrity toolbar\tbcore3.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\celebrity toolbar\mhxpcomi.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
================= FIREFOX ===================
FF - ProfilePath - c:\users\kristina\appdata\roaming\mozilla\firefox\profiles\5tb05d07.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2384137&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52061
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\mhxpcom.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\kristina\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\kristina\appdata\roaming\Move Networks
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
S1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
S2 BNPagent;Bradford Persistent Agent Service;c:\program files\bradford networks\persistent agent\bndaemon.exe [2008-6-29 2944392]
S2 gupdate1c9e546d805beb2;Google Update Service (gupdate1c9e546d805beb2);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-10-16 103744]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-5-22 54608]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-16 72936]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-16 33960]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-16 174952]
=============== Created Last 30 ================
2010-12-12 16:46:00 691 ----a-w- c:\users\kristina\appdata\roaming\GetValue.vbs
2010-12-12 16:46:00 6296 ----a-w- c:\windows\system32\tmp.reg
2010-12-12 16:46:00 35 ----a-w- c:\users\kristina\appdata\roaming\SetValue.bat
2010-12-12 16:41:03 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{a91f3510-0f62-4a5c-a7ad-75151ea4e53b}\mpengine.dll
2010-12-12 07:53:59 -------- d-----w- C:\RegRunInfo
2010-12-12 07:47:38 2 --shatr- c:\windows\winstart.bat
2010-12-12 07:47:30 -------- d-----w- c:\program files\UnHackMe
2010-12-12 07:26:54 -------- d-----w- c:\users\kristina\appdata\local\temp
2010-12-12 07:25:57 -------- d-sh--w- C:\$RECYCLE.BIN
2010-12-12 07:12:16 98816 ----a-w- c:\windows\sed.exe
2010-12-12 07:12:16 89088 ----a-w- c:\windows\MBR.exe
2010-12-12 07:12:16 256512 ----a-w- c:\windows\PEV.exe
2010-12-12 07:12:16 161792 ----a-w- c:\windows\SWREG.exe
2010-12-12 07:09:46 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-12-12 04:23:22 -------- d-----w- c:\windows\pss
2010-12-11 19:23:00 -------- d-----w- c:\program files\CCleaner
2010-12-11 19:17:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-11 19:17:47 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-11 19:06:18 -------- d-----w- c:\users\kristina\appdata\roaming\Malwarebytes
2010-12-11 19:06:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-11 19:06:12 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-11 19:05:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-11 19:05:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 15:17:33 -------- d-----w- c:\windows\LastGood.Tmp
2010-11-24 14:31:28 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
==================== Find3M ====================
2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
============= FINISH: 12:00:24.43 ===============
HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:22:52, on 12/12/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Safe mode with network support
Running processes:
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Kristina\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52061
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: MHURLSearchHook Class - {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - C:\Program Files\Celebrity Toolbar\tbhelper.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MHTBPos00 - {0C37B053-FD68-456a-82E1-D788EE342E6F} - C:\Program Files\Celebrity Toolbar\tbcore3.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Automated Content Enhancer - {1D74E9DD-8987-448b-B2CB-67FFF2B8A932} - C:\Program Files\Automated Content Enhancer\4.1.0.5050\ACEIEAddOn.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: MyHeritage New Tab - {D62EC836-BF1E-4CAC-81BE-FB9179835D8E} - C:\Program Files\Celebrity Toolbar\mhxpcomi.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Web Search Operator - {EB4A577D-BCAD-4b1c-8AF2-9A74B8DD3431} - C:\Program Files\Web Search Operator\3.1.0.1800\wso.dll (file missing)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {D45817B8-3EAD-4d1d-8FCA-EC63A8E35DE2} - (no file)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: Celebrity Toolbar - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - C:\Program Files\Celebrity Toolbar\tbcore3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - C:\Program Files\Celebrity Toolbar\mhxpcomi.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Unknown owner - C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9e546d805beb2) (gupdate1c9e546d805beb2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8919 bytes
COMBOFIX LOG:
ComboFix 10-12-11.03 - Kristina 12/12/2010 2:16.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2526 [GMT -5:00]
Running from: c:\users\Kristina\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Kristina\AppData\Roaming\Microsoft\Windows\Recent\research paper final.docx
c:\windows\system32\Drivers\habu.sys
c:\windows\system32\KBL.LOG
----- BITS: Possible infected sites -----
hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.
2010-12-12 07:23 . 2010-12-12 07:23 -------- d-----w- c:\users\Kristina\AppData\Local\temp
2010-12-12 07:23 . 2010-12-12 07:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-12 07:09 . 2007-09-13 15:09 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-12-12 07:04 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB92AB66-080E-448E-A1A7-A9CA741B2293}\mpengine.dll
2010-12-11 19:23 . 2010-12-11 19:23 -------- d-----w- c:\program files\CCleaner
2010-12-11 19:17 . 2010-12-11 19:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-11 19:17 . 2010-12-11 19:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-11 19:06 . 2010-12-11 19:06 -------- d-----w- c:\users\Kristina\AppData\Roaming\Malwarebytes
2010-12-11 19:06 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-11 19:06 . 2010-12-11 19:06 -------- d-----w- c:\programdata\Malwarebytes
2010-12-11 19:05 . 2010-12-11 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 19:05 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 15:17 . 2010-12-11 01:07 -------- d-----w- c:\windows\LastGood.Tmp
2010-11-24 14:31 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2009-10-03 15:18 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56 . 2010-10-13 15:42 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-12-06 12:59 . 2010-02-04 00:35 192512 ----a-w- c:\program files\mozilla firefox\components\mhxpcom.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d40eb577-b16f-411b-81dc-afedf8b60a50}"= "c:\program files\Boston_Red_Sox\tbBos0.dll" [2009-07-15 2224152]
"{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}"= "c:\program files\Celebrity Toolbar\tbhelper.dll" [2009-05-07 355840]
[HKEY_CLASSES_ROOT\clsid\{d40eb577-b16f-411b-81dc-afedf8b60a50}]
[HKEY_CLASSES_ROOT\clsid\{1c4ab6a5-595f-4e86-b15f-f93cce2bbd48}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{1EA6B471-CAD2-419a-9539-0586EEFE2D09}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Celebrity Toolbar\tbcore3.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d40eb577-b16f-411b-81dc-afedf8b60a50}]
2009-07-15 14:09 2224152 ----a-w- c:\program files\Boston_Red_Sox\tbBos0.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D62EC836-BF1E-4CAC-81BE-FB9179835D8E}]
2009-12-06 12:59 217088 ----a-w- c:\program files\Celebrity Toolbar\mhxpcomi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d40eb577-b16f-411b-81dc-afedf8b60a50}"= "c:\program files\Boston_Red_Sox\tbBos0.dll" [2009-07-15 2224152]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Celebrity Toolbar\tbcore3.dll" [2009-05-07 2642432]
[HKEY_CLASSES_ROOT\clsid\{d40eb577-b16f-411b-81dc-afedf8b60a50}]
[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D40EB577-B16F-411B-81DC-AFEDF8B60A50}"= "c:\program files\Boston_Red_Sox\tbBos0.dll" [2009-07-15 2224152]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Celebrity Toolbar\tbcore3.dll" [2009-05-07 2642432]
[HKEY_CLASSES_ROOT\clsid\{d40eb577-b16f-411b-81dc-afedf8b60a50}]
[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-19 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-19 129560]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
R2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2008-06-29 2944392]
R2 gupdate1c9e546d805beb2;Google Update Service (gupdate1c9e546d805beb2);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 133104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-12-12 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-11-18 18:51]
2010-12-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-03 04:02]
2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 19:01]
2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 19:01]
2010-11-08 c:\windows\Tasks\HPCeeScheduleForKristina.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-02-23 19:58]
2010-12-07 c:\windows\Tasks\User_Feed_Synchronization-{9D35963A-AC5F-4552-9E36-287C18FA2EF6}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:52061
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\Celebrity Toolbar\mhxpcomi.dll
DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://70.88.61.157/VatDec.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.10/TSWeb.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://myvpn.fgcu.edu/dana-cached/sc/JuniperSetupClient.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\users\Kristina\AppData\Roaming\Mozilla\Firefox\Profiles\5tb05d07.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2384137&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52061
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\mhxpcom.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Kristina\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: The Browser Highlighter: browserhighlighter@ebay.com - c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Kristina\AppData\Roaming\Mozilla\Firefox\Profiles\5tb05d07.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\users\Kristina\AppData\Roaming\Move Networks
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
HKLM-Run-bncsaui.exe - %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
HKLM-RunOnce-<NO NAME> - (no file)
AddRemove-{95F19350-A3A2-491B-A404-54BDD34DB49D} - c:\programdata\{F5C4EB60-DE42-48AD-837F-4FFF2C6BAC0B}\Setup.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 02:23
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-12 02:26:53
ComboFix-quarantined-files.txt 2010-12-12 07:26
Pre-Run: 112,750,882,816 bytes free
Post-Run: 112,683,462,656 bytes free
- - End Of File - - 78C6EC568ED58C60499FFFE2BCA02FE9
SMITFRAUDFIX LOG:
SmitFraudFix v2.424
Scan done at 11:45:49.76, Sun 12/12/2010
Run from C:\Users\Kristina\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» RK
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) Wireless WiFi Link 4965AGN
DNS Server Search Order: 172.25.0.9
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3EC232C7-E620-45A4-9CAB-997BEC9FE815}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7DD10482-45EB-4D87-BE4C-FBACFA939231}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3EC232C7-E620-45A4-9CAB-997BEC9FE815}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7DD10482-45EB-4D87-BE4C-FBACFA939231}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3EC232C7-E620-45A4-9CAB-997BEC9FE815}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7DD10482-45EB-4D87-BE4C-FBACFA939231}: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.25.0.9
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=172.25.0.9
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
»»»»»»»»»»»»»»»»»»»»»»»» RK.2
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Again, I know I shouldn't have run these fixes now but It's already done and I would truly appreciate this helkp as I would rather not clean install windows.
Thanks,
Steve.