PDA

View Full Version : another "click.giftload" victim



abstract50
2011-05-09, 09:48
Hello,
I recently visited "mysoju.com" where I am certain I was exposed to this virus along with "malware doctor" on Friday (May 6th). I have already tried "system restore," but was unsuccessful. I believe I have gotten rid of "malware doctor" but can't be certain. When I scanned my computer using spybot, it detected "click.giftload" and although it said it was removed, my computer moves at a snails pace especially when visiting webpages ie; youtube.com. There is no sign of redirects or pop ups thus far when using safari.

I have opened up the task manager and the cpu usage jumps upwards of 70 to 100% when visiting websites. As others have noted previously, there is also at least six (svchost.exe) processes that appear in task manager.
Below is the dds.txt file requested along with the attach.zip below.
THANK YOU SOOOO MUCH! :present:


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Marsha at 20:06:32.85 on Sun 05/08/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.443 [GMT -10:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\docume~1\marsha\locals~1\temp\cdm\{be05876d-561b-4024-9955-40efec6b1e69}\STacSV.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\HP\HPBTWD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\syncables\syncables desktop\Syncables.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe
C:\Program Files\syncables\syncables desktop\MigoMapi.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
C:\Documents and Settings\Marsha\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://kcc.hawaii.edu/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101229165721.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\docume~1\marsha\locals~1\temp\adgv6pc8.tmp\utorrent.exe"
uRun: [HLBackupScheduler] c:\program files\verizon v cast media manager\V CAST Backup Scheduler.exe
uRun: [asecpp70.exe] c:\documents and settings\marsha\application data\e57edb6a5188e98a89d96ce530003e5d\asecpp70.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [HP BTW Detect Program] c:\program files\hp\HPBTWD.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode
mRun: [Syncables] c:\program files\syncables\syncables desktop\Syncables.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [PININST] c:\system.sav\util\pininst.exe c:\system.sav\util\PININST.INI
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\marsha\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277974724577
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - kcc.hawaii.edu
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_US&q=
FF - component: c:\documents and settings\marsha\application data\mozilla\firefox\profiles\na8hmdbg.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {3776C304-4C34-4D88-9620-6E4878D013CD} - c:\documents and settings\marsha\local settings\application data\{3776C304-4C34-4D88-9620-6E4878D013CD}
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-12-29 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-12-29 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-12-29 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-12-29 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-12-29 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-12-29 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-12-29 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-12-29 141792]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-4-21 113664]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-29 55840]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-2 38912]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-12-29 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-12-29 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-29 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-12-29 88544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-12-29 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-29 84264]
S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVEX15.SYS [?]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-07 02:29:42 0 ----a-w- c:\windows\Ybeli.bin
2011-05-07 02:29:37 -------- d-----w- c:\docume~1\marsha\locals~1\applic~1\{3776C304-4C34-4D88-9620-6E4878D013CD}
2011-05-01 22:43:26 -------- d-----w- c:\documents and settings\marsha\DownloadDirector
2011-05-01 22:02:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SafeNet Sentinel
2011-05-01 21:59:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SPSS
2011-05-01 21:59:56 -------- d-----w- c:\program files\common files\SPSS
2011-05-01 21:58:55 -------- d-----w- c:\program files\SPSSInc
2011-05-01 21:56:41 -------- d-----w- c:\program files\PASWStatisticsStudent18
2011-05-01 20:52:35 205 ----a-w- c:\windows\system32\lsprst7.dll
2011-05-01 20:52:35 1025 ----a-w- c:\windows\system32\sysprs7.dll
2011-04-14 13:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 13:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-04-13 05:00:03 -------- d-----w- c:\program files\NCH Software
2011-04-13 04:59:47 -------- d-----w- c:\docume~1\marsha\applic~1\NCH Software
2011-04-11 02:34:45 -------- d-----w- c:\docume~1\marsha\applic~1\SMRecorder
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
============= FINISH: 20:09:17.46 ===============

redcar92
2011-05-09, 18:30
Hello abstract50 and :snwelcome:.
I'm RedCar92 and my name is Bill, I'll be glad to help you with your computer problems.

Please observe these rules while we work: Read the entire procedure It is important to perform ALL actions in sequence. If you don't know, stop and ask! Don't keep going on. Please reply to this thread. Do not start a new topic. Stick with me till you're given the all clear. Malware removal can be stressful but we will clean it. Remember, absence of symptoms does not mean the infection is all gone. Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise, this will be a team effort.
This may cause a delay, but I will do my best to keep it as short as possible.

Please bear with me, I will post back to you as soon as I can.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

Stay with this topic until I give you the all clean post.[/b]

redcar92
2011-05-10, 20:05
Greetings abstract50,

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the**save log button, save it to your desktop and post using copy/paste in your next reply.

abstract50
2011-05-10, 21:36
*As a side note, when using Mozilla Firefox I have been periodically experiencing the web site redirects.
Below is the aswMBR. THANKS AGAIN! :thanks:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-10 08:24:38
-----------------------------
08:24:38.515 OS Version: Windows 5.1.2600 Service Pack 3
08:24:38.515 Number of processors: 2 586 0x1C02
08:24:38.515 ComputerName: THUM UserName:
08:24:52.203 Initialize success
08:25:06.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:25:06.468 Disk 0 Vendor: WDC_WD1600BEVT-60ZCT1 13.01A13 Size: 152627MB BusType: 3
08:25:08.500 Disk 0 MBR read successfully
08:25:08.515 Disk 0 MBR scan
08:25:08.531 Disk 0 unknown MBR code
08:25:10.562 Disk 0 scanning sectors +312560640
08:25:10.656 Disk 0 scanning C:\WINDOWS\system32\drivers
08:25:24.218 Service scanning
08:25:26.390 Disk 0 trace - called modules:
08:25:26.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
08:25:26.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d75ab8]
08:25:26.421 3 CLASSPNP.SYS[f7668fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86d44d98]
08:25:26.421 Scan finished successfully
08:26:44.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Marsha\Desktop\MBR.dat"
08:26:44.531 The log file has been saved successfully to "C:\Documents and Settings\Marsha\Desktop\aswMBR.txt"

redcar92
2011-05-11, 04:40
Greetings abstract50,
Good news, no Rootkit or MBR infection.

***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
Download Combofix from any of the links below. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CFRCNeeded.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CF2.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy/past the contents of C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

abstract50
2011-05-12, 05:31
When I installed it, there was a message reading new version available. I did not opt to download it because I was hesitant. Would you like me to redo the scan again with the newer version and install it when prompted to?
I also attached the actual txt. log below. :santa:

ComboFix 11-05-10.02 - Marsha 05/11/2011 8:24.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.488 [GMT -10:00]
Running from: c:\documents and settings\Marsha\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Marsha\Application Data\Adobe\plugs
c:\documents and settings\Marsha\Application Data\Adobe\shed
c:\documents and settings\Marsha\Local Settings\Application Data\{3776C304-4C34-4D88-9620-6E4878D013CD}
c:\documents and settings\Marsha\Local Settings\Application Data\{3776C304-4C34-4D88-9620-6E4878D013CD}\chrome.manifest
c:\documents and settings\Marsha\Local Settings\Application Data\{3776C304-4C34-4D88-9620-6E4878D013CD}\chrome\content\_cfg.js
c:\documents and settings\Marsha\Local Settings\Application Data\{3776C304-4C34-4D88-9620-6E4878D013CD}\chrome\content\overlay.xul
c:\documents and settings\Marsha\Local Settings\Application Data\{3776C304-4C34-4D88-9620-6E4878D013CD}\install.rdf
C:\Install.exe
c:\program files\HP\HPBTWD.exe
c:\windows\system32\lsprst7.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-09 06:03 . 2011-05-09 06:03 -------- d-----w- c:\program files\ERUNT
2011-05-07 02:29 . 2011-05-07 02:29 0 ----a-w- c:\windows\Ybeli.bin
2011-05-01 22:43 . 2011-05-01 22:43 -------- d-----w- c:\documents and settings\Marsha\DownloadDirector
2011-05-01 22:02 . 2011-05-01 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel
2011-05-01 21:59 . 2011-05-01 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
2011-05-01 21:59 . 2011-05-01 21:59 -------- d-----w- c:\program files\Common Files\SPSS
2011-05-01 21:58 . 2011-05-01 22:37 -------- d-----w- c:\program files\SPSSInc
2011-05-01 21:56 . 2011-05-01 21:57 -------- d-----w- c:\program files\PASWStatisticsStudent18
2011-05-01 20:52 . 2011-05-01 20:52 1025 ----a-w- c:\windows\system32\sysprs7.dll
2011-04-14 13:39 . 2011-04-14 13:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 13:39 . 2011-04-14 13:39 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-04-13 05:00 . 2011-04-13 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2011-04-13 05:00 . 2011-04-18 02:58 -------- d-----w- c:\program files\NCH Software
2011-04-13 04:59 . 2011-04-13 05:06 -------- d-----w- c:\documents and settings\Marsha\Application Data\NCH Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2008-04-15 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-15 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-15 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-03-02 05:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2007-08-14 17:54 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2007-08-14 17:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 11:41 . 2008-04-15 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-15 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-15 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-07-01 23:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-15 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2010-10-14 08:28 . 2010-12-30 02:57 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-08-05 737280]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2009-01-09 455224]
"Syncables"="c:\program files\syncables\syncables desktop\Syncables.exe" [2009-04-02 173360]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"PININST"="c:\system.sav\UTIL\PININST.EXE" [2006-02-25 94208]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-08-14 467036]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-10-26 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-11-23 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-26 421160]
.
c:\documents and settings\Marsha\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/29/2010 4:56 PM 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/29/2010 4:56 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [12/29/2010 4:56 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [12/29/2010 4:57 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/29/2010 4:57 PM 141792]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/21/2009 2:13 PM 113664]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/29/2010 4:56 PM 55840]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/2/2009 11:03 AM 38912]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/29/2010 4:56 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/29/2010 4:56 PM 88544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/29/2010 4:56 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/29/2010 4:56 PM 84264]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:50]
.
2011-04-14 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2011-04-13 05:06]
.
2011-05-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-208597416-1257733744-2204374147-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 13:02]
.
2010-12-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-208597416-1257733744-2204374147-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 13:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://kcc.hawaii.edu/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marsha\Application Data\Mozilla\Firefox\Profiles\na8hmdbg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - kcc.hawaii.edu
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-HLBackupScheduler - c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
HKCU-Run-asecpp70.exe - c:\documents and settings\Marsha\Application Data\E57EDB6A5188E98A89D96CE530003E5D\asecpp70.exe
HKLM-Run-HP BTW Detect Program - c:\program files\HP\HPBTWD.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-11 08:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-11 08:38:55
ComboFix-quarantined-files.txt 2011-05-11 18:38
.
Pre-Run: 140,359,061,504 bytes free
Post-Run: 140,834,758,656 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D938112DBFF634DB41D4561AADEE9F44

redcar92
2011-05-13, 03:34
Greetings abstract50,
P2P - I see you have P2P software uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page (http://p2p.malwareremoval.com/) will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/305923-perils-p2p-file-sharing.html).
I would strongly recommend that you uninstall this now. You can do so via Control Panel >> Add or Remove Programs.

I also see that you have the Ask toolbar on your system. You may not be aware of the the above problems and Add or Remove Programs may not show them installed. If you want these nuisances removed, and cannot do it your self, let me know and we can remove them for you.

Next
Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:


cmd /c del /f/a/q "c:\windows\Ybeli.bin"

Next
Double click 0n MalwareBytes, mbam.exe to run it.
If Malwarebytes asks to update click on yes, if you are not asked.
Click on the Update tab then click on Check for updates.
After updates finish, click on the Scanner tab. Select Perform quick scan.
Click on Scan button.
When finished copy/paste the contents of mbam.txt into your next post please.

Next
Please use Internet Explorer to download and run the following scan: Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click on List of found threats.
Click Export to text file
Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.

Logs to post:


mbam.txt
ESET's log.txt
Tell me how your PC is behaving now please

abstract50
2011-05-14, 10:06
Hey Bill,
Yes, I would love assistance in removing the programs you mentioned because they are not appearing in my control panel.
Upon starting up my pc, a black window always appears for a second with the message: Windows did not shut down successfully and lists the set of choices: "Start Windows normally, etc.. It goes away by itself. I have not experienced any misdirections of websites using firefox nor safari so that must be a great sign?
When 'windows run' screen came up, I copied the text into the box and a black screen came up but disappeared. Is that what suppose to happen? With the ESET online scanner, it stated that other virus programs may affect it so I disabled my Mccafee. Should I have just kept it on, did it negatively impact the results?
As I performed these two scans they both showed no signs of virus. There was no option to provide a txt file with the ESET scan because it found no threats. I truly believed I had/have this virus based on my computer symptoms and if not I truly appreciate your help in assisting me.

Scan type: Quick scan
Objects scanned: 148330
Time elapsed: 14 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

redcar92
2011-05-15, 15:30
Hello abstract50,
The black screen you see at startup is normal after installing Combofix, it should have Recovery Console as a choice. This is a good thing.

Everything else sounds normal.

To remove ask and uTorrent please do the following:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:





Firefox::


FF - ProfilePath - c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
DDS::

uRun: [uTorrent] "c:\docume~1\marsha\locals~1\temp\adgv6pc8.tmp\utorrent.exe"
Registry::


Driver::



Save this as "CFScript.txt", and as* Type: All Files (*.*) in the same location as ComboFix.exe


http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CFscript.png

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

http://i1176.photobucket.com/albums/x337/redcar92/WTT/ATF/atf.png

Next
Your Java appears to be down level.
Navigate to Control Panel then open Add Remove Programs.
Highlight each Java item listed then Remove or Uninstall.
Visit this site (http://www.java.com/en/download/index.jsp) to down load and install the latest Java.

Next
Your Adobe appears to be down level
Please visit this site http://www.adobe.com/downloads/ Click on Adobe Reader icon on the right side and you will be presented with the correct Adobe for your system.
Down load and install this Adobe please.

Please let me know your PC is working now.

abstract50
2011-05-16, 06:19
While running combofix, a error message pev.exe reading an "error occurred and most close." It occurred twice while running combofix. As for the computer, it seems to be running smoothly. :thanks:


ComboFix 11-05-10.02 - Marsha 05/15/2011 15:59:49.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.548 [GMT -10:00]
Running from: c:\documents and settings\Marsha\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marsha\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome.manifest
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\about.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\about.xul
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\constants.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\db.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\events.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\json.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\lifecycle.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\listeners.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\logger.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\network.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\observer.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\options.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\options.xul
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\preferences.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\toolbar.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\utilities.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\widget-controller.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\widget-frame.xul
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\widget-popup.xul
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\content\widgets.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\abc.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\amazon_16x.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\as.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\ask_16x16.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\ask_32x32.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\ask_browser_ff_chrome.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\asklogo.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\bbc_news.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\beppe_grillo.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\bild.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\blogs.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\business.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\chevron.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\Close.gif
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\cnn_16x.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\corriere_della_sera.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\dictionary.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\el_mundo.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\email_16x.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\expansion.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\facebook_16x.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\folha.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\ft.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\ftd.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\g1.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\games_16x.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\gazzetta_dello_sport.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\gripper.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\highlight_16x.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\highlighter_off.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\highlighter_on.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\images.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\kicker.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\labels-de.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\labels-en.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\labels-es.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\labels-fr.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\labels-it.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\labels-nl.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\labels-pt.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\labels-ru.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\laposte.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\lemonde.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\lequipe.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\libero_it.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\links-BR.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\links-DE.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\links-ES.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\links-EU.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\links-FR.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\links-IT.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\links-NL.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\links-RU.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\links-UK.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\links-US.properties
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\magnify_search.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\magnify_search_grey_16x.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\maps.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\marmiton.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\mtv.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\news.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\oglobo.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\orkut.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\preferences.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_ask.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_ask_de.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_ask_es.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_ask_fr.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_ask_it.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_ask_nl.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_ask_pl.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_ask_pt.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_ask_ru.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_cobrand.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_current_site.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_de.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_es.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_fr.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_it.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_nl.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_pl.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_pt.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\search_ru.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\shopping.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\sports.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\stocks.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\terra.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\toolbar.css
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\toolbar.xul
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\tv.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\tv_movie_de.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\uol.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\weather.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\weather_16x.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\web.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\web_de.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\widget-popup.css
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\WindowTop.gif
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\wordoftheday_16x.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\youtube_16x.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\skin\zoomall.png
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\temp\ff-config.Fri-02-Apr-2010-01-53-04-GMT\ff-config.zip
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\temp\ff-config.Mon-07-Jun-2010-23-12-43-GMT\ff-config.zip
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\chrome\temp\ff-config.Tue-26-Oct-2010-01-30-00-GMT\ff-config.zip
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\datastore\cache.sqlite
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\defaults.js.bak
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\defaults\preferences\defaults.js
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\install.rdf
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1304750906922.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1304751012362.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1304751351374.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1304761443968.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1304872007241.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1304874605565.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1304911167138.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1305013625778.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1305014543979.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1305136974640.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1305182000196.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1305278128534.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1305356912966.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1305386708861.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1305387477757.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1305387881089.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\logs\asktb-log-1305387882568.html
c:\docume~1\marsha\applic~1\mozilla\firefox\profiles\na8hmdbg.default\extensions\toolbar@ask.com\searchplugins\askcom.xml
.
.
((((((((((((((((((((((((( Files Created from 2011-04-16 to 2011-05-16 )))))))))))))))))))))))))))))))
.
.
2011-05-14 06:04 . 2011-05-14 06:04 -------- d-----w- c:\program files\ESET
2011-05-09 06:03 . 2011-05-09 06:03 -------- d-----w- c:\program files\ERUNT
2011-05-01 22:43 . 2011-05-01 22:43 -------- d-----w- c:\documents and settings\Marsha\DownloadDirector
2011-05-01 22:02 . 2011-05-01 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel
2011-05-01 21:59 . 2011-05-01 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
2011-05-01 21:59 . 2011-05-01 21:59 -------- d-----w- c:\program files\Common Files\SPSS
2011-05-01 21:58 . 2011-05-01 22:37 -------- d-----w- c:\program files\SPSSInc
2011-05-01 21:56 . 2011-05-01 21:57 -------- d-----w- c:\program files\PASWStatisticsStudent18
2011-05-01 20:52 . 2011-05-01 20:52 1025 ----a-w- c:\windows\system32\sysprs7.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-15 00:01 . 2010-12-30 02:57 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-15 00:01 . 2010-12-30 02:57 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-15 00:01 . 2010-12-30 02:56 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-15 00:01 . 2010-12-30 02:56 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-15 00:01 . 2010-12-30 02:56 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-15 00:01 . 2010-12-30 02:56 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-15 00:01 . 2010-12-30 02:56 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-15 00:01 . 2010-12-30 02:56 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-15 00:01 . 2010-12-30 02:56 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-15 00:01 . 2010-12-30 02:56 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-15 00:01 . 2010-12-30 02:56 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-03-07 05:33 . 2008-04-15 12:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-15 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-04-15 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-03-02 05:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2007-08-14 17:54 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2007-08-14 17:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 11:41 . 2008-04-15 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2008-04-15 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-15 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-07-01 23:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-15 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-04-15 00:01 . 2010-12-30 02:57 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-11_18.34.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-16 01:47 . 2011-05-16 01:47 16384 c:\windows\temp\Perflib_Perfdata_404.dat
- 2009-08-23 10:38 . 2011-05-09 05:01 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-23 10:38 . 2011-05-12 18:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-23 10:38 . 2011-05-09 05:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-08-23 10:38 . 2011-05-12 18:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-08-23 10:38 . 2011-05-09 05:01 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-05-12 03:19 . 2011-05-12 18:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-05-12 10:50 . 2011-05-12 10:50 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
- 2011-04-16 22:17 . 2011-04-16 22:17 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
+ 2009-06-15 00:54 . 2011-05-12 10:51 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-06-15 00:54 . 2011-04-16 22:27 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-06-15 00:54 . 2011-05-12 10:51 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-06-15 00:54 . 2011-04-16 22:27 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-06-15 00:54 . 2011-04-16 22:27 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-06-15 00:54 . 2011-05-12 10:51 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
- 2011-04-16 22:17 . 2011-04-16 22:17 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2011-05-12 10:50 . 2011-05-12 10:50 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2010-06-08 22:26 . 2011-05-09 05:01 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2010-06-08 22:26 . 2011-05-12 18:59 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-06-15 00:54 . 2011-05-12 10:51 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-06-15 00:54 . 2011-04-16 22:27 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-06-15 00:54 . 2011-05-12 10:51 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2009-06-15 00:54 . 2011-04-16 22:27 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2009-06-15 00:54 . 2011-04-16 22:27 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2009-06-15 00:54 . 2011-05-12 10:51 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2009-06-15 00:54 . 2011-05-12 10:51 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2009-06-15 00:54 . 2011-04-16 22:27 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2011-05-16 01:48 . 2011-05-16 01:48 315392 c:\windows\ERDNT\AutoBackup\5-15-2011\Users\00000002\UsrClass.dat
+ 2011-05-16 01:48 . 2005-10-20 22:02 163328 c:\windows\ERDNT\AutoBackup\5-15-2011\ERDNT.EXE
+ 2011-05-14 15:23 . 2011-05-14 15:23 315392 c:\windows\ERDNT\AutoBackup\5-14-2011\Users\00000002\UsrClass.dat
+ 2011-05-14 15:23 . 2005-10-20 22:02 163328 c:\windows\ERDNT\AutoBackup\5-14-2011\ERDNT.EXE
+ 2011-05-13 17:00 . 2011-05-13 17:00 315392 c:\windows\ERDNT\AutoBackup\5-13-2011\Users\00000002\UsrClass.dat
+ 2011-05-13 17:00 . 2005-10-20 22:02 163328 c:\windows\ERDNT\AutoBackup\5-13-2011\ERDNT.EXE
+ 2011-05-12 15:21 . 2011-05-12 15:21 315392 c:\windows\ERDNT\AutoBackup\5-12-2011\Users\00000002\UsrClass.dat
+ 2011-05-12 15:21 . 2005-10-20 22:02 163328 c:\windows\ERDNT\AutoBackup\5-12-2011\ERDNT.EXE
+ 2011-04-29 22:27 . 2011-04-29 22:27 4158464 c:\windows\Installer\161964b.msp
+ 2011-04-29 22:30 . 2011-04-29 22:30 1197056 c:\windows\Installer\1619636.msp
+ 2009-06-15 00:54 . 2011-05-12 10:51 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-06-15 00:54 . 2011-04-16 22:27 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2011-05-16 01:48 . 2011-05-16 01:48 7725056 c:\windows\ERDNT\AutoBackup\5-15-2011\Users\00000001\ntuser.dat
+ 2011-05-14 15:23 . 2011-05-14 15:23 7725056 c:\windows\ERDNT\AutoBackup\5-14-2011\Users\00000001\ntuser.dat
+ 2011-05-13 17:00 . 2011-05-13 17:00 7725056 c:\windows\ERDNT\AutoBackup\5-13-2011\Users\00000001\ntuser.dat
+ 2011-05-12 15:21 . 2011-05-12 15:21 7716864 c:\windows\ERDNT\AutoBackup\5-12-2011\Users\00000001\ntuser.dat
+ 2010-07-02 07:24 . 2011-05-12 10:51 42829768 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-08-05 737280]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2009-01-09 455224]
"Syncables"="c:\program files\syncables\syncables desktop\Syncables.exe" [2009-04-02 173360]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"PININST"="c:\system.sav\UTIL\PININST.EXE" [2006-02-25 94208]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-08-14 467036]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-10-26 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-26 421160]
.
c:\documents and settings\Marsha\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
"c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/29/2010 4:56 PM 84200]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/29/2010 4:56 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [12/29/2010 4:56 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [12/29/2010 4:57 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/29/2010 4:57 PM 141792]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/21/2009 2:13 PM 113664]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/29/2010 4:56 PM 56064]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/2/2009 11:03 AM 38912]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/29/2010 4:56 PM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/29/2010 4:56 PM 88736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/29/2010 4:56 PM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/29/2010 4:56 PM 84488]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:50]
.
2011-04-14 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2011-04-13 05:06]
.
2011-05-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-208597416-1257733744-2204374147-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 13:02]
.
2011-05-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-208597416-1257733744-2204374147-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 13:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://kcc.hawaii.edu/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marsha\Application Data\Mozilla\Firefox\Profiles\na8hmdbg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - kcc.hawaii.edu
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=UT2V5&o=15150&locale=en_US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 16:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-15 16:16:15
ComboFix-quarantined-files.txt 2011-05-16 02:16
ComboFix2.txt 2011-05-11 18:38
.
Pre-Run: 140,417,773,568 bytes free
Post-Run: 140,441,997,312 bytes free
.
- - End Of File - - CBD904830948C0C0976A8B437EC35ABA

redcar92
2011-05-18, 03:16
Hello abstract50,
Congratulations, by the looks of your logs, your PC looks All Clean.:shrug:
Now we need to clean up our tools.:cleaning:

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall
On your desktop, right click on DDS.com then select delete. Do the same with DDS.txt and attach.txt
On your desktop, right click on aswMBR.exe then select delete. Do the same for aswMBR.txt

You should keep Malwarebytes, ATF and ESET. Run and update them periodically to keep your system virus free.

Below I have included a number of recommendations for how to protect your computer against malware infections.


It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them (http://www.microsoft.com/protect/yourself/password/create.mspx) Then consider a password keeper (http://keepass.info/), to keep all your passwords safe.
Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
Make Internet Explorer more secure


Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

Download TFC to your desktop (http://oldtimer.geekstogo.com/TFC.exe)


Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean

It's normal after running TFC cleaner that the PC will be slower to boot the first time.
WOT, Web of Trust (http://www.mywot.com/), warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
[

Green to go
Yellow for caution
Red to stop

WOT has an addon available for both Firefox and IE
Keep a backup of your important files (http://www.geekstogo.com/2008/06/19/options-for-home-computer-data-backup-part-1/) - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
Think Prevention. (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
PC Safety and Security--What Do I Need?. (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please post back with any questions or issues. This thread will close in a few days after last post.
Thank you for your hard work and patience.:thanks:

tashi
2011-05-21, 05:25
Thank you redcar92. :)