Thread: Trouble with rootkits

    Hello all, I've got a computer in front of me and it's about to make me go crazy. After reading all the intro stuff for newbies, I also just realized that I'm about to make your job a lot harder because I've already run a few "fixes". With that said, I know that I wasn't supposed to do that, but I've got all the logs to make everything as easy as possible.

    The main problem is, when the computer tries to boot into Windows it gets to the Windows logo and starts playing the sound, and then goes BSOD with a stop code of 0x0000008E. Many places on the internet say it's a RAM error, but after running a RAM test and several logins into safe mode, I am thoroughly convinced it has to be a virus/spyware/rootkit. ALSO, I am only seeing 1/3 of the Control Panel icons, Security Center is disabled and I can't reactivate it, and I have no access to System Restore. AND, when I ran these "fixes" they gave administrator rights privilege errors everywhere.

    Here start the logs of everything that I ran and now know I shouldn't have:

    DDS LOG:
    DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
    Run by Kristina at 11:59:37.88 on Sun 12/12/2010
    Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_13
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2443 [GMT -5:00]

    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\explorer.exe
    C:\Users\Kristina\Downloads\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:52061
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    uURLSearchHooks: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
    uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\celebrity toolbar\tbhelper.dll
    mURLSearchHooks: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\celebrity toolbar\tbcore3.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Automated Content Enhancer: {1d74e9dd-8987-448b-b2cb-67fff2b8a932} - c:\program files\automated content enhancer\4.1.0.5050\ACEIEAddOn.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - Symantec Intrusion Prevention
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    BHO: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
    BHO: CMySite Class: {d62ec836-bf1e-4cac-81be-fb9179835d8e} - c:\program files\celebrity toolbar\mhxpcomi.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Web Search Operator: {eb4a577d-bcad-4b1c-8af2-9a74b8dd3431} - c:\program files\web search operator\3.1.0.1800\wso.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: Boston Red Sox Toolbar: {d40eb577-b16f-411b-81dc-afedf8b60a50} - c:\program files\boston_red_sox\tbBos0.dll
    TB: {D45817B8-3EAD-4d1d-8FCA-EC63A8E35DE2} - No File
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    TB: Celebrity Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\celebrity toolbar\tbcore3.dll
    TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {58ECB495-38F0-49cb-A538-10282ABF65E7}
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\celebrity toolbar\mhxpcomi.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
    Notify: igfxcui - igfxdev.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\kristina\appdata\roaming\mozilla\firefox\profiles\5tb05d07.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2384137&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 52061
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\program files\mozilla firefox\components\mhxpcom.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\users\kristina\appdata\roaming\move networks\plugins\npqmp071701000002.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\kristina\appdata\roaming\Move Networks

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true

    ============= SERVICES / DRIVERS ===============

    S1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-22 31816]
    S2 BNPagent;Bradford Persistent Agent Service;c:\program files\bradford networks\persistent agent\bndaemon.exe [2008-6-29 2944392]
    S2 gupdate1c9e546d805beb2;Google Update Service (gupdate1c9e546d805beb2);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
    S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-10-16 103744]
    S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-5-22 144704]
    S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-5-22 54608]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-16 72936]
    S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-16 33960]
    S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-16 174952]

    =============== Created Last 30 ================

    2010-12-12 16:46:00 691 ----a-w- c:\users\kristina\appdata\roaming\GetValue.vbs
    2010-12-12 16:46:00 6296 ----a-w- c:\windows\system32\tmp.reg
    2010-12-12 16:46:00 35 ----a-w- c:\users\kristina\appdata\roaming\SetValue.bat
    2010-12-12 16:41:03 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{a91f3510-0f62-4a5c-a7ad-75151ea4e53b}\mpengine.dll
    2010-12-12 07:53:59 -------- d-----w- C:\RegRunInfo
    2010-12-12 07:47:38 2 --shatr- c:\windows\winstart.bat
    2010-12-12 07:47:30 -------- d-----w- c:\program files\UnHackMe
    2010-12-12 07:26:54 -------- d-----w- c:\users\kristina\appdata\local\temp
    2010-12-12 07:25:57 -------- d-sh--w- C:\$RECYCLE.BIN
    2010-12-12 07:12:16 98816 ----a-w- c:\windows\sed.exe
    2010-12-12 07:12:16 89088 ----a-w- c:\windows\MBR.exe
    2010-12-12 07:12:16 256512 ----a-w- c:\windows\PEV.exe
    2010-12-12 07:12:16 161792 ----a-w- c:\windows\SWREG.exe
    2010-12-12 07:09:46 172032 ----a-w- c:\windows\system32\igfxres.dll
    2010-12-12 04:23:22 -------- d-----w- c:\windows\pss
    2010-12-11 19:23:00 -------- d-----w- c:\program files\CCleaner
    2010-12-11 19:17:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-11 19:17:47 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
    2010-12-11 19:06:18 -------- d-----w- c:\users\kristina\appdata\roaming\Malwarebytes
    2010-12-11 19:06:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-11 19:06:12 -------- d-----w- c:\progra~2\Malwarebytes
    2010-12-11 19:05:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-11 19:05:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-05 15:17:33 -------- d-----w- c:\windows\LastGood.Tmp
    2010-11-24 14:31:28 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

    ==================== Find3M ====================

    2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

    ============= FINISH: 12:00:24.43 ===============

    HIJACKTHIS LOG:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:22:52, on 12/12/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18975)
    Boot mode: Safe mode with network support

    Running processes:
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE
    C:\Users\Kristina\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:52061
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: MHURLSearchHook Class - {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - C:\Program Files\Celebrity Toolbar\tbhelper.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: MHTBPos00 - {0C37B053-FD68-456a-82E1-D788EE342E6F} - C:\Program Files\Celebrity Toolbar\tbcore3.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Automated Content Enhancer - {1D74E9DD-8987-448b-B2CB-67FFF2B8A932} - C:\Program Files\Automated Content Enhancer\4.1.0.5050\ACEIEAddOn.dll (file missing)
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O2 - BHO: MyHeritage New Tab - {D62EC836-BF1E-4CAC-81BE-FB9179835D8E} - C:\Program Files\Celebrity Toolbar\mhxpcomi.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Web Search Operator - {EB4A577D-BCAD-4b1c-8AF2-9A74B8DD3431} - C:\Program Files\Web Search Operator\3.1.0.1800\wso.dll (file missing)
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {D45817B8-3EAD-4d1d-8FCA-EC63A8E35DE2} - (no file)
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O3 - Toolbar: Celebrity Toolbar - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - C:\Program Files\Celebrity Toolbar\tbcore3.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
    O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.1.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - C:\Program Files\Celebrity Toolbar\mhxpcomi.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bradford Persistent Agent Service (BNPagent) - Unknown owner - C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate1c9e546d805beb2) (gupdate1c9e546d805beb2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8919 bytes

    COMBOFIX LOG:

    ComboFix 10-12-11.03 - Kristina 12/12/2010 2:16.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2526 [GMT -5:00]
    Running from: c:\users\Kristina\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    SP: Spybot - Search and Destroy *Disabled/Outdated* {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
    c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
    c:\users\Kristina\AppData\Roaming\Microsoft\Windows\Recent\research paper final.docx
    c:\windows\system32\Drivers\habu.sys
    c:\windows\system32\KBL.LOG

    ----- BITS: Possible infected sites -----

    hxxp://updates.swarmcast.net
    .
    ((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
    .

    2010-12-12 07:23 . 2010-12-12 07:23 -------- d-----w- c:\users\Kristina\AppData\Local\temp
    2010-12-12 07:23 . 2010-12-12 07:23 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-12-12 07:09 . 2007-09-13 15:09 172032 ----a-w- c:\windows\system32\igfxres.dll
    2010-12-12 07:04 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FB92AB66-080E-448E-A1A7-A9CA741B2293}\mpengine.dll
    2010-12-11 19:23 . 2010-12-11 19:23 -------- d-----w- c:\program files\CCleaner
    2010-12-11 19:17 . 2010-12-11 19:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-12-11 19:17 . 2010-12-11 19:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-11 19:06 . 2010-12-11 19:06 -------- d-----w- c:\users\Kristina\AppData\Roaming\Malwarebytes
    2010-12-11 19:06 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-11 19:06 . 2010-12-11 19:06 -------- d-----w- c:\programdata\Malwarebytes
    2010-12-11 19:05 . 2010-12-11 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-11 19:05 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-05 15:17 . 2010-12-11 01:07 -------- d-----w- c:\windows\LastGood.Tmp
    2010-11-24 14:31 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 15:41 . 2009-10-03 15:18 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-13 13:56 . 2010-10-13 15:42 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2009-12-06 12:59 . 2010-02-04 00:35 192512 ----a-w- c:\program files\mozilla firefox\components\mhxpcom.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{d40eb577-b16f-411b-81dc-afedf8b60a50}"= "c:\program files\Boston_Red_Sox\tbBos0.dll" [2009-07-15 2224152]
    "{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}"= "c:\program files\Celebrity Toolbar\tbhelper.dll" [2009-05-07 355840]

    [HKEY_CLASSES_ROOT\clsid\{d40eb577-b16f-411b-81dc-afedf8b60a50}]

    [HKEY_CLASSES_ROOT\clsid\{1c4ab6a5-595f-4e86-b15f-f93cce2bbd48}]
    [HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{1EA6B471-CAD2-419a-9539-0586EEFE2D09}]
    [HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
    2009-05-07 21:46 2642432 ----a-w- c:\program files\Celebrity Toolbar\tbcore3.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d40eb577-b16f-411b-81dc-afedf8b60a50}]
    2009-07-15 14:09 2224152 ----a-w- c:\program files\Boston_Red_Sox\tbBos0.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D62EC836-BF1E-4CAC-81BE-FB9179835D8E}]
    2009-12-06 12:59 217088 ----a-w- c:\program files\Celebrity Toolbar\mhxpcomi.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{d40eb577-b16f-411b-81dc-afedf8b60a50}"= "c:\program files\Boston_Red_Sox\tbBos0.dll" [2009-07-15 2224152]
    "{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Celebrity Toolbar\tbcore3.dll" [2009-05-07 2642432]

    [HKEY_CLASSES_ROOT\clsid\{d40eb577-b16f-411b-81dc-afedf8b60a50}]

    [HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D40EB577-B16F-411B-81DC-AFEDF8B60A50}"= "c:\program files\Boston_Red_Sox\tbBos0.dll" [2009-07-15 2224152]
    "{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Celebrity Toolbar\tbcore3.dll" [2009-05-07 2642432]

    [HKEY_CLASSES_ROOT\clsid\{d40eb577-b16f-411b-81dc-afedf8b60a50}]

    [HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 159744]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
    "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-19 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-19 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-19 129560]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-23 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001

    R2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2008-06-29 2944392]
    R2 gupdate1c9e546d805beb2;Google Update Service (gupdate1c9e546d805beb2);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 133104]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    HPService REG_MULTI_SZ HPSLPSVC
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-12 c:\windows\Tasks\AWC Startup.job
    - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-11-18 18:51]

    2010-12-10 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-03 04:02]

    2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 19:01]

    2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 19:01]

    2010-11-08 c:\windows\Tasks\HPCeeScheduleForKristina.job
    - c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-02-23 19:58]

    2010-12-07 c:\windows\Tasks\User_Feed_Synchronization-{9D35963A-AC5F-4552-9E36-287C18FA2EF6}.job
    - c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://search.myheritage.com
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:52061
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\Celebrity Toolbar\mhxpcomi.dll
    DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://70.88.61.157/VatDec.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.10/TSWeb.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://myvpn.fgcu.edu/dana-cached/sc/JuniperSetupClient.cab
    DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
    FF - ProfilePath - c:\users\Kristina\AppData\Roaming\Mozilla\Firefox\Profiles\5tb05d07.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2384137&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 52061
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\program files\Mozilla Firefox\components\mhxpcom.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\users\Kristina\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: The Browser Highlighter: browserhighlighter@ebay.com - c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Kristina\AppData\Roaming\Mozilla\Firefox\Profiles\5tb05d07.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\users\Kristina\AppData\Roaming\Move Networks

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKLM-Run-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    HKLM-Run-bncsaui.exe - %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
    HKLM-RunOnce-<NO NAME> - (no file)
    AddRemove-{95F19350-A3A2-491B-A404-54BDD34DB49D} - c:\programdata\{F5C4EB60-DE42-48AD-837F-4FFF2C6BAC0B}\Setup.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-12 02:23
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-12-12 02:26:53
    ComboFix-quarantined-files.txt 2010-12-12 07:26

    Pre-Run: 112,750,882,816 bytes free
    Post-Run: 112,683,462,656 bytes free

- - End Of File - - 78C6EC568ED58C60499FFFE2BCA02FE9

    SMITFRAUDFIX LOG:

    SmitFraudFix v2.424

    Scan done at 11:45:49.76, Sun 12/12/2010
    Run from C:\Users\Kristina\Desktop\SmitfraudFix
    OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

    Agent.OMZ.Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» RK


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Intel(R) Wireless WiFi Link 4965AGN
    DNS Server Search Order: 172.25.0.9

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3EC232C7-E620-45A4-9CAB-997BEC9FE815}: DhcpNameServer=172.25.0.9
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{7DD10482-45EB-4D87-BE4C-FBACFA939231}: DhcpNameServer=172.25.0.9
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{3EC232C7-E620-45A4-9CAB-997BEC9FE815}: DhcpNameServer=172.25.0.9
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{7DD10482-45EB-4D87-BE4C-FBACFA939231}: DhcpNameServer=172.25.0.9
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{3EC232C7-E620-45A4-9CAB-997BEC9FE815}: DhcpNameServer=172.25.0.9
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{7DD10482-45EB-4D87-BE4C-FBACFA939231}: DhcpNameServer=172.25.0.9
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.25.0.9
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.25.0.9
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=172.25.0.9


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!



    »»»»»»»»»»»»»»»»»»»»»»»» RK.2



    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End





    Again, I know I shouldn't have run these fixes now, but it's already done and I would truly appreciate this help, as I would rather not clean install Windows.

    Thanks,

    Steve.

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi stevo1569

    Your post is a few days old. You may have reinstalled by now. If you still need help post back.
    Last edited by tashi; 2010-12-29 at 20:31. Reason: Date of archive