
Thread: A dirty little bug is in my house

  1. #91
    Member
    Join Date
    Oct 2011
    Posts
    81

    Malwarebytes log...

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8206

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19154

    21/11/2011 9:37:31 AM
    mbam-log-2011-11-21 (09-37-31).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 295715
    Time elapsed: 2 hour(s), 5 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\tdsskiller_quarantine\30.10.2011_10.36.17\pmax0000\svc0000\tsk0000.dta (Backdoor.0Access) -> Quarantined and deleted successfully.

  2. #92
    Member
    Join Date
    Oct 2011
    Posts
    81

    ...and tadaaaa DDS

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_22
    Run by Family at 9:50:41 on 2011-11-21
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1146 [GMT -5:00]
    .
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\ProgramData\Clickfree\C2NPlus\UACProxy.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\ProgramData\Clickfree\C2NPlus\Reminder\SacNetAgent.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\ProgramData\Clickfree\C2NPlus\Reminder\SacReminder.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WinZip\WZQKPICK32.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mSearch Bar = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - McAfee Phishing Filter
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [SacReminderHDDV2N] c:\programdata\clickfree\c2nplus\reminder\SacReminder.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\family\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK32.EXE
    uPolicies-explorer: NoThumbnailCache = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: DisableStartupSound = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{764E5182-D195-4A9C-8CDE-86780F3355D6} : DhcpNameServer = 192.168.2.1
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\family\appdata\roaming\mozilla\firefox\profiles\85q3ua9k.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\family\appdata\roaming\facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\users\family\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\users\family\appdata\roaming\mozilla\firefox\profiles\85q3ua9k.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
    FF - plugin: c:\users\family\program files\dna\plugins\npbtdna.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
    FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-5 64288]
    R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2010-11-27 22312]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-12-5 101720]
    R2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\clickfree\c2nplus\UACProxy.exe [2011-10-31 87368]
    R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\clickfree\c2nplus\reminder\SacNetAgent.exe [2011-4-3 157296]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-10-31 1153368]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-11-22 179712]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 CSHelper;CopySafe Helper Service;c:\windows\system32\cshelper.exe --> c:\windows\system32\CSHelper.exe [?]
    S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-30 21504]
    S2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-17 54632]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2007-11-22 73728]
    .
    =============== Created Last 30 ================
    .
    2011-11-21 14:49:05 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d208fc11-8e7a-4de4-917e-f39d40f22d8f}\offreg.dll
    2011-11-21 11:48:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-21 11:48:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-20 21:41:46 -------- d-----w- C:\_OTM
    2011-11-20 15:24:35 -------- d-----w- c:\users\family\appdata\local\temp
    2011-11-20 15:22:35 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-11-20 14:46:48 98816 ----a-w- c:\windows\sed.exe
    2011-11-20 14:46:48 518144 ----a-w- c:\windows\SWREG.exe
    2011-11-20 14:46:48 256000 ----a-w- c:\windows\PEV.exe
    2011-11-20 14:46:48 208896 ----a-w- c:\windows\MBR.exe
    2011-11-20 14:46:36 -------- d-----w- C:\ComboFix
    2011-11-17 02:11:42 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys
    2011-11-14 22:57:57 4293777 ------r- C:\ComboFix.exe
    2011-11-12 17:56:56 -------- d-----w- c:\program files\ESET
    2011-11-09 19:05:01 -------- d-----w- c:\users\family\appdata\local\WinZip
    2011-10-31 18:18:20 1529728 ----a-w- c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE
    2011-10-31 18:13:51 145184 ----a-w- c:\program files\common files\microsoft shared\source engine\OSE.EXE
    2011-10-30 14:38:20 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-10-28 08:13:47 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d208fc11-8e7a-4de4-917e-f39d40f22d8f}\mpengine.dll
    2011-10-25 22:48:06 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
    2011-10-24 17:56:35 -------- d-sh--w- c:\windows\system32\%APPDATA%
    .
    ==================== Find3M ====================
    .
    2011-10-30 14:43:29 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2011-09-30 23:06:24 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-09-30 23:02:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-09-30 23:01:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-09-30 23:01:34 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-09-30 23:01:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-09-30 22:07:25 385024 ----a-w- c:\windows\system32\html.iec
    2011-09-30 21:29:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-09-30 21:28:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-08-25 16:15:04 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2011-08-25 16:14:01 563712 ----a-w- c:\windows\system32\oleaut32.dll
    2011-08-25 16:14:01 238080 ----a-w- c:\windows\system32\oleacc.dll
    2011-08-25 13:31:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-08-24 11:57:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ============= FINISH: 9:57:43.36 ===============

  3. #93
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Hi mnyyoungs,

    Malwarebytes looks good as well as DDS.

    How is your system behaving?

  4. #94
    Member
    Join Date
    Oct 2011
    Posts
    81

    and DDS

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 22/11/2007 6:44:16 AM
    System Uptime: 21/11/2011 9:48:24 AM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0DT492
    Processor: Intel(R) Pentium(R) Dual CPU T2310 @ 1.46GHz | Microprocessor | 1467/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 99 GiB total, 49.597 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 6.033 GiB free.
    E: is CDROM (UDF)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop CS
    Adobe Reader 8.2.0
    Adobe Shockwave Player 11.5
    AnswerWorks 5.0 English Runtime
    ArtistScope Plugin IE
    Bonjour
    Browser Address Error Redirector
    Computrace
    Conexant HDA D330 MDC V.92 Modem
    Dell Driver Download Manager
    Dell Driver Download Manager - 1
    Dell Touchpad
    DellSupport
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DNA
    ERUNT 1.1j
    ESET Online Scanner v3
    Eusing Free Registry Cleaner
    Facebook Plug-In
    Google Chrome
    Google Update Helper
    Google Updater
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Internet Check-Up
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 7
    Junk Mail filter update
    Logitech Vid HD
    Logitech Webcam Software
    Logitech Webcam Software Driver Package
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Malwarebytes' RogueRemover
    MediaDirect
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Microsoft Works
    Move Networks Media Player for Internet Explorer
    Mozilla Firefox (3.6.24)
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML4SP2
    OGA Notifier 2.0.0048.0
    OpenOffice.org Installer 1.0
    Personal Ancestral File 5
    QuickBooks
    QuickBooks Pro 2011
    Quicken 2009
    QuickSet
    QuickTime
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    RPS CRT
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype™ 4.2
    Soap 3.0 Toolkit
    Sonic Activation Module
    Spybot - Search & Destroy
    SupportSoft Assisted Service
    System Requirements Lab
    Taxman 2004 Version 1.1
    Taxman 2005 Upgrade 1.2
    Taxman 2006 Upgrade 1.3
    Taxman 2007 Upgrade 1.6
    Taxman 2008 Upgrade 1.5
    Taxman 2009 Version 1.3
    Taxman 2010 Upgrade 1.0
    UFile 2007
    UFile 2008
    UFile 2009
    UFile 2010
    UFile Updater 2007
    UFile Updater 2008
    UFile Updater 2009
    UFile Updater 2010
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    User's Guides
    VC80CRTRedist - 8.0.50727.4053
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Visual Studio 2005 Tools for Office Second Edition Runtime
    VLC media player 0.9.9
    Windows Driver Package - FTDI CDM Driver Package (02/17/2009 2.04.16)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Player Firefox Plugin
    WinZip 16.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    21/11/2011 9:51:13 AM, Error: Service Control Manager [7000] - The Google Update Service (gupdate1c9834ebde52a90) service failed to start due to the following error: The system cannot find the file specified.
    21/11/2011 9:49:10 AM, Error: Service Control Manager [7000] - The SigmaTel Audio Service service failed to start due to the following error: The system cannot find the file specified.
    21/11/2011 9:49:10 AM, Error: Service Control Manager [7000] - The Security Services Driver (x86) service failed to start due to the following error: The system cannot find the file specified.
    21/11/2011 9:49:10 AM, Error: Service Control Manager [7000] - The dlbx_device service failed to start due to the following error: The system cannot find the file specified.
    21/11/2011 9:49:10 AM, Error: Service Control Manager [7000] - The CopySafe Helper Service service failed to start due to the following error: The system cannot find the file specified.
    20/11/2011 6:44:42 AM, Error: Service Control Manager [7034] - The XAudioService service terminated unexpectedly. It has done this 1 time(s).
    20/11/2011 6:44:33 AM, Error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
    20/11/2011 6:44:30 AM, Error: Service Control Manager [7034] - The SacNetAgentService_C57C4F854F53 service terminated unexpectedly. It has done this 1 time(s).
    20/11/2011 6:44:30 AM, Error: Service Control Manager [7034] - The CFUACProxy_c2nplus service terminated unexpectedly. It has done this 1 time(s).
    20/11/2011 5:36:08 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Samsung ML-2010 Series with shared resource name Samsung ML-2010 Series. Error 2114. The printer cannot be used by others on the network.
    20/11/2011 3:08:54 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070002: Windows Internet Explorer 9 for Windows Vista.
    20/11/2011 10:11:32 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    16/11/2011 9:43:56 PM, Error: Service Control Manager [7038] - The FontCache service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: A system shutdown is in progress. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    16/11/2011 9:43:56 PM, Error: Service Control Manager [7000] - The Windows Font Cache Service service failed to start due to the following error: The service did not start due to a logon failure.
    .
    ==== End Of File ===========================

  5. #95
    Member
    Join Date
    Oct 2011
    Posts
    81

    Oops, sorry for the DDS twice... a couple of quirky things, but I'm hoping that updating Windows sorts that out... Malwarebytes wouldn't run for me earlier, so I had to uninstall and reinstall... but I imagine that things like that will happen since the infection was deep.... What are your thoughts/suggestions/next step(s)?

  6. #96
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Hi mnyyoungs,

    It looks like one of our tools worked a little too hard.

    Please navigate to C:\QooBox and post the contents of ComboFix-quarantined-files.txt.

    Thank you.

  7. #97
    Member
    Join Date
    Oct 2011
    Posts
    81

    WOW...if this means something to you, then you are more my hero than you were a few minutes ago!!!

    2011-11-20 15:02:51 . 2011-11-20 15:02:51 4,464 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg.dat
    2011-11-17 02:35:36 . 2011-11-17 02:35:36 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
    2011-11-17 02:35:34 . 2011-11-17 02:35:34 132 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
    2011-11-14 23:16:45 . 2011-11-20 14:49:46 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
    2011-11-09 01:00:22 . 2011-11-09 01:00:22 580 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Powerful Employment Policies.reg.dat
    2011-11-09 00:58:43 . 2011-11-09 00:58:43 118 ----a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{9565115d-c7d6-46d3-bd63-b67b481a4368}.reg.dat
    2011-11-09 00:45:42 . 2011-11-20 15:02:09 7,213 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2011-11-09 00:28:00 . 2011-11-20 14:49:45 350 ----a-w- C:\Qoobox\Quarantine\catchme.log

  8. #98
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    WOW...if this means something to you, then you are more my hero than you were a few minutes ago!!!
    LOL!! You're my hero for sticking through all of this!!

    ------------------

    Qoobox is the backup folder for items removed by ComboFix. It usually is removed when ComboFix is removed in the proper manner.

    Please navigate to this file:

    C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg.dat
    • Right click it and click rename
    • Remove the .dat file extension so the file now looks like this:

    C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg
    • Left click on a blank spot near the filename and make sure it looks like the above
    • Right click the file and click merge
    • Accept any warnings

    Let me know if it was successful.

  9. #99
    Member
    Join Date
    Oct 2011
    Posts
    81

    aweeee gorsh..thank you...it's been educational, to say the least!

    OK... this reg.dat file is showing it is a .dat file, but the name is only .reg. However, when I look at it in Properties, it is reg.dat. Does that make sense? ...not sure what you would like me to do.


    file name - Service_COMSysApp.reg

    :-s

  10. #100
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Click Start > Run (you can also use the search box). Copy and paste the following line into the box and click OK.

    regedit /e "%userprofile%\desktop\lookCOM.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp"

    Don't miss the quote mark at the end.

    You will now have a Notepad file on your desktop named lookcom.txt. Please post its contents.
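As an added example (not code from the thread, ComboFix or regedit), a small Python parser for the .reg text format shared by the renamed Service_COMSysApp.reg in #98 and the lookCOM.txt that `regedit /e` writes in #100; it lists the keys and values a merge would create, set or delete, so the file can be read before it is merged. The registry content embedded below is constructed for the example and is not the contents of the user's actual backup.

```python
"""Review a Windows .reg export before merging it: list every key and value the
file would create, set or delete (regedit /e output or a ComboFix .reg.dat backup)."""
import re
import sys

# Constructed sample in regedit's layout; the values are placeholders for this
# example, not the contents of the thread's Service_COMSysApp.reg.dat.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\COMSysApp]
"Start"=dword:00000003
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\\
  64,00,6c,00,6c,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="COM+ System Application"
"DependOnService"=hex(7):72,00,70,00,63,00,73,00,73,00,00,00,00,00
"StaleValue"=-

[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Constructed\\Leftover]
"""

_TYPES = {"1": "REG_SZ", "2": "REG_EXPAND_SZ", "3": "REG_BINARY",
          "4": "REG_DWORD", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_HEX_VALUE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")

def _join_continuations(lines):
    """regedit wraps long hex values over lines that end in a backslash."""
    out, pending = [], ""
    for raw in lines:
        line = pending + raw.strip() if pending else raw.rstrip("\r\n")
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        out.append(line)
    return out + ([pending] if pending else [])

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _decode_value(rhs):
    """Return (type name, decoded value); ('DELETE', None) for `"name"=-`."""
    rhs = rhs.strip()
    if rhs == "-":
        return ("DELETE", None)
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return ("REG_SZ", _unescape(rhs[1:-1]))
    if rhs.lower().startswith("dword:"):
        return ("REG_DWORD", int(rhs[6:], 16))
    m = _HEX_VALUE.match(rhs)
    if not m:
        raise ValueError(f"unrecognised value syntax: {rhs!r}")
    kind = (m.group(1) or "3").lower()
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in ("1", "2"):  # strings are stored as UTF-16LE bytes
        return (_TYPES[kind], data.decode("utf-16-le").rstrip("\x00"))
    if kind == "7":  # NUL-separated list with a double-NUL terminator
        return ("REG_MULTI_SZ", [p for p in data.decode("utf-16-le").split("\x00") if p])
    if (kind, len(data)) in (("4", 4), ("b", 8)):
        return (_TYPES[kind], int.from_bytes(data, "little"))
    return (_TYPES.get(kind, f"REG_TYPE_0x{kind}"), data.hex())

def parse_reg(text):
    """Map each key path to {'delete_key': bool, 'values': {name: (type, value)}}."""
    keys, current = {}, None
    for line in _join_continuations(text.splitlines()):
        line = line.strip()
        if not line or line.startswith(";") or line.upper().startswith(
                ("WINDOWS REGISTRY EDITOR", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path.lstrip("-")  # "[-KEY]" deletes the whole key on merge
            keys[current] = {"delete_key": path.startswith("-"), "values": {}}
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            raise ValueError(f"malformed or misplaced line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current]["values"][name] = _decode_value(m.group(2))
    return keys

def load_reg_file(path):
    """Read a .reg file from disk; `regedit /e` writes UTF-16LE with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return parse_reg(raw.decode("utf-16") if utf16 else raw.decode("utf-8-sig", errors="replace"))

if __name__ == "__main__":  # review the file named on the command line, else the sample
    parsed = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else parse_reg(SAMPLE_REG)
    for path, info in parsed.items():
        print(("DELETE KEY " if info["delete_key"] else "KEY ") + path, info["values"])
```

Run it against the renamed .reg or the lookCOM.txt export to see exactly what a merge would change; a `[-KEY]` header or a `"name"=-` entry deletes rather than restores.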
