Help please!

ken545 · May 6, 2011

:bigthumb:

Everything running ok ? Boot up normally ?

stunner37 · May 9, 2011

You bet! We are running smoothly and the error message is now gone during start up. Are we in the clear now or are there any final steps we should follow through on?

:cowboy:

A

ken545 · May 9, 2011

You look good to me, but with the seriousness of your infection, lets do this

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

stunner37 · May 11, 2011

combofix log

ComboFix 11-05-09.04 - Ash 10/05/2011 21:09:52.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.473 [GMT -6:00]
Running from: c:\documents and settings\Ash\Desktop\CF.exe
AV: Shaw Secure 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 9.01 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ash\Application Data\Adobe\plugs
c:\documents and settings\Ash\Application Data\Adobe\shed
c:\documents and settings\Ash\Application Data\PriceGong
c:\documents and settings\Ash\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Ash\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Ash\Local Settings\Application Data\{8AE03E5F-CA8F-4A3D-85E4-863629FE246E}
c:\documents and settings\Ash\Local Settings\Application Data\{8AE03E5F-CA8F-4A3D-85E4-863629FE246E}\chrome.manifest
c:\documents and settings\Ash\Local Settings\Application Data\{8AE03E5F-CA8F-4A3D-85E4-863629FE246E}\chrome\content\_cfg.js
c:\documents and settings\Ash\Local Settings\Application Data\{8AE03E5F-CA8F-4A3D-85E4-863629FE246E}\chrome\content\overlay.xul
c:\documents and settings\Ash\Local Settings\Application Data\{8AE03E5F-CA8F-4A3D-85E4-863629FE246E}\install.rdf
c:\documents and settings\Ash\Recent\Thumbs.db
c:\documents and settings\Guest\Application Data\PriceGong
c:\documents and settings\Guest\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\z.xml
C:\install.exe
c:\windows\Installer\$PatchCache$\Managed\6B07CD9D31EBDD140935E916E7270D58\1.0.28\pst.ini
c:\windows\system32\local.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-08 06:00 . 2011-05-08 06:00 -------- d-----w- c:\documents and settings\Ash\Application Data\F-Secure
2011-05-08 01:31 . 2011-05-08 01:31 -------- d-----w- c:\windows\system32\LogFiles
2011-05-04 03:08 . 2011-05-04 03:15 42664 ----a-w- c:\windows\system32\drivers\fsbts.sys
2011-05-04 03:08 . 2011-05-04 03:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2011-05-04 03:07 . 2011-05-04 03:39 82120 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2011-05-04 03:06 . 2011-05-04 03:39 -------- d-----w- c:\program files\Shaw Secure
2011-05-04 03:05 . 2011-05-04 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2011-05-04 03:05 . 2011-05-04 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure
2011-05-04 03:04 . 2011-05-04 03:04 -------- d-----w- c:\program files\Common Files\Java
2011-05-03 00:39 . 2011-05-03 00:39 -------- d-----w- c:\program files\ESET
2011-05-02 13:09 . 2011-05-02 13:09 -------- d-----w- c:\documents and settings\Ash\Application Data\Malwarebytes
2011-05-02 13:09 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-02 13:09 . 2011-05-02 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-02 13:09 . 2011-05-02 13:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-02 13:09 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-01 22:23 . 2011-05-01 22:23 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-05-01 22:23 . 2011-05-01 22:23 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-04-27 05:52 . 2011-04-27 05:52 -------- d-----w- c:\windows\26-04-2011
2011-04-27 05:51 . 2011-04-27 05:51 -------- d-----w- c:\program files\ERUNT
2011-04-27 05:38 . 2011-04-27 13:16 0 ----a-w- c:\windows\Ctofiwogijanile.bin
2011-04-15 02:56 . 2008-06-20 11:59 361600 -c----w- c:\windows\system32\dllcache\tcpip.sys
2011-04-15 02:05 . 2011-04-25 04:38 -------- d-----w- c:\documents and settings\Ash\Application Data\Adobe Mini Bridge CS5
2011-04-15 02:05 . 2011-04-15 02:05 -------- d-----w- c:\documents and settings\Ash\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-04-14 14:40 . 2011-04-15 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2011-04-14 14:36 . 2011-04-14 14:36 -------- d-----w- c:\program files\Adobe Media Player
2011-04-11 03:48 . 2011-04-11 03:48 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Conduit
2011-04-11 03:48 . 2011-04-11 03:48 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\BitTorrentBar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:31 . 2009-06-24 05:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2009-02-12 15:32 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:27 . 2009-02-12 15:33 1866880 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2009-02-12 15:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-12-20 22:15 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-12-20 22:15 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2009-02-12 15:26 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:19 . 2009-02-12 15:28 457472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:19 . 2009-02-12 15:32 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-08-11 04:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 13:05 . 2009-02-12 15:25 290432 ----a-w- c:\windows\system32\atmfd.dll
.
.
------- Sigcheck -------
.
[-] 2009-02-12 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
[-] 2009-02-14 . 2547D2CF090AC7636898F16957EBCEDC . 502272 . . [1.0626.6002.16497] . . c:\windows\system32\usp10.dll
.
[-] 2009-02-12 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"mumservice"="c:\program files\Motorola\Software Update\mumservice.exe" [2011-02-02 1066304]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Ash\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2009-6-23 128000]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO 4.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO 4.0.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 4.0.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Subsonic.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Subsonic.lnk
backup=c:\windows\pss\Subsonic.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ash^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Ash\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ash^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Ash\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 05:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 10:47 35760 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B2C_AGENT]
2011-01-13 16:20 395192 ----a-w- c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-08-20 19:45 1164584 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
2007-11-01 23:13 151552 -c----w- c:\program files\CyberLink\PCM4Everio\EverioService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 13:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 20:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 17:14 443728 -c--a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-07 00:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mumservice]
2011-02-02 22:45 1066304 ----a-w- c:\program files\Motorola\Software Update\mumservice.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 03:53 421888 ----a-w- c:\program files\QuickTime Alternative\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-27 00:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Motorola Media Link\\MML.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Subsonic\\subsonic-service.exe"=
"c:\\Program Files\\Subsonic\\subsonic-agent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [03/05/2011 21:08 42664]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [03/05/2011 21:07 82120]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [03/05/2011 21:06 68064]
R2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\NServiceEntry.exe [16/09/2010 23:47 87336]
R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [02/12/2010 17:48 218432]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [03/05/2011 21:06 130728]
R3 ramdisk;Windows RAM Disk Driver;c:\windows\system32\drivers\ramdisk.sys [14/02/2009 02:00 10431]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\System\CPL Bonus\Vcdrom.sys --> c:\program files\System\CPL Bonus\Vcdrom.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/05/2010 08:26 136176]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [25/03/2011 20:41 6016]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [03/05/2011 21:06 63992]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [06/05/2010 08:26 136176]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [25/03/2011 20:41 20352]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [25/03/2011 20:41 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [25/03/2011 20:41 42752]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [25/03/2011 20:41 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [08/03/2011 22:59 9472]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]
S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [24/02/2011 21:25 20096]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [03/05/2011 21:06 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [03/05/2011 21:06 25184]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-09 c:\windows\Tasks\AdobeAAMUpdater-1.0-ASH-LAPTOP-Ash.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-04-14 09:44]
.
2011-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 14:26]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 14:26]
.
2011-03-26 c:\windows\Tasks\MotoHelper MUM.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 23:48]
.
2011-05-10 c:\windows\Tasks\MotoHelper Routing.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 23:48]
.
2011-03-26 c:\windows\Tasks\MotoHelper Update.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 23:48]
.
2011-05-10 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\SHAWSE~1\ANTI-V~1\fsav.exe [2011-05-04 15:56]
.
2011-05-10 c:\windows\Tasks\User_Feed_Synchronization-{80A4E1C4-06CA-45AC-AFAB-7F7B16FF837F}.job
- c:\windows\system32\msfeedssync.exe [2001-08-23 11:31]
.
2011-05-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-08-11 04:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 192.168.*.*
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Copy to Semagic - c:\program files\Semagic\copy.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Semagic - c:\program files\Semagic\link.htm
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
FF - ProfilePath - c:\documents and settings\Ash\Application Data\Mozilla\Firefox\Profiles\i2rvvuz7.default\
FF - prefs.js: browser.startup.homepage - google.ca
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Browsing Protection: litmus-ff@f-secure.com - c:\program files\Shaw Secure\NRS\litmus-ff@f-secure.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Photo Collection Organizer - c:\program files\Photo Collection Organizer\PhotoCollectionOrganizer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-10 21:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\program files\shaw secure\hips\fshook32.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
- - - - - - - > 'lsass.exe'(900)
c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
c:\program files\shaw secure\hips\fshook32.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
- - - - - - - > 'csrss.exe'(820)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
Completion time: 2011-05-10 21:20:15
ComboFix-quarantined-files.txt 2011-05-11 03:20
.
Pre-Run: 10,636,337,152 bytes free
Post-Run: 10,976,645,120 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - FF9815AD7BC4C411BF73AEA08CDD9420

ken545 · May 11, 2011

Good Morning

BitTorrent <-- If I didn't mention it before, using file sharing like any of the torrents can be very dangerous, your downloading that file from an unknown source, malware writers are in tune to this and are using this method to infect you, doing what I do and knowing what I know I would never allow any form of File Sharing on any of my systems.

If you look through your Combofix log under this heading, you will see BitTorrent listed, that means that this program can let anything onto your system it wants bypassing your firewall. :sad:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Motorola Media Link\\MML.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Subsonic\\subsonic-service.exe"=
"c:\\Program Files\\Subsonic\\subsonic-agent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above FCopy::

Code:

Fcopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

stunner37 · May 12, 2011

Thank you! Good to know, will have that removed asap. Here is the requested log,

ComboFix 11-05-11.01 - Ash 11/05/2011 16:38:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.236 [GMT -6:00]
Running from: c:\documents and settings\Ash\Desktop\CF.exe
Command switches used :: c:\documents and settings\Ash\Desktop\CFScript.txt
AV: Shaw Secure 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 9.01 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-08 06:00 . 2011-05-08 06:00 -------- d-----w- c:\documents and settings\Ash\Application Data\F-Secure
2011-05-08 01:31 . 2011-05-08 01:31 -------- d-----w- c:\windows\system32\LogFiles
2011-05-04 03:08 . 2011-05-04 03:15 42664 ----a-w- c:\windows\system32\drivers\fsbts.sys
2011-05-04 03:08 . 2011-05-04 03:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2011-05-04 03:07 . 2011-05-04 03:39 82120 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2011-05-04 03:06 . 2011-05-04 03:39 -------- d-----w- c:\program files\Shaw Secure
2011-05-04 03:05 . 2011-05-04 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2011-05-04 03:05 . 2011-05-04 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure
2011-05-04 03:04 . 2011-05-04 03:04 -------- d-----w- c:\program files\Common Files\Java
2011-05-03 00:39 . 2011-05-03 00:39 -------- d-----w- c:\program files\ESET
2011-05-02 13:09 . 2011-05-02 13:09 -------- d-----w- c:\documents and settings\Ash\Application Data\Malwarebytes
2011-05-02 13:09 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-02 13:09 . 2011-05-02 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-02 13:09 . 2011-05-02 13:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-02 13:09 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-01 22:23 . 2011-05-01 22:23 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-05-01 22:23 . 2011-05-01 22:23 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-04-27 05:52 . 2011-04-27 05:52 -------- d-----w- c:\windows\26-04-2011
2011-04-27 05:51 . 2011-04-27 05:51 -------- d-----w- c:\program files\ERUNT
2011-04-27 05:38 . 2011-04-27 13:16 0 ----a-w- c:\windows\Ctofiwogijanile.bin
2011-04-15 02:56 . 2008-06-20 11:59 361600 -c----w- c:\windows\system32\dllcache\tcpip.sys
2011-04-15 02:05 . 2011-04-25 04:38 -------- d-----w- c:\documents and settings\Ash\Application Data\Adobe Mini Bridge CS5
2011-04-15 02:05 . 2011-04-15 02:05 -------- d-----w- c:\documents and settings\Ash\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-04-14 14:40 . 2011-04-15 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2011-04-14 14:36 . 2011-04-14 14:36 -------- d-----w- c:\program files\Adobe Media Player
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:31 . 2009-06-24 05:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2009-02-12 15:32 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:27 . 2009-02-12 15:33 1866880 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2009-02-12 15:28 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-12-20 22:15 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-12-20 22:15 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2009-02-12 15:26 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:19 . 2009-02-12 15:28 457472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:19 . 2009-02-12 15:32 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-08-11 04:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 13:05 . 2009-02-12 15:25 290432 ----a-w- c:\windows\system32\atmfd.dll
.
.
------- Sigcheck -------
.
[-] 2009-02-14 . 2547D2CF090AC7636898F16957EBCEDC . 502272 . . [1.0626.6002.16497] . . c:\windows\system32\usp10.dll
.
[-] 2009-02-12 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-05-11_03.16.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-11 03:40 . 2011-05-11 03:40 16384 c:\windows\Temp\Perflib_Perfdata_2a8.dat
+ 2001-08-23 11:00 . 2011-05-11 03:44 76000 c:\windows\system32\perfc009.dat
- 2001-08-23 11:00 . 2011-05-11 02:24 76000 c:\windows\system32\perfc009.dat
+ 2001-08-23 11:00 . 2011-05-11 03:44 452366 c:\windows\system32\perfh009.dat
- 2001-08-23 11:00 . 2011-05-11 02:24 452366 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"mumservice"="c:\program files\Motorola\Software Update\mumservice.exe" [2011-02-02 1066304]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Ash\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2009-6-23 128000]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO 4.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO 4.0.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 4.0.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Subsonic.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Subsonic.lnk
backup=c:\windows\pss\Subsonic.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ash^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Ash\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ash^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Ash\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 05:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 10:47 35760 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B2C_AGENT]
2011-01-13 16:20 395192 ----a-w- c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-08-20 19:45 1164584 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
2007-11-01 23:13 151552 -c----w- c:\program files\CyberLink\PCM4Everio\EverioService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 13:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 20:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 17:14 443728 -c--a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-07 00:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mumservice]
2011-02-02 22:45 1066304 ----a-w- c:\program files\Motorola\Software Update\mumservice.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 03:53 421888 ----a-w- c:\program files\QuickTime Alternative\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-27 00:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Motorola Media Link\\MML.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Subsonic\\subsonic-service.exe"=
"c:\\Program Files\\Subsonic\\subsonic-agent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [03/05/2011 21:08 42664]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [03/05/2011 21:07 82120]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [03/05/2011 21:06 68064]
R2 DeviceMonitorService;DeviceMonitorService;c:\program files\Motorola Media Link\NServiceEntry.exe [16/09/2010 23:47 87336]
R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [02/12/2010 17:48 218432]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [03/05/2011 21:06 130728]
R3 ramdisk;Windows RAM Disk Driver;c:\windows\system32\drivers\ramdisk.sys [14/02/2009 02:00 10431]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\System\CPL Bonus\Vcdrom.sys --> c:\program files\System\CPL Bonus\Vcdrom.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/05/2010 08:26 136176]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [25/03/2011 20:41 6016]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [03/05/2011 21:06 63992]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [06/05/2010 08:26 136176]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [25/03/2011 20:41 20352]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [25/03/2011 20:41 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [25/03/2011 20:41 42752]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [25/03/2011 20:41 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [08/03/2011 22:59 9472]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]
S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [24/02/2011 21:25 20096]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [03/05/2011 21:06 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [03/05/2011 21:06 25184]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-11 c:\windows\Tasks\AdobeAAMUpdater-1.0-ASH-LAPTOP-Ash.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-04-14 09:44]
.
2011-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 14:26]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-06 14:26]
.
2011-03-26 c:\windows\Tasks\MotoHelper MUM.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 23:48]
.
2011-05-10 c:\windows\Tasks\MotoHelper Routing.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 23:48]
.
2011-03-26 c:\windows\Tasks\MotoHelper Update.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-12-02 23:48]
.
2011-05-11 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\SHAWSE~1\ANTI-V~1\fsav.exe [2011-05-04 15:56]
.
2011-05-11 c:\windows\Tasks\User_Feed_Synchronization-{80A4E1C4-06CA-45AC-AFAB-7F7B16FF837F}.job
- c:\windows\system32\msfeedssync.exe [2001-08-23 11:31]
.
2011-05-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-08-11 04:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 192.168.*.*
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Copy to Semagic - c:\program files\Semagic\copy.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Semagic - c:\program files\Semagic\link.htm
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
FF - ProfilePath - c:\documents and settings\Ash\Application Data\Mozilla\Firefox\Profiles\i2rvvuz7.default\
FF - prefs.js: browser.startup.homepage - google.ca
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Browsing Protection: litmus-ff@f-secure.com - c:\program files\Shaw Secure\NRS\litmus-ff@f-secure.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-11 16:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\program files\shaw secure\hips\fshook32.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
- - - - - - - > 'lsass.exe'(900)
c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
c:\program files\shaw secure\hips\fshook32.dll
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
- - - - - - - > 'explorer.exe'(1812)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\program files\LClock\LC.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(820)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
Completion time: 2011-05-11 16:52:36
ComboFix-quarantined-files.txt 2011-05-11 22:52
ComboFix2.txt 2011-05-11 03:20
.
Pre-Run: 11,009,265,664 bytes free
Post-Run: 10,999,582,720 bytes free
.
- - End Of File - - 673EF64BB09414F9D046085DA102CA35

ken545 · May 12, 2011

Looking good, what I would like you to do as a final scan is to run this free on line virus scanner, this could take up to an hour or more.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the

button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
1. Click on
  
  to download the ESET Smart Installer. Save it to your desktop.
2. Double click on the
  
  icon on your desktop.
Check
Click the

button.
Accept any security warnings from your browser.
Check
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push

, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the

button.
Push

Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

stunner37 · May 13, 2011

3 threats found

C:\System Volume Information\_restore{9A62BD57-DD76-458F-B33F-50B39932C7FF}\RP467\A0128724.lnk LNK/URL.B trojan
C:\System Volume Information\_restore{9A62BD57-DD76-458F-B33F-50B39932C7FF}\RP467\A0128727.lnk LNK/URL.B trojan
C:\System Volume Information\_restore{9A62BD57-DD76-458F-B33F-50B39932C7FF}\RP470\A0130099.ini Win32/Adware.AntimalwareDoctor.AE.Gen application

ken545 · May 13, 2011

Those threats are in System Restore which are harmless unless you use it to restore your computer to an earlier date so its best to remove them

This will get rid of them and create a new restore point

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.

Then remove all previous Restore Points

Click Start > Run > copy and paste the following into the run box:

cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.

How is everything running now ????

stunner37 · May 14, 2011

Awesome thank you! everything is running well, no issues or performance lags. We have created a new restore point and cleaned previous as described above. I will run one more online scan later tonight to ensure nothing else shows up. :snorkle: Thanks again for everything, very much appreciated!

ken545 · May 14, 2011

Great

Malwarebytes is the free version and yours to keep, the Pro Version has a protection moduale that will block access to bad sites with a PAGE NOT FOUND, but thats your call if you want to upgrade or not

Click START then RUN
Now type Combofix /uninstallin the runbox and click OK. Note the space between the X and the /, it needs to be there.

Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
Grinler BleepingComputer
GeeksTo Go
Dslreports

Safe Surfn
Ken

ken545 · May 15, 2011

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Help please!

ken545

Emeritus-Security Expert

stunner37

New member

ken545

Emeritus-Security Expert

stunner37

New member

ken545

Emeritus-Security Expert

stunner37

New member

ken545

Emeritus-Security Expert

stunner37

New member

ken545

Emeritus-Security Expert

stunner37

New member

ken545

Emeritus-Security Expert

ken545

Emeritus-Security Expert