Topic: Help! My computer is possessed! Logged files


Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 19650
  • "Stronger than the past, united in our goal."
Re: Help! My computer is possessed! Logged files
« Reply #15 on: March 15, 2011, 01:01:06 AM »
Hi, Grace. 

That was perfect!  Thank you.  Seeing what was fixed, it is no wonder you were having problems. 

Earlier, I had you update Java because you had so much old, highly vulnerable Java software on your computer.  However, you also need to update the Adobe software on your computer.

Adobe Flash Player:

Direct download for IE:  http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
Direct Download for non-IE (Opera, Firefox etc): http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

After install, verify the Flash Player version for each browser installed at the About Flash Player page.

Adobe Reader:  Install the latest version of Adobe Reader from http://www.adobe.com/products/reader/

Adobe Shockwave Player:  Install the latest version from http://www.adobe.com/shockwave/download/

Note:  Please remember to uncheck any unwanted 3rd party toolbars/programs during installation.

You asked about Advanced System Care, which is an IOBit product.  Based on IOBit's past practices, I wouldn't run it on my computer.  See the following for additional information:
-- IOBit Steals Malwarebytes' Intellectual Property
-- IOBit’s Denial of Theft Unconvincing
-- IOBit Theft Conclusion, and more recently,
-- IObit’s Advanced SystemCare Free 3.7 Installs Spyware And More!

Please do the above updates first and then run ComboFix again.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\software\NETGEAR\WG111v2 Configuration Utility]
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline a-mazing

  • Jr. Member
  • Posts: 22
Re: Help! My computer is possessed! Logged files
« Reply #16 on: March 15, 2011, 04:55:57 AM »
OK.  Everything has been going fine until I got to the part where I'm dragging the desktop file CFScript.txt to Combofix.exe.   It starts to run but then I get an error message that says "Are you trying to run CFScript.txt?  It appears CFScript.txt is incorrectly spelt"

I have it spelt exactly the way you said and the way the error message says, but it still doesn't run.

Am I doing something wrong??

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 19650
  • "Stronger than the past, united in our goal."
Re: Help! My computer is possessed! Logged files
« Reply #17 on: March 15, 2011, 02:16:07 PM »
Hi, Grace.

Delete the CFScript.txt you created from your desktop, empty your recycle bin and try again.



Offline a-mazing

  • Jr. Member
  • Posts: 22
Re: Help! My computer is possessed! Logged files
« Reply #18 on: March 15, 2011, 09:47:46 PM »
I tried that and I'm getting the same error message.  Could I be doing something wrong?

Offline Eric the Red

  • ISO/IEC 27001:2013
  • Administrator
  • Hero Member
  • Posts: 1618
  • Would somebody please pass me a beer!
Re: Help! My computer is possessed! Logged files
« Reply #19 on: March 15, 2011, 10:50:47 PM »
Grace,

Please locate the text file on your desktop and right click on it to bring up the context menu. From that menu click on "Properties". On the General tab you will see the file name; left click and drag on the file name to highlight the entry and copy/paste the entire text string as it appears in "Properties" into your next reply here.
"The time to start running is around about the "e" in "Hey, you!" "

The information I provide is provided "AS IS" without warranty, and confers no rights.

Offline a-mazing

  • Jr. Member
  • Posts: 22
Re: Help! My computer is possessed! Logged files
« Reply #20 on: March 16, 2011, 04:34:12 PM »
OK.  Here is the file name and location:

Shortcut to CFScript.txt

C:\Documents and Settings\Owner.YOUR-D26EF63B94\Desktop

Thanks!

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 19650
  • "Stronger than the past, united in our goal."
Re: Help! My computer is possessed! Logged files
« Reply #21 on: March 16, 2011, 05:15:14 PM »
Hi, Grace.  That indicates that the file name is "Shortcut to CFScript.txt" not CFScript.txt. 

The script I provided is not critical, nor is it malware.  It was just to tidy up a bit.  We can omit it, as there is no need to cause unnecessary stress.

Please confirm that you have handled updating Adobe and your computer is back to normal and I'll provide final instructions.


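The failure worked out in this exchange, as an added example that is not part of the original thread: with Explorer's "hide extensions for known file types" setting on, a file shown as CFScript.txt was really CFScript.txt.lnk (the ComboFix log posted later confirms this in its "Command switches used" line). This Python script, using constructed sample bytes, recognises a Windows shortcut by its ShellLinkHeader (the MS-SHLLINK format) instead of trusting the displayed name.

```python
import struct
import uuid

# MS-SHLLINK: a .lnk file opens with a 76-byte ShellLinkHeader whose HeaderSize
# field is 0x4C and whose LinkCLSID is the ShellLink class identifier.
SHELL_LINK_HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a valid ShellLinkHeader, whatever the file is named."""
    if len(data) < SHELL_LINK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    clsid = uuid.UUID(bytes_le=data[4:20])  # GUID fields are stored little-endian
    return header_size == SHELL_LINK_HEADER_SIZE and clsid == SHELL_LINK_CLSID


def on_disk_name(display_name: str, data: bytes) -> str:
    """Recover the real file name behind what Explorer displays with known
    extensions hidden: a shell link shown as 'CFScript.txt' is 'CFScript.txt.lnk'."""
    if is_shell_link(data) and not display_name.lower().endswith(".lnk"):
        return display_name + ".lnk"
    return display_name


def is_usable_cfscript(display_name: str, data: bytes) -> bool:
    """What the helper's instructions require: a plain text file named exactly CFScript.txt."""
    return on_disk_name(display_name, data).lower() == "cfscript.txt"


def constructed_shortcut_bytes() -> bytes:
    """Constructed sample: a minimal ShellLinkHeader with every optional field zeroed.
    Real shortcuts carry more data after the header; the header alone is enough to classify."""
    header = struct.pack("<I", SHELL_LINK_HEADER_SIZE) + SHELL_LINK_CLSID.bytes_le
    return header + b"\x00" * (SHELL_LINK_HEADER_SIZE - len(header))


# Constructed sample of a plain-text script file (first two lines of the script posted above).
CFSCRIPT_TEXT = (
    b"RegLock::\r\n"
    b"[HKEY_LOCAL_MACHINE\\software\\NETGEAR\\WG111v2 Configuration Utility]\r\n"
)


if __name__ == "__main__":
    for shown, content in [("CFScript.txt", constructed_shortcut_bytes()),
                           ("CFScript.txt", CFSCRIPT_TEXT)]:
        print(f"shown as {shown!r}: really {on_disk_name(shown, content)!r}, "
              f"usable={is_usable_cfscript(shown, content)}")
```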

Offline a-mazing

  • Jr. Member
  • Posts: 22
Re: Help! My computer is possessed! Logged files
« Reply #22 on: March 16, 2011, 05:50:17 PM »
OK!!  I just renamed the file and it worked perfectly!  Now I'm ready for the next step!
Here is the log:

ComboFix 11-03-15.01 - Owner 03/16/2011  14:35:51.4.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.745 [GMT -4:00]
Running from: c:\documents and settings\Owner.YOUR-D26EF63B94\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-D26EF63B94\Desktop\CFScript.txt.lnk
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-16 to 2011-03-16  )))))))))))))))))))))))))))))))
.
.
2011-03-16 17:25 . 2011-03-16 17:25   28752   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB44B7A7-1436-44A1-A536-C05EDD09D92D}\MpKsl3da06e19.sys
2011-03-16 04:41 . 2011-02-23 14:35   5943120   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB44B7A7-1436-44A1-A536-C05EDD09D92D}\mpengine.dll
2011-03-15 23:20 . 2011-03-15 23:20   --------   d-----w-   c:\documents and settings\Owner.YOUR-D26EF63B94\Local Settings\Application Data\Temp
2011-03-12 20:47 . 2011-02-02 22:11   222080   ------w-   c:\windows\system32\MpSigStub.exe
2011-03-12 20:43 . 2011-03-12 20:43   --------   d-----w-   c:\program files\Microsoft Security Client
2011-03-11 04:59 . 2011-03-11 04:59   --------   d-----w-   c:\program files\Common Files\Java
2011-03-11 04:59 . 2011-03-11 04:58   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-03-11 04:59 . 2011-03-11 04:58   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-03-11 04:59 . 2011-03-11 04:58   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-11 00:11 . 2011-03-11 00:12   --------   d-----w-   c:\program files\trend micro
2011-03-11 00:11 . 2011-03-11 00:12   --------   d-----w-   C:\rsit
2011-03-10 23:17 . 2011-03-10 23:18   --------   d-----w-   c:\program files\ERUNT
2011-02-26 04:43 . 2011-02-26 04:43   --------   d-----w-   c:\program files\Yontoo Layers Client
2011-02-26 04:42 . 2011-03-04 22:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\pHjBcOg15405
2011-02-25 16:11 . 2011-02-25 16:20   --------   d-----w-   c:\windows\system32\msapps
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-18 18:46 . 2011-01-18 18:46   51200   ---ha-w-   c:\windows\system32\bootysvr.dll
2010-12-20 23:09 . 2010-08-02 17:03   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-08-02 17:03   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-03-15_05.20.32   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-16 17:26 . 2011-03-16 17:26   16384              c:\windows\Temp\Perflib_Perfdata_838.dat
+ 2011-03-16 17:25 . 2011-03-16 17:25   16384              c:\windows\Temp\Perflib_Perfdata_578.dat
+ 2011-03-16 17:26 . 2011-03-16 17:26   475136              c:\windows\ERDNT\AutoBackup\3-16-2011\Users\00000002\UsrClass.dat
+ 2011-03-16 17:26 . 2005-10-20 17:02   163328              c:\windows\ERDNT\AutoBackup\3-16-2011\ERDNT.EXE
+ 2011-03-15 21:31 . 2011-03-15 21:31   475136              c:\windows\ERDNT\AutoBackup\3-15-2011\Users\00000002\UsrClass.dat
+ 2011-03-15 21:31 . 2005-10-20 17:02   163328              c:\windows\ERDNT\AutoBackup\3-15-2011\ERDNT.EXE
+ 2011-03-16 17:26 . 2011-03-16 17:26   12087296              c:\windows\ERDNT\AutoBackup\3-16-2011\Users\00000001\ntuser.dat
+ 2011-03-15 21:31 . 2011-03-15 21:31   12087296              c:\windows\ERDNT\AutoBackup\3-15-2011\Users\00000001\ntuser.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-12-20 18:09   191488   ------w-   c:\program files\Yontoo Layers Client\YontooIEClient.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"Creative Detector U"="c:\program files\Creative\MediaSource5\CTDetctu.exe" [2008-10-30 188416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-06 202256]
"EM_EXEC"="c:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-05-01 28672]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 90112]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 2805248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Owner.YOUR-D26EF63B94\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WN111 Smart Wizard.lnk - c:\program files\NETGEAR\WN111\wn111.exe [2008-1-8 2138112]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2006-5-4 745472]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0SsiEfr.e
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
.
R1 MpKsl3da06e19;MpKsl3da06e19;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB44B7A7-1436-44A1-A536-C05EDD09D92D}\MpKsl3da06e19.sys [3/16/2011 1:25 PM 28752]
R2 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [9/7/2004 9:55 PM 10112]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [5/3/2006 12:11 AM 66048]
R3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\cxavsaud.sys [12/6/2003 3:44 PM 8320]
R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [6/9/2005 9:39 PM 1694592]
S3 CEUSBAUD;DigiTech USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [11/1/2003 4:19 PM 17920]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [5/4/2006 12:26 AM 112384]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [5/4/2006 12:26 AM 13532]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [4/25/2007 3:47 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [4/25/2007 3:47 PM 85696]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys [4/29/2008 6:50 PM 57648]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys [4/29/2008 6:50 PM 8336]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys [4/29/2008 6:50 PM 93488]
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;c:\windows\system32\drivers\z520mgmt.sys [4/29/2008 6:50 PM 84928]
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\z520obex.sys [4/29/2008 6:50 PM 82864]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL3DA06E19
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-03-16 c:\windows\Tasks\Game_Booster_Startup.job
- c:\program files\IObit\Game Booster\gbtray.exe [2011-02-09 21:20]
.
2011-03-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-03-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1997236171-3393474795-40679285-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1997236171-3393474795-40679285-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
FF - ProfilePath - c:\documents and settings\Owner.YOUR-D26EF63B94\Application Data\Mozilla\Firefox\Profiles\s1vuwyay.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Owner.YOUR-D26EF63B94\Application Data\Move Networks
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-16 14:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Creative Detector = "c:\program files\Creative\MediaSource\Detector\CTDetect.exe" /R??D~0?A~????*?A~??B~X???w?C~????m?????!*Spammer*?h???h?????????B~w?C~????m?????!*Spammer*?k!?sw?C~????m??????????w??????A~?Ar???????A~???????w??A~???????s??????D~??A~??????A~???w<?b????????
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\NETGEAR\WG111v2 Configuration Utility]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1008)
c:\progra~1\MOUSEW~1\SYSTEM\LGMOUSHK.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-16  14:47:23
ComboFix-quarantined-files.txt  2011-03-16 18:47
ComboFix2.txt  2011-03-15 23:03
ComboFix3.txt  2011-03-15 05:24
ComboFix4.txt  2011-03-12 20:36
.
Pre-Run: 148,427,046,912 bytes free
Post-Run: 148,456,669,184 bytes free
.
- - End Of File - - D633D28CED7E6DCFFBAA18E72053C25A
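Triage of the "Reg Loading Points" section of a ComboFix log like the one above, as an added example that is not part of the thread or of ComboFix itself: this Python parser (the sample excerpt is copied from the log above) pulls out the Security Center override flags, the HideSCAHealth policy, inbound ports opened in the Windows Firewall, and Run entries whose image has no full path, so a reviewer can check each item against what the machine is expected to have.

```python
import re
from dataclasses import dataclass, field

# The section reads like a REGEDIT4 export: a bracketed key, then "name"=value
# lines, with '.' separating blocks.
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


@dataclass
class Findings:
    security_center_overrides: list = field(default_factory=list)  # Override flags set to 1
    hidden_health_icon_keys: list = field(default_factory=list)    # keys with HideSCAHealth=1
    open_ports: list = field(default_factory=list)                 # (port, protocol) opened inbound
    unqualified_run_entries: list = field(default_factory=list)    # Run values with no full path


def triage_reg_loading_points(log_text: str) -> Findings:
    """Walk the section, tracking the current key, and collect items a reviewer should verify."""
    findings = Findings()
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).lower()
            continue
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue
        name, value = value_match.group(1), value_match.group(2).strip()
        if current_key.endswith("\\security center") and name.endswith("Override") \
                and value == "dword:00000001":
            # With the override set, Security Center stops reporting that component's state.
            findings.security_center_overrides.append(name)
        elif current_key.endswith("\\policies\\explorer") and name == "HideSCAHealth" \
                and value.startswith("1"):
            findings.hidden_health_icon_keys.append(current_key)
        elif current_key.endswith("\\globallyopenports\\list"):
            port, proto = name.split(":", 1)
            findings.open_ports.append((int(port), proto))
        elif current_key.endswith("\\run") and value.startswith('"'):
            image = value[1:].split('"', 1)[0]
            if "\\" not in image:  # bare file name: resolved through the search path at logon
                findings.unqualified_run_entries.append(name)
    return findings


def summarize(findings: Findings) -> list:
    """Plain-text report lines, one per item to verify."""
    lines = [f"Security Center override set: {n}" for n in findings.security_center_overrides]
    lines += [f"Security Center icon hidden by policy under {k}" for k in findings.hidden_health_icon_keys]
    lines += [f"Firewall allows inbound {proto} port {port}" for port, proto in findings.open_ports]
    lines += [f"Run entry without full path: {n}" for n in findings.unqualified_run_entries]
    return lines


# Excerpt copied from the ComboFix log posted above (shortened to the relevant blocks).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-06 202256]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 90112]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 2805248]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"""
```

Running `summarize(triage_reg_loading_points(SAMPLE_LOG))` on the excerpt yields nine report lines: two override flags, one hidden-icon policy, four open TCP ports and the two Realtek Run entries that carry no path.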

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 19650
  • "Stronger than the past, united in our goal."
Re: Help! My computer is possessed! Logged files
« Reply #23 on: March 16, 2011, 08:37:15 PM »
Hi, Grace.

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run, copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


Having a firewall, anti-virus and anti-malware software is not enough.  You also need to stay current with security updates.  If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now.  For additional information, see my blog post Understanding Microsoft Updates.

To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector or, alternatively, visit http://secunia.com/software_inspector/.  The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html

Please let me know if you have any questions.

