norgechica's own topic

Started by norgechica, July 28, 2010, 05:54:34 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages 1 2 3
User actions

norgechica

#15
August 02, 2010, 05:34:40 PM
Here is my log:





ComboFix 10-07-30.04 - Chris 08/02/2010  10:36:53.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.2036.1459 [GMT -6:00]
Running from: c:\users\Chris\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
.

(((((((((((((((((((((((((   Files Created from 2010-07-02 to 2010-08-02  )))))))))))))))))))))))))))))))
.

2010-08-02 16:44 . 2010-08-02 16:44   --------   d-----w-   c:\users\Chris\AppData\Local\temp
2010-08-02 16:44 . 2010-08-02 16:44   --------   d-----w-   c:\users\Public\AppData\Local\temp
2010-08-02 16:44 . 2010-08-02 16:44   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-08-02 16:35 . 2010-08-02 16:35   --------   d-----w-   C:\32788R22FWJFW
2010-07-31 13:49 . 2010-07-31 13:49   --------   d-----w-   c:\users\Chris\AppData\Roaming\Uniblue
2010-07-31 13:49 . 2010-07-31 13:49   --------   d-----w-   c:\program files\Uniblue
2010-07-29 04:12 . 2010-07-31 17:09   --------   d-----w-   c:\program files\trend micro
2010-07-29 04:12 . 2010-07-29 04:12   --------   d-----w-   C:\rsit
2010-07-28 18:30 . 2010-07-28 19:33   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
2010-07-28 18:30 . 2010-07-28 18:32   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-07-28 17:41 . 2010-07-28 17:41   --------   d-----w-   c:\users\Chris\AppData\Roaming\Malwarebytes
2010-07-28 17:41 . 2010-07-28 17:41   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-28 17:41 . 2010-07-28 17:41   --------   d-----w-   c:\programdata\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 16:41 . 2008-03-19 23:14   1356   ----a-w-   c:\users\Chris\AppData\Local\d3d9caps.dat
2010-07-31 16:35 . 2010-02-06 03:12   --------   d-----w-   c:\programdata\FLEXnet
2010-07-10 02:22 . 2008-07-09 02:19   --------   d-----w-   c:\program files\Microsoft Windows OneCare Live
2010-07-07 16:05 . 2010-07-07 16:05   0   ---ha-w-   c:\users\Chris\AppData\Local\BIT7F3E.tmp
2010-06-26 14:49 . 2008-03-29 23:22   --------   d-----w-   c:\program files\Microsoft.NET
2010-06-17 13:08 . 2009-09-27 03:09   --------   d-----w-   c:\program files\iTunes
2010-06-17 13:07 . 2010-06-17 13:07   --------   d-----w-   c:\program files\iPod
2010-06-17 13:07 . 2008-04-15 02:28   --------   d-----w-   c:\program files\Common Files\Apple
2010-06-17 13:01 . 2009-04-02 02:50   --------   d-----w-   c:\program files\Bonjour
2010-06-17 12:52 . 2010-06-17 12:52   72504   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-11 17:10 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2010-06-11 04:46 . 2008-03-29 23:20   --------   d-----w-   c:\programdata\Microsoft Help
2010-06-05 15:10 . 2009-02-28 22:37   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-05-26 17:06 . 2010-06-11 04:14   34304   ----a-w-   c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 04:14   289792   ----a-w-   c:\windows\system32\atmfd.dll
2010-05-18 22:35 . 2010-05-18 22:35   91424   ----a-w-   c:\windows\system32\dnssd.dll
2010-05-18 22:35 . 2010-05-18 22:35   107808   ----a-w-   c:\windows\system32\dns-sd.exe
2010-02-06 20:48 . 2008-08-14 04:43   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-03-04 16:54 . 2008-03-04 16:41   8192   --sha-w-   c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-14 4452352]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-06 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-18 16712]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
autobahn.lnk - c:\programdata\Autobahn\autobahn.exe [2009-1-21 712408]
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-2-17 333088]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-3-4 7168]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cd,88,ab,3f,5d,e9,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-05 26120]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-02-06 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\User_Feed_Synchronization-{1151DCD9-52C0-42FF-9F66-544F2E8FB121}.job
- c:\windows\system32\msfeedssync.exe [2010-06-11 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x2a4zwwp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x2a4zwwp.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 10:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-08-02  10:46:24
ComboFix-quarantined-files.txt  2010-08-02 16:46
ComboFix2.txt  2010-07-31 16:45

Pre-Run: 66,176,028,672 bytes free
Post-Run: 66,105,307,136 bytes free

- - End Of File - - A41A84F409FF789D998E5E6F59DFA9DB

Corrine

#16
August 02, 2010, 06:54:00 PM
My apology.  When I wrote the ComboFix script, I made an error in the format.  Please allow ComboFix to update when prompted and do the following:

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:

Code Select

KillAll::

File::
c:\users\Chris\AppData\Local\BIT7F3E.tmp


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.





  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

norgechica

#17
August 02, 2010, 08:33:53 PM
The new log:  :)




ComboFix 10-07-30.04 - Chris 08/02/2010  14:10:10.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.2036.1309 [GMT -6:00]
Running from: c:\users\Chris\Desktop\ComboFix.exe
Command switches used :: c:\users\Chris\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
* Created a new restore point

FILE ::
"c:\users\Chris\AppData\Local\BIT7F3E.tmp"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Chris\AppData\Local\BIT7F3E.tmp

.
(((((((((((((((((((((((((   Files Created from 2010-07-02 to 2010-08-02  )))))))))))))))))))))))))))))))
.

2010-08-02 20:12 . 2010-08-02 20:15   --------   d-----w-   c:\users\Chris\AppData\Local\temp
2010-08-02 20:12 . 2010-08-02 20:12   --------   d-----w-   c:\users\Public\AppData\Local\temp
2010-08-02 20:12 . 2010-08-02 20:12   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-08-02 20:08 . 2010-08-02 20:09   --------   d-----w-   C:\32788R22FWJFW
2010-07-31 13:49 . 2010-07-31 13:49   --------   d-----w-   c:\users\Chris\AppData\Roaming\Uniblue
2010-07-31 13:49 . 2010-07-31 13:49   --------   d-----w-   c:\program files\Uniblue
2010-07-29 04:12 . 2010-07-31 17:09   --------   d-----w-   c:\program files\trend micro
2010-07-29 04:12 . 2010-07-29 04:12   --------   d-----w-   C:\rsit
2010-07-28 18:30 . 2010-07-28 19:33   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
2010-07-28 18:30 . 2010-07-28 18:32   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-07-28 17:41 . 2010-07-28 17:41   --------   d-----w-   c:\users\Chris\AppData\Roaming\Malwarebytes
2010-07-28 17:41 . 2010-07-28 17:41   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-28 17:41 . 2010-07-28 17:41   --------   d-----w-   c:\programdata\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 20:12 . 2010-02-06 03:12   --------   d-----w-   c:\programdata\FLEXnet
2010-08-02 19:08 . 2008-03-19 23:14   1356   ----a-w-   c:\users\Chris\AppData\Local\d3d9caps.dat
2010-07-10 02:22 . 2008-07-09 02:19   --------   d-----w-   c:\program files\Microsoft Windows OneCare Live
2010-06-26 14:49 . 2008-03-29 23:22   --------   d-----w-   c:\program files\Microsoft.NET
2010-06-17 13:08 . 2009-09-27 03:09   --------   d-----w-   c:\program files\iTunes
2010-06-17 13:07 . 2010-06-17 13:07   --------   d-----w-   c:\program files\iPod
2010-06-17 13:07 . 2008-04-15 02:28   --------   d-----w-   c:\program files\Common Files\Apple
2010-06-17 13:01 . 2009-04-02 02:50   --------   d-----w-   c:\program files\Bonjour
2010-06-17 12:52 . 2010-06-17 12:52   72504   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-11 17:10 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2010-06-11 04:46 . 2008-03-29 23:20   --------   d-----w-   c:\programdata\Microsoft Help
2010-06-05 15:10 . 2009-02-28 22:37   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-05-26 17:06 . 2010-06-11 04:14   34304   ----a-w-   c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 04:14   289792   ----a-w-   c:\windows\system32\atmfd.dll
2010-05-18 22:35 . 2010-05-18 22:35   91424   ----a-w-   c:\windows\system32\dnssd.dll
2010-05-18 22:35 . 2010-05-18 22:35   107808   ----a-w-   c:\windows\system32\dns-sd.exe
2010-02-06 20:48 . 2008-08-14 04:43   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-03-04 16:54 . 2008-03-04 16:41   8192   --sha-w-   c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-14 4452352]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-06 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-18 16712]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
autobahn.lnk - c:\programdata\Autobahn\autobahn.exe [2009-1-21 712408]
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-2-17 333088]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-3-4 7168]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cd,88,ab,3f,5d,e9,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-05 26120]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-02-06 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\User_Feed_Synchronization-{1151DCD9-52C0-42FF-9F66-544F2E8FB121}.job
- c:\windows\system32\msfeedssync.exe [2010-06-11 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x2a4zwwp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\x2a4zwwp.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
.
**************************************************************************
.
Completion time: 2010-08-02  14:31:43 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-02 20:31
ComboFix2.txt  2010-08-02 16:46
ComboFix3.txt  2010-07-31 16:45

Pre-Run: 66,125,500,416 bytes free
Post-Run: 66,112,974,848 bytes free

- - End Of File - - 1891E775B592B6E108B0344845D432E5

Corrine

#18
August 02, 2010, 11:18:45 PM
Hi, norgechica.

I see the last two runs of ComboFix were done from normal mode.  Are you still unable to run IE in normal mode?  What about Firefox?  Have you been able to uninstall Uniblue or deal with Adobe Acrobat and Adobe Reader?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

norgechica

#19
August 03, 2010, 01:32:17 AM
Actually, the last two combofix's were both run from "safe mode with networking," and I still get a black blank screen when I log in normally.

Clark76

#20
August 03, 2010, 02:00:06 AM
QuoteAre you still unable to run IE in normal mode?  What about Firefox?  Have you been able to uninstall Uniblue or deal with Adobe Acrobat and Adobe Reader?
Please do not forget about Corrine's other questions.
Proud Member of ASAP
Proud Member of UNITE

norgechica

#21
August 03, 2010, 03:47:21 AM
No, I cannot run ANYTHING in normal mode, since I get a blank black screen when I login in. I am also unable to uninstall uniblue or fix adobe reader, since I cannot do so in safemode.

Corrine

#22
August 03, 2010, 02:10:34 PM
Hi, norgechica.

My apology.  I was looking for the word "minimal" in the log as identification as running in safe mode and missed the information that would show you were using safe mode w/networking. 

I have asked Clark76 to lend another pair of eyes to look at your logs to see if there is something that I am not seeing.  He is at work now so won't have an opportunity until later.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Clark76

#23
August 03, 2010, 09:54:53 PM
norgechica,

When did you loose the ablility to boot into normal mode.  Was it during the course of this thread or was was it when you were following the directions of the other thread?  If it was when you were following the directions for the other thread, could you provide the link to that thread please?
Proud Member of ASAP
Proud Member of UNITE

Clark76

#24
August 03, 2010, 11:16:43 PM
Sorry, there is one other thing I would like for you to do.

We need to check out your devices. Please download DevDiag, and save it to your Desktop:
WTT Download Page (recommended)
Direct Download

  • If you are using Vista or Windows 7, please right-click DevDiag.exe and select Run As Administrator. Otherwise, simply double-click the program to run it.
  • At the options screen, please type 2 and hit Enter.
  • The tool will take a few moments to scan. When finished, a report should pop-up, also available on your Desktop (DevDiag.txt).
  • Please do not copy/paste the report into your next reply. Instead, Attach it by clicking [color="red"]Add Reply[/color], and scrolling down to the Attachments section.
Proud Member of ASAP
Proud Member of UNITE

norgechica

#25
August 04, 2010, 04:44:10 AM
It was during the course of this thread that I lost the ability to boot in normal mode. Here is the attached log.

norgechica

#26
August 04, 2010, 04:53:56 AM
I just thought of something.... when I am in safemode letting something run that you ask me to run, after a while a message pops up on the screen as if it wants to turn on the screensaver but it can't, and it says something about the graphics card being incompatible or something. Could this have something to do with why my screen is black in normal mode? Or is this message just because a screen saver can't run in safemode?

Corrine

#27
August 04, 2010, 01:48:50 PM
Did you recently replace the graphics card or do an update to the software?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

norgechica

#28
August 04, 2010, 02:32:23 PM
No, I have not replaced the graphics card, and I haven't done any updates to it that I know of.

MikeW

#29
August 04, 2010, 09:33:09 PM
Worth checking that the resolution settings for you monitor has not been altered by the malware or the clean uo,
Win 11 Home MS Edge - WD - Mbam Pro
Print
Go Up Pages 1 2 3
User actions