
Author Topic: Double the fun!  (Read 5172 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 489
  • Experience: Familiar
  • OS: Windows 10
Re: Double the fun!
« Reply #15 on: June 27, 2009, 08:11:23 PM »


Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C.

Code:
KillAll::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"57086:TCP"=-
"57086:UDP"=-

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{7E335D04-2E6E-4D0E-A921-C3D9192E7121}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{B20D7ADD-989C-4BC0-A797-F6FE7998EFD7}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0]

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0]


3. Go to the Notepad window and click Edit > Paste.
4. Then click File > Save.
5. Name the file CFScript.txt and save it to your Desktop.
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute; just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

GrimAbbott

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Windows 7
    Re: Double the fun!
    « Reply #16 on: June 27, 2009, 09:02:38 PM »
    As requested:

    ComboFix 09-06-26.02 - Dad 06/27/2009 19:56.2 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1007.572 [GMT -7:00]
    Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    (((((((((((((((((((((((((   Files Created from 2009-05-28 to 2009-06-28  )))))))))))))))))))))))))))))))
    .

    2009-06-28 02:02 . 2009-06-28 02:02   --------   d-----w-   c:\windows\system32\dllcache\cache
    2009-06-27 21:03 . 2009-06-27 21:03   --------   d--h--w-   c:\windows\PIF
    2009-06-27 06:55 . 2009-06-27 06:55   --------   d-----w-   c:\documents and settings\Dad\Application Data\Malwarebytes
    2009-06-27 06:50 . 2009-06-27 06:54   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2009-06-27 06:27 . 2009-06-27 18:06   117760   ----a-w-   c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-06-27 06:27 . 2009-06-27 06:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-06-27 06:20 . 2009-06-27 06:20   --------   d-----w-   c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
    2009-06-27 05:46 . 2009-06-27 05:46   --------   d-----w-   c:\program files\Trend Micro
    2009-06-27 05:40 . 2009-06-27 05:39   410984   ----a-w-   c:\windows\system32\deploytk.dll
    2009-06-26 07:45 . 2009-03-30 17:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
    2009-06-26 07:45 . 2009-03-24 23:08   55640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
    2009-06-26 07:45 . 2009-02-13 19:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
    2009-06-26 07:45 . 2009-02-13 19:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
    2009-06-26 07:44 . 2009-06-26 07:44   --------   d-----w-   c:\program files\Avira
    2009-06-26 07:44 . 2009-06-26 07:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
    2009-06-26 07:36 . 2009-06-17 18:27   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-26 07:36 . 2009-06-26 07:36   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-26 07:36 . 2009-06-17 18:27   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2009-06-22 00:48 . 2009-06-22 00:48   --------   d-----w-   c:\program files\iPod
    2009-06-22 00:48 . 2009-06-22 00:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-06-22 00:46 . 2009-06-22 00:46   --------   d-----w-   c:\program files\Bonjour
    2009-06-22 00:45 . 2009-06-22 00:45   --------   d-----w-   c:\program files\QuickTime
    2009-06-22 00:43 . 2009-06-22 00:43   --------   d-----w-   c:\program files\Apple Software Update
    2009-06-21 22:50 . 2009-06-21 22:50   --------   d-----w-   c:\documents and settings\Dad\Local Settings\Application Data\AOL
    2009-06-05 20:57 . 2009-06-05 20:57   75048   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-27 23:55 . 2009-04-10 18:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
    2009-06-27 06:49 . 2002-01-04 09:43   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
    2009-06-27 05:39 . 2002-01-02 07:20   --------   d-----w-   c:\program files\Java
    2009-06-27 04:41 . 2007-07-22 04:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-06-26 06:04 . 2007-03-25 15:49   51936   ----a-w-   c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-26 06:02 . 2002-01-02 07:21   --------   d-----w-   c:\program files\OpenOffice.org 2.2
    2009-06-26 05:56 . 2003-07-31 11:52   --------   d--h--w-   c:\program files\InstallShield Installation Information
    2009-06-26 05:52 . 2002-01-02 08:35   --------   d-----w-   c:\documents and settings\Dad\Application Data\OpenOffice.org2
    2009-06-26 05:52 . 2008-10-08 06:27   --------   d-----w-   c:\documents and settings\Dad\Application Data\stickies
    2009-06-26 05:20 . 2002-01-04 09:37   --------   d-----w-   c:\program files\Common Files\Panda Software
    2009-06-26 05:12 . 2008-11-25 19:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
    2009-06-22 00:48 . 2008-09-15 04:37   --------   d-----w-   c:\program files\Common Files\Apple
    2009-06-21 22:51 . 2009-04-10 18:24   --------   d-----w-   c:\program files\Common Files\AOL
    2009-06-09 17:09 . 2007-09-17 05:02   --------   d-----w-   c:\documents and settings\Samuel.OAKTREE3\Application Data\OpenOffice.org2
    2009-05-11 22:48 . 2009-05-11 22:20   34   ----a-w-   c:\documents and settings\Samuel.OAKTREE3\jagex_runescape_preferences.dat
    2009-04-10 18:29 . 2009-04-10 18:29   1144808   ----a-w-   c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
    2008-01-15 18:50 . 2007-10-21 07:10   1004   --sha-w-   c:\windows\system32\KGyGaAvL.sys
    .

    (((((((((((((((((((((((((((((   [email protected]_01.59.41   )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-06-28 03:02 . 2009-06-28 03:02   16384              c:\windows\temp\Perflib_Perfdata_294.dat
    + 2009-06-28 02:02 . 2008-10-16 22:09   51224              c:\windows\system32\dllcache\cache\wuauclt.exe
    + 2009-06-28 02:02 . 2004-08-04 07:56   82944              c:\windows\system32\dllcache\cache\ws2_32.dll
    + 2009-06-28 02:02 . 2004-08-04 07:56   24576              c:\windows\system32\dllcache\cache\userinit.exe
    + 2009-06-28 02:02 . 2004-08-04 07:56   14336              c:\windows\system32\dllcache\cache\svchost.exe
    + 2009-06-28 02:02 . 2005-06-10 23:53   57856              c:\windows\system32\dllcache\cache\spoolsv.exe
    + 2009-06-28 02:02 . 2004-08-04 07:56   17408              c:\windows\system32\dllcache\cache\powrprof.dll
    + 2009-06-28 02:02 . 2004-08-04 07:56   13312              c:\windows\system32\dllcache\cache\lsass.exe
    + 2009-06-28 02:02 . 2004-08-04 05:58   24576              c:\windows\system32\dllcache\cache\kbdclass.sys
    + 2009-06-28 02:02 . 2004-08-04 06:00   29056              c:\windows\system32\dllcache\cache\ip6fw.sys
    + 2009-06-28 02:02 . 2004-08-04 07:56   15360              c:\windows\system32\dllcache\cache\ctfmon.exe
    + 2009-06-28 02:02 . 2004-08-04 07:56   502272              c:\windows\system32\dllcache\cache\winlogon.exe
    + 2009-06-28 02:02 . 2008-10-16 10:37   659456              c:\windows\system32\dllcache\cache\wininet.dll
    + 2009-06-28 02:02 . 2007-03-08 15:36   577536              c:\windows\system32\dllcache\cache\user32.dll
    + 2009-06-28 02:02 . 2004-08-04 07:56   295424              c:\windows\system32\dllcache\cache\termsrv.dll
    + 2009-06-28 02:02 . 2008-06-20 10:45   360320              c:\windows\system32\dllcache\cache\tcpip.sys
    + 2009-06-28 02:02 . 2004-08-04 07:56   108032              c:\windows\system32\dllcache\cache\services.exe
    + 2009-06-28 02:02 . 2004-08-04 06:14   182912              c:\windows\system32\dllcache\cache\ndis.sys
    + 2009-06-28 02:02 . 2007-04-16 15:52   984576              c:\windows\system32\dllcache\cache\kernel32.dll
    + 2009-06-28 02:02 . 2004-08-04 07:56   110080              c:\windows\system32\dllcache\cache\imm32.dll
    + 2009-06-28 02:02 . 2004-08-04 07:56   167936              c:\windows\system32\dllcache\cache\appmgmts.dll
    + 2009-06-28 02:02 . 2004-08-04 07:56   1580544              c:\windows\system32\dllcache\cache\sfcfiles.dll
    + 2009-06-28 02:02 . 2008-08-14 09:58   2136064              c:\windows\system32\dllcache\cache\ntoskrnl.exe
    + 2009-06-28 02:02 . 2008-08-14 09:22   2015744              c:\windows\system32\dllcache\cache\ntkrnlpa.exe
    + 2009-06-28 02:02 . 2007-06-13 10:23   1033216              c:\windows\system32\dllcache\cache\explorer.exe
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    2009-04-21 00:18   1883672   ----a-w-   c:\program files\Freecorder\tbFre1.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-06-19 393216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
    "AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-19 684032]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
    "AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "MBM 5"="c:\program files\Motherboard Monitor 5\MBM5.EXE" [2004-06-12 594944]
    "Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
    "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 19:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "e:\\Program Files\\iTunes\\iTunes.exe"=
    "e:\\Program Files\\Stickies\\stickies.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 12:45 AM 108289]
    S1 Multicam;MultiCam for Picolo;c:\windows\system32\Drivers\multicam.sys --> c:\windows\system32\Drivers\multicam.sys [?]
    S1 SASKUTIL;SASKUTIL;\??\e:\program files\SUPERAntiSpyware\SASKUTIL.sys --> e:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S3 AtomSync;AtomSync;e:\program files\AtomSync\service.exe [9/23/2008 10:34 PM 159744]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/20/2008 10:47 PM 13224]
    S3 SASENUM;SASENUM;\??\e:\program files\SUPERAntiSpyware\SASENUM.SYS --> e:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2009-06-28 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 01:16]

    2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4265909289-2111342016-2801439982-1016.job
    - c:\documents and settings\Samuel.OAKTREE3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 07:05]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gbcph.org/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\b9k9d87q.default\
    FF - prefs.js: browser.startup.homepage - www.gbcph.org
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: e:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
    FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
    FF - plugin: e:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - plugin: e:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-27 20:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32]
    @DACL=(02 0000)
    @="c:\\Program Files\\Zango\\bin\\10.3.75.0\\CoreSrv.dll"

    [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\0\win32]
    @DACL=(02 0000)
    @="c:\\Program Files\\Zango\\bin\\10.3.75.0\\Toolbar.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(856)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(1440)
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-06-28 20:08 - machine was rebooted
    ComboFix-quarantined-files.txt  2009-06-28 03:08
    ComboFix2.txt  2009-06-28 02:04

    Pre-Run: 108,959,559,680 bytes free
    Post-Run: 108,944,457,728 bytes free

    214

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 489
    • Experience: Familiar
    • OS: Windows 10
    Re: Double the fun!
    « Reply #17 on: June 27, 2009, 10:47:20 PM »

    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C.

    Code:
    KillAll::

    Folder::
    c:\Program Files\Zango

    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32]

    [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\0\win32]

    3. Go to the Notepad window and click Edit > Paste.
    4. Then click File > Save.
    5. Name the file CFScript.txt and save it to your Desktop.
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



    ComboFix will begin to execute; just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
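The two CFScripts in replies #15 and #17 were written by hand from the ComboFix log: the `Registry::` block in #15 removes firewall port exceptions (in REGEDIT4 syntax, `"name"=-` deletes a value), and the `RegLockDel::` and `Folder::` blocks in #17 target the locked TypeLib keys that the log in reply #16 shows pointing into `c:\Program Files\Zango`. The script below is an added example, not ComboFix's own code and not from anyone in this thread: it parses those two log sections and drafts the same CFScript sections for an analyst to review. The LOCKED REGISTRY KEYS lines in the sample are copied from the log above; the GloballyOpenPorts block, its `"name"= data` line format, the `ALLOWED_PORTS` set and the default `suspect_dirs` are constructed assumptions.

```python
"""Draft CFScript sections (Registry::, Folder::, RegLockDel::) from a ComboFix log.

Added example; not ComboFix's code. Section names follow the CFScripts posted
in the thread. The firewall block of SAMPLE_LOG and its line format are assumed.
"""
import re

# Constructed sample log. The LOCKED REGISTRY KEYS block reproduces the thread's
# log lines; the GloballyOpenPorts block uses an assumed "name"= data layout.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"57086:TCP"= 57086:TCP:*:Enabled:svc
"57086:UDP"= 57086:UDP:*:Enabled:svc
"139:TCP"= 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32]
@DACL=(02 0000)
@="c:\\Program Files\\Zango\\bin\\10.3.75.0\\CoreSrv.dll"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\0\win32]
@DACL=(02 0000)
@="c:\\Program Files\\Zango\\bin\\10.3.75.0\\Toolbar.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.*)$')
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')
FIREWALL_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"

# Assumption: port exceptions a home XP box legitimately keeps (file sharing).
# Anything else in GloballyOpenPorts\List is flagged for removal.
ALLOWED_PORTS = {("139", "TCP"), ("445", "TCP"), ("137", "UDP"), ("138", "UDP")}


def parse_open_ports(log):
    """Return [(port, proto, data)] listed under ...\\GloballyOpenPorts\\List."""
    ports, in_section = [], False
    for line in log.splitlines():
        if line.startswith("["):
            # A new key header starts; only the GloballyOpenPorts list is of interest.
            in_section = line.lower().endswith(r"\globallyopenports\list]")
            continue
        m = PORT_RE.match(line) if in_section else None
        if m:
            ports.append((m.group(1), m.group(2), m.group(3)))
    return ports


def parse_locked_keys(log):
    """Return [(key, default_value)] from the LOCKED REGISTRY KEYS section.

    ComboFix prints the key header, an @DACL line, then @="..." with doubled
    backslashes; the default value is un-escaped here.
    """
    locked, in_section = [], False
    for line in log.splitlines():
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("----"):
            break  # reached the next section header
        m = KEY_RE.match(line)
        if m:
            locked.append([m.group(1), None])
            continue
        m = DEFAULT_RE.match(line)
        if m and locked:
            locked[-1][1] = m.group(1).replace("\\\\", "\\")
    return [tuple(entry) for entry in locked]


def draft_cfscript(log, allowed_ports=ALLOWED_PORTS,
                   suspect_dirs=(r"c:\Program Files\Zango",)):
    """Draft a CFScript: drop port exceptions outside the allow-list and
    unlock/delete locked keys whose default value points into a suspect
    directory (assumed list). The draft is for analyst review, not blind use."""
    lines = ["KillAll::", ""]
    flagged = [(p, proto) for p, proto, _ in parse_open_ports(log)
               if (p, proto) not in allowed_ports]
    if flagged:
        lines += ["Registry::", FIREWALL_KEY]
        lines += [f'"{p}:{proto}"=-' for p, proto in flagged]  # "name"=- deletes the value
        lines.append("")
    locked = parse_locked_keys(log)
    prefixes = tuple(d.lower() for d in suspect_dirs)
    bad_keys = [k for k, v in locked if v and v.lower().startswith(prefixes)]
    bad_dirs = [d for d in suspect_dirs
                if any(v and v.lower().startswith(d.lower()) for _, v in locked)]
    if bad_dirs:
        lines += ["Folder::"] + bad_dirs + [""]
    if bad_keys:
        lines.append("RegLockDel::")
        for k in bad_keys:
            lines += [f"[{k}]", ""]
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(draft_cfscript(SAMPLE_LOG))
```

Running it prints a draft with `"3389:TCP"=-`, `"57086:TCP"=-` and `"57086:UDP"=-` under `Registry::`, leaves the `139:TCP` file-sharing exception alone, and lists `c:\Program Files\Zango` under `Folder::` plus both locked TypeLib keys under `RegLockDel::`, matching what the helper wrote by hand. The allow-list is the part worth thinking about: 3389 is Remote Desktop, so whether an exception for it is legitimate depends entirely on whether the owner uses RDP, which is why the draft is reviewed rather than applied.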

    GrimAbbott

      Topic Starter


      Rookie

      • Experience: Beginner
      • OS: Windows 7
      Re: Double the fun!
      « Reply #18 on: June 27, 2009, 11:50:47 PM »
      ComboFix 09-06-26.02 - Dad 06/27/2009 22:42.3 - NTFSx86
      Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1007.579 [GMT -7:00]
      Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
      Command switches used :: c:\documents and settings\Dad\Desktop\cfscript.txt
      AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
      .

      (((((((((((((((((((((((((   Files Created from 2009-05-28 to 2009-06-28  )))))))))))))))))))))))))))))))
      .

      2009-06-28 02:02 . 2009-06-28 02:02   --------   d-----w-   c:\windows\system32\dllcache\cache
      2009-06-27 21:03 . 2009-06-27 21:03   --------   d--h--w-   c:\windows\PIF
      2009-06-27 06:55 . 2009-06-27 06:55   --------   d-----w-   c:\documents and settings\Dad\Application Data\Malwarebytes
      2009-06-27 06:50 . 2009-06-27 06:54   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2009-06-27 06:27 . 2009-06-27 18:06   117760   ----a-w-   c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
      2009-06-27 06:27 . 2009-06-27 06:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2009-06-27 06:20 . 2009-06-27 06:20   --------   d-----w-   c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
      2009-06-27 05:46 . 2009-06-27 05:46   --------   d-----w-   c:\program files\Trend Micro
      2009-06-27 05:40 . 2009-06-27 05:39   410984   ----a-w-   c:\windows\system32\deploytk.dll
      2009-06-26 07:45 . 2009-03-30 17:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
      2009-06-26 07:45 . 2009-03-24 23:08   55640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
      2009-06-26 07:45 . 2009-02-13 19:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
      2009-06-26 07:45 . 2009-02-13 19:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
      2009-06-26 07:44 . 2009-06-26 07:44   --------   d-----w-   c:\program files\Avira
      2009-06-26 07:44 . 2009-06-26 07:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
      2009-06-26 07:36 . 2009-06-17 18:27   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2009-06-26 07:36 . 2009-06-26 07:36   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2009-06-26 07:36 . 2009-06-17 18:27   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2009-06-22 00:48 . 2009-06-22 00:48   --------   d-----w-   c:\program files\iPod
      2009-06-22 00:48 . 2009-06-22 00:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
      2009-06-22 00:46 . 2009-06-22 00:46   --------   d-----w-   c:\program files\Bonjour
      2009-06-22 00:45 . 2009-06-22 00:45   --------   d-----w-   c:\program files\QuickTime
      2009-06-22 00:43 . 2009-06-22 00:43   --------   d-----w-   c:\program files\Apple Software Update
      2009-06-21 22:50 . 2009-06-21 22:50   --------   d-----w-   c:\documents and settings\Dad\Local Settings\Application Data\AOL
      2009-06-05 20:57 . 2009-06-05 20:57   75048   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2009-06-27 23:55 . 2009-04-10 18:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
      2009-06-27 06:49 . 2002-01-04 09:43   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
      2009-06-27 05:39 . 2002-01-02 07:20   --------   d-----w-   c:\program files\Java
      2009-06-27 04:41 . 2007-07-22 04:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
      2009-06-26 06:04 . 2007-03-25 15:49   51936   ----a-w-   c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2009-06-26 06:02 . 2002-01-02 07:21   --------   d-----w-   c:\program files\OpenOffice.org 2.2
      2009-06-26 05:56 . 2003-07-31 11:52   --------   d--h--w-   c:\program files\InstallShield Installation Information
      2009-06-26 05:52 . 2002-01-02 08:35   --------   d-----w-   c:\documents and settings\Dad\Application Data\OpenOffice.org2
      2009-06-26 05:52 . 2008-10-08 06:27   --------   d-----w-   c:\documents and settings\Dad\Application Data\stickies
      2009-06-26 05:20 . 2002-01-04 09:37   --------   d-----w-   c:\program files\Common Files\Panda Software
      2009-06-26 05:12 . 2008-11-25 19:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
      2009-06-22 00:48 . 2008-09-15 04:37   --------   d-----w-   c:\program files\Common Files\Apple
      2009-06-21 22:51 . 2009-04-10 18:24   --------   d-----w-   c:\program files\Common Files\AOL
      2009-06-09 17:09 . 2007-09-17 05:02   --------   d-----w-   c:\documents and settings\Samuel.OAKTREE3\Application Data\OpenOffice.org2
      2009-05-11 22:48 . 2009-05-11 22:20   34   ----a-w-   c:\documents and settings\Samuel.OAKTREE3\jagex_runescape_preferences.dat
      2009-04-10 18:29 . 2009-04-10 18:29   1144808   ----a-w-   c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
      2008-01-15 18:50 . 2007-10-21 07:10   1004   --sha-w-   c:\windows\system32\KGyGaAvL.sys
      .

      (((((((((((((((((((((((((((((   [email protected]_01.59.41   )))))))))))))))))))))))))))))))))))))))))
      .
      + 2009-06-28 05:48 . 2009-06-28 05:48   16384              c:\windows\temp\Perflib_Perfdata_244.dat
      + 2009-06-28 02:02 . 2008-10-16 22:09   51224              c:\windows\system32\dllcache\cache\wuauclt.exe
      + 2009-06-28 02:02 . 2004-08-04 07:56   82944              c:\windows\system32\dllcache\cache\ws2_32.dll
      + 2009-06-28 02:02 . 2004-08-04 07:56   24576              c:\windows\system32\dllcache\cache\userinit.exe
      + 2009-06-28 02:02 . 2004-08-04 07:56   14336              c:\windows\system32\dllcache\cache\svchost.exe
      + 2009-06-28 02:02 . 2005-06-10 23:53   57856              c:\windows\system32\dllcache\cache\spoolsv.exe
      + 2009-06-28 02:02 . 2004-08-04 07:56   17408              c:\windows\system32\dllcache\cache\powrprof.dll
      + 2009-06-28 02:02 . 2004-08-04 07:56   13312              c:\windows\system32\dllcache\cache\lsass.exe
      + 2009-06-28 02:02 . 2004-08-04 05:58   24576              c:\windows\system32\dllcache\cache\kbdclass.sys
      + 2009-06-28 02:02 . 2004-08-04 06:00   29056              c:\windows\system32\dllcache\cache\ip6fw.sys
      + 2009-06-28 02:02 . 2004-08-04 07:56   15360              c:\windows\system32\dllcache\cache\ctfmon.exe
      + 2009-06-28 02:02 . 2004-08-04 07:56   502272              c:\windows\system32\dllcache\cache\winlogon.exe
      + 2009-06-28 02:02 . 2008-10-16 10:37   659456              c:\windows\system32\dllcache\cache\wininet.dll
      + 2009-06-28 02:02 . 2007-03-08 15:36   577536              c:\windows\system32\dllcache\cache\user32.dll
      + 2009-06-28 02:02 . 2004-08-04 07:56   295424              c:\windows\system32\dllcache\cache\termsrv.dll
      + 2009-06-28 02:02 . 2008-06-20 10:45   360320              c:\windows\system32\dllcache\cache\tcpip.sys
      + 2009-06-28 02:02 . 2004-08-04 07:56   108032              c:\windows\system32\dllcache\cache\services.exe
      + 2009-06-28 02:02 . 2004-08-04 06:14   182912              c:\windows\system32\dllcache\cache\ndis.sys
      + 2009-06-28 02:02 . 2007-04-16 15:52   984576              c:\windows\system32\dllcache\cache\kernel32.dll
      + 2009-06-28 02:02 . 2004-08-04 07:56   110080              c:\windows\system32\dllcache\cache\imm32.dll
      + 2009-06-28 02:02 . 2004-08-04 07:56   167936              c:\windows\system32\dllcache\cache\appmgmts.dll
      + 2009-06-28 02:02 . 2004-08-04 07:56   1580544              c:\windows\system32\dllcache\cache\sfcfiles.dll
      + 2009-06-28 02:02 . 2008-08-14 09:58   2136064              c:\windows\system32\dllcache\cache\ntoskrnl.exe
      + 2009-06-28 02:02 . 2008-08-14 09:22   2015744              c:\windows\system32\dllcache\cache\ntkrnlpa.exe
      + 2009-06-28 02:02 . 2007-06-13 10:23   1033216              c:\windows\system32\dllcache\cache\explorer.exe
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
      2009-04-21 00:18   1883672   ----a-w-   c:\program files\Freecorder\tbFre1.dll

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Sony Ericsson PC Suite"="e:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-06-19 393216]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
      "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
      "AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-09-19 684032]
      "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
      "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
      "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
      "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
      "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
      "AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
      "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
      "MBM 5"="c:\program files\Motherboard Monitor 5\MBM5.EXE" [2004-06-12 594944]
      "Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
      "iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
      "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2008-12-22 19:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
      @="Service"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
      "c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
      "c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
      "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "e:\\Program Files\\iTunes\\iTunes.exe"=
      "e:\\Program Files\\Stickies\\stickies.exe"=

      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
      R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 12:45 AM 108289]
      S1 Multicam;MultiCam for Picolo;c:\windows\system32\Drivers\multicam.sys --> c:\windows\system32\Drivers\multicam.sys [?]
      S1 SASKUTIL;SASKUTIL;\??\e:\program files\SUPERAntiSpyware\SASKUTIL.sys --> e:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
      S3 AtomSync;AtomSync;e:\program files\AtomSync\service.exe [9/23/2008 10:34 PM 159744]
      S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/20/2008 10:47 PM 13224]
      S3 SASENUM;SASENUM;\??\e:\program files\SUPERAntiSpyware\SASENUM.SYS --> e:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
      .
      Contents of the 'Scheduled Tasks' folder

      2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

      2009-06-28 c:\windows\Tasks\Google Software Updater.job
      - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-02 01:16]

      2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4265909289-2111342016-2801439982-1016.job
      - c:\documents and settings\Samuel.OAKTREE3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 07:05]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.gbcph.org/
      uDefault_Search_URL = hxxp://www.google.com/ie
      uInternet Settings,ProxyOverride = *.local
      uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
      DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
      DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
      FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\b9k9d87q.default\
      FF - prefs.js: browser.startup.homepage - www.gbcph.org
      FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
      FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
      FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
      FF - plugin: e:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
      FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
      FF - plugin: e:\program files\Mozilla Firefox\plugins\npmusicn.dll
      FF - plugin: e:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
      FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
      FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
      FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
      FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
      FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
      .

      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2009-06-27 22:51
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(860)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll

      - - - - - - - > 'explorer.exe'(1456)
      c:\progra~1\WINDOW~2\wmpband.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
      c:\program files\Avira\AntiVir Desktop\avguard.exe
      c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
      c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
      c:\program files\Bonjour\mDNSResponder.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\windows\system32\HPZipm12.exe
      c:\program files\Analog Devices\SoundMAX\SMAgent.exe
      c:\windows\system32\MsPMSPSv.exe
      c:\program files\iPod\bin\iPodService.exe
      .
      **************************************************************************
      .
      Completion time: 2009-06-28 22:56 - machine was rebooted
      ComboFix-quarantined-files.txt  2009-06-28 05:56
      ComboFix2.txt  2009-06-28 03:08
      ComboFix3.txt  2009-06-28 02:04

      Pre-Run: 108,956,647,424 bytes free
      Post-Run: 108,939,886,592 bytes free

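The log above is what a responder reads by eye: Run keys, BHOs, Winlogon notify DLLs, ShellExecuteHooks, firewall exceptions and service entries, looking for binaries in odd places and services whose image file is gone. As an added example (not ComboFix code and not part of the thread), here is a small Python parser that pulls those records out of a ComboFix-style log and applies three of those rules. The input is a constructed excerpt modelled on the log; the GloballyOpenPorts line is an assumed entry, written in the value format Windows XP SP2 uses for its Remote Desktop exception, since that section is not in this part of the log.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix code).

Parses the "Reg Loading Points", Windows Firewall policy and service lines
into records, then applies three rules an analyst applies by eye:
  * a service whose image file ComboFix could not find ("path --> path [?]")
  * an autostart or firewall-authorized binary in a user-writable directory
  * a port opened globally in the firewall (3389/TCP is Remote Desktop)
A hit is a place to look, not a verdict.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# BHO / Winlogon-notify lines:  date time size attributes path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")
# Service lines:  R1 Name;Description;image [date size]   or   ... image --> image [?]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$")

# Directories a non-admin user can write to. Legitimate per-user software (the
# Google Talk plugin in the log) lives there too, so a hit means "check the
# file", not "malware".
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\")


@dataclass
class Entry:
    kind: str    # autostart | authorized_app | open_port | service
    key: str     # registry key, or service name
    name: str    # value name, or service start type such as R1 / S3
    path: str    # image path ("" for ports)
    detail: str  # raw value, or "missing" for a service with no image file


def _clean_path(p: str) -> str:
    p = p.replace("\\\\", "\\")                    # firewall list doubles backslashes
    return p[4:] if p.startswith("\\??\\") else p  # NT object prefix on driver paths


def _path_from_value(value: str) -> str:
    # '"c:\x.exe" [2009-06-27 148888]'  ->  'c:\x.exe'   ('' if no path found)
    m = re.match(r'^"?([a-z]:\\[^"\[]+?)"?\s*\[', value.strip(), re.IGNORECASE)
    return m.group(1).strip() if m else ""


def parse_log(text: str) -> list:
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := SERVICE_RE.match(line):
            start, svc, _desc, image, bracket = m.groups()
            image = _clean_path(image.split(" --> ")[0])
            missing = bracket.strip() == "?"
            entries.append(Entry("service", svc, start, image, "missing" if missing else bracket))
        elif m := FILE_RE.match(line):
            entries.append(Entry("autostart", key, "", m.group(1), ""))
        elif (m := VALUE_RE.match(line)) and key:
            name, value = m.groups()
            k = key.lower()
            if "authorizedapplications" in k:
                entries.append(Entry("authorized_app", key, name, _clean_path(name), value))
            elif "globallyopenports" in k:
                entries.append(Entry("open_port", key, name, "", value))
            else:
                entries.append(Entry("autostart", key, name, _clean_path(_path_from_value(value)), value))
    return entries


def triage(entries: list) -> list:
    """Return (reason, item, evidence) tuples in log order."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.kind == "service" and e.detail == "missing":
            findings.append(("service-image-missing", e.key, e.path))
        elif e.kind in ("autostart", "authorized_app") and any(d in p for d in USER_WRITABLE):
            item = (e.name or e.key) if e.kind == "autostart" else e.path
            findings.append(("binary-in-user-writable-path", item, e.path))
        elif e.kind == "open_port":
            port = e.name.split(":")[0]
            label = "remote-desktop" if port == "3389" else "port"
            findings.append((f"firewall-globally-open-{label}", e.name, e.detail))
    return findings


# Constructed excerpt modelled on the thread's log. The GloballyOpenPorts line is
# assumed (that section is not in this part of the log), in XP SP2's value format.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2009-04-21 00:18   1883672   ----a-w-   c:\program files\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Samuel.OAKTREE3\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
S1 Multicam;MultiCam for Picolo;c:\windows\system32\Drivers\multicam.sys --> c:\windows\system32\Drivers\multicam.sys [?]
S1 SASKUTIL;SASKUTIL;\??\e:\program files\SUPERAntiSpyware\SASKUTIL.sys --> e:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
"""

if __name__ == "__main__":
    for reason, item, evidence in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason:38} {item}  <- {evidence}")
```

On the excerpt this reports four items: the Google Talk plugin (a per-user install, so a false positive the analyst dismisses after checking the file), the Remote Desktop firewall exception, and the two drivers ComboFix printed with `[?]`. The two SUPERAntiSpyware entries show why a hit is only a prompt: the parser faithfully reports what ComboFix printed, but whether `SASKUTIL.sys` is really absent from `e:\` has to be confirmed on the disk, not from the log.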

      evilfantasy

      • Malware Removal Specialist
      • Moderator

      Re: Double the fun!
      « Reply #19 on: June 28, 2009, 09:50:56 AM »
        OK I think we finally got all of that.

        • Click START then RUN
        • Now type Combofix /u in the runbox
        • Make sure there's a space between Combofix and /u
        • Then hit Enter.

        The above procedure will:
        • Delete the following: ComboFix and its associated files and folders.
        • Reset the clock settings.
        • Hide file extensions, if required.
        • Hide System/Hidden files, if required.
        • Set a new, clean Restore Point.

        ----------

      Clean out your temporary internet files and temp files.

      Download TFC by OldTimer to your desktop.

      Double-click TFC.exe to run it.

      Note: If you are running on Vista, right-click on the file and choose Run As Administrator

      TFC will close all programs when run, so make sure you have saved all your work before you begin.

      * Click the Start button to begin the cleaning process.
      * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
      * Please let TFC run uninterrupted until it is finished.

      Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

      ----------

      Use the ESET Online Antivirus Scanner

      This scanner requires Internet Explorer

      1. Check the box next to YES, I accept the Terms of Use.
      2. Click Start
      3. When asked, allow the activex control to install
      4. Click Start
      5. Make sure that the option Remove found threats and the option Scan unwanted applications are check marked.
      6. Click Scan
      7. Wait for the scan to finish
      8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
      9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

      GrimAbbott

        Topic Starter


        Rookie

        • Experience: Beginner
        • OS: Windows 7
        Re: Double the fun!
        « Reply #20 on: June 29, 2009, 03:48:43 AM »
        ESETSmartInstaller@High as CAB hook log:
        OnlineScanner.ocx - delete file error:The process cannot access the file because it is being used by another process.

        OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.

        OnlineScanner.ocx - registred OK
        # version=6
        # iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
        # OnlineScanner.ocx=1.0.0.5863
        # api_version=3.0.2
        # EOSSerial=f8635a3504fa9c4583e41c03195de3f1
        # end=finished
        # remove_checked=true
        # archives_checked=false
        # unwanted_checked=true
        # unsafe_checked=false
        # antistealth_checked=true
        # utc_time=2009-06-29 09:53:45
        # local_time=2009-06-29 02:53:45 (-0800, Pacific Daylight Time)
        # country="United States"
        # lang=1033
        # osver=5.1.2600 NT Service Pack 2
        # compatibility_mode=1797 21 100 100 76642968750
        # scanned=46189
        # found=0
        # cleaned=0
        # scan_time=1490

        evilfantasy

        • Malware Removal Specialist
        • Moderator

        Re: Double the fun!
        « Reply #21 on: June 29, 2009, 11:30:35 AM »
        Looks good. Is the computer running OK now?

        Use the Secunia Software Inspector to check for out of date software.
        • Click Start Now
        • Check the box next to Enable thorough system inspection.
        • Click Start
        • Allow the scan to finish and scroll down to see if any updates are needed.
        • Update anything listed.
        ----------

        Go to Microsoft Windows Update and get all critical updates.

        ----------

        I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

        SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
        * Using SpywareBlaster to protect your computer from Spyware and Malware
        * If you don't know what ActiveX controls are, see here

        Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

        Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.


        GrimAbbott

          Topic Starter

          Re: Double the fun!
          « Reply #22 on: June 30, 2009, 10:34:27 PM »
          Ahhh...much better!

          My thanks to all of the CH players who invested time in helping me resolve this problem. This has been a long but rewarding and educational process. Thanks also for the final "tools" recommendations to help safeguard my future computing experiences.

          Kudos to the team!

          (Now it's time to run off to the XP thread and see how my other machine is doing!)