OK, like others who have posted in the forum, I somehow contracted the "Internet Security 2010" ransomware/Trojan/virus. I had all the usual problems, including denied access to my Task Manager. Before I found this forum I only managed to tie up IS2010 with Spybot long enough to delete it, but all the other symptoms remained. After going through posts of people with similar problems on here I downloaded ComboFix and Malwarebytes, and followed directions as best I could from other posts. After a few scans between the two IT WORKED! I regained control and was finding no infection with Quick Scan. My question is: I'm now in the middle of a FULL SCAN with Malwarebytes, and so far it's found 19 infected files. Do you think this scan will finally eliminate the virus? Here are the last logs before I started the FULL SCAN. I will also post the results of the full scan when it's complete, but that may be a while. Any help in the meantime will be greatly appreciated.
LOGS:
Malwarebytes' Anti-Malware 1.43
Database version: 3503
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
1/6/2010 11:48:22 AM
mbam-log-2010-01-06 (11-48-22).txt
Scan type: Quick Scan
Objects scanned: 120753
Time elapsed: 7 minute(s), 16 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
C:\WINDOWS\SYSTEM32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
LOG:
ComboFix 10-01-04.01 - Darcie & Ashley 01/06/2010 12:59:43.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.610 [GMT -8:00]
Running from: c:\documents and settings\Darcie
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\18467.exe
c:\windows\system32\IS15.exe
.
((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.
2010-01-06 18:44 . 2010-01-06 18:44 -------- d-----w- c:\documents and settings\Darcie & Ashley\Application Data\Malwarebytes
2010-01-06 18:44 . 2009-12-30 22:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 18:44 . 2010-01-06 18:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 18:44 . 2010-01-06 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-06 18:44 . 2009-12-30 22:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 06:31 . 2010-01-06 06:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-01-05 22:58 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-05 22:58 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-05 22:58 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-05 22:58 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-05 22:57 . 2010-01-06 20:58 -------- d-----w- c:\program files\Spyware Doctor
2010-01-05 22:57 . 2010-01-05 22:59 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-05 22:57 . 2010-01-05 22:57 -------- d-----w- c:\documents and settings\Darcie & Ashley\Application Data\PC Tools
2010-01-05 22:57 . 2010-01-05 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-05 22:57 . 2010-01-06 20:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-05 22:52 . 2010-01-05 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-05 22:34 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 22:31 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-05 22:31 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-05 21:02 . 2010-01-05 22:06 -------- d-----w- c:\documents and settings\Darcie & Ashley\Application Data\QuickScan
2010-01-02 20:28 . 2010-01-02 20:28 -------- d-----w- c:\program files\FreeTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 19:04 . 2005-01-02 04:39 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-01-05 22:52 . 2005-01-11 20:56 -------- d-----w- c:\program files\Google
2010-01-05 22:11 . 2008-07-04 18:17 -------- d-----w- c:\documents and settings\Darcie & Ashley\Application Data\FrostWire
2009-12-16 16:37 . 2009-03-18 22:08 -------- d-----w- c:\program files\FrostWire
2009-11-21 01:33 . 2009-11-21 01:33 -------- d-----w- c:\documents and settings\Darcie & Ashley\Application Data\OpenOffice.org
2009-11-19 19:48 . 2009-11-30 20:40 872960 ----a-w- c:\documents and settings\Darcie & Ashley\Application Data\Mozilla\Firefox\Profiles\vbuafmq4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 19:48 . 2009-11-30 20:40 43008 ----a-w- c:\documents and settings\Darcie & Ashley\Application Data\Mozilla\Firefox\Profiles\vbuafmq4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 19:48 . 2009-11-30 20:40 340480 ----a-w- c:\documents and settings\Darcie & Ashley\Application Data\Mozilla\Firefox\Profiles\vbuafmq4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 19:48 . 2009-11-30 20:40 346624 ----a-w- c:\documents and settings\Darcie & Ashley\Application Data\Mozilla\Firefox\Profiles\vbuafmq4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-18 16:26 . 2005-07-10 20:39 -------- d-----w- c:\program files\Java
2009-11-18 16:26 . 2009-11-18 16:26 152576 ----a-w- c:\documents and settings\Darcie & Ashley\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-18 16:26 . 2009-11-18 16:26 79488 ----a-w- c:\documents and settings\Darcie & Ashley\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-18 05:39 . 2009-11-18 05:39 -------- d-----w- c:\program files\San Andreas Mod Installer
2009-11-17 06:34 . 2003-03-12 03:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-11 12:17 . 2008-12-02 01:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2009-02-25 1103216]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-05 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-25 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"DXM6Patch_981116"="c:\windows\p_981116.exe" [1998-12-01 497376]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2010-01-05 160752]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-3-11 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\90bd93d4724]
[BU]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AC3Filter\\ac3config.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [1/5/2010 2:58 PM 207792]
R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [10/19/2004 7:23 PM 4064]
S3 ebookman;FEP_USB Driver;c:\windows\SYSTEM32\DRIVERS\ebookman.sys [3/10/2004 6:27 PM 19677]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/5/2010 2:57 PM 359624]
--- Other Services/Drivers In Memory ---
*Deregistered* - PCTSDInjDriver32
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-01-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-05 22:52]
2003-03-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://dsl.sbc.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = localhost:8118
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZKfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: live.com
Trusted Zone: realtytools.com
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Darcie & Ashley\Application Data\Mozilla\Firefox\Profiles\vbuafmq4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\documents and settings\Darcie & Ashley\Application Data\Mozilla\Firefox\Profiles\vbuafmq4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1808.5272\npCIDetect14.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07010901.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 13:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
Completion time: 2010-01-06 13:08:53
ComboFix-quarantined-files.txt 2010-01-06 21:08
ComboFix2.txt 2010-01-06 19:35
Pre-Run: 81,417,003,008 bytes free
Post-Run: 81,399,599,104 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 315DB84944BBE2EBF3B34F89202F0AA9
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Darcie & Ashley\Application Data\Mozilla\Firefox\Profiles\vbuafmq4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\documents and settings\Darcie & Ashley\Application Data\Mozilla\Firefox\Profiles\vbuafmq4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1808.5272\npCIDetect14.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07010901.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 13:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
Completion time: 2010-01-06 13:08:53
ComboFix-quarantined-files.txt 2010-01-06 21:08
ComboFix2.txt 2010-01-06 19:35
Pre-Run: 81,417,003,008 bytes free
Post-Run: 81,399,599,104 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 315DB84944BBE2EBF3B34F89202F0AA9