Like many, I caught a trojan or trojans. It implanted links to porn sites on my computer and kept asking me to install this Win 7 System Guard to protect against supposedly 29 viruses/trojans/etc. that I had on my computer.
My Lavasoft and McAfee and Firefox were disabled. When I got McAfee to run a scan, it didn't find anything.
So, I ran ComboFix.exe and it deleted many files. Then I ran Malwarebytes' Anti-Malware fast scan and it deleted one trojan. Then I ran it again in full mode and it deleted one more trojan. Next was Trend Micro's HouseCall, which found nothing, then their rootkitbuster.exe, and finally ComboFix.exe and Malwarebytes again in Safe Mode (which found nothing).
Unfortunately, that second ComboFix run deleted the log of the first, but I have the Malwarebytes logs. My question is, after looking at the logs below, can I reasonably be sure my computer is disinfected, or is there more I need to do?
Thanks in advance.
Here is the first MWB log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4049
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
4/29/2010 1:22:04 AM
mbam-log-2010-04-29 (01-22-04).txt
Scan type: Quick scan
Objects scanned: 112689
Time elapsed: 6 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Le Minh Triet\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
The second MWB log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4049
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
4/29/2010 2:33:01 AM
mbam-log-2010-04-29 (02-33-01).txt
Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 253461
Time elapsed: 58 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\Users\Le Minh Triet\AppData\Local\Temp\csoqq.dll.vir (Trojan.Ertfor) -> Quarantined and deleted successfully.
The third MWB log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4049
Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385
4/29/2010 3:48:45 AM
mbam-log-2010-04-29 (03-48-45).txt
Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 250354
Time elapsed: 27 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
The Combofix log:
ComboFix 10-04-28.04 - Le Minh Triet 04/29/2010 3:11.2.2 - x86 MINIMAL
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2304 [GMT -5:00]
Running from: c:\users\Le Minh Triet\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.
2010-04-29 08:17 . 2010-04-29 08:17 -------- dc----w- c:\users\Owner\AppData\Local\temp
2010-04-29 08:17 . 2010-04-29 08:17 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-29 08:17 . 2010-04-29 08:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-29 08:07 . 2010-04-29 08:10 -------- d-----w- C:\32788R22FWJFW
2010-04-29 07:47 . 2010-04-29 07:47 -------- d-----w- c:\windows\system32\Wat
2010-04-29 06:13 . 2010-04-29 06:13 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Malwarebytes
2010-04-29 06:12 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 06:12 . 2010-04-29 06:12 -------- d-----w- c:\programdata\Malwarebytes
2010-04-29 06:12 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 06:12 . 2010-04-29 06:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 05:13 . 2010-04-29 05:13 260608 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{F3870710-5316-174B-94C6-7A3730C468E7}-sysmon64x.exe
2010-04-29 02:40 . 2010-04-29 02:40 260608 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{3F49E783-43EC-1B57-8F65-C78B5357E7A7}-sysmon64x.exe
2010-04-29 01:42 . 2010-04-29 05:21 -------- d-----w- c:\programdata\salizuya
2010-04-29 01:42 . 2010-04-29 01:42 -------- d-----w- c:\programdata\rojolutu
2010-04-29 01:42 . 2010-04-29 01:42 -------- d-----w- c:\programdata\jiwirido
2010-04-29 00:20 . 2010-04-29 00:20 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Flickr
2010-04-29 00:20 . 2010-04-29 00:20 -------- d-----w- c:\users\Le Minh Triet\AppData\Local\Flickr
2010-04-28 23:57 . 2010-04-28 23:57 -------- d-----w- c:\program files\SyncToy 2.1
2010-04-28 21:53 . 2010-03-26 02:49 66048 -c--a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
2010-04-28 21:53 . 2009-11-26 03:03 61952 -c--a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\cfxHelper@Triton\components\dwmxpcom.dll
2010-04-28 21:53 . 2010-04-07 20:28 253952 -c--a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
2010-04-28 21:46 . 2010-04-28 21:46 -------- d-----w- c:\program files\Common Files\Java
2010-04-28 21:46 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 21:42 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 21:42 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 21:42 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-28 21:42 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-28 21:42 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-28 21:42 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-28 21:42 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-28 21:42 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-28 21:42 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-28 21:41 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-28 21:41 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-19 19:59 . 2010-04-19 19:59 255472 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-04-02 16:31 . 2010-04-02 16:32 20846064 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\rp\RealPlayerSPGold.exe
2010-04-02 16:31 . 2010-04-02 16:31 79368 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\vista.exe
2010-04-02 16:31 . 2010-04-02 16:31 64000 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gcapi_dll.dll
2010-04-02 16:31 . 2010-04-02 16:31 52288 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\gtapi.dll
2010-04-02 16:31 . 2010-04-02 16:31 50688 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\fftbapi.dll
2010-04-02 16:31 . 2010-04-02 16:31 49152 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\CarboniteCompatibility.dll
2010-04-02 16:31 . 2010-04-02 16:31 118784 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\RUP\inst_config\compat.dll
2010-04-02 03:52 . 2010-04-28 21:38 439816 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.11\setup.exe
2010-03-31 04:11 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 08:05 . 2010-01-02 17:16 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Skype
2010-04-29 07:48 . 2010-01-02 07:49 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2010-04-29 07:48 . 2010-01-02 07:12 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-04-29 05:24 . 2010-01-02 07:49 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2010-04-28 21:46 . 2010-01-02 17:27 -------- d-----w- c:\program files\Java
2010-04-28 21:39 . 2010-01-02 07:12 13160 ----a-w- c:\windows\system32\Upgrd.exe
2010-04-28 21:39 . 2010-01-02 07:12 57752 ------w- c:\windows\system32\rpcnet.exe
2010-03-26 19:03 . 2010-01-02 14:20 -------- d-----w- c:\program files\PC-Doctor
2010-03-26 17:30 . 2010-03-26 17:30 -------- d-----w- c:\program files\Utimaco
2010-03-25 20:26 . 2010-03-25 20:14 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\RipIt4Me
2010-03-25 20:25 . 2010-03-25 20:25 -------- d-----w- c:\program files\DVD Decrypter
2010-03-25 20:17 . 2010-03-25 20:17 643072 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\RipIt4Me\updater\ri4mupdater.exe
2010-03-25 20:16 . 2010-03-25 20:16 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Vso
2010-03-25 20:16 . 2010-03-25 20:16 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-03-25 20:16 . 2010-03-25 20:16 47360 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\pcouffin.sys
2010-03-25 20:16 . 2010-03-25 20:16 47360 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\pcouffin.sys
2010-03-25 20:16 . 2010-03-25 20:15 -------- d-----w- c:\program files\DVDFab 7
2010-03-25 20:09 . 2010-03-25 20:09 -------- d-----w- c:\programdata\DVD Shrink
2010-03-25 20:09 . 2010-03-25 20:09 -------- d-----w- c:\program files\DVD Shrink
2010-03-25 03:28 . 2010-01-02 13:54 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\HandBrake
2010-03-25 01:48 . 2010-03-25 01:44 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\InfraRecorder
2010-03-25 01:43 . 2010-03-25 01:43 -------- d-----w- c:\program files\InfraRecorder
2010-03-19 14:24 . 2010-03-19 14:24 -------- d-----w- c:\program files\Lavasoft
2010-03-19 14:24 . 2010-03-19 14:24 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-19 14:24 . 2010-01-02 08:07 -------- d-----w- c:\programdata\Lavasoft
2010-03-19 12:07 . 2010-03-19 12:07 -------- d-----w- c:\programdata\FLEXnet
2010-03-19 10:16 . 2010-01-02 07:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-19 10:16 . 2010-03-19 10:16 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-03-19 10:15 . 2010-01-02 06:53 114560 ----a-w- c:\users\Le Minh Triet\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-17 00:33 . 2010-03-17 00:33 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\AdobeUM
2010-03-15 00:52 . 2010-03-15 00:52 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\inkscape
2010-03-15 00:51 . 2010-03-15 00:51 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Notepad++
2010-03-15 00:51 . 2010-03-15 00:51 -------- d-----w- c:\program files\Notepad++
2010-03-13 20:23 . 2010-01-23 13:43 -------- d-----w- c:\program files\uTorrent
2010-03-13 13:28 . 2010-01-23 13:42 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\uTorrent
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-10 15:14 . 2010-03-10 15:14 300616 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-10 15:14 . 2010-03-10 15:14 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-10 15:14 . 2010-03-10 15:14 329312 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-10 15:14 . 2010-01-02 16:56 -------- d-----w- c:\program files\Common Files\Real
2010-03-10 15:13 . 2010-01-02 16:56 -------- d-----w- c:\program files\Real
2010-03-10 15:13 . 2010-03-10 15:13 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-09 21:46 . 2010-03-09 21:46 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-03-09 21:46 . 2010-03-09 21:46 -------- d-----w- c:\program files\Hewlett-Packard
2010-03-09 21:44 . 2010-03-09 21:44 -------- d-----w- c:\programdata\Hewlett-Packard
2010-03-09 00:46 . 2010-03-09 00:46 -------- d-----w- c:\program files\Morphyre
2010-03-09 00:44 . 2010-01-02 16:34 -------- d-----w- c:\users\Le Minh Triet\AppData\Roaming\Winamp
2010-03-09 00:42 . 2010-01-02 16:34 -------- d-----w- c:\program files\Winamp
2010-03-09 00:40 . 2010-03-09 00:40 -------- d-----w- c:\program files\R4
2010-03-08 06:47 . 2010-01-02 16:34 -------- d-----w- c:\program files\Winamp Detect
2010-03-07 13:50 . 2010-03-07 13:50 79368 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.10\RUP\vista.exe
2010-03-07 05:07 . 2010-03-07 05:07 439816 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-03-05 15:16 . 2010-03-05 15:16 -------- d-----w- c:\program files\Microsoft
2010-02-24 15:16 . 2010-01-02 06:54 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-18 08:06 . 2010-02-18 08:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-18 03:59 . 2010-01-02 07:20 38784 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-18 03:59 . 2010-01-02 07:20 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-15 14:13 . 2010-02-15 14:13 64099864 ----a-w- c:\users\Le Minh Triet\AppData\Roaming\Nokia\Ovi Suite\Software Updater\NokiaOviSuite2Installer.exe
2010-02-08 01:12 . 2010-02-08 01:12 12212040 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-02-08 01:12 . 2010-02-08 01:12 13930312 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-02-08 01:12 . 2010-02-08 01:12 77824 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-02-08 01:12 . 2010-02-08 01:12 61440 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-02-08 01:12 . 2010-02-08 01:12 58880 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-02-08 01:12 . 2010-02-08 01:12 50000 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Installer\CommonCustomActions\pcswpc.exe
2010-02-08 00:33 . 2010-02-08 01:12 98360888 ----a-w- c:\programdata\OviInstallerCache\{D07520AE-F890-40E2-97BB-FC627869C8B3}\Nokia_Ovi_Suite_2_1_0_82_ALL.exe
2010-02-04 15:53 . 2010-03-19 14:24 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2010-03-19 14:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-02 07:45 . 2010-02-24 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2008-09-29 14:07 . 2010-01-02 09:20 22576 ----a-w- c:\program files\mozilla firefox\components\scriptff.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2009-11-04 03:12 556432 ----a-w- c:\progra~1\MICROS~4\Office14\URLREDIR.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Google Update"="c:\users\Le Minh Triet\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-02 135664]
"googletalk"="c:\users\Le Minh Triet\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"TpShocks"="TpShocks.exe" [2009-07-09 337184]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-09 714016]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-13 36864]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-11-17 69568]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-10-19 3093816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2009-09-27 83312]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-07 642856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-10 202256]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2007-09-07 53248]
"Launch Backup Service Once"="c:\program files\Lenovo\Rescue and Recovery\rrstrigger.exe" [2009-09-25 21304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-08-17 20:27 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
[HKLM\~\startupfolder\C:^Users^Le Minh Triet^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\users\Le Minh Triet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-13 13480]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 135664]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\LENOVO\HOTKEY\CAMMUTE.exe [2009-11-09 54632]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-11-18 44984]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
R2 PrivateDisk;PrivateDisk;c:\program files\Utimaco\SafeGuard PrivateDisk\PrivateDiskM.sys [2007-09-07 57856]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 12560]
R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-11-17 62904]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-19 1263728]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2009-09-26 4639136]
R3 PCDSRVC{3037D694-FD904ACA-06000000}_0;PCDSRVC{3037D694-FD904ACA-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2009-11-20 20848]
R3 PCDSRVC{C4B36920-79E24793-06000000}_0;PCDSRVC{C4B36920-79E24793-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\pcdsrvc.pkms [2009-11-20 20848]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-09 75040]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2009-07-02 38336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-29 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 08:07]
2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 08:07]
2010-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1209684377-1073439955-1070647248-1000Core.job
- c:\users\Le Minh Triet\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-04 08:07]
2010-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1209684377-1073439955-1070647248-1000UA.job
- c:\users\Le Minh Triet\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-04 08:07]
2010-01-19 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\pcdlauncher.exe [2009-11-20 10:12]
2010-04-06 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdr5cuiw32.exe [2010-02-18 00:15]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://med.uth.tmc.edu/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = ;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: tmc.edu\vpn.uth
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\
FF - prefs.js: browser.startup.homepage - hxxp://med.uth.tmc.edu/
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\cfxHelper@Triton\components\dwmxpcom.dll
FF - component: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\RayV\RayV\plugins\nprayvplugin.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Roaming\Move Networks\plugins\npqmp071706000001.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\Firefox\Profiles\2oicotto.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\users\Le Minh Triet\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
HKLM-RunOnce- - (no file)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{C4B36920-79E24793-06000000}_0]
"ImagePath"="\??\c:\progra~1\pc-doc~1\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-29 03:18:42
ComboFix-quarantined-files.txt 2010-04-29 08:18
ComboFix2.txt 2010-04-29 05:30
Pre-Run: 12,342,243,328 bytes free
Post-Run: 12,292,853,760 bytes free
- - End Of File - - 9DDEBEB98A43FE90C536BC8E5BA75493
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-29 03:18:42
ComboFix-quarantined-files.txt 2010-04-29 08:18
ComboFix2.txt 2010-04-29 05:30
Pre-Run: 12,342,243,328 bytes free
Post-Run: 12,292,853,760 bytes free
- - End Of File - - 9DDEBEB98A43FE90C536BC8E5BA75493