I have followed the site's directions and here are my logs:

• MalwareBytes’ Anti-Malware log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122701

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/27/2011 11:06:42 AM
mbam-log-2011-12-27 (11-06-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 243664
Time elapsed: 37 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl (PUP.FCTPlugin) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\Object (PUP.FCTPlugin) -> Quarantined and deleted successfully.

Files Infected:
c:\system volume information\_restore{28108503-6381-4d59-9d63-89dd8597a805}\RP221\A0061036.sys (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\cdrom.sys (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\program files\Object\status.txt (PUP.FCTPlugin) -> Quarantined and deleted successfully.
c:\program files\Object\config.ini (PUP.FCTPlugin) -> Quarantined and deleted successfully.
c:\program files\Object\enable.txt (PUP.FCTPlugin) -> Quarantined and deleted successfully.
c:\program files\Object\status2.txt (PUP.FCTPlugin) -> Quarantined and deleted successfully.

• GMER One.log <EMPTY>

• GMER Two.log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-27 10:10:57
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160412AS rev.0006HPM1
Running: lo6r9gm6.exe; Driver: C:\DOCUME~1\booya\LOCALS~1\Temp\uwldrpow.sys


---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B9122000-B913B000 (102400 bytes)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB54135$\3198184919 0 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\bckfg.tmp 845 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\keywords 108 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\L 0 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\L\cytnlawa 62976 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\U 0 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3198184919\U\80000032.@ 77312 bytes
File C:\WINDOWS\$NtUninstallKB54135$\3838931701 0 bytes

---- EOF - GMER 1.0.15 ----


• BOTH DDS ScanLogs (DDS.txt & Attach.txt)

DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Run by booya at 11:16:17 on 2011-12-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2972.2628 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nortel\Nortel VPN Client\NvcSvcMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\booya\Local Settings\Application Data\ATT Connect\Participant\pull.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.e-access.att.com/empsvcs/hrpinmgt/pagLogin/?retURL=hxxp://moose.web.att.com&sysName=NOP
uInternet Settings,ProxyServer = ftp=10.10.185.200:8080;http=10.10.185.200:8080;https=10.10.185.200:8080;socks=10.10.185.200:8080
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {de4e75d3-60aa-4f02-a0e4-c8a40576574c} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Push Client] c:\documents and settings\booya\local settings\application data\att connect\participant\pull.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\booya\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288893946250
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
mASetup: 2951A911-FE2C-0126-9DD3-33D7C7DC4E3E - "c:\windows\system32\msiexec.exe" /fpu {CC8C6973-85DF-49BD-9883-9C9986C5285E} /q
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\booya\application data\mozilla\firefox\profiles\627g10vs.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.ftp - 10.10.185.200
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.10.185.200
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.10.185.200
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.10.185.200
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.10.185.200
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\booya\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2010-6-14 24064]
R2 NvcSvcMgr;Nortel VPN Client;c:\program files\nortel\nortel vpn client\NvcSvcMgr.exe [2010-3-1 595304]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2010-3-1 26112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-6-14 44800]
R3 NT_NvcA;Nortel VPN Adapter;c:\windows\system32\drivers\ntnvca.sys [2010-3-1 40016]
S2 cdralw;NVIDIA Compatible Windows Miniport Driver;c:\windows\system32\drivers\nvmini.sys --> c:\windows\system32\drivers\nvmini.sys [?]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-9-23 245760]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-12-25 18560]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2010-3-1 89088]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2011-12-27 07:49:08 311296 ----a-w- c:\documents and settings\booya\local settings\application data\joarfozjim.exe
2011-12-25 17:37:29 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2011-12-25 17:37:24 -------- d-----w- c:\windows\2437DF07D3CB4D858397ED8AE9ED26D5.TMP
2011-12-25 17:34:31 -------- d-----w- c:\documents and settings\all users\application data\Leapfrog
2011-12-25 17:34:30 -------- d-----w- c:\program files\LeapFrog
2011-12-02 23:08:41 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-12-02 23:08:41 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-12-02 23:07:34 -------- d-----w- c:\program files\iPod
2011-12-02 23:07:30 -------- d-----w- c:\program files\iTunes
2011-12-02 23:04:23 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-12-02 23:04:22 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-12-02 23:03:21 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-10-18 05:19:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 11:16:57.90 ===============


attach.txt:

==== System Restore Points ===================
.
RP165: 9/29/2011 11:37:23 PM - System Checkpoint
RP167: 9/30/2011 5:02:37 PM - Installed Virtual Account Numbers
RP168: 10/1/2011 5:15:51 PM - System Checkpoint
RP169: 10/3/2011 12:08:14 PM - System Checkpoint
RP170: 10/5/2011 7:29:42 AM - System Checkpoint
RP171: 10/6/2011 6:13:33 PM - System Checkpoint
RP172: 10/7/2011 10:56:01 AM - Removed Virtual Account Numbers
RP173: 10/10/2011 5:08:37 PM - System Checkpoint
RP174: 10/11/2011 6:44:56 PM - System Checkpoint
RP175: 10/13/2011 1:25:26 AM - System Checkpoint
RP176: 10/14/2011 7:38:11 AM - System Checkpoint
RP177: 10/15/2011 2:37:48 PM - System Checkpoint
RP178: 10/17/2011 7:30:35 AM - System Checkpoint
RP179: 10/18/2011 8:27:39 AM - System Checkpoint
RP180: 10/19/2011 9:31:00 AM - System Checkpoint
RP181: 10/20/2011 11:32:40 AM - System Checkpoint
RP182: 10/24/2011 11:32:46 AM - System Checkpoint
RP183: 10/27/2011 5:32:36 PM - System Checkpoint
RP184: 10/28/2011 9:05:01 PM - System Checkpoint
RP185: 10/31/2011 2:28:51 PM - System Checkpoint
RP186: 11/1/2011 4:19:44 PM - System Checkpoint
RP187: 11/2/2011 10:10:59 PM - Removed Apple Software Update
RP188: 11/2/2011 10:11:46 PM - Removed Apple Mobile Device Support
RP189: 11/2/2011 10:13:40 PM - Removed iTunes
RP190: 11/2/2011 10:17:05 PM - Removed Bonjour
RP191: 11/2/2011 10:17:29 PM - Removed Apple Application Support
RP192: 11/3/2011 10:43:40 PM - System Checkpoint
RP193: 11/5/2011 12:40:34 AM - System Checkpoint
RP194: 11/6/2011 1:45:45 AM - System Checkpoint
RP195: 11/7/2011 10:22:06 AM - System Checkpoint
RP196: 11/8/2011 4:25:11 PM - System Checkpoint
RP197: 11/9/2011 4:49:10 PM - System Checkpoint
RP198: 11/11/2011 7:50:24 AM - System Checkpoint
RP199: 11/14/2011 12:02:16 PM - System Checkpoint
RP200: 11/15/2011 7:44:21 PM - System Checkpoint
RP201: 11/17/2011 9:41:14 AM - System Checkpoint
RP202: 11/21/2011 7:56:05 AM - System Checkpoint
RP203: 11/22/2011 5:32:05 PM - System Checkpoint
RP204: 11/24/2011 10:29:17 AM - System Checkpoint
RP205: 11/25/2011 5:48:25 PM - System Checkpoint
RP206: 11/28/2011 9:18:44 AM - System Checkpoint
RP207: 12/1/2011 8:28:29 AM - System Checkpoint
RP208: 12/2/2011 12:22:14 PM - System Checkpoint
RP209: 12/2/2011 5:07:22 PM - Installed iTunes
RP210: 12/5/2011 8:44:15 AM - System Checkpoint
RP211: 12/6/2011 5:55:44 PM - System Checkpoint
RP212: 12/8/2011 5:53:17 PM - System Checkpoint
RP213: 12/9/2011 6:51:03 PM - System Checkpoint
RP214: 12/12/2011 8:07:45 AM - System Checkpoint
RP215: 12/14/2011 12:08:28 PM - System Checkpoint
RP216: 12/15/2011 2:18:19 PM - System Checkpoint
RP217: 12/16/2011 3:57:58 PM - System Checkpoint
RP218: 12/19/2011 5:25:38 PM - System Checkpoint
RP219: 12/23/2011 9:21:23 AM - System Checkpoint
RP220: 12/27/2011 2:00:20 AM - Removed LeapFrog Connect
RP221: 12/27/2011 2:15:55 AM - Removed LeapFrog Connect
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.3.3
Agere Systems HDA Modem
AiO_Scan_CDA
AOTS IGWL Extension 3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BMC Remedy User 7.0
Bonjour
Google Chrome
HL-2270DW
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Photosmart, Officejet and Deskjet 7.0.A
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
Mozilla Firefox 8.0 (x86 en-US)
Nortel VPN Client
QuickTime
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
UEStudio
Update for Windows XP (KB2345886)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973815)
Update Service
VanDyke Software SecureCRT 5.0
Virtual Account Numbers
Visual Studio 2005 Tools for Office Second Edition Runtime
VLC media player 1.1.4
WebEx
WebFldrs XP
Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
Windows Essentials Media Codec Pack 3.0
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
WinRAR 4.10 beta 1 (32-bit)
Xming 6.9.0.31
.
==== Event Viewer Messages From Past Week ========
.
12/27/2011 8:21:31 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
12/27/2011 2:14:03 AM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
12/27/2011 2:13:52 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
12/27/2011 2:13:44 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/27/2011 2:13:17 AM, error: Service Control Manager [7034] - The LeapFrog Connect Device Service service terminated unexpectedly. It has done this 1 time(s).
12/27/2011 11:09:39 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Imapi
12/27/2011 1:59:34 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/23/2011 9:05:36 AM, error: PSched [14103] - QoS [Adapter NDISWANIP]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
.
==== End Of File ===========================

2 Contributors, 7 Replies, 8 Views, 5 Years Discussion Span, Last Post by PhilliePhan

ComboFix 11-12-27.01 - booya 12/27/2011 21:18:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2972.2647 [GMT -6:00]
Running from: c:\documents and settings\booya\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\booya\Local Settings\Application Data\joarfozjim.exe
c:\documents and settings\booya\Start Menu\Internet Explorer.lnk
c:\windows\$NtUninstallKB54135$
c:\windows\$NtUninstallKB54135$\3198184919\@
c:\windows\$NtUninstallKB54135$\3198184919\bckfg.tmp
c:\windows\$NtUninstallKB54135$\3198184919\cfg.ini
c:\windows\$NtUninstallKB54135$\3198184919\Desktop.ini
c:\windows\$NtUninstallKB54135$\3198184919\keywords
c:\windows\$NtUninstallKB54135$\3198184919\kwrd.dll
c:\windows\$NtUninstallKB54135$\3198184919\L\cytnlawa
c:\windows\$NtUninstallKB54135$\3198184919\lsflt7.ver
c:\windows\$NtUninstallKB54135$\3198184919\U\00000001.@
c:\windows\$NtUninstallKB54135$\3198184919\U\00000002.@
c:\windows\$NtUninstallKB54135$\3198184919\U\00000004.@
c:\windows\$NtUninstallKB54135$\3198184919\U\80000000.@
c:\windows\$NtUninstallKB54135$\3198184919\U\80000004.@
c:\windows\$NtUninstallKB54135$\3198184919\U\80000032.@
c:\windows\$NtUninstallKB54135$\3838931701
c:\windows\EventSystem.log
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\system32\dllcache\cdrom.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CDRALW
-------\Legacy_NPF
-------\Service_cdralw
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 03:27 . 2008-04-14 06:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-12-28 03:27 . 2008-04-14 06:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-12-27 08:29 . 2011-12-27 08:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-25 17:37 . 2011-11-12 17:18 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2011-12-25 17:37 . 2011-12-27 08:00 -------- d-----w- c:\windows\2437DF07D3CB4D858397ED8AE9ED26D5.TMP
2011-12-25 17:37 . 2011-12-25 17:37 -------- d-----w- c:\program files\DIFX
2011-12-25 17:34 . 2011-12-27 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2011-12-25 17:34 . 2011-12-27 08:10 -------- d-----w- c:\program files\LeapFrog
2011-12-02 23:08 . 2009-05-18 19:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-12-02 23:08 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-12-02 23:07 . 2011-12-02 23:07 -------- d-----w- c:\program files\iPod
2011-12-02 23:07 . 2011-12-02 23:08 -------- d-----w- c:\program files\iTunes
2011-12-02 23:04 . 2011-12-02 23:04 -------- d-----w- c:\program files\Apple Software Update
2011-12-02 23:04 . 2011-08-02 23:38 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-12-02 23:04 . 2011-08-02 23:38 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-12-02 23:03 . 2011-12-02 23:03 -------- d-----w- c:\program files\Bonjour
2011-12-02 23:03 . 2011-12-02 23:07 -------- d-----w- c:\program files\Common Files\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-18 05:19 . 2011-10-01 18:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-22 16:01 . 2011-02-24 15:29 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2011-06-22 16:01 . 2011-02-24 15:29 449848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2011-02-24 15:29 . 2011-02-24 15:29 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2011-02-24 15:29 . 2011-02-24 15:29 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-11-10 04:37 . 2011-09-30 17:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-12-04 . 1B4E3AF654F96D1689F9186F2BD26407 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Push Client"="c:\documents and settings\booya\Local Settings\Application Data\ATT Connect\Participant\pull.exe" [2009-09-17 935240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-06 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-06 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-06 142360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^booya^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\booya\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsMon00]
2010-06-10 18:42 2621440 ------r- c:\program files\Browny02\Brother\BrStMonW.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-19 19:05 136176 ----atw- c:\documents and settings\booya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-11-13 06:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVC]
2010-03-01 16:19 1717600 ----a-w- c:\program files\Nortel\Nortel VPN Client\Nvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Push Client]
2009-09-17 23:50 935240 ----a-w- c:\documents and settings\booya\Local Settings\Application Data\ATT Connect\Participant\pull.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 23:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2009-03-29 21:24 1044480 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 16:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"gupdate"=2 (0x2)
"VSS"=3 (0x3)
"SwPrv"=3 (0x3)
"mnmsrvc"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"rpcapd"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"SysmonLog"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [6/14/2010 9:52 PM 24064]
R2 NvcSvcMgr;Nortel VPN Client;c:\program files\Nortel\Nortel VPN Client\NvcSvcMgr.exe [3/1/2010 10:19 AM 595304]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [3/1/2010 10:00 AM 26112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/14/2010 9:58 PM 44800]
R3 NT_NvcA;Nortel VPN Adapter;c:\windows\system32\drivers\ntnvca.sys [3/1/2010 9:52 AM 40016]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [9/23/2011 10:08 PM 245760]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2011 11:37 AM 18560]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [3/1/2010 10:00 AM 89088]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\2951A911-FE2C-0126-9DD3-33D7C7DC4E3E]
2008-04-14 10:42 78848 ----a-w- c:\windows\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-682003330-1003Core.job
- c:\documents and settings\booya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-19 19:05]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-682003330-1003UA.job
- c:\documents and settings\booya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-19 19:05]
.
2011-12-28 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-02-21 16:52]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.e-access.att.com/empsvcs/hrpinmgt/pagLogin/?retURL=hxxp://moose.web.att.com&sysName=NOP
uInternet Settings,ProxyServer = ftp=10.10.185.200:8080;http=10.10.185.200:8080;https=10.10.185.200:8080;socks=10.10.185.200:8080
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\booya\Application Data\Mozilla\Firefox\Profiles\627g10vs.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.ftp - 10.10.185.200
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.10.185.200
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.10.185.200
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.10.185.200
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.10.185.200
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{de4e75d3-60aa-4f02-a0e4-c8a40576574c} - (no file)
MSConfigStartUp-AnyDVD - c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-27 21:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3092)
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-27 21:34:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-28 03:34
.
Pre-Run: 116,513,599,488 bytes free
Post-Run: 117,138,812,928 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0A0C7434E51234767472AC4AE17EB1EC

0

Great - that looks good. How are things running?

Before we give the "all clear," let's check a few other things:

-- Re-run GMER and post the logs.

-- Please download and run Farbar Service Scanner
-- Check Include All Files and hit scan. It should produce a log. Please post the FSS.txt for me.

-- Please run an ESET Online Scan and post the results.

PP:)

0

Farbar Service Scanner
Ran by booya (administrator) on 29-12-2011 at 19:54:07
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
IE proxy is enabled.
ProxyServer: ftp=10.10.185.200:8080;http=10.10.185.200:8080;https=10.10.185.200:8080;socks=10.10.185.200:8080


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Eacfilt(10) Gpc(6) IPSec(4) IPSECEXT(8) IPSECSHM(9) NetBT(5) NT_NvcA(11) PSched(7) Tcpip(3)
0x0C0000000400000001000000020000000300000005000000060000000700000008000000090000000A0000000B0000000C000000

**** End of log ****


ESET Summary:

SUMMARY....found the following infected files:
1. Win32/Adware.Toolbar.Dealio application
2. a variant of Win32/Kryptik.YEO trojan
3. a variant of Win32/Kryptik.YBG trojan
4. MSIL/Solimba.A application
5. a variant of Win32/Kryptik.YBG trojan

ESET LOG:

C:\Documents and Settings\booya\Application Data\Sun\Java\Deployment\cache\6.0\49\5ddb04f1-7f93e514 a variant of Win32/Kryptik.YEO trojan cleaned by deleting - quarantined
C:\Documents and Settings\booya\My Documents\media player codecs\media.player.codec.pack.v3.9.6.setup.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\booya\Local Settings\Application Data\joarfozjim.exe.vir a variant of Win32/Kryptik.YBG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{28108503-6381-4D59-9D63-89DD8597A805}\RP175\A0047891.exe MSIL/Solimba.A application deleted - quarantined
C:\System Volume Information\_restore{28108503-6381-4D59-9D63-89DD8597A805}\RP222\A0061125.exe a variant of Win32/Kryptik.YBG trojan cleaned by deleting - quarantined

0

That looks good - How are things running now?

-- Please update your Java here --> http://www.java.com/en/download/index.jsp
Then, look in Add/Remove programs and remove any old versions.

Or, you can open Javacpl and hit update and do this automatically.

-- Please run ATF-Cleaner as per the Read Me First sticky post and make sure Clear Java Cache is selected.


Then, please uninstall combofix as per the linky below:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Let me know if you run into any problems with the above.

Cheers :)
PP

0

Done.

So I am a little worried ESET found so many corrupt files after performing the aforementioned tasks. Should I run a random virus/malware detection program from time to time?

Thank you to all who have helped me get this far.
opr8tions

0

So I am a little worried ESET found so many corrupt files after performing the aforementioned tasks. Should I run a random virus/malware detection program from time to time?

Absolutely!
You should update and run MBAM every couple of weeks - more often if you engage in unsafe internet practices.

Keep a good AV/Firewall combo updated and running at all times. There are many good and free options available.
Online scans such as ESET are a good "backup" to your resident AV program if you feel you need a "second opinion."

The stuff ESET found is not worrisome.
You are going to get adware (or worse) in a lot of codec packs. I would recommend downloading them from a site such as Majorgeeks.com. The site owners are very good about keeping their downloads free of malware and crapware.

The Kryptik trojan was removed by combofix. What ESET detected was the combofix quarantine - no worries there.
To avoid these types of malware, always keep your Java updated and always remove older versions. If you automatically update it, this should be done for you.
Also, running ATF-Cleaner will flush the Java cache (if you set it to do so as directed in the Read Me First post).

The other detections are in System Restore. The combofix uninstall routine should have flushed the System Restore points, or at least it used to.
You can do this manually by turning System Restore Off and then back On.

Happy New Year :)
PP
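The reasoning in the reply above (hits inside the ComboFix quarantine and inside System Restore points are inert copies of malware that was already removed, while hits in the Java cache or in ordinary user folders point at how the machine got infected) can be applied mechanically to an ESET log. The script below is an added example written for this thread; it is not part of the original posts and not an ESET tool. The five detection lines are copied from the ESET log posted above as constructed sample input, and the location labels and advice strings are this example's own choices.

```python
r"""Triage an ESET Online Scanner log by where each detected file lives.

Added example for this thread (not ESET's code and not from the original
posts). Detections under C:\Qoobox\Quarantine (ComboFix quarantine) and under
System Volume Information\_restore (System Restore points) are inert copies;
detections in the Java deployment cache or in user folders are the ones that
still need attention.
"""
import re
from collections import Counter

# Constructed sample input: the five detection lines posted in this thread.
ESET_LOG = r"""
C:\Documents and Settings\booya\Application Data\Sun\Java\Deployment\cache\6.0\49\5ddb04f1-7f93e514 a variant of Win32/Kryptik.YEO trojan cleaned by deleting - quarantined
C:\Documents and Settings\booya\My Documents\media player codecs\media.player.codec.pack.v3.9.6.setup.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\booya\Local Settings\Application Data\joarfozjim.exe.vir a variant of Win32/Kryptik.YBG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{28108503-6381-4D59-9D63-89DD8597A805}\RP175\A0047891.exe MSIL/Solimba.A application deleted - quarantined
C:\System Volume Information\_restore{28108503-6381-4D59-9D63-89DD8597A805}\RP222\A0061125.exe a variant of Win32/Kryptik.YBG trojan cleaned by deleting - quarantined
"""

# An ESET line is "<path with spaces> <threat name> <action taken>".
# The path never contains "/", so the first "Family/Name" token marks the
# start of the threat name; the word after it (trojan, application, ...)
# closes it, and everything after that is the action.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:a variant of )?[A-Za-z0-9]+/\S+\s+\S+)\s+"
    r"(?P<action>.+)$"
)

# (path fragment, location label, what to do about it) - labels are this
# example's own assumptions, chosen to match the advice in the thread.
LOCATIONS = (
    ("\\qoobox\\quarantine\\", "ComboFix quarantine",
     "inert copy of a file ComboFix already removed; gone once ComboFix is uninstalled"),
    ("\\system volume information\\_restore", "System Restore point",
     "inert copy inside a restore point; flush by turning System Restore off and on"),
    ("\\sun\\java\\deployment\\cache\\", "Java cache",
     "cached Java applet/exploit; update Java, remove old versions, clear the cache"),
)
INERT = {"ComboFix quarantine", "System Restore point"}


def classify(path):
    """Return (location label, advice) for a detected file's path."""
    low = path.lower()
    for fragment, label, advice in LOCATIONS:
        if fragment in low:
            return label, advice
    return "live file system", "real file on disk; check what downloaded or dropped it"


def parse_eset_line(line):
    """Parse one ESET detection line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    label, advice = classify(path)
    return {
        "path": path,
        "threat": m.group("threat"),
        "action": m.group("action"),
        "location": label,
        "advice": advice,
        "inert": label in INERT,
    }


def triage(log_text):
    """Parse every detection line in an ESET log, skipping non-matching lines."""
    parsed = (parse_eset_line(line) for line in log_text.splitlines())
    return [entry for entry in parsed if entry]


def summarize(results):
    """Count detections per location label."""
    return Counter(entry["location"] for entry in results)


def still_needs_attention(results):
    """Detections that are not just leftovers in a quarantine or restore point."""
    return [entry for entry in results if not entry["inert"]]


if __name__ == "__main__":
    found = triage(ESET_LOG)
    for entry in found:
        flag = "inert " if entry["inert"] else "CHECK "
        print(f"{flag}[{entry['location']}] {entry['threat']}: {entry['advice']}")
    print(dict(summarize(found)))
```

Run against the thread's log this flags only the Java cache hit and the codec-pack installer for follow-up, which is exactly the split the reply makes: one is the infection vector (keep Java updated, clear its cache) and one is adware bundled with a codec pack, while the Qoobox and _restore entries disappear on their own once ComboFix is uninstalled and System Restore is cycled.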
