I have returned. I was away from my comp for a long time,
and my old logs and steps have been made inactive by the admin.
The last thing I was asked to do was to run Combofix.
I am going to post the Combofix log with this post.
Sorry about the delay.
The old posts are under the same name: "Alpha Antivirus and other nasties my wife downloaded".
ComboFix 09-12-04.02 - Meghan 01/02/2010 11:14.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1001 [GMT -8:00]
Running from: c:\users\Meghan\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1835885441-439211620-2350860753-500
c:\$recycle.bin\S-1-5-21-1835885441-439211620-2350860753-500\desktop.ini
.
((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.
2010-01-02 19:18 . 2010-01-02 19:20 -------- d-----w- c:\users\Meghan\AppData\Local\temp
2010-01-02 19:18 . 2010-01-02 19:18 -------- d-----w- c:\users\Total Clarity\AppData\Local\temp
2010-01-02 19:18 . 2010-01-02 19:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-13 11:06 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-13 11:06 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-13 11:06 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 23:37 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 01:30 . 2009-04-03 17:28 4096 d-----w- c:\programdata\Google Updater
2009-12-10 11:07 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-12-10 03:31 . 2009-02-06 06:09 4096 d-----w- c:\users\Meghan\AppData\Roaming\Corel
2009-11-28 23:21 . 2009-11-28 23:21 -------- d-----w- c:\program files\Trend Micro
2009-11-26 06:57 . 2009-11-26 06:57 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbD07F.tmp.exe
2009-11-21 06:40 . 2009-12-09 23:41 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 23:41 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-09 23:41 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-09 23:41 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 03:37 . 2009-11-19 03:37 -------- d-----w- c:\users\Meghan\AppData\Roaming\Malwarebytes
2009-11-18 19:24 . 2009-11-18 19:24 -------- d-----w- c:\users\Total Clarity\AppData\Roaming\Malwarebytes
2009-11-18 19:24 . 2009-11-18 19:24 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-18 19:24 . 2009-11-18 19:24 -------- d-----w- c:\programdata\Malwarebytes
2009-11-18 15:38 . 2009-11-17 07:39 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-18 07:18 . 2009-11-17 07:39 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-17 14:59 . 2009-11-17 06:05 40960 d-----w- c:\program files\Spyware Doctor
2009-11-17 14:59 . 2009-11-17 06:05 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-17 05:49 . 2009-11-17 05:49 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-17 05:49 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 05:44 . 2009-11-17 05:44 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-17 05:42 . 2009-11-17 05:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-17 05:13 . 2009-10-01 02:06 -------- d-----w- c:\program files\McAfee Security Scan
2009-11-09 00:15 . 2007-11-06 22:48 4096 d-----w- c:\program files\Picasa2
2009-11-03 04:42 . 2009-10-03 23:37 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 11:01 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-08 21:08 . 2009-11-17 05:32 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-11-17 05:32 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-11-17 05:32 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2008-02-15 21:07 . 2008-02-15 21:07 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 430080]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-16 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-20 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 255528]
"WordPerfect Office 1215"="c:\program files\WordPerfect Office 12\Programs\Registration.exe" [2004-03-08 733184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-04-25 4444160]
"NDSTray.exe"="NDSTray.exe" [BU]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-04-13 1822720]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]
c:\users\Total Clarity\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2007-2-12 2516584]
c:\users\Meghan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):21,06,f0,49,98,4c,ca,01
R0 AFS;AFS;c:\windows\System32\drivers\AFS.SYS [5/28/2008 2:22 PM 79052]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [11/6/2007 2:37 PM 7168]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\rtl8187B.sys [12/11/2007 5:29 AM 252416]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [9/30/2008 7:09 AM 21504]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-01-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-06 17:28]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-MVApplication1 - c:\windows\mvuninst\App1\mvuninst.exe Memorex exPressit Label Design Studio
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 11:19
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????e??o| ??? O???O?@?O?X?O?p?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85267369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8810bd24
\Driver\ACPI -> acpi.sys @ 0x82c92d68
\Driver\atapi -> ataport.SYS @ 0x82dd8a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-01-02 11:29
ComboFix-quarantined-files.txt 2010-01-02 19:29
Pre-Run: 94,090,444,800 bytes free
Post-Run: 94,188,314,624 bytes free
- - End Of File - - 47B06BA97D7025FD4586AF64DF3C9D7D