Bankerfox.a & fake security alerts

View previous topic View next topic Go down

Bankerfox.a & fake security alerts

Post by R977 on Thu Jun 17, 2010 12:17 am

I have recently received the Bankerfox.a virus and fake security alerts. I have XP Professional and run McAfee regularly. I've just installed Adaware and run it also. I have read several of the topics related to this and downloaded some anti-malware (Malwarebytes, Spydoctor, and Smitfraud). Malwarebytes seems to have fixed the problem but I need to make sure. Oh, and I will be changing to Firefox from IE and I have reset the proxy settings...

Here are two of the logs from Malwarebytes:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4207

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/16/2010 7:05:55 PM
mbam-log-2010-06-16 (19-05-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 247998
Time elapsed: 42 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbjtwvnjpb (Trojan.Dropper) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbjtwvnjpb (Trojan.Dropper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\emkgqdpl (Rogue.AntivirusSuite.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\emkgqdpl (Rogue.AntivirusSuite.Gen) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Family\local settings\application data\vumkyphiu\amkrhyt.exe (Trojan.Dropper) -> No action taken.



AND


Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4207

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/16/2010 7:06:08 PM
mbam-log-2010-06-16 (19-06-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 247998
Time elapsed: 42 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbjtwvnjpb (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sbjtwvnjpb (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\emkgqdpl (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\emkgqdpl (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Family\local settings\application data\vumkyphiu\amkrhyt.exe (Trojan.Dropper) -> Quarantined and deleted successfully.



Can you tell if the problem is fixed or is there more to do?
Thanks.

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Thu Jun 17, 2010 12:34 am

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Thu Jun 17, 2010 12:47 am

Ran OTL, here are the logs:

OTL logfile created on: 6/16/2010 7:41:24 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Family\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 688.83 Gb Total Space | 643.01 Gb Free Space | 93.35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Unable to calculate disk information.

Computer Name: DESKTOP
Current User Name: Family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/16 19:41:01 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Family\Desktop\OTL.exe
PRC - [2010/06/15 20:55:45 | 000,864,112 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/06/15 20:55:44 | 001,352,832 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2010/05/11 11:51:52 | 001,287,120 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsTray.exe
PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/24 13:58:22 | 000,309,760 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2010/03/18 11:19:26 | 000,207,360 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/03/15 11:50:36 | 001,142,224 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe
PRC - [2010/03/11 11:09:22 | 000,366,840 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2010/01/22 08:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2010/01/08 13:26:28 | 001,012,688 | ---- | M] (PC Tool) -- C:\Program Files\Spyware Doctor\Alert.exe
PRC - [2009/11/04 17:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/11/04 16:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/02 14:02:56 | 000,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/08/05 12:36:20 | 000,105,664 | ---- | M] (Leader Technologies Inc.) -- C:\Program Files\LTCM Client\ltcmScheduler.exe
PRC - [2009/07/10 14:49:24 | 000,323,584 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PRC - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/07/07 11:23:00 | 001,779,952 | ---- | M] () -- C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
PRC - [2009/06/30 12:22:54 | 001,316,192 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DellDock.exe
PRC - [2009/06/18 22:46:24 | 000,494,064 | ---- | M] () -- C:\Program Files\Roxio\Roxio Burn\RoxioBurnLauncher.exe
PRC - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/03/05 00:05:26 | 000,096,752 | ---- | M] () -- C:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
PRC - [2009/02/06 01:00:00 | 000,843,776 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
PRC - [2009/02/04 22:26:38 | 000,128,232 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2009/01/12 10:54:02 | 000,669,520 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2008/12/18 15:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/12/09 10:32:06 | 000,055,120 | ---- | M] (NewSoft Technology Corporation) -- C:\Program Files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.exe
PRC - [2008/05/26 23:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/09/11 01:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/09/11 01:43:54 | 000,067,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
PRC - [2006/12/19 19:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
PRC - [2006/11/03 19:02:14 | 000,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/06/16 19:41:01 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Family\Desktop\OTL.exe
MOD - [2010/02/26 07:16:18 | 000,154,160 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\smum32.dll
MOD - [2009/10/30 10:18:16 | 000,147,024 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\PCTGMhk.dll
MOD - [2008/04/14 07:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SQLWriter)
SRV - File not found [Auto | Stopped] -- -- (SQLBrowser)
SRV - File not found [Auto | Stopped] -- -- (SessionLauncher)
SRV - File not found [Auto | Stopped] -- -- (McciServiceHost)
SRV - [2010/06/15 20:55:44 | 001,352,832 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/03/15 11:50:36 | 001,142,224 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdcoreservice)
SRV - [2010/03/11 11:09:22 | 000,366,840 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdauxservice)
SRV - [2010/01/22 08:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2009/12/05 19:10:17 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/11/04 17:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 16:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/28 12:50:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MpfSrv.exe -- (MpfService)
SRV - [2009/10/02 14:02:56 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/06/26 12:19:12 | 001,124,848 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2009/05/27 04:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/05 00:05:26 | 000,096,752 | ---- | M] () [Auto | Running] -- C:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe -- (CEEBC40A-FDED-4C59-B354-939132350B01)
SRV - [2008/12/18 15:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2008/11/24 23:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/09/11 01:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)
SRV - [2006/12/19 19:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)


========== Driver Services (SafeList) ==========

DRV - [2010/06/15 20:55:50 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/03/29 10:06:14 | 000,218,592 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/11/04 17:54:12 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 17:54:12 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 17:54:12 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 17:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/10/22 01:23:18 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/10/22 01:23:18 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/06/26 11:27:40 | 000,057,328 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2009/05/26 00:36:18 | 000,093,184 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2009/05/26 00:35:52 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/04/09 13:23:02 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/03/04 17:14:22 | 005,027,840 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/03/04 16:59:56 | 000,117,888 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/07/01 17:13:26 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2008/07/01 17:13:26 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/07/01 17:13:24 | 000,267,520 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2008/04/14 07:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 07:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2001/08/17 21:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 21:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 21:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 21:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 21:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 20:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 20:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 20:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 20:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 20:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 20:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 20:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 20:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 20:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 20:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1048



O1 HOSTS File: ([2010/06/15 20:43:30 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe ()
O4 - HKLM..\Run: [Desktop Disc Tool] c:\Program Files\Roxio\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [FUFAXSTM] C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe (Leader Technologies Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [ltcmScheduler] C:\Program Files\LTCM Client\ltcmScheduler.exe (Leader Technologies Inc.)
O4 - HKCU..\Run: [PMSpeed] C:\Program Files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.exe (NewSoft Technology Corporation)
O4 - HKCU..\Run: [WorkForce 610(Network)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S20IC1.EXE File not found
O4 - HKLM..\RunOnceEx: [ContentMerger] c:\Program Files\Common Files\Roxio Shared\10.0\SharedCom\ContentMerger10.exe (Sonic Solutions)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Family\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} [You must be registered and logged in to see this link.] (Microsoft Data Collection Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 16:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/16 19:41:00 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Family\Desktop\OTL.exe
[2010/06/16 18:22:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Application Data\Malwarebytes
[2010/06/16 18:21:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/16 18:21:52 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/16 18:21:52 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/16 18:21:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/16 18:10:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Local Settings\Application Data\Threat Expert
[2010/06/16 18:03:12 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll.old
[2010/06/16 18:03:12 | 001,652,664 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/06/16 18:03:12 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/06/16 18:03:12 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/06/16 18:02:00 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/06/16 18:01:55 | 000,218,592 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/06/16 18:01:55 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/06/16 18:01:46 | 000,063,360 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/06/16 18:01:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/06/16 18:01:40 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/06/16 18:01:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Application Data\PC Tools
[2010/06/16 18:01:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/06/16 16:16:30 | 036,597,872 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Family\Desktop\sdsetup_aff.exe
[2010/06/16 16:16:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/06/15 20:56:13 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/15 20:56:07 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/06/15 20:54:01 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/06/15 20:53:49 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/06/15 20:53:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/06/15 20:48:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Application Data\Skinux
[2010/06/15 20:05:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/06/15 19:25:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Desktop\SmitfraudFix
[2010/06/15 16:50:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/15 16:50:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/15 16:24:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Local Settings\Application Data\vumkyphiu
[2010/06/11 17:32:51 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/07 21:22:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Application Data\Blackberry Desktop
[2010/06/07 21:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2010/06/07 18:58:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Application Data\Research In Motion
[2010/05/30 09:27:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Local Settings\Application Data\fqroprvet
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/16 19:41:01 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Family\Desktop\OTL.exe
[2010/06/16 19:10:33 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/06/16 19:09:33 | 000,023,629 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/06/16 19:09:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/16 19:07:59 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/16 19:07:57 | 000,151,824 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2010/06/16 19:07:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/16 19:07:55 | 3220,230,144 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/16 19:07:01 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Family\NTUSER.DAT
[2010/06/16 19:07:01 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Family\ntuser.ini
[2010/06/16 18:35:45 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/16 18:21:55 | 000,000,698 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/16 18:01:50 | 000,001,639 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/06/16 17:40:06 | 004,793,456 | -H-- | M] () -- C:\Documents and Settings\Family\Local Settings\Application Data\IconCache.db
[2010/06/16 07:59:44 | 036,597,872 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Family\Desktop\sdsetup_aff.exe
[2010/06/15 20:56:04 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/06/15 20:56:03 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/15 20:55:50 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/06/15 20:54:00 | 000,000,869 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/06/15 19:13:42 | 001,872,472 | ---- | M] () -- C:\Documents and Settings\Family\Desktop\SmitfraudFix.exe
[2010/06/15 11:55:36 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/11 20:00:15 | 000,329,888 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 18:24:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/11 18:20:17 | 000,602,764 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/11 18:20:17 | 000,513,452 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/11 18:20:17 | 000,097,356 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/11 16:28:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/10 13:55:42 | 016,799,744 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/06/10 13:55:42 | 007,959,552 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/06/07 22:37:06 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/06/07 21:16:01 | 000,763,832 | ---- | M] () -- C:\WINDOWS\BDTSupport.dll
[2010/06/07 19:21:02 | 001,652,664 | ---- | M] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/06/06 11:58:40 | 000,013,206 | ---- | M] () -- C:\Documents and Settings\Family\Desktop\BILLS 2010.docx
[2010/06/05 13:01:20 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Family\Desktop\Word 2007.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/16 18:21:55 | 000,000,698 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/16 18:03:12 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/06/16 18:03:12 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/06/16 18:03:12 | 000,763,832 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/06/16 18:03:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/06/16 18:03:12 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/06/16 18:03:12 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/06/16 18:02:00 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/06/16 18:01:55 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/06/16 18:01:55 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/06/16 18:01:50 | 000,001,639 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/06/16 18:01:47 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/06/16 16:28:43 | 3220,230,144 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/15 21:39:13 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/15 20:57:30 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/06/15 20:54:00 | 000,000,869 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/06/15 19:48:15 | 001,872,472 | ---- | C] () -- C:\Documents and Settings\Family\Desktop\SmitfraudFix.exe
[2010/06/15 16:51:14 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/07 18:58:13 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/12/31 11:40:55 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/12/09 09:06:43 | 000,000,040 | ---- | C] () -- C:\WINDOWS\System32\EAL.INI
[2009/12/05 17:14:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2009/12/05 11:49:12 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/12/05 11:48:27 | 000,000,089 | ---- | C] () -- C:\WINDOWS\EPWF610.ini
[2009/11/20 02:15:12 | 000,001,155 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/11/20 00:52:35 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/04/25 16:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 11:16:35 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2008/04/25 11:16:35 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2008/04/25 11:16:35 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2008/04/25 11:16:35 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2008/04/25 11:16:35 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

Log #2 coming...

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Thu Jun 17, 2010 12:48 am

Log #2:

OTL Extras logfile created on: 6/16/2010 7:41:24 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Family\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 688.83 Gb Total Space | 643.01 Gb Free Space | 93.35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Unable to calculate disk information.

Computer Name: DESKTOP
Current User Name: Family
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)
"C:\Program Files\Common Files\Motive\McciServiceHost.exe" = C:\Program Files\Common Files\Motive\McciServiceHost.exe:*:Enabled:McciServiceHost -- File not found
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{01A1A019-E1D8-482A-BE17-5E118D17C0A0}" = ArcSoft Print Creations - Brochures & Flyers
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{070B059B-F742-4532-B9D1-11E1E3887C6C}" = BlackBerry Device Software Updater
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
"{0B34A675-6029-AC00-90EF-74D28B842882}" = CCC Help Chinese Standard
"{0B50356E-ED2C-E8B8-1DCF-370D92048416}" = CCC Help Korean
"{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}" = Epson FAX Utility
"{0E5C9A93-F910-B2D4-A2C2-3BD9DA952A4C}" = Skins
"{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}" = Dell DataSafe Online
"{140BF940-2769-50D6-0D54-0AC1BDE01BA4}" = CCC Help Japanese
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 16
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{294EAADF-E50F-4DD8-AD8D-19587EA10512}" = Modem Diagnostic Tool
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3106DC33-E869-8341-4730-E4FF289BCCF9}" = CCC Help Turkish
"{32F9BACF-FCD3-4B6A-AD85-255A449B6FA5}" = Roxio BackOnTrack
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3BD76F20-EAA2-012B-AE7F-000000000000}" = TurboTax 2009 wokiper
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}" = Adobe Premiere Elements 4.0
"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{453173DB-9744-2A1E-6BCB-3DD55773D506}" = Catalyst Control Center Graphics Previews Common
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Easy CD and DVD Burning
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
"{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}" = Roxio Media Manager
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{612B5D2E-8084-4102-91DE-24281E4EFB2C}" = Roxio Easy CD and DVD Burning
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{6509DE4F-DCCF-578B-40A8-101348F6A65D}" = CCC Help Portuguese
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD DX
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C5415FA-D8D1-6F19-435A-705417AB72E4}" = CCC Help Italian
"{6FD60C58-7319-044A-0072-6D8EAA0A1926}" = Catalyst Control Center Graphics Full New
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7374D6DD-3D36-6D3E-5EE1-789E2813DC27}" = ccc-core-static
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
"{73CD9967-000C-49C6-A900-C87D5B2D253F}" = Presto! PageManager 8.15.01 SE
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{8300B23B-CEFA-E2C4-D771-DFBE3EB607B3}" = Catalyst Control Center Localization All
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8C56376D-9057-B9E4-44CE-9C4EB39DAA66}" = Catalyst Control Center Graphics Light
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_SMALLBUSINESSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_SMALLBUSINESSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-00CA-0000-0000-0000000FF1CE}" = Microsoft Office Small Business 2007
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9CC26B88-6560-56DA-0FB2-5CD93A616739}" = CCC Help Spanish
"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A33E7B0C-B99C-4EC9-B702-8A328B161AF9}" = Roxio Burn
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A69D7B32-2BE9-42BF-B576-69B5E0FF7394}" = Catalyst Control Center - Branding
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{ACB4C3FB-2682-11B5-32CA-10A29A73A1B2}" = Catalyst Control Center Graphics Full Existing
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{AF8A834A-6EAE-46E2-754D-38F13CF47977}" = CCC Help French
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
"{BA165460-FCF7-4D6C-A7A2-F2321700720F}" = MobileMe Control Panel
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BBC7164B-A04A-A4D6-48E2-02819DF6CA01}" = ccc-core-preinstall
"{BC66FD90-7BF4-4026-8119-04161D02A2F3}" = ArcSoft Print Creations
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C178B38F-613A-4EFE-B718-A675BD27A1E1}" = BlackBerry Desktop Software 4.3
"{C5A7668E-2AF7-69E1-45FD-F59A230629E0}" = ccc-utility
"{C773BF86-547F-06FA-ED45-DF284236E8A5}" = CCC Help Chinese Traditional
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCF6F57B-F6B4-4508-BF45-63AAC9DE416A}" = Quicken 2010
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D998C238-6EFB-7CC3-6E14-940CE7E06762}" = CCC Help Hungarian
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E00B477F-8558-45DA-B25A-69935FB89A94}" = Dell Dock
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E6511D1C-B58C-DA1F-DC9B-D09E95C0C071}" = CCC Help German
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
"{EE914C1D-B4FC-BBCA-1BB0-142E36615043}" = CCC Help English
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F85C7118-F3DC-4ED9-AB27-3E7931EA3D88}" = Adobe Premiere Elements 4.0 Templates
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FC3E1F14-ACCE-3030-18A3-10B778F535B7}" = Catalyst Control Center Core Implementation
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FDB46DE7-9045-47BB-970A-3E4ED5369E03}" = EMC 10 Content
"{FFFAE01B-466F-4C07-9821-A94FD753BDDA}" = EpsonNet Setup
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 6" = Adobe Photoshop Elements 6.0
"ATI Display Driver" = ATI Display Driver
"ATT" = AT&T U-verse Setup
"BlackBerry_{C178B38F-613A-4EFE-B718-A675BD27A1E1}" = BlackBerry Desktop Software 4.3
"Browser Defender_is1" = Browser Defender 2.0.6.15
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"CNXT_MODEM_PCI_HSF" = Conexant D850 PCI V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"EPSON PC-FAX Driver 2" = Epson PC-FAX Driver
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"EPSON WorkForce 610 Series" = EPSON WorkForce 610 Series Printer Uninstall
"ie8" = Windows Internet Explorer 8
"LTCM Client" = LTCM Client
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MSC" = McAfee SecurityCenter
"PremElem40" = Adobe Premiere Elements 4.0
"PremElem40Templates" = Adobe Premiere Elements 4.0 Templates
"SMALLBUSINESSR" = Microsoft Office Small Business 2007
"Spyware Doctor" = Spyware Doctor 7.0
"TurboTax 2009" = TurboTax 2009
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinLiveSuite_Wave3" = Windows Live Essentials
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Mail" = att.net Internet Mail

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Setup_Client" = Juniper Networks Setup Client
"Juniper_Term_Services" = Juniper Terminal Services Client

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/16/2010 12:04:06 AM | Computer Name = DESKTOP | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1953

Error - 6/16/2010 12:04:08 AM | Computer Name = DESKTOP | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/16/2010 12:04:08 AM | Computer Name = DESKTOP | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3906

Error - 6/16/2010 12:04:08 AM | Computer Name = DESKTOP | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3906

Error - 6/16/2010 5:20:21 PM | Computer Name = DESKTOP | Source = Swapdrive Backup | ID = 0
Description = Swapdrive Backup: Web Service Error: System.Net.WebException: Unable
to connect to the remote server ---> System.Net.Sockets.SocketException: No connection
could be made because the target machine actively refused it 127.0.0.1:1055 at
System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)

at System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP) at System.Net.ServicePoint.ConnectSocketInternal(Boolean
connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState
state, IAsyncResult asyncResult, Int32 timeout, Exception& exception) --- End
of inner exception stack trace --- at System.Net.HttpWebRequest.GetRequestStream(TransportContext&
context) at System.Net.HttpWebRequest.GetRequestStream() at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters) at Swapdrive.Shared.com.backup.uswsvcdell.Service.GetInfo(GetInfoRequest
req) at Swapdrive.Shared.ActivationWsvcs.GetInfo()

Error - 6/16/2010 5:22:13 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application amkrhyt.exe, version 2.4.4587.1000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/16/2010 5:31:15 PM | Computer Name = DESKTOP | Source = Swapdrive Backup | ID = 0
Description = Swapdrive Backup: Web Service Error: System.Net.WebException: The
operation has timed out at System.Net.HttpWebRequest.GetRequestStream(TransportContext&
context) at System.Net.HttpWebRequest.GetRequestStream() at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters) at Swapdrive.Shared.com.backup.uswsvcdell.Service.GetInfo(GetInfoRequest
req) at Swapdrive.Shared.ActivationWsvcs.GetInfo()

Error - 6/16/2010 6:39:17 PM | Computer Name = DESKTOP | Source = pctsSvc.exe | ID = 0
Description =

Error - 6/16/2010 6:55:14 PM | Computer Name = DESKTOP | Source = pctsSvc.exe | ID = 0
Description =

Error - 6/16/2010 7:00:12 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application amkrhyt.exe, version 2.4.4587.1000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ Application Events ]
Error - 6/16/2010 12:04:06 AM | Computer Name = DESKTOP | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1953

Error - 6/16/2010 12:04:08 AM | Computer Name = DESKTOP | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/16/2010 12:04:08 AM | Computer Name = DESKTOP | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3906

Error - 6/16/2010 12:04:08 AM | Computer Name = DESKTOP | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3906

Error - 6/16/2010 5:20:21 PM | Computer Name = DESKTOP | Source = Swapdrive Backup | ID = 0
Description = Swapdrive Backup: Web Service Error: System.Net.WebException: Unable
to connect to the remote server ---> System.Net.Sockets.SocketException: No connection
could be made because the target machine actively refused it 127.0.0.1:1055 at
System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)

at System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP) at System.Net.ServicePoint.ConnectSocketInternal(Boolean
connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState
state, IAsyncResult asyncResult, Int32 timeout, Exception& exception) --- End
of inner exception stack trace --- at System.Net.HttpWebRequest.GetRequestStream(TransportContext&
context) at System.Net.HttpWebRequest.GetRequestStream() at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters) at Swapdrive.Shared.com.backup.uswsvcdell.Service.GetInfo(GetInfoRequest
req) at Swapdrive.Shared.ActivationWsvcs.GetInfo()

Error - 6/16/2010 5:22:13 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application amkrhyt.exe, version 2.4.4587.1000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/16/2010 5:31:15 PM | Computer Name = DESKTOP | Source = Swapdrive Backup | ID = 0
Description = Swapdrive Backup: Web Service Error: System.Net.WebException: The
operation has timed out at System.Net.HttpWebRequest.GetRequestStream(TransportContext&
context) at System.Net.HttpWebRequest.GetRequestStream() at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String
methodName, Object[] parameters) at Swapdrive.Shared.com.backup.uswsvcdell.Service.GetInfo(GetInfoRequest
req) at Swapdrive.Shared.ActivationWsvcs.GetInfo()

Error - 6/16/2010 6:39:17 PM | Computer Name = DESKTOP | Source = pctsSvc.exe | ID = 0
Description =

Error - 6/16/2010 6:55:14 PM | Computer Name = DESKTOP | Source = pctsSvc.exe | ID = 0
Description =

Error - 6/16/2010 7:00:12 PM | Computer Name = DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application amkrhyt.exe, version 2.4.4587.1000, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/27/2010 11:55:21 AM | Computer Name = DESKTOP | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.67 on
the Network Card with network address 002564053C0F.


< End of report >


That should be both logs..

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Thu Jun 17, 2010 12:55 am

Hello.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    [2010/06/15 16:24:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Local Settings\Application Data\vumkyphiu
    [2010/05/30 09:27:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Family\Local Settings\Application Data\fqroprvet



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Thu Jun 17, 2010 1:03 am

From OTL:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
C:\Documents and Settings\Family\Local Settings\Application Data\vumkyphiu folder moved successfully.
C:\Documents and Settings\Family\Local Settings\Application Data\fqroprvet folder moved successfully.

OTL by OldTimer - Version 3.2.6.0 log created on 06162010_200210


As for the proxy settings, I had already done that but double checked to be sure and all was well.

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Thu Jun 17, 2010 1:15 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Thu Jun 17, 2010 1:51 pm

I'm getting this when I try Link1 for ComboFix in Firefox:

File not found

Firefox can't find the file at [You must be registered and logged in to see this link.]
* Check the file name for capitalization or other typing errors.

* Check to see if the file was moved, renamed or deleted.

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Thu Jun 17, 2010 2:16 pm

Ok, I'm on a different computer now. Several things have happened..

By clearing the History in Firefox I was able to download ComboFix. I renamed it as told. It downloaded successfully after turning off McAfee. I ran it after it downloaded a Restore. During Combo-Fix, it said I had a bad file (Bad_Pool_Caller) and WIndows shut down, telling me to reboot. I did.

Do I run Combo-Fix again?

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Thu Jun 17, 2010 4:10 pm

Yes, try that please.

If still no go, please let me know.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Thu Jun 17, 2010 5:11 pm

Had to run an errand, back now, still on different box.

Ran the Combo-Fix again and recv'd the same message. Windows shut down, rebooted.

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Thu Jun 17, 2010 5:17 pm

Turned McAfee back on and now on infected box. Easier to do this way but I can switch off of it if you need to me to.

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Fri Jun 18, 2010 12:00 am

Hello.
Please update and run a new MBAM scan, post the new log when done.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Fri Jun 18, 2010 12:22 am

Ran this earlier today anticipating you asking for it.

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4210

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/17/2010 1:52:33 PM
mbam-log-2010-06-17 (13-52-33).txt

Scan type: Quick scan
Objects scanned: 143233
Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Fri Jun 18, 2010 12:25 am

Though I do only want to address one thing at a time, I've gone to Firefox today and every now and then, not every time, it will redirect itself to advertisements. They're not porn sites or anything, more like management business schools, etc. They go away easily on just clicking the tab off but...just fyi for later.

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Sat Jun 19, 2010 12:19 am

Hello.


  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Sat Jun 19, 2010 2:39 am

21:37:44:718 5396 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
21:37:44:718 5396 ================================================================================
21:37:44:718 5396 SystemInfo:

21:37:44:718 5396 OS Version: 5.1.2600 ServicePack: 3.0
21:37:44:718 5396 Product type: Workstation
21:37:44:718 5396 ComputerName: DESKTOP
21:37:44:718 5396 UserName: Family
21:37:44:718 5396 Windows directory: C:\WINDOWS
21:37:44:718 5396 Processor architecture: Intel x86
21:37:44:718 5396 Number of processors: 2
21:37:44:718 5396 Page size: 0x1000
21:37:44:718 5396 Boot type: Normal boot
21:37:44:718 5396 ================================================================================
21:37:44:906 5396 Initialize success
21:37:44:921 5396
21:37:44:921 5396 Scanning Services ...
21:37:45:187 5396 Raw services enum returned 377 services
21:37:45:203 5396
21:37:45:203 5396 Scanning Drivers ...
21:37:45:781 5396 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
21:37:45:859 5396 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:37:45:875 5396 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:37:45:906 5396 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
21:37:45:968 5396 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:37:46:015 5396 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
21:37:46:031 5396 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
21:37:46:062 5396 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
21:37:46:078 5396 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
21:37:46:171 5396 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
21:37:46:218 5396 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
21:37:46:281 5396 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
21:37:46:343 5396 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
21:37:46:359 5396 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
21:37:46:359 5396 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
21:37:46:421 5396 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
21:37:46:453 5396 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
21:37:46:515 5396 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
21:37:46:562 5396 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
21:37:46:640 5396 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:37:46:656 5396 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:37:46:734 5396 ati2mtag (79e69e18960e8013840af2681c5e77ab) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
21:37:46:812 5396 AtiHdmiService (d9bc8892b9440a2551b8148c57aa039e) C:\WINDOWS\system32\drivers\AtiHdmi.sys
21:37:46:890 5396 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:37:46:921 5396 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:37:46:937 5396 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:37:46:953 5396 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
21:37:46:968 5396 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:37:46:984 5396 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
21:37:47:000 5396 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:37:47:015 5396 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:37:47:046 5396 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:37:47:125 5396 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
21:37:47:140 5396 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
21:37:47:156 5396 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
21:37:47:171 5396 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
21:37:47:203 5396 Disk (a50482c6101910e48030466b8a96abd4) C:\WINDOWS\system32\DRIVERS\disk.sys
21:37:47:203 5396 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\disk.sys. Real md5: a50482c6101910e48030466b8a96abd4, Fake md5: 044452051f3e02e7963599fc8f4f3e25
21:37:47:203 5396 File "C:\WINDOWS\system32\DRIVERS\disk.sys" infected by TDSS rootkit ... 21:37:48:046 5396 Backup copy found, using it..
21:37:48:046 5396 will be cured on next reboot
21:37:48:078 5396 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:37:48:093 5396 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:37:48:109 5396 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:37:48:125 5396 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:37:48:171 5396 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
21:37:48:187 5396 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:37:48:203 5396 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:37:48:203 5396 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
21:37:48:218 5396 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:37:48:234 5396 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:37:48:250 5396 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
21:37:48:250 5396 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:37:48:265 5396 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:37:48:281 5396 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
21:37:48:328 5396 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:37:48:343 5396 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:37:48:343 5396 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:37:48:375 5396 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
21:37:48:421 5396 HSFHWBS2 (ac04fc91b57b27086ccf02086fd3f4cb) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
21:37:48:515 5396 HSF_DPV (f362c0b442337da8ab0608dfaa4ca076) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
21:37:48:593 5396 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:37:48:609 5396 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
21:37:48:640 5396 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
21:37:48:640 5396 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:37:48:656 5396 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
21:37:48:796 5396 IntcAzAudAddService (2feb5bf0312e1cb76cd2caa875cbaa5d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
21:37:48:875 5396 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
21:37:48:890 5396 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:37:48:906 5396 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
21:37:48:921 5396 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:37:48:937 5396 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:37:48:953 5396 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:37:48:968 5396 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:37:48:968 5396 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:37:49:000 5396 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:37:49:015 5396 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:37:49:015 5396 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:37:49:046 5396 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
21:37:49:062 5396 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:37:49:093 5396 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:37:49:093 5396 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
21:37:49:125 5396 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
21:37:49:156 5396 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
21:37:49:234 5396 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
21:37:49:296 5396 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys
21:37:49:359 5396 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
21:37:49:421 5396 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
21:37:49:468 5396 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:37:49:484 5396 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:37:49:500 5396 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:37:49:500 5396 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:37:49:515 5396 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:37:49:515 5396 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys
21:37:49:593 5396 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
21:37:49:703 5396 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
21:37:49:781 5396 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
21:37:49:812 5396 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:37:49:843 5396 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:37:49:859 5396 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:37:49:921 5396 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:37:49:953 5396 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:37:49:953 5396 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:37:49:984 5396 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:37:49:984 5396 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
21:37:50:000 5396 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:37:50:000 5396 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:37:50:015 5396 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:37:50:031 5396 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:37:50:046 5396 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
21:37:50:046 5396 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:37:50:062 5396 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:37:50:078 5396 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
21:37:50:078 5396 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:37:50:125 5396 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:37:50:171 5396 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
21:37:50:203 5396 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:37:50:234 5396 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:37:50:234 5396 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:37:50:250 5396 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
21:37:50:265 5396 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
21:37:50:281 5396 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:37:50:312 5396 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:37:50:328 5396 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:37:50:359 5396 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:37:50:375 5396 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:37:50:421 5396 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
21:37:50:468 5396 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
21:37:50:484 5396 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:37:50:484 5396 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:37:50:500 5396 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:37:50:515 5396 PxHelp20 (5491e4e7d93804f43abe8ce3c39f5a86) C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:37:50:531 5396 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
21:37:50:546 5396 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
21:37:50:562 5396 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
21:37:50:578 5396 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
21:37:50:593 5396 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
21:37:50:609 5396 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:37:50:625 5396 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:37:50:640 5396 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:37:50:640 5396 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:37:50:656 5396 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:37:50:656 5396 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:37:50:671 5396 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:37:50:703 5396 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
21:37:50:703 5396 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:37:50:734 5396 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
21:37:50:796 5396 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
21:37:50:828 5396 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
21:37:50:859 5396 RTLE8023xp (839141088ad7ee90f5b441b2d1afd22c) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
21:37:50:937 5396 RxFilter (aabb1d240862349181f5350dd62faae7) C:\WINDOWS\system32\DRIVERS\RxFilter.sys
21:37:51:031 5396 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:37:51:062 5396 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
21:37:51:062 5396 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:37:51:093 5396 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
21:37:51:109 5396 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
21:37:51:125 5396 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:37:51:125 5396 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:37:51:171 5396 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
21:37:51:171 5396 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:37:51:203 5396 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:37:51:218 5396 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
21:37:51:265 5396 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
21:37:51:312 5396 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
21:37:51:328 5396 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
21:37:51:406 5396 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:37:51:421 5396 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:37:51:437 5396 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:37:51:453 5396 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:37:51:468 5396 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:37:51:484 5396 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
21:37:51:500 5396 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:37:51:515 5396 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
21:37:51:578 5396 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:37:51:609 5396 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
21:37:51:687 5396 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:37:51:703 5396 usbehci (4bac8df07f1d8434fc640e677a62204e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:37:51:796 5396 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:37:51:812 5396 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:37:51:843 5396 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:37:51:843 5396 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:37:51:859 5396 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:37:51:875 5396 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:37:51:890 5396 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
21:37:51:921 5396 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
21:37:51:953 5396 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:37:51:968 5396 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:37:52:000 5396 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
21:37:52:078 5396 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:37:52:109 5396 winachsf (92ce6497076eac3083185c44157b3a46) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
21:37:52:171 5396 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:37:52:171 5396 Reboot required for cure complete..
21:37:52:484 5396 Cure on reboot scheduled successfully
21:37:52:484 5396
21:37:52:484 5396 Completed
21:37:52:484 5396
21:37:52:484 5396 Results:
21:37:52:484 5396 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:37:52:484 5396 File objects infected / cured / cured on reboot: 1 / 0 / 1
21:37:52:484 5396
21:37:52:484 5396 KLMD(ARK) unloaded successfully

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Sat Jun 19, 2010 2:48 am

So where are we in all this? The original pop ups from Bankerfox.A have stopped. I get occasional redirects on Firefox. Just wondering how much more there is to do.

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Sat Jun 19, 2010 4:37 pm

Hello.
Try Combofix now please.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Sat Jun 19, 2010 5:44 pm

ComboFix 10-06-16.04 - Family 06/19/2010 12:36:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2007 [GMT -5:00]
Running from: c:\documents and settings\Family\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 16:53 . 2010-06-19 16:53 -------- d-----w- c:\windows\LastGood
2010-06-18 22:57 . 2010-06-18 22:57 -------- d-----w- c:\program files\iPod
2010-06-18 22:57 . 2010-06-18 22:57 -------- d-----w- c:\program files\iTunes
2010-06-18 22:53 . 2010-06-18 22:53 -------- d-----w- c:\program files\Bonjour
2010-06-18 22:50 . 2010-06-18 22:50 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-18 15:16 . 2010-06-18 15:16 -------- d-----w- c:\program files\ESET
2010-06-17 02:32 . 2010-06-17 02:32 0 ----a-w- c:\windows\nsreg.dat
2010-06-17 02:32 . 2010-06-17 02:32 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Mozilla
2010-06-17 01:02 . 2010-06-17 01:02 -------- d-----w- C:\_OTL
2010-06-16 23:22 . 2010-06-16 23:22 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2010-06-16 23:21 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-16 23:21 . 2010-06-16 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-16 23:21 . 2010-06-16 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-16 23:21 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-16 23:10 . 2010-06-16 23:10 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Threat Expert
2010-06-16 23:01 . 2010-06-17 02:28 -------- d-----w- c:\program files\Spyware Doctor
2010-06-16 21:16 . 2010-06-17 02:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-16 02:39 . 2010-06-16 01:56 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-16 01:56 . 2010-06-16 01:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-16 01:56 . 2010-06-16 01:56 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-16 01:54 . 2010-06-16 01:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-16 01:54 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-16 01:53 . 2010-06-16 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-16 01:53 . 2010-06-16 01:54 -------- d-----w- c:\program files\Lavasoft
2010-06-16 01:48 . 2010-06-16 01:48 -------- d-----w- c:\documents and settings\Family\Application Data\Skinux
2010-06-15 21:51 . 2010-06-19 00:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-11 22:32 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 02:22 . 2010-06-08 02:22 -------- d-----w- c:\documents and settings\Family\Application Data\Blackberry Desktop
2010-06-08 02:16 . 2010-06-08 02:16 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-06-08 00:08 . 2010-06-08 00:08 53248 ----a-r- c:\documents and settings\Family\Application Data\Microsoft\Installer\{070B059B-F742-4532-B9D1-11E1E3887C6C}\ARPPRODUCTICON.exe
2010-06-07 23:58 . 2010-06-08 03:37 256 ----a-w- c:\windows\system32\pool.bin
2010-06-07 23:58 . 2010-06-07 23:58 -------- d-----w- c:\documents and settings\Family\Application Data\Research In Motion
2010-05-28 12:39 . 2010-05-28 12:39 37464 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\setup\uninstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 02:59 . 2009-12-05 16:56 -------- d-----w- c:\documents and settings\Family\Application Data\.oit
2010-06-19 02:59 . 2009-12-05 06:13 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-06-19 02:40 . 2008-04-14 00:10 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-06-18 23:22 . 2009-12-26 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-18 22:57 . 2009-12-06 00:30 -------- d-----w- c:\program files\Common Files\Apple
2010-06-15 21:27 . 2009-11-20 05:49 -------- d-----w- c:\program files\McAfee
2010-06-11 23:23 . 2009-11-20 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 02:16 . 2009-12-03 02:03 -------- d-----w- c:\documents and settings\Family\Application Data\Roxio
2010-06-08 00:08 . 2009-12-09 15:06 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-06-08 00:02 . 2009-11-20 05:39 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-28 12:53 . 2010-01-28 13:44 -------- d-----w- c:\documents and settings\Family\Application Data\Juniper Networks
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-16 17:00 . 2009-12-05 16:51 -------- d-----w- c:\documents and settings\Family\Application Data\Epson
2010-05-06 10:41 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-03 21:25 . 2010-05-03 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-03 21:22 . 2010-05-03 21:21 -------- d-----w- c:\program files\QuickTime
2010-05-02 06:34 . 2008-04-25 16:16 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2008-04-25 16:16 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 01:47 . 2009-12-06 00:35 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 01:47 . 2009-12-06 00:35 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-10 19:08 . 2010-04-10 19:08 43144 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\uninstall.exe
2010-04-10 19:08 . 2010-04-10 19:08 263536 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe
2010-04-10 19:07 . 2010-04-10 19:07 6656 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_KO.dll
2010-04-10 19:07 . 2010-04-10 19:07 6656 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_JA.dll
2010-04-10 19:07 . 2010-04-10 19:07 13312 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_DE.dll
2010-04-10 19:07 . 2010-04-10 19:07 11776 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_FR.dll
2010-04-10 19:07 . 2010-04-10 19:07 11776 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_ES.dll
2010-04-10 19:07 . 2010-04-10 19:07 4608 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_ZH_CN.dll
2010-04-10 19:07 . 2010-04-10 19:07 4608 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_ZH.dll
2010-04-10 19:07 . 2010-04-10 19:07 10752 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_en.dll
2010-04-10 19:07 . 2010-04-10 19:07 188416 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServProxy.dll
2010-04-10 19:07 . 2010-04-10 19:07 90112 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServDt.dll
2010-04-10 19:07 . 2010-04-10 19:07 303104 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClient.dll
2010-04-10 19:07 . 2010-04-10 19:07 24576 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_EN.dll
2010-04-10 18:59 . 2010-04-10 18:59 18944 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_FR.dll
2010-04-10 18:59 . 2010-04-10 18:59 18944 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_DE.dll
2010-04-10 18:59 . 2010-04-10 18:59 16384 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_ZH_CN.dll
2010-04-10 18:59 . 2010-04-10 18:59 16384 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_ZH.dll
2010-04-10 18:59 . 2010-04-10 18:59 18432 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_ES.dll
2010-04-10 18:59 . 2010-04-10 18:59 16896 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_KO.dll
2010-04-10 18:58 . 2010-04-10 18:58 16896 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_JA.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"PMSpeed"="c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE" [2008-12-09 55120]
"ltcmScheduler"="c:\program files\LTCM Client\ltcmScheduler.exe" [2009-08-05 105664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-04 18084864]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-14 61440]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Desktop Disc Tool"="c:\program files\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-19 494064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-06 843776]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]

c:\documents and settings\Family\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-11-20 50688]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/15/2010 8:56 PM 64288]
R2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;c:\program files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [3/5/2009 12:05 AM 96752]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 3:05 PM 155648]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1352832]
S2 McciServiceHost;McciServiceHost;"c:\program files\Common Files\Motive\McciServiceHost.exe" --> c:\program files\Common Files\Motive\McciServiceHost.exe [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [6/26/2009 12:19 PM 1124848]
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 01:55]

2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-18 c:\windows\Tasks\QuickClean.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-20 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:1048
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\vnh4uu28.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-19 12:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-19 12:41:30
ComboFix-quarantined-files.txt 2010-06-19 17:41

Pre-Run: 690,025,295,872 bytes free
Post-Run: 690,158,354,432 bytes free

- - End Of File - - 7ED4EEF830A209B73FC1630E7AA1C223

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Sun Jun 20, 2010 12:15 am

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:1048

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Sun Jun 20, 2010 1:03 pm

ComboFix 10-06-16.04 - Family 06/20/2010 7:56.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2025 [GMT -5:00]
Running from: c:\documents and settings\Family\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Family\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-19 16:53 . 2010-06-19 16:53 -------- d-----w- c:\windows\LastGood
2010-06-18 22:57 . 2010-06-18 22:57 -------- d-----w- c:\program files\iPod
2010-06-18 22:57 . 2010-06-18 22:57 -------- d-----w- c:\program files\iTunes
2010-06-18 22:53 . 2010-06-18 22:53 -------- d-----w- c:\program files\Bonjour
2010-06-18 22:50 . 2010-06-18 22:50 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-18 15:16 . 2010-06-18 15:16 -------- d-----w- c:\program files\ESET
2010-06-17 02:32 . 2010-06-17 02:32 0 ----a-w- c:\windows\nsreg.dat
2010-06-17 02:32 . 2010-06-17 02:32 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Mozilla
2010-06-17 01:02 . 2010-06-17 01:02 -------- d-----w- C:\_OTL
2010-06-16 23:22 . 2010-06-16 23:22 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2010-06-16 23:21 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-16 23:21 . 2010-06-16 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-16 23:21 . 2010-06-16 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-16 23:21 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-16 23:10 . 2010-06-16 23:10 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Threat Expert
2010-06-16 23:01 . 2010-06-17 02:28 -------- d-----w- c:\program files\Spyware Doctor
2010-06-16 21:16 . 2010-06-17 02:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-16 02:39 . 2010-06-16 01:56 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-16 01:56 . 2010-06-16 01:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-16 01:56 . 2010-06-16 01:56 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-16 01:54 . 2010-06-16 01:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-16 01:54 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-16 01:53 . 2010-06-16 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-16 01:53 . 2010-06-16 01:54 -------- d-----w- c:\program files\Lavasoft
2010-06-16 01:48 . 2010-06-16 01:48 -------- d-----w- c:\documents and settings\Family\Application Data\Skinux
2010-06-15 21:51 . 2010-06-19 00:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-11 22:32 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 02:22 . 2010-06-08 02:22 -------- d-----w- c:\documents and settings\Family\Application Data\Blackberry Desktop
2010-06-08 02:16 . 2010-06-08 02:16 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-06-08 00:08 . 2010-06-08 00:08 53248 ----a-r- c:\documents and settings\Family\Application Data\Microsoft\Installer\{070B059B-F742-4532-B9D1-11E1E3887C6C}\ARPPRODUCTICON.exe
2010-06-07 23:58 . 2010-06-08 03:37 256 ----a-w- c:\windows\system32\pool.bin
2010-06-07 23:58 . 2010-06-07 23:58 -------- d-----w- c:\documents and settings\Family\Application Data\Research In Motion
2010-05-28 12:39 . 2010-05-28 12:39 37464 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\setup\uninstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 02:59 . 2009-12-05 16:56 -------- d-----w- c:\documents and settings\Family\Application Data\.oit
2010-06-19 02:59 . 2009-12-05 06:13 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-06-19 02:40 . 2008-04-14 00:10 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-06-18 23:22 . 2009-12-26 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-18 22:57 . 2009-12-06 00:30 -------- d-----w- c:\program files\Common Files\Apple
2010-06-15 21:27 . 2009-11-20 05:49 -------- d-----w- c:\program files\McAfee
2010-06-11 23:23 . 2009-11-20 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 02:16 . 2009-12-03 02:03 -------- d-----w- c:\documents and settings\Family\Application Data\Roxio
2010-06-08 00:08 . 2009-12-09 15:06 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-06-08 00:02 . 2009-11-20 05:39 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-28 12:53 . 2010-01-28 13:44 -------- d-----w- c:\documents and settings\Family\Application Data\Juniper Networks
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-16 17:00 . 2009-12-05 16:51 -------- d-----w- c:\documents and settings\Family\Application Data\Epson
2010-05-06 10:41 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-03 21:25 . 2010-05-03 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-03 21:22 . 2010-05-03 21:21 -------- d-----w- c:\program files\QuickTime
2010-05-02 06:34 . 2008-04-25 16:16 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2008-04-25 16:16 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 01:47 . 2009-12-06 00:35 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 01:47 . 2009-12-06 00:35 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-10 19:08 . 2010-04-10 19:08 43144 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\uninstall.exe
2010-04-10 19:08 . 2010-04-10 19:08 263536 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe
2010-04-10 19:07 . 2010-04-10 19:07 6656 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_KO.dll
2010-04-10 19:07 . 2010-04-10 19:07 6656 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_JA.dll
2010-04-10 19:07 . 2010-04-10 19:07 13312 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_DE.dll
2010-04-10 19:07 . 2010-04-10 19:07 11776 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_FR.dll
2010-04-10 19:07 . 2010-04-10 19:07 11776 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_ES.dll
2010-04-10 19:07 . 2010-04-10 19:07 4608 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_ZH_CN.dll
2010-04-10 19:07 . 2010-04-10 19:07 4608 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_ZH.dll
2010-04-10 19:07 . 2010-04-10 19:07 10752 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServResource_en.dll
2010-04-10 19:07 . 2010-04-10 19:07 188416 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServProxy.dll
2010-04-10 19:07 . 2010-04-10 19:07 90112 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServDt.dll
2010-04-10 19:07 . 2010-04-10 19:07 303104 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClient.dll
2010-04-10 19:07 . 2010-04-10 19:07 24576 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_EN.dll
2010-04-10 18:59 . 2010-04-10 18:59 18944 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_FR.dll
2010-04-10 18:59 . 2010-04-10 18:59 18944 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_DE.dll
2010-04-10 18:59 . 2010-04-10 18:59 16384 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_ZH_CN.dll
2010-04-10 18:59 . 2010-04-10 18:59 16384 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_ZH.dll
2010-04-10 18:59 . 2010-04-10 18:59 18432 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_ES.dll
2010-04-10 18:59 . 2010-04-10 18:59 16896 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_KO.dll
2010-04-10 18:58 . 2010-04-10 18:58 16896 ----a-w- c:\documents and settings\Family\Application Data\Juniper Networks\Juniper Terminal Services Client\dsWinClientResource_JA.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-03 00:57 . 2010-06-20 12:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-03 00:57 . 2010-06-19 16:46 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-03 00:57 . 2010-06-20 12:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-12-03 00:57 . 2010-06-19 16:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-19 20:38 . 2010-06-20 12:46 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-12-03 00:57 . 2010-06-19 16:46 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"PMSpeed"="c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE" [2008-12-09 55120]
"ltcmScheduler"="c:\program files\LTCM Client\ltcmScheduler.exe" [2009-08-05 105664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-04 18084864]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-14 61440]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Desktop Disc Tool"="c:\program files\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-19 494064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-06 843776]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]

c:\documents and settings\Family\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-30 1316192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-11-20 50688]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/15/2010 8:56 PM 64288]
R2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;c:\program files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [3/5/2009 12:05 AM 96752]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 3:05 PM 155648]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1352832]
S2 McciServiceHost;McciServiceHost;"c:\program files\Common Files\Motive\McciServiceHost.exe" --> c:\program files\Common Files\Motive\McciServiceHost.exe [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [6/26/2009 12:19 PM 1124848]
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 01:55]

2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-18 c:\windows\Tasks\QuickClean.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-20 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\vnh4uu28.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-20 08:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5252)
c:\windows\system32\WININET.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-06-20 08:01:03
ComboFix-quarantined-files.txt 2010-06-20 13:01
ComboFix2.txt 2010-06-19 17:41

Pre-Run: 690,172,338,176 bytes free
Post-Run: 690,150,305,792 bytes free

- - End Of File - - EBA0DAA826A613B4E003CFFB416C8C56

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Sun Jun 20, 2010 7:04 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Sun Jun 20, 2010 11:04 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=bbf3abc0ab2b844ba6c033b50d472c89
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-18 04:09:24
# local_time=2010-06-18 11:09:24 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16776533 100 96 5827112 28876119 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=116304
# found=0
# cleaned=0
# scan_time=2768
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=bbf3abc0ab2b844ba6c033b50d472c89
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-20 11:02:19
# local_time=2010-06-20 06:02:19 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16776533 100 96 6025430 29074437 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=112086
# found=0
# cleaned=0
# scan_time=2025

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Mon Jun 21, 2010 3:20 pm

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Mon Jun 21, 2010 5:50 pm

Runs fine as far as I can tell. The virus has stopped doing the fake security popups. I really appreciate all you've done. Think it's fixed?

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Tue Jun 22, 2010 1:33 am

[You must be registered and logged in to see this link.]

This is weird. Google and my saved bookmark went to this site instead of yours. Just fyi. 1st time its done that.

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Tue Jun 22, 2010 2:52 pm

Hello.
I know, it's a recent bug with forumotion, we are waiting for them to fix it.

The logs look good, the machine should be okay now.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Tue Jun 22, 2010 3:40 pm

I'm satisfied if your satisfied. Mark this as solved. Thanks for everything :smile2:

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by Belahzur on Tue Jun 22, 2010 5:43 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Bankerfox.a & fake security alerts

Post by R977 on Wed Jun 23, 2010 1:32 am

Thanks again

R977
Novice
Novice

Posts Posts : 29
Joined Joined : 2010-06-16
Gender Gender : Male
OS OS : XP Professional
Protection Protection : McAfee/Malwarebytes/Spybot/Spyware/SpyGuard
Points Points : 24024
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum