
ComboFix log

(OP)
My computer is a Windows Vista machine. It was taken over by a fake anti-virus called Vista Security or something like that. All attempts at removal were unsuccessful, so I ran ComboFix.

I actually ran ComboFix twice, and both logs are posted below.

The first time I ran ComboFix, at certain steps I got errors that I could not complete certain activities due to lack of administrator privileges.

The second time, I ran it by right-clicking and selecting "run as administrator". The results seemed roughly the same (still got errors about administrator privileges, and it still ran to completion).

My question: Do you recommend any actions based on results of these ComboFix logs below?

Quote (First ComboFix Log):


ComboFix 11-04-15.06 - admin 04/16/2011  22:21:42.1.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.1.1033.18.1918.1431 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: RULE_COMPONENT_MNM *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: RULE_COMPONENT_MNM *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: RULE_COMPONENT_MNM *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\26205960.exe
c:\programdata\43179784.exe
c:\programdata\AIAkiwgpWK.exe
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair\Windows Repair.lnk
c:\users\admin\Desktop\Windows Repair.lnk
c:\windows\system32\config\systemprofile\wuaucldt.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\null0.8717782285845986.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\wuaucldt.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-17 to 2011-04-17  )))))))))))))))))))))))))))))))
.
.
2011-04-17 03:25 . 2011-04-17 03:25    --------    d-----w-    c:\users\admin\AppData\Local\temp
2011-04-17 03:25 . 2011-04-17 03:25    --------    d-----w-    c:\users\Default\AppData\Local\temp
2011-04-01 14:32 . 2011-04-01 14:32    --------    d-----w-    C:\Windows Repair
2011-03-28 19:00 . 2011-03-28 19:00    119296    --sha-r-    c:\windows\system32\itirclh.dll
2011-03-27 00:42 . 2010-12-20 23:09    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-27 00:42 . 2010-12-20 23:08    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-03-26 01:35 . 2011-03-26 01:35    --------    d--h--w-    c:\program files\MalwarebytesAntiMalware2
2011-03-26 00:08 . 2011-03-26 00:08    --------    d--h--w-    c:\users\admin\AppData\Roaming\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08    --------    d--h--w-    c:\programdata\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08    --------    d--h--w-    c:\program files\Malwarebytes' Anti-Malware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 22:25 . 2009-11-24 22:06    119808    ---ha-w-    c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-14 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware6\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Play Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F7D4101\V1\PBN.exe [2009-11-25 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
R2 WLANBelkinService;Belkin WLAN service;c:\program files\Belkin\F7D4101\V1\wlansrv.exe [2009-12-28 36864]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [2009-11-06 699896]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-23 30192]
R3 STSService;STSService;c:\program files\SoundTaxi Media Suite\STSService.exe [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork    REG_MULTI_SZ       PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-02-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
2011-02-12 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: ataretail.com
Trusted Zone: bdsmktg.com\ic
Trusted Zone: claops.com\www
Trusted Zone: clareps.com\intranet
Trusted Zone: fgxi.com\ross
Trusted Zone: intersourcing.com\www51
Trusted Zone: jcprewards.com\www
Trusted Zone: paychex.com\eservices
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\0a5p0b5b.default\
.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\qca.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AIAkiwgpWK - c:\programdata\AIAkiwgpWK.exe
HKCU-Run-Regedit32 - c:\windows\system32\regedit.exe
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-16 22:25
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-16  22:27:01
ComboFix-quarantined-files.txt  2011-04-17 03:26
.
Pre-Run: 92,754,616,320 bytes free
Post-Run: 93,978,804,224 bytes free
.
- - End Of File - - 19B61BA8653D76E4723D4109A3FE8409

Quote (Second ComboFix Log):


ComboFix 11-04-15.06 - admin 04/16/2011  22:30:33.1.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic   6.0.6001.1.1252.1.1033.18.1918.1277 [GMT -5:00]
Running from: C:\ComboFix.exe
AV: RULE_COMPONENT_MNM *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: RULE_COMPONENT_MNM *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: RULE_COMPONENT_MNM *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-17 to 2011-04-17  )))))))))))))))))))))))))))))))
.
.
2011-04-17 03:32 . 2011-04-17 03:32    --------    d-----w-    c:\users\admin\AppData\Local\temp
2011-04-17 03:32 . 2011-04-17 03:32    --------    d-----w-    c:\users\Default\AppData\Local\temp
2011-04-01 14:32 . 2011-04-01 14:32    --------    d-----w-    C:\Windows Repair
2011-03-28 19:00 . 2011-03-28 19:00    119296    --sha-r-    c:\windows\system32\itirclh.dll
2011-03-27 00:42 . 2010-12-20 23:09    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-27 00:42 . 2010-12-20 23:08    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-03-26 01:35 . 2011-03-26 01:35    --------    d-----w-    c:\program files\MalwarebytesAntiMalware2
2011-03-26 00:08 . 2011-03-26 00:08    --------    d-----w-    c:\users\admin\AppData\Roaming\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08    --------    d-----w-    c:\programdata\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 22:25 . 2009-11-24 22:06    119808    ----a-w-    c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-14 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware6\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Play Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F7D4101\V1\PBN.exe [2009-11-25 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
R2 WLANBelkinService;Belkin WLAN service;c:\program files\Belkin\F7D4101\V1\wlansrv.exe [2009-12-28 36864]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [2009-11-06 699896]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-23 30192]
R3 STSService;STSService;c:\program files\SoundTaxi Media Suite\STSService.exe [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork    REG_MULTI_SZ       PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-02-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
2011-02-12 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: ataretail.com
Trusted Zone: bdsmktg.com\ic
Trusted Zone: claops.com\www
Trusted Zone: clareps.com\intranet
Trusted Zone: fgxi.com\ross
Trusted Zone: intersourcing.com\www51
Trusted Zone: jcprewards.com\www
Trusted Zone: paychex.com\eservices
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\0a5p0b5b.default\
.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\qca.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-16 22:32
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-16  22:33:57
ComboFix-quarantined-files.txt  2011-04-17 03:33
ComboFix2.txt  2011-04-17 03:27
.
Pre-Run: 94,033,887,232 bytes free
Post-Run: 94,002,577,408 bytes free
.
- - End Of File - - 48E334A4D1BC32D2664A118CF2BA9BDF
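As an added example (not from this thread, and not ComboFix's own code): a small Python triage script that splits a log in the format posted above into its sections and pulls out what a responder reads first: products reported disabled, the exefile association, system+hidden files created directly in system32, and what ComboFix already removed. The sample log is constructed from lines of the first log above.

```python
import re
from typing import Dict, List

# Constructed sample in ComboFix's report format, cut down from the first log
# posted in this thread; the paths, attributes and product GUIDs come from it.
SAMPLE_LOG = r"""
ComboFix 11-04-15.06 - admin 04/16/2011  22:21:42.1.1 - x86 MINIMAL
AV: RULE_COMPONENT_MNM *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: RULE_COMPONENT_MNM *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
(((((((((((((((((((((   Other Deletions   )))))))))))))))))))))
.
c:\programdata\26205960.exe
c:\programdata\AIAkiwgpWK.exe
c:\windows\system32\wuaucldt.exe
.
(((((((((((((   Files Created from 2011-03-17 to 2011-04-17  )))))))))))))
.
2011-03-28 19:00 . 2011-03-28 19:00    119296    --sha-r-    c:\windows\system32\itirclh.dll
2011-03-27 00:42 . 2010-12-20 23:09    38224    ----a-w-    c:\windows\system32\drivers\mbam.sys
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\qca.exe" -a "%1" %*
.
"""

# The three banner styles ComboFix uses to open a section; group 1 is the title.
_BANNERS = [
    re.compile(r"^\(+\s*(.+?)\s*\)+\s*$"),       # (((   Other Deletions   )))
    re.compile(r"^(?:- )+(.+?)(?: -)+\s*$"),     # - - - - ORPHANS REMOVED - - - -
    re.compile(r"^-{3,}\s+(.+?)\s+-{3,}\s*$"),   # ------- File Associations -------
]
# "created . modified    size    attrs    path" rows in the Files Created section
_CREATED = re.compile(r"^\S+ \S+ \. \S+ \S+\s+(\S+)\s+(\S{8})\s+(.+)$")
# Windows' stock .exe association: run the file itself with its own arguments.
DEFAULT_EXEFILE = '"%1" %*'


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the log's lines by section banner, skipping blank and '.' spacer lines.
    Lines before the first banner (tool version, AV/FW/SP status) go under 'header'."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        for pattern in _BANNERS:
            m = pattern.match(line)
            if m:
                current = m.group(1)
                sections.setdefault(current, [])
                break
        else:
            sections[current].append(line)
    return sections


def triage(text: str) -> List[str]:
    """Return the findings a responder would read first from a ComboFix log."""
    s = split_sections(text)
    findings: List[str] = []

    # 1. Security products the header reports as disabled (fake AV usually does this).
    for line in s["header"]:
        m = re.match(r"^(AV|FW|SP): (.+?) \*(Disabled[^*]*)\*", line)
        if m:
            findings.append(f"{m.group(1)} product '{m.group(2)}' is {m.group(3)}")

    # 2. exefile: anything but the default routes every program launch through
    #    another binary first, which is how fake AV blocks the real cleaners.
    for line in s.get("File Associations", []):
        if line.startswith("exefile=") and line[len("exefile="):] != DEFAULT_EXEFILE:
            findings.append("exefile association hijacked: " + line[len("exefile="):])

    # 3. Recently created files directly in system32 marked system+hidden;
    #    shipped Windows components are not normally created that way.
    for name, lines in s.items():
        if not name.startswith("Files Created"):
            continue
        for line in lines:
            m = _CREATED.match(line)
            if not m:
                continue
            attrs, path = m.group(2), m.group(3)
            parent = path.rsplit("\\", 1)[0].lower()
            if "s" in attrs and "h" in attrs and parent.endswith("\\system32"):
                findings.append(f"hidden+system file in system32: {path} ({attrs})")

    # 4. What ComboFix already removed, so the responder knows what was there.
    for path in s.get("Other Deletions", []):
        findings.append(f"removed by ComboFix: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a saved ComboFix.txt by passing the file's contents to triage(); the section names are the ones ComboFix prints, so a log that lacks a section simply yields no findings for it.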

RE: ComboFix log

This reads like you need some qualified help. I suggest the Majorgeeks Malware forum; start by reading and following the instructions here: http://forums.majorgeeks.com/showthread.php?t=35407. They have no auto-lock of threads after x days of inactivity, and only qualified malware helpers and yourself can post in your topic.

Good luck, and let us know how it goes :)

RE: ComboFix log

Those errors are "normal" when running it on Vista. Disregard them. If the PC is running normally again, don't worry.

Actions - I would run a full MBAM scan, followed by:

Run RKILL, GMER and HijackThis (in that order) just to see that any 2nd/3rd/4th opinions don't find any bad stuff.

Then if things are running well, I would turn your system restore OFF and then reboot.  Turn it back on again.

RE: ComboFix log

(OP)
Will do goombawahoo.

RE: ComboFix log

(OP)
By the way, thanks Satrow also. I have stumbled onto a similar site, bleepingcomputer. The only problem is that it seems people have to wait a long time for a response there.

RE: ComboFix log

Yup, bleeping is very good, but it can be slow for malware; excellent site for troubleshooting BSODs though.

RE: ComboFix log

Plus they EXPLICITLY tell you NOT to run ComboFix on your own and maintain a "do what I say" attitude if you tell them that you're halfway technically competent.

I wouldn't fiddle with them to actually help with malware removal.

RE: ComboFix log

(OP)
After completion of ComboFix, most symptoms are gone. Two anomalies remain:
1 - Mozilla Firefox does nothing when double-clicked to launch. Internet Explorer works fine.
2 - Upon startup I get a systray icon labeled "blocked startup programs". When I right-click and select "show blocked programs", I get an error message: "Windows Defender... Application failed to initialize 0x80070006. The handle is invalid"
Item 2 may or may not have been present before my infection (I wasn't paying close attention). Some internet links suggest that McAfee doesn't coexist well with Windows Defender.

Here is the sequence of stuff done (sorry, not in the order requested):
I let McAfee repair itself and ran a full McAfee virus scan: no problems.
I upgraded Vista to Service Pack 2.
I ran Malwarebytes Anti-Malware; only one item found:
Files Infected: c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\URNQL19N\load[4].php (Trojan.Downloader) -> Quarantined and deleted successfully

I ran DDS (results  below).
I ran defogger (in prep for GMER)
I ran GMER (results  below)
I ran Rkill (results  below)
I ran Hijack This (results  below)


Quote (DDS):

DDS (Ver_11-03-05.01) - NTFSx86
Run by admin at 14:52:44.54 on Sun 04/17/2011
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1918.931 [GMT -5:00]
.
AV: product_keys/key *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: product_keys/key *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: product_keys/key *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\F7D4101\V1\PBN.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Belkin\F7D4101\V1\wlansrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\admin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware6\mbam.exe" /runcleanupscript
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [Skytel] Skytel.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\playwi~1.lnk - c:\program files\belkin\f7d4101\v1\PBN.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: ataretail.com
Trusted Zone: bdsmktg.com\ic
Trusted Zone: claops.com\www
Trusted Zone: clareps.com\intranet
Trusted Zone: fgxi.com\ross
Trusted Zone: intersourcing.com\www51
Trusted Zone: jcprewards.com\www
Trusted Zone: paychex.com\eservices
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://bdsmarketing.webex.com/client/T27L/nbr/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\0a5p0b5b.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-14 386840]
R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2009-3-27 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2011-2-11 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2011-2-11 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2011-2-11 144704]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-4-17 439632]
R2 WLANBelkinService;Belkin WLAN service;c:\program files\belkin\f7d4101\v1\wlansrv.exe [2009-12-28 36864]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2009-11-6 699896]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2011-2-11 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-11 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-11 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2011-2-11 40552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-7-29 904192]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-19 30192]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2011-2-11 34248]
S3 STSService;STSService;"c:\program files\soundtaxi media suite\stsservice.exe" --> c:\program files\soundtaxi media suite\STSService.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-17 17:18:38 -------- d-----w- c:\windows\system32\eu-ES
2011-04-17 17:18:38 -------- d-----w- c:\windows\system32\ca-ES
2011-04-17 17:18:36 -------- d-----w- c:\windows\system32\vi-VN
2011-04-17 16:38:02 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2011-04-17 16:36:59 450560 ----a-w- c:\windows\system32\comdlg32.dll
2011-04-17 16:35:42 83968 ----a-w- c:\windows\system32\wbem\wmiutils.dll
2011-04-17 16:35:42 744448 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-04-17 16:35:42 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2011-04-17 16:35:42 30208 ----a-w- c:\windows\system32\wbem\wbemprox.dll
2011-04-17 16:35:42 265728 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
2011-04-17 16:35:42 265728 ----a-w- c:\windows\system32\wbem\esscli.dll
2011-04-17 16:35:42 189440 ----a-w- c:\windows\system32\wbem\mofd.dll
2011-04-17 16:35:39 705536 ----a-w- c:\windows\system32\SmiEngine.dll
2011-04-17 16:35:35 218624 ----a-w- c:\windows\system32\wdscore.dll
2011-04-17 16:35:35 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2011-04-17 16:35:21 247808 ----a-w- c:\windows\system32\drvstore.dll
2011-04-17 06:46:42 -------- d-----w- c:\progra~2\Trend Micro
2011-04-17 05:56:57 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-17 05:56:56 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-17 05:56:45 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-04-17 05:51:31 -------- d-----w- c:\program files\WinPcap
2011-04-17 05:50:32 -------- d-----w- c:\program files\Trend Micro
2011-04-17 03:33:58 -------- d-----w- c:\users\admin\appdata\local\temp
2011-04-17 03:33:36 -------- d-sh--w- C:\$RECYCLE.BIN
2011-04-17 03:30:04 -------- d-----w- C:\ComboFix
2011-04-17 03:29:28 4322776 ----a-r- C:\ComboFix.exe
2011-04-17 03:18:41 98816 ----a-w- c:\windows\sed.exe
2011-04-17 03:18:41 89088 ----a-w- c:\windows\MBR.exe
2011-04-17 03:18:41 256512 ----a-w- c:\windows\PEV.exe
2011-04-17 03:18:41 161792 ----a-w- c:\windows\SWREG.exe
2011-04-01 14:32:47 -------- d-----w- C:\Windows Repair
2011-03-28 19:00:33 119296 --sha-r- c:\windows\system32\itirclh.dll
2011-03-27 00:42:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-27 00:42:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-27 00:42:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware6
2011-03-26 23:11:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware5
2011-03-26 21:50:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware4
2011-03-26 20:51:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3
2011-03-26 01:35:36 -------- d-----w- c:\program files\MalwarebytesAntiMalware2
2011-03-26 00:08:58 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2011-03-26 00:08:48 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-26 00:08:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 06:21:28 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16:53 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20:39 385024 ----a-w- c:\windows\system32\html.iec
2011-02-22 04:43:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-17 06:23:50 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-02-16 16:16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02:23 292864 ----a-w- c:\windows\system32\atmfd.dll

Quote (GMER):


GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-17 18:01:06
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000053 ST316081 rev.4.AA
Running: gmer.exe; Driver: C:\Users\admin\AppData\Local\Temp\pglorpod.sys


---- System - GMER 1.0.15 ----

Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                   ZwCreateFile [0x877A20E0]
Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                   ZwMapViewOfSection [0x877A2132]
Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                   ZwProtectVirtualMemory [0x877A20F4]
Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                   ZwSetInformationProcess [0x877A20B8]
Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                   ZwTerminateProcess [0x877A2161]
Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                   ZwUnmapViewOfSection [0x877A2148]
Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                   ZwYieldExecution [0x877A211E]
Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                   NtCreateFile
Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                   NtMapViewOfSection
Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                   NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwYieldExecution                                                                82075982 5 Bytes  JMP 877A2122 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text           C:\Windows\system32\DRIVERS\nvlddmkm.sys                                                     section is writeable [0x8BE03340, 0x3D9767, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text           C:\Windows\system32\services.exe[604] kernel32.dll!GetStartupInfoW                           76C91929 5 Bytes  JMP 008200A4
.text           C:\Windows\system32\services.exe[604] kernel32.dll!GetStartupInfoA                           76C919C9 5 Bytes  JMP 00820093
.text           C:\Windows\system32\services.exe[604] kernel32.dll!CreateProcessW                            76C91BF3 5 Bytes  JMP 00820F28
.text           C:\Windows\system32\services.exe[604] kernel32.dll!CreateProcessA                            76C91C28 5 Bytes  JMP 00820F43
.text           C:\Windows\system32\services.exe[604] kernel32.dll!VirtualProtect                            76C91DC3 5 Bytes  JMP 00820F83
.text           C:\Windows\system32\services.exe[604] kernel32.dll!CreateNamedPipeA                          76C92EF5 5 Bytes  JMP 00820000
.text           C:\Windows\system32\services.exe[604] kernel32.dll!CreateNamedPipeW                          76C95C0C 5 Bytes  JMP 00820FAF
.text           C:\Windows\system32\services.exe[604] kernel32.dll!CreatePipe                                76CB8E6E 5 Bytes  JMP 00820082
.text           C:\Windows\system32\services.exe[604] kernel32.dll!LoadLibraryExW                            76CB9109 5 Bytes  JMP 00820F94
.text           C:\Windows\system32\services.exe[604] kernel32.dll!LoadLibraryW                              76CB9362 5 Bytes  JMP 00820040
.text           C:\Windows\system32\services.exe[604] kernel32.dll!LoadLibraryExA                            76CB94B4 5 Bytes  JMP 00820051
.text           C:\Windows\system32\services.exe[604] kernel32.dll!LoadLibraryA                              76CB94DC 5 Bytes  JMP 0082001B
.text           C:\Windows\system32\services.exe[604] kernel32.dll!VirtualProtectEx                          76CBDBDA 5 Bytes  JMP 00820F72
.text           C:\Windows\system32\services.exe[604] kernel32.dll!GetProcAddress                            76CD903B 5 Bytes  JMP 008200DA
.text           C:\Windows\system32\services.exe[604] kernel32.dll!CreateFileW                               76CDAECB 5 Bytes  JMP 00820FCA
.text           C:\Windows\system32\services.exe[604] kernel32.dll!CreateFileA                               76CDCE5F 5 Bytes  JMP 00820FE5
.text           C:\Windows\system32\services.exe[604] kernel32.dll!WinExec                                   76D25CF7 5 Bytes  JMP 008200B5
.text           C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegCreateKeyExA                           76FF39AB 5 Bytes  JMP 0083005B
.text           C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegCreateKeyA                             76FF3BA9 5 Bytes  JMP 00830040
.text           C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegOpenKeyA                               76FF89C7 5 Bytes  JMP 00830000
.text           C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegCreateKeyW                             7700391E 5 Bytes  JMP 00830FB9
.text           C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegCreateKeyExW                           770041F1 5 Bytes  JMP 00830F94
.text           C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegOpenKeyExA                             77007C42 5 Bytes  JMP 00830FD4
.text           C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegOpenKeyW                               7700E2B5 5 Bytes  JMP 00830FE5
.text           C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegOpenKeyExW                             77017BA1 5 Bytes  JMP 00830025
.text           C:\Windows\system32\services.exe[604] msvcrt.dll!_wsystem                                    76C37F2F 5 Bytes  JMP 00240FAD
.text           C:\Windows\system32\services.exe[604] msvcrt.dll!system                                      76C3804B 5 Bytes  JMP 00240042
.text           C:\Windows\system32\services.exe[604] msvcrt.dll!_creat                                      76C3BBE1 5 Bytes  JMP 00240016
.text           C:\Windows\system32\servic

RE: ComboFix log

(OP)
Whoops. It must have truncated my message due to length in the middle of GMER. I'll post the rest of GMER if you want. Meanwhile, here are RKILL and HJT.

Quote (RKILL):


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/17/2011 at 19:15:07.
Operating System: Windows Vista (TM) Home Basic


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Windows\System32\grpconv.exe


Rkill completed on 04/17/2011 at 19:15:13.

Quote (HiJack This):


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:21:32 PM, on 4/17/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19048)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\F7D4101\V1\PBN.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\admin\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vb32&d=0309&m=et1161-05
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware6\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Play Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F7D4101\V1\PBN.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bdsmarketing.webex.com/client/T27L/nbr/ieatgpc1.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: STSService - Unknown owner - C:\Program Files\SoundTaxi Media Suite\STSService.exe (file missing)
O23 - Service: Belkin WLAN service (WLANBelkinService) - Unknown owner - C:\Program Files\Belkin\F7D4101\V1\wlansrv.exe

--
End of file - 8400 bytes

RE: ComboFix log

Geez - you've spent more time than reloading the system already!!!  I'd say:
Uninstall Firefox
Registry repair with CCleaner (run until no errors & save backup before repairing each time)
Reboot
Reinstall Firefox
Call it a day (week)

Otherwise, you might as well have reloaded - don't you think?

RE: ComboFix log

And after you've reloaded or 'fixed' it, learn how to use ProcessExplorer to track down the malware that's running and suspend it all, then kill it and then use Autoruns to prevent it running again at boot. It might not enable you to pick out all malware that's in the wild but it'll deal with the vast majority. http://technet.microsoft.com/en-us/sysinternals/bb545021

 

RE: ComboFix log

Quote:

Geez - you've spent more time than reloading the system already!!!

Yah, but think of all the experience he's getting. winky smile
 

James P. Cottingham
I'm number 1,229!

RE: ComboFix log

Experience often = pain with the possible exception of the opposite sex.  But even then.......................  pain, definitely pain.

But what you're saying is "no pain no gain".  I can respect that.


I agree about using Process Explorer to see what's running on your PC and Autoruns to prevent things from starting up.  However, some of the baddies are not visible using these tools.  That's when we throw all the programs mentioned at it.

Not mentioned, but good, are CWShredder and TDSSKiller.


 

RE: ComboFix log

(OP)

Quote (gombawahoo):


Geez - you've spent more time than reloading the system already!!!  I'd say:
Uninstall Firefox
Registry repair with CCleaner (run until no errors & save backup before repairing each time)
Reboot
Reinstall Firefox
Call it a day (week)

Otherwise, you might as well have reloaded - don't you think?

This computer came loaded with Windows; I did not purchase it. The computer OEM did not provide any CD ($300 for an eMachines computer and monitor from Wal-Mart).

The checks that I ran supported posting at BleepingComputer. I also posted some of the items that were suggested above.

Does anyone have any comments on these logs?

RE: ComboFix log

In general
I would get rid of Google Desktop unless you really love it/use it as it will slow you down.
I would get rid of Mcafee because it will really slow you down.
I would disable the Indexing service because performance takes a hit when it kicks in.


You could turn the following off to shut some stuff down.
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
See if this disappears when (if) you uninstall Google Desktop.  I'm always suspicious of the App Init DLL entry.  Lots of malware tries to run itself from there.


O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
Kill this if you DON'T use your (old fashioned) modem.


O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
Kill this if you don't play the WildTangent games.
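The post above picks out the same kinds of HijackThis lines a triager looks at first: anything in AppInit_DLLs, services with no readable publisher, and entries whose file is gone. The Python script below is an added example written for this thread (it is not a tool from any poster, from HijackThis or from Trend Micro) that applies those rules to HJT log lines and ranks the hits. The sample input is a handful of lines copied from the HJT log posted earlier in the thread; the rule names, severities and function names are my own choices, and the heuristics flag lines for a human to verify on the machine, not verdicts.

```python
import re
from typing import Dict, List

# Constructed sample input: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: STSService - Unknown owner - C:\Program Files\SoundTaxi Media Suite\STSService.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
"""

LINE_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")   # "O23 - Service: ..." -> ("O23", "Service: ...")
SHORT_NAME_RE = re.compile(r"~\d+")               # 8.3 short-name component such as PROGRA~1


def run_command(body: str) -> str:
    """Return the executable part of an O4 Run entry, honouring a quoted path."""
    m = re.search(r"\]\s*(.*)$", body)
    if not m:
        return ""
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str) -> List[Dict[str, str]]:
    """Apply the triage heuristics to one HijackThis line; returns zero or more findings."""
    findings: List[Dict[str, str]] = []
    m = LINE_RE.match(line.strip())
    if not m:
        return findings
    kind, body = m.group(1), m.group(2)

    def add(rule: str, severity: str, note: str) -> None:
        findings.append({"kind": kind, "line": line.strip(), "rule": rule,
                         "severity": severity, "note": note})

    # O20: AppInit_DLLs is loaded into every process that links user32.dll, so any
    # value at all deserves a look; legitimate software rarely needs it.
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        if body[len("AppInit_DLLs:"):].strip():
            add("appinit_dlls_set", "high",
                "DLL injected into every user32-linked process; confirm which product owns it")

    # O2/O3: a CLSID whose DLL is gone is a leftover, not an infection, but it is clutter.
    if kind in ("O2", "O3") and body.endswith("(no file)"):
        add("orphaned_bho", "low", "registry entry points at a DLL that no longer exists")

    # O23: services with no readable publisher, or whose binary is missing.
    if kind == "O23":
        if body.endswith("(file missing)"):
            add("orphaned_service", "low", "service registered but its executable is gone")
        if " - Unknown owner - " in body:
            add("service_no_publisher", "medium",
                "no company name could be read from the file; check its signature")

    # O4: a Run entry naming a bare file is resolved through the PATH search order,
    # so the file that actually runs cannot be told from the log alone.
    if kind == "O4":
        exe = run_command(body)
        if exe and "\\" not in exe:
            add("run_entry_bare_filename", "medium",
                "no directory given; locate the real file before deciding")

    # Any line: 8.3 short names hide the real directory name until expanded on the box.
    if SHORT_NAME_RE.search(body):
        add("short_path_name", "info", "8.3 short name; expand it before comparing with known paths")
    return findings


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run triage_line over a whole log; findings keep log order."""
    out: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, listing every severity even when zero."""
    counts = {"high": 0, "medium": 0, "low": 0, "info": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['severity']:6}] {f['rule']:24} {f['line']}")
    print(summarize(triage(SAMPLE_HJT_LOG)))
```

Run against the sample, the one "high" hit is the O20 line, exactly the entry the post above says to watch; the "info" hits only remind you that PROGRA~1-style short names must be expanded on the machine (for example by opening the folder in Explorer) before you compare them with a known-good path, because a short name can map to a differently named directory than the one you assume.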

RE: ComboFix log

(OP)
Thanks... good idea to get rid of stuff I don't need.
