
[Solved] Think Point and other issues

Discussion in 'Virus and Malware Removal' started by BrianB, Nov 8, 2010.

Thread Status:
Not open for further replies.
  1. Bobbye Helper on the Fringe

    We're almost through- hold off on router for a bit:

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\Drivers\l6dp.sys
    c:\windows\system32\Drivers\L6TPortA.sys
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "<NO NAME>"=-
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7D123B2E-0C5F-D919-194C2B3C78E1FEC1}\{313463E6-9B37-5C56-F570B6CAA31EBA6B}\{14D54DC1-EDC1-0F67-65A1433CC409F39D}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DA5FD177-5ED9-D129-A0BCADEF3ACDBDBC}\{79EAF540-0E74-317B-4A6E156139C845D3}\{99F2609B-7483-5DDB-3E9DF7E4B6714B5D}*]
    Driver::
    L6DP
    L6TPortA
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please update Adobe Reader: Visit this Adobe Reader site and make sure you have the most current update. Uninstall v7 and any other earlier versions as they are vulnerabilities.

    HijackThis is okay.
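The CFScript above is a plain-text list of directives, each section introduced by a `Name::` line. Before dropping such a script onto ComboFix.exe it helps to see what it would act on. The following is an added example (not ComboFix's own code and not from this thread) that reads a script in that layout and summarizes it; the sample script is constructed, with a placeholder CLSID of zeros, and the meaning of `"name"=-` (remove the value) and `[-key]` (remove the key) follows .reg file syntax.

```python
"""Dry-run reader for a ComboFix CFScript: lists what each section would act
on so the script can be reviewed before it is run.  Added example, not
ComboFix's own code; the sample script is constructed in the layout of the
script posted above (file paths, CLSID and driver names are placeholders)."""

SAMPLE_CFSCRIPT = """\
File::
c:\\windows\\system32\\Drivers\\example1.sys
c:\\windows\\system32\\Drivers\\example2.sys

Registry::
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"<NO NAME>"=-
RegNull::
[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}*]
Driver::
EXAMPLE1
EXAMPLE2
"""


def parse_cfscript(text):
    """Return {section_name: [lines]} keyed by the 'Name::' directive headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def summarize(sections):
    """Translate each directive into a one-line description of its effect."""
    actions = []
    for path in sections.get("File", []):
        actions.append(f"delete file {path}")
    key = None
    for line in sections.get("Registry", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):  # [-key] removes the whole key (.reg syntax)
                actions.append(f"delete key {key[1:]}")
        elif line.endswith("=-") and key:  # "name"=- removes that value (.reg syntax)
            name = line[:-2].strip('"')
            actions.append(f"delete value {name} under {key}")
        elif key:
            actions.append(f"set value {line} under {key}")
    for line in sections.get("RegNull", []):
        # The trailing '*' marks a key with an embedded null in its name.
        actions.append(f"delete null-embedded key {line.strip('[]')}")
    for name in sections.get("Driver", []):
        actions.append(f"remove service/driver {name}")
    return actions


if __name__ == "__main__":
    for action in summarize(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(action)
```

Reviewing the summary is a check, not a substitute for the helper's analysis: the script only acts on exactly what it names, so a typo in a path or service name means that item is simply left alone.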
  2. BrianB Newcomer, in training

    OK here is the latest Combofix log:


    ComboFix 10-11-11.01 - Brian 11/13/2010 19:57:04.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2366 [GMT -5:00]
    Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Brian\Desktop\cfscript.txt
    AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    FILE ::
    "c:\windows\system32\Drivers\l6dp.sys"
    "c:\windows\system32\Drivers\L6TPortA.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_L6DP
    -------\Service_L6TPortA


    ((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
    .

    2010-11-12 23:21 . 2010-11-12 23:21 388096 ----a-r- c:\documents and settings\Brian\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-12 23:21 . 2010-11-12 23:21 -------- d-----w- c:\program files\Trend Micro
    2010-11-09 23:42 . 2010-11-09 23:42 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
    2010-11-07 02:45 . 2010-11-07 02:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-11-06 21:00 . 2010-11-06 21:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-11-06 13:10 . 2010-11-06 13:10 -------- d-----w- c:\documents and settings\Brian\Application Data\Tific
    2010-11-06 13:10 . 2010-11-06 13:10 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\Symantec
    2010-11-06 12:50 . 2010-11-06 12:50 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-11-06 12:50 . 2010-11-06 12:50 -------- d-----w- c:\program files\Symantec
    2010-11-06 12:50 . 2010-11-06 12:50 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-11-06 12:49 . 2010-11-07 12:25 -------- d-----w- c:\windows\system32\drivers\N360
    2010-11-06 12:49 . 2010-11-06 12:49 -------- d-----w- c:\program files\Norton 360
    2010-11-06 12:49 . 2010-11-06 12:49 -------- d-----w- c:\program files\Windows Sidebar
    2010-11-06 12:49 . 2010-11-06 12:49 -------- d-----w- c:\program files\NortonInstaller
    2010-11-06 12:49 . 2010-11-06 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-11-06 01:49 . 2010-11-09 23:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-11-05 23:12 . 2010-11-05 23:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-05 09:10 . 2010-11-05 09:10 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes
    2010-11-05 06:09 . 2010-11-05 06:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2010-11-05 03:52 . 2010-11-05 03:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-11-05 03:51 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-05 03:51 . 2010-11-05 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-05 03:51 . 2010-11-05 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-05 03:51 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-05 03:47 . 2010-11-05 03:47 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-11-05 03:43 . 2010-11-06 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-11-05 03:23 . 2010-11-05 03:23 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-11-02 19:14 . 2010-11-02 19:15 -------- d-----w- c:\program files\iTunes
    2010-11-02 19:10 . 2010-11-02 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-11-02 13:47 . 2010-09-15 08:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-02 13:40 . 2010-11-02 13:40 -------- d-----w- c:\windows\system32\Adobe
    2010-11-02 11:39 . 2010-11-02 11:39 -------- d-----w- c:\documents and settings\Brian\Application Data\Acapela Group
    2010-11-02 11:38 . 2010-11-02 11:38 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\Xtranormal
    2010-11-02 11:35 . 2010-11-04 23:58 -------- d-----w- c:\program files\Xtranormal
    2010-11-02 11:34 . 2010-11-02 13:12 -------- d-----w- c:\documents and settings\Brian\Application Data\Xtranormal
    2010-10-29 23:03 . 2010-10-29 23:07 -------- d-----w- c:\program files\PS3 Media Server

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 20:51 . 2010-08-11 23:29 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-18 16:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-16 17:46 . 2010-09-16 17:46 28672 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
    2010-09-16 15:22 . 2010-09-16 15:22 53248 ----a-r- c:\documents and settings\Brian\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
    2010-09-15 06:29 . 2008-03-30 02:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-10 05:58 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51 . 2004-08-04 10:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-04 10:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-04 10:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2004-08-04 10:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-16 00:37 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2004-08-04 10:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-08-04 10:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2007-05-09 21:31 . 2007-05-09 21:29 15788024 ----a-w- c:\program files\StuffIt11.0.0.34.exe
    2006-11-30 15:03 . 2006-11-30 15:03 16508560 ----a-w- c:\program files\jre-1_5_0_09-windows-i586-p-s.exe
    2006-11-28 15:56 . 2006-11-28 15:56 14879120 ----a-w- c:\program files\GoogleEarthWin.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-11-12_23.13.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-14 01:09 . 2010-11-14 01:09 16384 c:\windows\Temp\Perflib_Perfdata_444.dat
    + 2010-11-14 01:07 . 2010-11-14 01:07 16384 c:\windows\Temp\Perflib_Perfdata_244.dat
    + 2005-06-10 11:27 . 2010-11-13 16:32 72576 c:\windows\SYSTEM32\PERFC009.DAT
    - 2005-06-10 11:27 . 2010-11-07 12:35 72576 c:\windows\SYSTEM32\PERFC009.DAT
    + 2005-06-10 11:27 . 2010-11-13 16:32 445370 c:\windows\SYSTEM32\PERFH009.DAT
    - 2005-06-10 11:27 . 2010-11-07 12:35 445370 c:\windows\SYSTEM32\PERFH009.DAT
    + 2010-11-12 23:21 . 2010-11-12 23:21 1094656 c:\windows\Installer\192091.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-23 68856]
    "Logitech Vid"="c:\program files\Logitech\Vid\Vid.exe" [2010-05-11 6061400]
    "Logitech Vid HD"="c:\program files\Logitech\Vid\vid.exe" [2010-05-11 6061400]
    "AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2007-10-31 50528]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-07-14 26112]
    "bbui"="c:\program files\Creative\8xxx\bbui.exe" [2002-03-08 258048]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
    "HostManager"="c:\program files\Common Files\AOL\1187566823\ee\AOLSoftware.exe" [2008-06-24 41824]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1363.0\mswinext.exe" [2010-01-26 243032]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    c:\documents and settings\Brian\Start Menu\Programs\Startup\
    Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-2-19 344064]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-10 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Creative\\8xxx\\bbui.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1187566823\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\AOL 9.1\\waol.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Documents and Settings\\Brian\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Logitech\\Vid\\Vid.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "<NO NAME>"=

    R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\symds.sys [11/6/2010 11:58 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\symefa.sys [11/6/2010 11:58 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20101104.001\BHDrvx86.sys [11/3/2010 7:07 PM 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\cchpx86.sys [11/6/2010 11:58 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0403000.005\ironx86.sys [11/6/2010 11:58 AM 116784]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [11/6/2010 11:57 AM 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/6/2010 7:54 AM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20101112.001\IDSXpx86.sys [10/19/2010 3:36 PM 341880]
    S2 gupdate1c9f44852430e5e;Google Update Service (gupdate1c9f44852430e5e);c:\program files\Google\Update\GoogleUpdate.exe [6/23/2009 4:19 PM 133104]
    S3 VVBETHERNET;Broadband Blaster 8012U Ethernet Driver;c:\windows\SYSTEM32\DRIVERS\vvbeth.sys [7/15/2006 5:12 PM 15878]
    S3 vvbususb;Broadband Blaster 8012U USB;c:\windows\SYSTEM32\DRIVERS\vvbususb.sys [7/15/2006 5:12 PM 51448]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

    2010-11-14 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-30 03:42]

    2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 21:19]

    2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 21:19]

    2010-11-09 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Brian.job
    - c:\program files\Norton 360\Engine\4.3.0.5\navw32.exe [2010-11-06 19:24]

    2010-11-14 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

    2010-11-13 c:\windows\Tasks\User_Feed_Synchronization-{35D46A12-E3B1-49FD-A798-D1C86D2B3D55}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.optimum.net/Home
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    Trusted Zone: db.com
    Trusted Zone: line6.net
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://dbrasweb-ny1.us.db.com/llclient/dbrasweb/winxp/,DanaInfo=rctoolbox2.us.db.com,CT=java+AXXPEE.dll
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-13 20:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3465306497-152574272-1382073938-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1184)
    c:\windows\system32\WININET.dll
    c:\windows\system32\logishrd\LVPrcInj01.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\SCardSvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Flip Video\FlipShare\FlipShareService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Smith Micro\StuffIt11\ArcNameService.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\windows\wanmpsvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\program files\AOL 9.1\waol.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\FSScrCtl.exe
    c:\program files\Common Files\AOL\ACS\AOLacsd.exe
    c:\program files\AOL 9.1\shellmon.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-13 20:14:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-14 01:14
    ComboFix2.txt 2010-11-12 23:16
    ComboFix3.txt 2010-11-12 02:53

    Pre-Run: 10,112,466,944 bytes free
    Post-Run: 10,093,244,416 bytes free

    - - End Of File - - 07A042C0C4062345968DE3FA2C14AA65
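The "Reg Loading Points" part of the log above records three settings a defender would normally flag: `"AntiVirusOverride"=dword:00000001` under the Security Center key, `"EnableFirewall"= 0` in the firewall's standard profile, and an unnamed entry in the GloballyOpenPorts list. The following is an added example (not part of the thread and not ComboFix's own code) that parses that REGEDIT4-style section and reports such settings; the log fragment it runs on is constructed in the same layout, using those three entries plus one ordinary Run value.

```python
"""Flag weakened security settings in the 'Reg Loading Points' section of a
ComboFix log.  Added example, not ComboFix's own code; the fragment below is
constructed in the log's layout."""

SAMPLE_REG_SECTION = """\
REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"<NO NAME>"=
"""


def parse_reg_section(text):
    """Return {key_path: {value_name: raw_value}} from REGEDIT4-style lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            # '"name"=value' -> split on the first '"=' after the opening quote
            name, _, value = line[1:].partition('"=')
            keys[current][name] = value.strip()
    return keys


def find_weak_settings(keys):
    """Return (key_path, finding) pairs for settings that deserve a second look."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith("\\security center") and values.get("AntiVirusOverride") == "dword:00000001":
            findings.append((path, "Security Center antivirus monitoring is overridden"))
        if low.endswith("\\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append((path, "Windows Firewall is disabled in the standard profile"))
        if low.endswith("\\globallyopenports\\list") and "<NO NAME>" in values:
            findings.append((path, "unnamed entry in the globally open ports list"))
    return findings


if __name__ == "__main__":
    for key_path, finding in find_weak_settings(parse_reg_section(SAMPLE_REG_SECTION)):
        print(f"{finding}\n    at {key_path}")
```

Context decides which findings matter. Here the log header reports the Norton 360 firewall as enabled, so the Windows Firewall being off is expected rather than a sign of tampering, and the helper's script already deleted the unnamed open-port entry (the `"<NO NAME>"=-` line). The override of Security Center monitoring is the kind of setting to confirm was set by the installed suite and not by something else.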
  3. Bobbye Helper on the Fringe

    The logs are clean. Do you have any other malware related issues? If not:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    You can put the new router in now.
  4. BrianB Newcomer, in training

    Bless you! I think I'm good now. PC running like it's brand new. Just amazing. Thank you very much.

    The question is now... so I don't have to come back and be a pain in the ****... what do I run along with my Norton 360 to keep me safe? And I'm still wondering, is it the ThinkPoint virus all I had or was it multiple things? Those intrusions Norton blocked that I put in my first post seem like things other than Thinkpoint? I do my banking on that pc so I can't help but wonder if info has been gathered for a while. Just being paranoid I guess....
  5. Bobbye Helper on the Fringe

    You're welcome. We removed everything that was found. Here are some tips for additional security. Just keep in mind that the user is the first line of security> so safe surfing goes a long way! You should change all of your passwords and monitor the online financial transactions.

    Tips for added security and safer browsing:
    Note: All of these programs may not work on Windows 7 or a 64bit OS.
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software(only one):Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is Up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
      [o]MVPS Hosts files This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Get the free Google Toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
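The MVPS HOSTS tip in the list above works by pointing known ad and tracking hosts at 127.0.0.1, so a HOSTS file of that kind should contain nothing but loopback (or 0.0.0.0) entries; an entry that sends a host to any other address is not a block and is worth investigating. The following is an added example (not from this thread and not MVPS's own tooling) that audits a HOSTS file on that rule; the sample file is constructed, and 198.51.100.7 is a documentation-range address standing in for a suspicious redirect.

```python
"""Audit a HOSTS file: separate MVPS-style blocking entries (loopback or
0.0.0.0) from entries that redirect a host to some other address.  Added
example, not from the thread or from MVPS; the sample file is constructed."""
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample in HOSTS-file syntax
127.0.0.1       localhost
127.0.0.1       ads.example        # MVPS-style block
0.0.0.0         tracker.example    # also a block (unspecified address)
198.51.100.7    bank.example       # redirect to a routable address: suspicious
"""


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()  # one address, one or more host names
        entries.extend((addr, name.lower()) for name in names)
    return entries


def is_blocking_address(addr):
    """True for loopback (127.0.0.0/8 or ::1) or the unspecified address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address: treat as not a clean block
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Split the file's entries into (blocks, redirects)."""
    blocks, redirects = [], []
    for addr, name in parse_hosts(text):
        (blocks if is_blocking_address(addr) else redirects).append((addr, name))
    return blocks, redirects


if __name__ == "__main__":
    blocks, redirects = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocks)} blocking entries")
    for addr, name in redirects:
        print(f"suspicious redirect: {name} -> {addr}")
```

On Windows XP the live file is `%SystemRoot%\system32\drivers\etc\hosts`; reading it into `audit_hosts` instead of the constructed sample gives the same split for the real file.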
  6. BrianB Newcomer, in training

    Ok thanks. I will print this out and keep. Consider my case solved.
  7. Bobbye Helper on the Fringe

    I'll close this thread since the problem is resolved. In answer to your question in the PM:

    ThinkPoint is a rogue anti-spyware program that comes bundled with the fake Microsoft Security Essentials Alert. It will block task manager, registry editor and other tools too, claiming that these tools were blocked due to security reasons and might be infected with malicious code.

    The malware authors try to mimic legitimate programs in looks and what the action will be> that's why so many users get drawn into these programs. The main entry we see is hotfix.exe

    Did you have Think Point? I don't think you did. The hotfix.exe processes would have been running in the Task Manager and you didn't mention the system areas being blocked.