
Hiloti + Google hijack


  • This topic is locked
53 replies to this topic

#46 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 18 January 2010 - 06:24 AM

Great work, it looks like we are getting there. The random number files did appear to be related to Kaspersky when I was researching, so they should be fine. I would like you to run ComboFix again to see if there are any more problems. Are you still having any problems with your search being hijacked?

Please delete any copy of Combofix you have then download and run a new copy.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
If I have helped you, and you would like to make a donation to me, click here


#47 DaveGK

  • Topic Starter
  • Members
  • 33 posts

Posted 18 January 2010 - 11:04 PM

I haven't had any Google hijacks since the Kaspersky tool cleaned the rootkit it found. Here's the ComboFix log:
==========================================================

ComboFix 10-01-18.02 - David 01/18/2010 22:50:08.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.354 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\29730101f036533c486c3ad832bfb581\Cwd.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\2c7835a8a10669b6f202e17e474011e1\Process.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\68e97b02af7f01d132cf0e90dd7ad74a\Registry.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\7e677021f75ef44702a9219cd1855b55\List.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\88d0e8c4961b749c8fcc6400ca060fd2\WinError.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\a92e9d0745782753138e6c0f74be7f82\Socket.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\eb55096b87c792ab8b30d6cdefef8d12\Dumper.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\eca2604334cf65a36123562b3bd4a409\Encode.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\f1218e99b70f6a76d1c2fa98cba4ac46\Win32.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1264\perl58.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\054a515a11c7920cfc4d7faea7af4932\XS.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\12913763d8b9f06d2ca82771fcb306f1\Parser.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\14f8cfecb15e1c87916789ed739489ff\Expat.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\1661c0bf55e937fc17e888420955b231\Byte.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\18eb3d3d937ca6cb5e26d752e5330d95\Registry.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\1b8dbc9967c4559d794e3c3f32351f38\MD5.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\22647639fdd9ac2ac4e37e97d38d3fa3\POSIX.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\27a7d7c14d1dcc61c603e9aa84019c1c\OLE.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\29730101f036533c486c3ad832bfb581\Cwd.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\2c7835a8a10669b6f202e17e474011e1\Process.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\2eca23e437744e1286c6e3c4983737b5\IO.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\3a121330ee88767be4d2a6e2e01021de\File.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\514f58c7649fa1fe7afd0239e90bf91d\SHA1.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\531074183cd92c8ee6e38095fed64379\Detector.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\563d7ead40b59c49009856a0b10f2014\Array.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\5665e9d91ffd5329b4b069811edd98e1\XS.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\68e97b02af7f01d132cf0e90dd7ad74a\Registry.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\6ab3292ea2fe89cb7db3f546c718e6a8\B.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\6ecc81286663495601d2499da7def595\Zlib.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\6f1c2438342f9c681542a4c32ad1f17d\Storable.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\729aebf6338f07961c67068f1ec22bf5\FastCalc.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\776043a051266bed6315875a8a879b49\GD.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\79d2ba91dcd37057e0539ed55a845a5e\HiRes.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\86ca4b17d1dc927226fa1f37ebe2273c\Fcntl.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\88d0e8c4961b749c8fcc6400ca060fd2\WinError.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\899240261dde99660e14431e6d8d1fe9\DBI.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\8f7795dcbafc290e9d71b3cedc3f6470\Util.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\92e8b5997b24c470e95412a86a38765d\Base64.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\935d16d0d9563f34e09919b6d80fb3ed\Unicode.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\a507fccf2be25b878761a66bf411c201\mysql.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\a92e9d0745782753138e6c0f74be7f82\Socket.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\ad76515ff4d1de346e3888790190a3c0\API.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\c8268acd4616fc1069e936b486bd0ccf\vxs.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\c92f1c7d4396f53f4c5d352e2bd8c9a9\Syck.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\cd69c51b5253d9b11bea339b859819b7\ReadKey.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\d21e2f9367d0e3efd5d09cb808f66fd9\File.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\e13cf768ec1b1a37b205ba2cf243710f\Hostname.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\eafccbed965007c129598be76f4f1c36\Peek.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\eca2604334cf65a36123562b3bd4a409\Encode.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\f1218e99b70f6a76d1c2fa98cba4ac46\Win32.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\fa142febd5dc53f93f911452e1a99387\Hebrew.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1848\perl58.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\29730101f036533c486c3ad832bfb581\Cwd.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\2c7835a8a10669b6f202e17e474011e1\Process.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\68e97b02af7f01d132cf0e90dd7ad74a\Registry.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\7e677021f75ef44702a9219cd1855b55\List.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\88d0e8c4961b749c8fcc6400ca060fd2\WinError.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\a92e9d0745782753138e6c0f74be7f82\Socket.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\eb55096b87c792ab8b30d6cdefef8d12\Dumper.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\eca2604334cf65a36123562b3bd4a409\Encode.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\f1218e99b70f6a76d1c2fa98cba4ac46\Win32.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1264\perl58.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\054a515a11c7920cfc4d7faea7af4932\XS.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\12913763d8b9f06d2ca82771fcb306f1\Parser.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\14f8cfecb15e1c87916789ed739489ff\Expat.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\1661c0bf55e937fc17e888420955b231\Byte.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\18eb3d3d937ca6cb5e26d752e5330d95\Registry.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\1b8dbc9967c4559d794e3c3f32351f38\MD5.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\22647639fdd9ac2ac4e37e97d38d3fa3\POSIX.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\27a7d7c14d1dcc61c603e9aa84019c1c\OLE.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\29730101f036533c486c3ad832bfb581\Cwd.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\2c7835a8a10669b6f202e17e474011e1\Process.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\2eca23e437744e1286c6e3c4983737b5\IO.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\3a121330ee88767be4d2a6e2e01021de\File.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\514f58c7649fa1fe7afd0239e90bf91d\SHA1.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\531074183cd92c8ee6e38095fed64379\Detector.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\563d7ead40b59c49009856a0b10f2014\Array.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\5665e9d91ffd5329b4b069811edd98e1\XS.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\68e97b02af7f01d132cf0e90dd7ad74a\Registry.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\6ab3292ea2fe89cb7db3f546c718e6a8\B.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\6ecc81286663495601d2499da7def595\Zlib.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\6f1c2438342f9c681542a4c32ad1f17d\Storable.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\729aebf6338f07961c67068f1ec22bf5\FastCalc.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\776043a051266bed6315875a8a879b49\GD.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\79d2ba91dcd37057e0539ed55a845a5e\HiRes.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\86ca4b17d1dc927226fa1f37ebe2273c\Fcntl.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\88d0e8c4961b749c8fcc6400ca060fd2\WinError.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\899240261dde99660e14431e6d8d1fe9\DBI.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\8f7795dcbafc290e9d71b3cedc3f6470\Util.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\92e8b5997b24c470e95412a86a38765d\Base64.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\935d16d0d9563f34e09919b6d80fb3ed\Unicode.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\a507fccf2be25b878761a66bf411c201\mysql.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\a92e9d0745782753138e6c0f74be7f82\Socket.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\ad76515ff4d1de346e3888790190a3c0\API.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\c8268acd4616fc1069e936b486bd0ccf\vxs.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\c92f1c7d4396f53f4c5d352e2bd8c9a9\Syck.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\cd69c51b5253d9b11bea339b859819b7\ReadKey.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\d21e2f9367d0e3efd5d09cb808f66fd9\File.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\e13cf768ec1b1a37b205ba2cf243710f\Hostname.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\eafccbed965007c129598be76f4f1c36\Peek.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\eca2604334cf65a36123562b3bd4a409\Encode.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\f1218e99b70f6a76d1c2fa98cba4ac46\Win32.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\fa142febd5dc53f93f911452e1a99387\Hebrew.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1848\perl58.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-17 21:12 . 2010-01-17 21:14 79360 ----a-w- c:\windows\system32\drivers\kav_nvatabus.sys
2010-01-15 04:56 . 2010-01-15 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-01-15 04:50 . 2010-01-15 04:50 9158 ----a-r- c:\documents and settings\David\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2010-01-15 04:48 . 2008-01-10 02:05 593920 ------w- c:\windows\system32\ati2sgag.exe
2010-01-15 04:48 . 2008-01-10 02:58 307200 ----a-r- c:\windows\system32\atiiiexx.dll
2010-01-15 04:48 . 2008-01-10 03:07 368640 ----a-r- c:\windows\system32\ATIDEMGX.dll
2010-01-15 04:48 . 2008-01-10 02:35 887724 ----a-r- c:\windows\system32\ativva6x.dat
2010-01-15 04:48 . 2008-01-10 02:35 3107788 ----a-r- c:\windows\system32\ativva5x.dat
2010-01-15 04:48 . 2008-01-10 02:35 3107788 ----a-r- c:\windows\system32\ativvaxx.dat
2010-01-15 04:48 . 2008-01-07 14:43 165782 ----a-r- c:\windows\system32\atiicdxx.dat
2010-01-15 04:47 . 2010-01-15 04:52 -------- d-----w- c:\program files\ATI Technologies
2010-01-15 04:38 . 2010-01-15 04:38 -------- d-----w- c:\program files\Phyxion.net
2010-01-14 06:22 . 2004-07-09 09:26 354816 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2010-01-14 06:22 . 2004-07-09 09:26 354816 ----a-w- c:\windows\system32\psisdecd.dll
2010-01-14 06:22 . 2004-07-09 09:26 52096 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-01-14 06:22 . 2004-07-09 09:26 52096 ----a-w- c:\windows\system32\drivers\msdv.sys
2010-01-14 06:22 . 2004-07-09 09:26 15104 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-01-14 06:22 . 2004-07-09 09:26 15104 ----a-w- c:\windows\system32\drivers\mpe.sys
2010-01-14 06:22 . 2004-07-09 09:26 11392 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2010-01-14 06:22 . 2004-07-09 09:26 11392 ----a-w- c:\windows\system32\drivers\bdasup.sys
2010-01-14 06:21 . 2002-12-12 05:14 46592 ----a-w- c:\windows\system32\dxdllreg.exe
2010-01-12 04:59 . 2008-04-14 01:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-01-12 04:59 . 2008-04-14 01:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-01-12 04:59 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-01-12 04:59 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-01-12 04:59 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-01-12 04:59 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-01-12 04:59 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-01-12 04:59 . 2004-08-04 06:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-01-12 04:59 . 2004-08-04 06:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-01-12 04:59 . 2008-04-14 01:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-01-12 04:57 . 2008-04-13 19:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-01-12 04:56 . 2001-08-17 18:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-01-12 04:55 . 2008-04-14 01:12 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2010-01-12 04:54 . 2001-08-18 03:36 44544 -c--a-w- c:\windows\system32\dllcache\ovui2.dll
2010-01-12 04:53 . 2008-04-13 19:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-01-12 04:52 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-01-12 04:51 . 2001-08-18 03:34 9216 -c--a-w- c:\windows\system32\dllcache\ibmsgnet.dll
2010-01-12 04:50 . 2001-08-17 17:13 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys
2010-01-12 04:49 . 2001-08-18 03:36 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-01-12 04:48 . 2001-08-18 03:36 32256 -c--a-w- c:\windows\system32\dllcache\diapi2NT.dll
2010-01-12 04:47 . 2001-08-17 17:49 9472 -c--a-w- c:\windows\system32\dllcache\ativmdcd.sys
2010-01-12 04:46 . 2008-04-13 19:46 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
2010-01-12 04:46 . 2001-08-17 19:55 38400 -c--a-w- c:\windows\system32\dllcache\8514a.dll
2010-01-12 04:46 . 2008-04-13 19:40 12288 -c--a-w- c:\windows\system32\dllcache\4mmdat.sys
2010-01-12 04:46 . 2001-08-17 19:55 689216 -c--a-w- c:\windows\system32\dllcache\3dfxvs.dll
2010-01-12 04:46 . 2001-08-17 17:48 148352 -c--a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2010-01-12 04:46 . 2001-08-17 19:06 11264 -c--a-w- c:\windows\system32\dllcache\1394vdbg.sys
2010-01-12 04:46 . 2001-08-17 18:28 762780 -c--a-w- c:\windows\system32\dllcache\3cwmcru.sys
2010-01-12 04:46 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-01-09 02:43 . 2010-01-09 02:43 -------- d-----w- C:\_OTL
2010-01-05 05:51 . 2010-01-05 05:52 -------- d-----w- C:\rsit
2010-01-05 05:25 . 2010-01-05 05:25 -------- d-----w- c:\program files\Sun
2010-01-05 05:25 . 2010-01-05 05:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-05 03:57 . 2010-01-05 05:52 -------- d-----w- c:\program files\trend micro
2010-01-05 03:26 . 2010-01-16 14:53 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 15:23 . 2008-02-14 09:03 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-16 15:23 . 2008-02-14 09:12 168 --sh--r- c:\windows\system32\C875C4C38F.sys
2010-01-16 14:54 . 2009-12-08 09:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 04:56 . 2008-03-06 04:58 -------- d-----w- c:\documents and settings\David\Application Data\ATI
2010-01-15 04:48 . 2004-10-17 14:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-15 04:30 . 2008-03-06 04:54 -------- d-----w- c:\program files\Common Files\ATI Technologies
2010-01-07 21:07 . 2009-12-08 09:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-08 09:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 06:43 . 2009-04-01 01:45 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-05 05:25 . 2005-05-01 08:29 -------- d-----w- c:\program files\Java
2010-01-04 05:46 . 2004-10-17 10:51 79360 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2010-01-03 23:48 . 2006-10-17 03:01 -------- d-----w- c:\documents and settings\David\Application Data\Empire Download Manager
2009-12-16 05:40 . 2007-04-14 13:38 -------- d-----w- c:\documents and settings\David\Application Data\uTorrent
2009-12-09 06:42 . 2009-12-09 06:42 -------- d-----w- c:\program files\ESET
2009-12-09 06:42 . 2009-12-09 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-12-08 09:54 . 2009-12-08 09:54 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2009-12-08 09:54 . 2009-12-08 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-08 09:43 . 2009-08-06 03:29 -------- d-----w- c:\documents and settings\David\Application Data\foobar2000
2009-11-14 05:15 . 2009-05-09 16:21 143976 ----a-w- c:\documents and settings\David\Application Data\Move Networks\uninstall.exe
2009-11-14 05:15 . 2009-10-16 04:45 5646272 ----a-w- c:\documents and settings\David\Application Data\Move Networks\plugins\npqmp071701000008.dll
2009-11-14 05:15 . 2009-11-14 05:15 1794376 ----a-w- c:\documents and settings\David\Application Data\Move Networks\MoveMediaPlayerWin_071701000008.exe
2009-11-07 00:38 . 2009-11-07 00:38 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-04 00:09 . 2009-11-04 00:09 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-04 00:09 . 2009-11-04 00:09 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-04 00:08 . 2009-11-04 00:08 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-04 00:08 . 2009-06-01 05:03 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-04 00:08 . 2009-05-04 05:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-04 00:07 . 2009-11-04 00:07 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-04 00:07 . 2009-11-04 00:07 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-04 00:06 . 2009-11-04 00:06 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-04 00:06 . 2009-11-04 00:06 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-04 00:00 . 2009-07-06 05:03 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2003-12-18 17:33 . 2004-11-14 07:34 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 13:46 . 2004-11-14 07:34 10960 ----a-w- c:\program files\EULA.txt
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-06-04 22:04 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-04 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-04 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-18 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-03-05 516096]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"CTHelper"="CTHELPER.EXE" [2006-05-24 17920]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-21 788880]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-28 198160]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-04 25600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-05 149280]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SqueezeCenter Tray Tool.lnk - c:\program files\SqueezeCenter\SqueezeTray.exe [2009-8-13 1814617]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-10-31 00:52 16200 ----a-w- c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Documents and Settings\\David\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp (UI)
"9001:TCP"= 9001:TCP:SqueezeCenter 9001 tcp (UI)
"9002:TCP"= 9002:TCP:SqueezeCenter 9002 tcp (UI)
"9003:TCP"= 9003:TCP:SqueezeCenter 9003 tcp (UI)
"9004:TCP"= 9004:TCP:SqueezeCenter 9004 tcp (UI)
"9005:TCP"= 9005:TCP:SqueezeCenter 9005 tcp (UI)
"9006:TCP"= 9006:TCP:SqueezeCenter 9006 tcp (UI)
"9007:TCP"= 9007:TCP:SqueezeCenter 9007 tcp (UI)
"9008:TCP"= 9008:TCP:SqueezeCenter 9008 tcp (UI)
"9009:TCP"= 9009:TCP:SqueezeCenter 9009 tcp (UI)
"9010:TCP"= 9010:TCP:SqueezeCenter 9010 tcp (UI)
"9100:TCP"= 9100:TCP:SqueezeCenter 9100 tcp (UI)
"8000:TCP"= 8000:TCP:SqueezeCenter 8000 tcp (UI)
"10000:TCP"= 10000:TCP:SqueezeCenter 10000 tcp (UI)
"9090:TCP"= 9090:TCP:SqueezeCenter 9090 tcp (UI)
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/3/2009 7:09 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/29/2008 8:27 PM 28544]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
R3 dmxfire;DMX6fire WDM Audio;c:\windows\system32\drivers\dmx6fire.sys [8/29/2003 9:30 AM 148724]
R3 dmxsens;dmxsens;c:\windows\system32\drivers\dmxsens.sys [7/22/2003 2:07 PM 403968]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [3/18/2009 10:26 PM 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 12:21 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 12:21 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 12:21 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 12:21 AM 1324056]
S3 ctgame;Game Port;c:\windows\system32\drivers\CTGAME.SYS [12/29/2002 9:53 PM 12160]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 12:21 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 12:21 AM 72728]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
S3 t556666rr;t556666rr;\??\c:\windows\system32\drivers\t556666rr.sys --> c:\windows\system32\drivers\t556666rr.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 00:09]

2009-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-19 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-06-04 22:04]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to AD Black List - c:\program files\Avant Browser\AddToADBlackList.htm
IE: Block All Images from the Same Server - c:\program files\Avant Browser\AddAllToADBlackList.htm
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Highlight - c:\program files\Avant Browser\Highlight.htm
IE: Open All Links in This Page... - c:\program files\Avant Browser\OpenAllLinks.htm
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Search - c:\program files\Avant Browser\Search.htm
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\xxum8275.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\David\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\David\Application Data\Move Networks\plugins\npqmp071701000008.dll
FF - plugin: c:\program files\Itiva\Itiva Media Accelerator\npima.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 22:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5000)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\documents and settings\David\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\nvidia\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\nvidia\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\PSIService.exe
c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\progra~1\SQUEEZ~1\server\SQUEEZ~1.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-18 23:02:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 04:02
ComboFix2.txt 2010-01-07 07:40
ComboFix3.txt 2010-01-06 05:48

Pre-Run: 7,949,914,112 bytes free
Post-Run: 8,435,138,560 bytes free

- - End Of File - - F7F57B86C67F19B3E6356607E0ACE854

#48 DaveGK

DaveGK
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:12:53 PM

Posted 18 January 2010 - 11:20 PM

My system still freezes up when I try to run the full RootRepeal scan.

#49 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:53 PM

Posted 19 January 2010 - 03:27 AM

Just one thing to remove in that log; apart from that it looks fine to me. I wouldn't worry about RootRepeal not running unless you are having
any other problem; it could just be a problem with the program and not malware.


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
t556666rr

Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
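A small triage script for the ComboFix driver/service lines quoted in this thread, added here as an example (it is not ComboFix's or the forum's own code). It parses the `R0`/`S3` entries, flags the `[?]` ones where ComboFix could not find the image file, random-looking names and drivers living under a user profile, and builds the `Driver::` CFScript text for entries an analyst has confirmed. The sample lines are copied from the log above; the heuristics, thresholds and function names are this example's own.

```python
"""Triage ComboFix 'Drivers/Services' lines for entries worth a closer look.

Added example, not ComboFix's own code. The sample lines below are copied
from the log quoted in this thread; the heuristics are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: six lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/3/2009 7:09 PM 64288]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
S3 ctgame;Game Port;c:\windows\system32\drivers\CTGAME.SYS [12/29/2002 9:53 PM 12160]
S3 t556666rr;t556666rr;\??\c:\windows\system32\drivers\t556666rr.sys --> c:\windows\system32\drivers\t556666rr.sys [?]
S3 DEEPMON;DEEPMON;\??\c:\documents and settings\David\My Documents\Downloads\DeepMonitor.sys --> c:\documents and settings\David\My Documents\Downloads\DeepMonitor.sys [?]
"""

# Line shape as read from the log: "<R|S><start> <name>;<display>;<image> [<date size> | ?]"
# R = running, S = stopped; the digit is the Windows start type (assumption of this example).
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_DIRS = ("c:\\documents and settings\\", "c:\\docume~1\\", "c:\\users\\")


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display: str
    image: str           # resolved path (text after '-->' when ComboFix printed one)
    nt_prefix: bool      # ImagePath was registered in the \??\ object-manager form
    file_seen: bool      # False when ComboFix printed [?] instead of date and size
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[ServiceEntry]:
    """Parse every driver/service line; lines of any other shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        state, start, name, display, path, detail = m.groups()
        nt_prefix = path.startswith("\\??\\")
        if " --> " in path:
            path = path.split(" --> ", 1)[1]
        entries.append(ServiceEntry(
            running=(state == "R"), start_type=START_TYPES[start],
            name=name, display=display, image=path.strip(),
            nt_prefix=nt_prefix, file_seen=(detail.strip() != "?"),
        ))
    return entries


def looks_random(name: str) -> bool:
    """Letters and digits mixed with a long digit run, e.g. 't556666rr'.
    Vendor names such as 'CT20XUT' have only a couple of digits and pass."""
    digits = sum(ch.isdigit() for ch in name)
    letters = sum(ch.isalpha() for ch in name)
    return name.isalnum() and digits >= 4 and letters >= 2


def triage(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Attach heuristic flags and return only the entries that earned one.
    Flags are leads for an analyst, not verdicts: this thread's t556666rr is
    flagged here, and the poster later says it was his own renamed RootRepeal."""
    for e in entries:
        e.flags = []
        image = e.image.lower()
        if not e.file_seen:
            e.flags.append("image-missing")       # file gone, or hidden from ComboFix
        if e.nt_prefix:
            e.flags.append("nt-path-prefix")      # typical of hand-registered drivers
        if looks_random(e.name):
            e.flags.append("random-name")
        if image.startswith(USER_DIRS):
            e.flags.append("user-profile-path")   # drivers do not normally live here
        elif not image.startswith(SYSTEM_DIRS):
            e.flags.append("unusual-path")
    return [e for e in entries if e.flags]


def cfscript_for(names: List[str]) -> str:
    """Build the CFScript text used in this thread to remove a driver entry.
    Only pass names an analyst has confirmed as unwanted."""
    return "Driver::\n" + "".join(n + "\n" for n in names)


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        state = "running" if e.running else "stopped"
        print(f"{e.name:<12} {state}/{e.start_type:<8} {', '.join(e.flags)}")
        print(f"{'':<12} {e.image}")
    # On the sample, t556666rr and DEEPMON are the only entries flagged.
```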

#50 DaveGK

DaveGK
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:12:53 PM

Posted 19 January 2010 - 08:32 AM

I think "t556666rr" is something I renamed RootRepeal to one time before running it.
================================================================

ComboFix 10-01-18.02 - David 01/19/2010 8:15.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.415 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\29730101f036533c486c3ad832bfb581\Cwd.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\2c7835a8a10669b6f202e17e474011e1\Process.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\68e97b02af7f01d132cf0e90dd7ad74a\Registry.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\7e677021f75ef44702a9219cd1855b55\List.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\88d0e8c4961b749c8fcc6400ca060fd2\WinError.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\a92e9d0745782753138e6c0f74be7f82\Socket.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\eb55096b87c792ab8b30d6cdefef8d12\Dumper.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\eca2604334cf65a36123562b3bd4a409\Encode.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\f1218e99b70f6a76d1c2fa98cba4ac46\Win32.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-1272\perl58.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\054a515a11c7920cfc4d7faea7af4932\XS.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\12913763d8b9f06d2ca82771fcb306f1\Parser.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\14f8cfecb15e1c87916789ed739489ff\Expat.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\1661c0bf55e937fc17e888420955b231\Byte.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\18eb3d3d937ca6cb5e26d752e5330d95\Registry.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\1b8dbc9967c4559d794e3c3f32351f38\MD5.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\22647639fdd9ac2ac4e37e97d38d3fa3\POSIX.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\27a7d7c14d1dcc61c603e9aa84019c1c\OLE.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\29730101f036533c486c3ad832bfb581\Cwd.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\2c7835a8a10669b6f202e17e474011e1\Process.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\2eca23e437744e1286c6e3c4983737b5\IO.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\3a121330ee88767be4d2a6e2e01021de\File.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\514f58c7649fa1fe7afd0239e90bf91d\SHA1.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\531074183cd92c8ee6e38095fed64379\Detector.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\563d7ead40b59c49009856a0b10f2014\Array.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\5665e9d91ffd5329b4b069811edd98e1\XS.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\68e97b02af7f01d132cf0e90dd7ad74a\Registry.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\6ab3292ea2fe89cb7db3f546c718e6a8\B.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\6ecc81286663495601d2499da7def595\Zlib.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\6f1c2438342f9c681542a4c32ad1f17d\Storable.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\729aebf6338f07961c67068f1ec22bf5\FastCalc.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\776043a051266bed6315875a8a879b49\GD.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\79d2ba91dcd37057e0539ed55a845a5e\HiRes.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\86ca4b17d1dc927226fa1f37ebe2273c\Fcntl.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\88d0e8c4961b749c8fcc6400ca060fd2\WinError.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\899240261dde99660e14431e6d8d1fe9\DBI.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\8f7795dcbafc290e9d71b3cedc3f6470\Util.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\92e8b5997b24c470e95412a86a38765d\Base64.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\935d16d0d9563f34e09919b6d80fb3ed\Unicode.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\a507fccf2be25b878761a66bf411c201\mysql.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\a92e9d0745782753138e6c0f74be7f82\Socket.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\ad76515ff4d1de346e3888790190a3c0\API.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\c8268acd4616fc1069e936b486bd0ccf\vxs.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\c92f1c7d4396f53f4c5d352e2bd8c9a9\Syck.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\cd69c51b5253d9b11bea339b859819b7\ReadKey.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\d21e2f9367d0e3efd5d09cb808f66fd9\File.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\e13cf768ec1b1a37b205ba2cf243710f\Hostname.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\eafccbed965007c129598be76f4f1c36\Peek.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\eca2604334cf65a36123562b3bd4a409\Encode.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\f1218e99b70f6a76d1c2fa98cba4ac46\Win32.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\fa142febd5dc53f93f911452e1a99387\Hebrew.dll
c:\docume~1\David\LOCALS~1\Temp\pdk-David-2192\perl58.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\29730101f036533c486c3ad832bfb581\Cwd.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\2c7835a8a10669b6f202e17e474011e1\Process.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\68e97b02af7f01d132cf0e90dd7ad74a\Registry.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\7e677021f75ef44702a9219cd1855b55\List.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\88d0e8c4961b749c8fcc6400ca060fd2\WinError.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\a92e9d0745782753138e6c0f74be7f82\Socket.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\eb55096b87c792ab8b30d6cdefef8d12\Dumper.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\eca2604334cf65a36123562b3bd4a409\Encode.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\f1218e99b70f6a76d1c2fa98cba4ac46\Win32.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-1272\perl58.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\054a515a11c7920cfc4d7faea7af4932\XS.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\12913763d8b9f06d2ca82771fcb306f1\Parser.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\14f8cfecb15e1c87916789ed739489ff\Expat.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\1661c0bf55e937fc17e888420955b231\Byte.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\18eb3d3d937ca6cb5e26d752e5330d95\Registry.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\1b8dbc9967c4559d794e3c3f32351f38\MD5.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\22647639fdd9ac2ac4e37e97d38d3fa3\POSIX.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\27a7d7c14d1dcc61c603e9aa84019c1c\OLE.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\29730101f036533c486c3ad832bfb581\Cwd.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\2c7835a8a10669b6f202e17e474011e1\Process.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\2eca23e437744e1286c6e3c4983737b5\IO.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\3a121330ee88767be4d2a6e2e01021de\File.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\514f58c7649fa1fe7afd0239e90bf91d\SHA1.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\531074183cd92c8ee6e38095fed64379\Detector.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\563d7ead40b59c49009856a0b10f2014\Array.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\5665e9d91ffd5329b4b069811edd98e1\XS.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\68e97b02af7f01d132cf0e90dd7ad74a\Registry.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\6ab3292ea2fe89cb7db3f546c718e6a8\B.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\6ecc81286663495601d2499da7def595\Zlib.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\6f1c2438342f9c681542a4c32ad1f17d\Storable.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\729aebf6338f07961c67068f1ec22bf5\FastCalc.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\776043a051266bed6315875a8a879b49\GD.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\79d2ba91dcd37057e0539ed55a845a5e\HiRes.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\86ca4b17d1dc927226fa1f37ebe2273c\Fcntl.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\88d0e8c4961b749c8fcc6400ca060fd2\WinError.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\899240261dde99660e14431e6d8d1fe9\DBI.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\8f7795dcbafc290e9d71b3cedc3f6470\Util.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\92e8b5997b24c470e95412a86a38765d\Base64.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\935d16d0d9563f34e09919b6d80fb3ed\Unicode.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\a507fccf2be25b878761a66bf411c201\mysql.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\a92e9d0745782753138e6c0f74be7f82\Socket.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\ad76515ff4d1de346e3888790190a3c0\API.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\c8268acd4616fc1069e936b486bd0ccf\vxs.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\c92f1c7d4396f53f4c5d352e2bd8c9a9\Syck.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\cd69c51b5253d9b11bea339b859819b7\ReadKey.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\d21e2f9367d0e3efd5d09cb808f66fd9\File.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\e13cf768ec1b1a37b205ba2cf243710f\Hostname.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\eafccbed965007c129598be76f4f1c36\Peek.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\eca2604334cf65a36123562b3bd4a409\Encode.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\f1218e99b70f6a76d1c2fa98cba4ac46\Win32.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\fa142febd5dc53f93f911452e1a99387\Hebrew.dll
c:\documents and settings\David\Local Settings\temp\pdk-David-2192\perl58.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_T556666RR
-------\Service_t556666rr


((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-17 21:12 . 2010-01-17 21:14 79360 ----a-w- c:\windows\system32\drivers\kav_nvatabus.sys
2010-01-15 04:56 . 2010-01-15 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-01-15 04:50 . 2010-01-15 04:50 9158 ----a-r- c:\documents and settings\David\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2010-01-15 04:48 . 2008-01-10 02:05 593920 ------w- c:\windows\system32\ati2sgag.exe
2010-01-15 04:48 . 2008-01-10 02:58 307200 ----a-r- c:\windows\system32\atiiiexx.dll
2010-01-15 04:48 . 2008-01-10 03:07 368640 ----a-r- c:\windows\system32\ATIDEMGX.dll
2010-01-15 04:48 . 2008-01-10 02:35 887724 ----a-r- c:\windows\system32\ativva6x.dat
2010-01-15 04:48 . 2008-01-10 02:35 3107788 ----a-r- c:\windows\system32\ativva5x.dat
2010-01-15 04:48 . 2008-01-10 02:35 3107788 ----a-r- c:\windows\system32\ativvaxx.dat
2010-01-15 04:48 . 2008-01-07 14:43 165782 ----a-r- c:\windows\system32\atiicdxx.dat
2010-01-15 04:47 . 2010-01-15 04:52 -------- d-----w- c:\program files\ATI Technologies
2010-01-15 04:38 . 2010-01-15 04:38 -------- d-----w- c:\program files\Phyxion.net
2010-01-14 06:22 . 2004-07-09 09:26 354816 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2010-01-14 06:22 . 2004-07-09 09:26 354816 ----a-w- c:\windows\system32\psisdecd.dll
2010-01-14 06:22 . 2004-07-09 09:26 52096 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-01-14 06:22 . 2004-07-09 09:26 52096 ----a-w- c:\windows\system32\drivers\msdv.sys
2010-01-14 06:22 . 2004-07-09 09:26 15104 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-01-14 06:22 . 2004-07-09 09:26 15104 ----a-w- c:\windows\system32\drivers\mpe.sys
2010-01-14 06:22 . 2004-07-09 09:26 11392 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2010-01-14 06:22 . 2004-07-09 09:26 11392 ----a-w- c:\windows\system32\drivers\bdasup.sys
2010-01-14 06:21 . 2002-12-12 05:14 46592 ----a-w- c:\windows\system32\dxdllreg.exe
2010-01-12 04:59 . 2008-04-14 01:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-01-12 04:59 . 2008-04-14 01:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-01-12 04:59 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-01-12 04:59 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-01-12 04:59 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-01-12 04:59 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-01-12 04:59 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-01-12 04:59 . 2004-08-04 06:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-01-12 04:59 . 2004-08-04 06:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-01-12 04:59 . 2008-04-14 01:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-01-12 04:57 . 2008-04-13 19:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-01-12 04:56 . 2001-08-17 18:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-01-12 04:55 . 2008-04-14 01:12 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2010-01-12 04:54 . 2001-08-18 03:36 44544 -c--a-w- c:\windows\system32\dllcache\ovui2.dll
2010-01-12 04:53 . 2008-04-13 19:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-01-12 04:52 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-01-12 04:51 . 2001-08-18 03:34 9216 -c--a-w- c:\windows\system32\dllcache\ibmsgnet.dll
2010-01-12 04:50 . 2001-08-17 17:13 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys
2010-01-12 04:49 . 2001-08-18 03:36 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2010-01-12 04:48 . 2001-08-18 03:36 32256 -c--a-w- c:\windows\system32\dllcache\diapi2NT.dll
2010-01-12 04:47 . 2001-08-17 17:49 9472 -c--a-w- c:\windows\system32\dllcache\ativmdcd.sys
2010-01-12 04:46 . 2008-04-13 19:46 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
2010-01-12 04:46 . 2001-08-17 19:55 38400 -c--a-w- c:\windows\system32\dllcache\8514a.dll
2010-01-12 04:46 . 2008-04-13 19:40 12288 -c--a-w- c:\windows\system32\dllcache\4mmdat.sys
2010-01-12 04:46 . 2001-08-17 19:55 689216 -c--a-w- c:\windows\system32\dllcache\3dfxvs.dll
2010-01-12 04:46 . 2001-08-17 17:48 148352 -c--a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2010-01-12 04:46 . 2001-08-17 19:06 11264 -c--a-w- c:\windows\system32\dllcache\1394vdbg.sys
2010-01-12 04:46 . 2001-08-17 18:28 762780 -c--a-w- c:\windows\system32\dllcache\3cwmcru.sys
2010-01-12 04:46 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-01-09 02:43 . 2010-01-09 02:43 -------- d-----w- C:\_OTL
2010-01-05 05:51 . 2010-01-05 05:52 -------- d-----w- C:\rsit
2010-01-05 05:25 . 2010-01-05 05:25 -------- d-----w- c:\program files\Sun
2010-01-05 05:25 . 2010-01-05 05:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-05 03:57 . 2010-01-05 05:52 -------- d-----w- c:\program files\trend micro
2010-01-05 03:26 . 2010-01-16 14:53 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 15:23 . 2008-02-14 09:03 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-16 15:23 . 2008-02-14 09:12 168 --sh--r- c:\windows\system32\C875C4C38F.sys
2010-01-16 14:54 . 2009-12-08 09:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 04:56 . 2008-03-06 04:58 -------- d-----w- c:\documents and settings\David\Application Data\ATI
2010-01-15 04:48 . 2004-10-17 14:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-15 04:30 . 2008-03-06 04:54 -------- d-----w- c:\program files\Common Files\ATI Technologies
2010-01-07 21:07 . 2009-12-08 09:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-08 09:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 06:43 . 2009-04-01 01:45 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-05 05:25 . 2005-05-01 08:29 -------- d-----w- c:\program files\Java
2010-01-04 05:46 . 2004-10-17 10:51 79360 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2010-01-03 23:48 . 2006-10-17 03:01 -------- d-----w- c:\documents and settings\David\Application Data\Empire Download Manager
2009-12-16 05:40 . 2007-04-14 13:38 -------- d-----w- c:\documents and settings\David\Application Data\uTorrent
2009-12-09 06:42 . 2009-12-09 06:42 -------- d-----w- c:\program files\ESET
2009-12-09 06:42 . 2009-12-09 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-12-08 09:54 . 2009-12-08 09:54 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2009-12-08 09:54 . 2009-12-08 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-08 09:43 . 2009-08-06 03:29 -------- d-----w- c:\documents and settings\David\Application Data\foobar2000
2009-11-14 05:15 . 2009-05-09 16:21 143976 ----a-w- c:\documents and settings\David\Application Data\Move Networks\uninstall.exe
2009-11-14 05:15 . 2009-10-16 04:45 5646272 ----a-w- c:\documents and settings\David\Application Data\Move Networks\plugins\npqmp071701000008.dll
2009-11-14 05:15 . 2009-11-14 05:15 1794376 ----a-w- c:\documents and settings\David\Application Data\Move Networks\MoveMediaPlayerWin_071701000008.exe
2009-11-07 00:38 . 2009-11-07 00:38 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-04 00:09 . 2009-11-04 00:09 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-04 00:09 . 2009-11-04 00:09 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-04 00:08 . 2009-11-04 00:08 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-04 00:08 . 2009-06-01 05:03 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-04 00:08 . 2009-05-04 05:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-04 00:07 . 2009-11-04 00:07 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-04 00:07 . 2009-11-04 00:07 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-04 00:06 . 2009-11-04 00:06 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-04 00:06 . 2009-11-04 00:06 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-04 00:00 . 2009-07-06 05:03 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2003-12-18 17:33 . 2004-11-14 07:34 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 13:46 . 2004-11-14 07:34 10960 ----a-w- c:\program files\EULA.txt
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-06-04 22:04 1144712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-04 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-04 1144712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-07-18 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2008-03-05 516096]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"CTHelper"="CTHELPER.EXE" [2006-05-24 17920]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-21 788880]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-28 198160]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-04 25600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-05 149280]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SqueezeCenter Tray Tool.lnk - c:\program files\SqueezeCenter\SqueezeTray.exe [2009-8-13 1814617]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-10-31 00:52 16200 ----a-w- c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Documents and Settings\\David\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp (UI)
"9001:TCP"= 9001:TCP:SqueezeCenter 9001 tcp (UI)
"9002:TCP"= 9002:TCP:SqueezeCenter 9002 tcp (UI)
"9003:TCP"= 9003:TCP:SqueezeCenter 9003 tcp (UI)
"9004:TCP"= 9004:TCP:SqueezeCenter 9004 tcp (UI)
"9005:TCP"= 9005:TCP:SqueezeCenter 9005 tcp (UI)
"9006:TCP"= 9006:TCP:SqueezeCenter 9006 tcp (UI)
"9007:TCP"= 9007:TCP:SqueezeCenter 9007 tcp (UI)
"9008:TCP"= 9008:TCP:SqueezeCenter 9008 tcp (UI)
"9009:TCP"= 9009:TCP:SqueezeCenter 9009 tcp (UI)
"9010:TCP"= 9010:TCP:SqueezeCenter 9010 tcp (UI)
"9100:TCP"= 9100:TCP:SqueezeCenter 9100 tcp (UI)
"8000:TCP"= 8000:TCP:SqueezeCenter 8000 tcp (UI)
"10000:TCP"= 10000:TCP:SqueezeCenter 10000 tcp (UI)
"9090:TCP"= 9090:TCP:SqueezeCenter 9090 tcp (UI)
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/3/2009 7:09 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/29/2008 8:27 PM 28544]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
R3 dmxfire;DMX6fire WDM Audio;c:\windows\system32\drivers\dmx6fire.sys [8/29/2003 9:30 AM 148724]
R3 dmxsens;dmxsens;c:\windows\system32\drivers\dmxsens.sys [7/22/2003 2:07 PM 403968]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [3/18/2009 10:26 PM 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 12:21 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 12:21 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 12:21 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 12:21 AM 1324056]
S3 ctgame;Game Port;c:\windows\system32\drivers\CTGAME.SYS [12/29/2002 9:53 PM 12160]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 12:21 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 12:21 AM 72728]
S3 DEEPMON;DEEPMON;\??\c:\documents and settings\David\My Documents\Downloads\DeepMonitor.sys --> c:\documents and settings\David\My Documents\Downloads\DeepMonitor.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
.
Contents of the 'Scheduled Tasks' folder

2010-01-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 00:09]

2009-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-19 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-06-04 22:04]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to AD Black List - c:\program files\Avant Browser\AddToADBlackList.htm
IE: Block All Images from the Same Server - c:\program files\Avant Browser\AddAllToADBlackList.htm
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Highlight - c:\program files\Avant Browser\Highlight.htm
IE: Open All Links in This Page... - c:\program files\Avant Browser\OpenAllLinks.htm
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Search - c:\program files\Avant Browser\Search.htm
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\xxum8275.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\David\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\David\Application Data\Move Networks\plugins\npqmp071701000008.dll
FF - plugin: c:\program files\Itiva\Itiva Media Accelerator\npima.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 08:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3584)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\documents and settings\David\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\nvidia\NetworkAccessManager\bin\nSvcIp.exe
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\nvidia\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\PSIService.exe
c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\progra~1\SQUEEZ~1\server\SQUEEZ~1.EXE
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-19 08:27:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 13:27
ComboFix2.txt 2010-01-19 04:02
ComboFix3.txt 2010-01-07 07:40
ComboFix4.txt 2010-01-06 05:48

Pre-Run: 8,364,064,768 bytes free
Post-Run: 8,337,108,992 bytes free

- - End Of File - - BB662AAFD933AC51DF894CD2A4D38165

#51 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:53 PM

Posted 20 January 2010 - 02:35 AM

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /; it needs to be there.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates are always enabled.

To do this, click on Start >> Control Panel >> Automatic Updates and click Automatic (recommended), then Apply and OK.

Update your AntiVirus Software
It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I can not stress how important it is that you use a third party firewall on your computer. Without a firewall your computer is
susceptible to being hacked and taken over. Windows Firewall is good for blocking inbound connections but it does not block
outbound connections. So if malware manages to get onto your computer it will be able to send data out when it wants.
Here are some free firewalls I would recommend; only install one of these.

Zone Alarm
Comodo. Note: Only install the firewall as a standalone if you already have an antivirus installed on your computer.

After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall
and choose Off (not recommended) option. Then click Apply and Ok.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download it and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler
If I have helped you, and you would like to make a donation to me, click here
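To make concrete what the MVPS hosts advice in the post above actually does, here is an added example. It is not code from the thread, from MVPS or from any tool mentioned in it: a small Python audit that parses a Windows hosts file, reports which names an MVPS-style list sinkholes (entries pointing at 0.0.0.0 or 127.0.0.1) and, going one step beyond the post, also lists entries that send a name to any other address, since those are the ones worth reviewing on a machine that has just had a search hijack cleaned. The hosts content is constructed for the example: the blocked names use the reserved .invalid domain and the 198.51.100.x address is a documentation range, not a real server.

```python
"""Audit a Windows HOSTS file for MVPS-style sinkhole entries and redirect entries.

Added example, not code from the BleepingComputer thread, from MVPS or from any
tool named in it. The resolver consults this file before DNS, so a line such as
"0.0.0.0 ads.example" sinkholes that name, while a line that points a well-known
name at some other address silently redirects it.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Addresses MVPS-style lists use to sinkhole a name (older lists used
# 127.0.0.1, newer ones 0.0.0.0; both mean "never reach the real host").
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample file (not a real hosts file). The blocklist names are
# invented (.invalid TLD); 198.51.100.x is a documentation range. The last
# three lines imitate what a hosts-based search hijack looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example-adnetwork.invalid     # [constructed blocklist entry]
0.0.0.0  tracker.example-counter.invalid
198.51.100.23   www.google.com
198.51.100.23   google.com
198.51.100.23   update.microsoft.com
"""


@dataclass
class HostsEntry:
    address: str
    names: List[str]
    line_no: int


@dataclass
class HostsReport:
    # name -> line number of the sinkhole entry
    blocked: Dict[str, int] = field(default_factory=dict)
    # name -> (address it is sent to, line number); needs human review
    redirected: Dict[str, Tuple[str, int]] = field(default_factory=dict)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: an address followed by one or more names;
    '#' starts a comment; blank and malformed lines are ignored."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; the resolver would skip it too
        entries.append(HostsEntry(parts[0], [n.lower() for n in parts[1:]], line_no))
    return entries


def audit_hosts(text: str) -> HostsReport:
    """Separate sinkholed (blocked) names from names redirected elsewhere.
    The first entry for a name wins, as it does in the resolver."""
    report = HostsReport()
    seen = set()
    for entry in parse_hosts(text):
        sinkholed = entry.address in SINKHOLE_ADDRS
        for name in entry.names:
            if name in seen:
                continue
            seen.add(name)
            if name == "localhost" and sinkholed:
                continue  # the stock loopback lines are expected
            if sinkholed:
                report.blocked[name] = entry.line_no
            else:
                report.redirected[name] = (entry.address, entry.line_no)
    return report


def lookup(text: str, name: str) -> Optional[str]:
    """What the hosts file does to a name before DNS is consulted:
    'blocked', 'redirected:<addr>', or None when DNS would be used."""
    report = audit_hosts(text)
    name = name.lower()
    if name in report.blocked:
        return "blocked"
    if name in report.redirected:
        return "redirected:" + report.redirected[name][0]
    return None


if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    for host, line in sorted(rep.blocked.items()):
        print(f"blocked  line {line}: {host}")
    for host, (addr, line) in sorted(rep.redirected.items()):
        print(f"REVIEW   line {line}: {host} -> {addr}")
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; read it and pass the contents to audit_hosts. Anything in the redirected list that is not a deliberate intranet entry is the kind of line a hijacker leaves behind, and it should be removed before trusting search results or update checks again.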

#52 DaveGK

DaveGK
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:12:53 PM

Posted 20 January 2010 - 11:55 PM

Thanks for your help, and thanks for the tips.

I have a couple questions. Do you think my computer is safe to use for online shopping, or do you think it's been compromised by the malware? Also, do I need to do anything to check my wireless router for malware, or should it be okay?

#53 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:53 PM

Posted 21 January 2010 - 03:31 AM

You're welcome

As far as I can see your logs look fine, so you should be OK to do your normal computer activities, although with the type of infection you had I can not
guarantee that there isn't something else lurking there, as I can only get what I can see. So the choice is yours; a format and reinstall would be the
only way to guarantee a clean computer.

#54 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:53 PM

Posted 22 January 2010 - 03:30 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
