Adobe Flash/Shockwave Freezes computer


  • This topic is locked
15 replies to this topic

#1 tegiman

  • Members
  • 9 posts

Posted 11 March 2010 - 02:04 PM

Hi,

I was wondering if anyone had this same problem. A few weeks ago I received some malware/trojans, but eventually quarantined/deleted them with Malwarebytes. But then after I did that, every time I try to watch anything associated with Adobe Flash Player/Shockwave, my computer completely freezes up and I have to manually restart the computer. Even on sites like Hulu.com, YouTube, and even Facebook videos. Below is the log from HijackThis. Can someone help me with this? Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:27 PM, on 3/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tony-Til\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [QuickBooksDB18] C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe -n QB_BSC-TONY_18 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "C:\Documents and Settings\Tony-Til\Local Settings\Application Data\Intuit\QuickBooks\Log\DBStartup.log" -y
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = YMLUSA.COM
O17 - HKLM\Software\..\Telephony: DomainName = YMLUSA.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = YMLUSA.COM
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1caa67320178a6) (gupdate1caa67320178a6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8046 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 snemelk

    engineer

  • Malware Response Team
  • 1,440 posts
  • Gender:Male

Posted 13 March 2010 - 06:41 PM

Hi tegiman, and welcome to Bleeping Computer.

Follow the Preparation Guide please and post the logs requested...
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 tegiman
  • Topic Starter

  • Members
  • 9 posts

Posted 16 March 2010 - 10:57 AM

Hi All,

I was wondering if anyone had this same problem. A few weeks ago I received some malware/trojans, but eventually quarantined/deleted them with Malwarebytes. But then after I did that, every time I try to watch anything associated with Adobe Flash Player/Shockwave, my computer completely freezes up and I have to manually restart the computer. Even on sites like Hulu.com, YouTube, and even Facebook videos. Below is the log from DDS. Can someone help me with this? Thanks





DDS (Ver_09-12-01.01) - NTFSx86
Run by Tony-Til at 10:45:07.79 on Tue 03/16/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.312 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tony-Til\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [QuickBooksDB18] c:\program files\intuit\quickbooks 2008\qbdbmgrn.exe -n qb_bsc-tony_18 -qs -gd all -gk all -gp 4096 -gu all -ch 64m -c 32m -x tcpip(broadcastlistener=no;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe "c:\documents and settings\tony-til\local settings\application data\intuit\quickbooks\log\DBStartup.log" -y
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tony-til\applic~1\mozilla\firefox\profiles\p03ja4ld.default\
FF - plugin: c:\documents and settings\tony-til\application data\mozilla\firefox\profiles\p03ja4ld.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\tony-til\application data\mozilla\plugins\NPSWF32.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {2F657897-81CE-4EDB-B331-6408C6BB66D5} - c:\documents and settings\tony-til\local settings\application data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 114749]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-26 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100315.003\naveng.sys [2010-3-16 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100315.003\navex15.sys [2010-3-16 1324720]
S2 gupdate1caa67320178a6;Google Update Service (gupdate1caa67320178a6);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 133104]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]

=============== Created Last 30 ================

2010-03-10 14:32:57 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 18:26:16 39904 ----a-w- c:\windows\system32\drivers\cercsr6.sys
2010-03-04 20:39:22 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-03-03 19:22:02 0 d-----w- c:\program files\Trend Micro
2010-03-03 17:24:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-03 17:24:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-02 20:17:00 0 d-----w- c:\docume~1\tony-til\applic~1\Office Genuine Advantage
2010-03-02 15:37:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-01 20:47:37 0 d-----w- c:\windows\system32\scripting
2010-03-01 20:47:37 0 d-----w- c:\windows\l2schemas
2010-03-01 20:47:36 0 d-----w- c:\windows\system32\en
2010-03-01 20:47:36 0 d-----w- c:\windows\system32\bits
2010-02-26 20:03:58 53248 ----a-w- c:\windows\system32\vbicodec.ax
2010-02-26 20:02:55 364544 -c--a-w- c:\windows\system32\dllcache\npdsplay.dll
2010-02-26 20:01:59 7168 ----a-w- c:\windows\system32\sensapi.dll
2010-02-26 15:02:22 0 d-sh--w- c:\documents and settings\tony-til\IECompatCache
2010-02-25 19:44:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-25 19:44:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-25 19:44:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-25 19:28:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 19:25:59 5115824 ----a-w- c:\program files\myscan.scr
2010-02-25 18:38:49 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-25 17:40:22 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-25 17:40:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-24 14:45:58 0 d-sh--w- c:\documents and settings\tony-til\PrivacIE
2010-02-24 14:43:29 0 d-sh--w- c:\documents and settings\tony-til\IETldCache
2010-02-24 14:39:50 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-24 14:39:34 0 d-----w- c:\windows\ie8updates
2010-02-24 14:39:03 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-24 14:39:01 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-24 14:36:37 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-02-18 15:32:09 0 d-----w- c:\docume~1\tony-til\applic~1\Malwarebytes
2010-02-17 14:31:59 120 ----a-w- c:\windows\Ndicihevurijan.dat
2010-02-17 14:31:59 0 ----a-w- c:\windows\Nwexuk.bin

==================== Find3M ====================

2010-02-25 17:09:14 698 ----a-w- c:\program files\Malwarebytes' Anti-Malware.lnk
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

============= FINISH: 10:45:39.34 ===============

Attached Files


Edited by tegiman, 16 March 2010 - 04:07 PM.


#4 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 33,550 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 16 March 2010 - 12:43 PM

Hello tegiman,

I have merged your new topic to your previously existing topic. Please keep all posts regarding this issue to this topic by using the Add Reply button found near the bottom of the topic. Starting new topics confuses things for everyone and delays the assistance you receive.

You are still lacking two of the logs snemelk requested: the Attach.txt produced by DDS and the log from GMER. If you were unable to produce them, please inform snemelk and explain what happened when you tried to get them.

Back to you snemelk,

Orange Blossom

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript


#5 tegiman
  • Topic Starter

  • Members
  • 9 posts

Posted 16 March 2010 - 04:08 PM

Hi,

I've edited the post and added the attached.txt and ark.txt.

Thanks

#6 snemelk

    engineer

  • Malware Response Team
  • 1,440 posts
  • Gender:Male

Posted 16 March 2010 - 06:11 PM

Hi again tegiman!!..

QUOTE(Orange Blossom @ Mar 16 2010, 06:43 PM)
> Back to you snemelk,

Thank you!..

QUOTE(tegiman @ Mar 16 2010, 10:08 PM)
> I've edited the post and added the attached.txt and ark.txt.

Thanks!..

It seems not all malware has been removed by you - still a little to do - we'll use ComboFix here...

I do not see Adobe Flash installed on your computer, we'll re-install it...

Firstly,
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Post the log from ComboFix when you've accomplished that.

Secondly,
To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#7 tegiman
  • Topic Starter

  • Members
  • 9 posts

Posted 17 March 2010 - 11:14 AM

Hi Snemelk,

Here is my ComboFix.txt. I wasn't able to turn off the Symantec AntiVirus for some reason. Let me know what I should do next. Thanks!


ComboFix 10-03-16.05 - Tony-Til 03/17/2010 10:58:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.617 [GMT -5:00]
Running from: c:\documents and settings\Tony-Til\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HelpAssistant\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}
c:\documents and settings\HelpAssistant\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}\chrome.manifest
c:\documents and settings\HelpAssistant\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}\chrome\content\_cfg.js
c:\documents and settings\HelpAssistant\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}\chrome\content\overlay.xul
c:\documents and settings\HelpAssistant\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}\install.rdf

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-15 21:02 . 2010-03-15 21:02 -------- d-----w- c:\documents and settings\Administrator.TCNATTHA\Local Settings\Application Data\Mozilla
2010-03-15 21:00 . 2010-03-15 21:00 -------- d-----w- c:\documents and settings\Administrator.TCNATTHA\Application Data\Malwarebytes
2010-03-10 14:32 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 19:24 . 2010-03-09 19:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-03-09 18:50 . 2010-03-09 18:50 -------- d-----w- c:\program files\NOS
2010-03-09 18:26 . 2005-03-22 01:48 39904 ----a-w- c:\windows\system32\drivers\cercsr6.sys
2010-03-09 17:00 . 2010-03-09 17:00 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\Citrix
2010-03-09 16:10 . 2010-03-09 16:10 -------- d-----w- c:\documents and settings\Tony-Til\Local Settings\Application Data\Citrix
2010-03-09 16:08 . 2010-03-09 16:09 -------- d-----w- c:\documents and settings\Tony-Til\Application Data\Download Manager
2010-03-05 19:28 . 2010-03-09 18:29 -------- d-----w- c:\windows\system32\Macromed
2010-03-05 16:42 . 2010-03-09 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-04 20:39 . 2010-03-09 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-03-03 19:22 . 2010-03-03 19:22 -------- d-----w- c:\program files\Trend Micro
2010-03-03 17:24 . 2010-03-03 17:24 -------- d-----w- c:\program files\Common Files\Java
2010-03-03 17:24 . 2010-03-03 17:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-02 20:17 . 2010-03-02 20:17 -------- d-----w- c:\documents and settings\Tony-Til\Application Data\Office Genuine Advantage
2010-03-02 15:37 . 2010-03-02 15:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-02 15:33 . 2010-03-03 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-01 20:47 . 2010-03-01 20:47 -------- d-----w- c:\windows\system32\scripting
2010-03-01 20:47 . 2010-03-01 20:47 -------- d-----w- c:\windows\l2schemas
2010-03-01 20:47 . 2010-03-01 20:47 -------- d-----w- c:\windows\system32\en
2010-03-01 20:47 . 2010-03-01 20:47 -------- d-----w- c:\windows\system32\bits
2010-02-26 20:03 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\secedit.exe
2010-02-26 20:02 . 2008-04-14 00:12 226816 -c--a-w- c:\windows\system32\dllcache\npdrmv2.dll
2010-02-26 20:01 . 2009-06-25 08:25 56832 ----a-w- c:\windows\system32\secur32.dll
2010-02-26 15:15 . 2010-03-01 15:02 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-02-26 15:02 . 2010-02-26 15:02 -------- d-sh--w- c:\documents and settings\Tony-Til\IECompatCache
2010-02-25 19:44 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-25 19:44 . 2010-02-25 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 19:44 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-25 19:28 . 2010-02-25 19:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 19:25 . 2010-02-25 16:29 5115824 ----a-w- c:\program files\myscan.scr
2010-02-25 18:38 . 2010-02-25 18:38 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-25 17:40 . 2010-03-15 21:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-25 17:40 . 2010-03-15 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-25 14:38 . 2010-02-25 14:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-24 15:00 . 2010-02-24 22:43 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-24 14:58 . 2010-02-24 14:58 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-02-24 14:48 . 2010-02-24 14:48 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-24 14:45 . 2010-02-24 14:45 -------- d-sh--w- c:\documents and settings\Tony-Til\PrivacIE
2010-02-24 14:43 . 2010-02-24 14:43 -------- d-sh--w- c:\documents and settings\Tony-Til\IETldCache
2010-02-24 14:39 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-24 14:39 . 2010-03-02 22:32 -------- d-----w- c:\windows\ie8updates
2010-02-24 14:39 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-24 14:39 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-24 14:36 . 2010-01-05 10:00 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-02-23 19:16 . 2010-02-23 19:16 0 ----a-w- c:\windows\nsreg.dat
2010-02-23 18:07 . 2010-02-23 18:07 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\Temp
2010-02-23 18:07 . 2010-02-23 18:07 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\Symantec
2010-02-23 18:07 . 2010-02-23 18:07 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\PowerDVD DX
2010-02-23 18:07 . 2010-02-23 18:07 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\Mozilla
2010-02-23 18:07 . 2010-02-23 18:07 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\Intuit
2010-02-23 18:07 . 2010-03-09 19:45 55896 ----a-w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 18:07 . 2010-02-23 18:07 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\Google
2010-02-23 18:07 . 2010-02-23 18:07 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\Apple Computer
2010-02-23 18:07 . 2010-02-23 18:07 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\Apple
2010-02-23 18:07 . 2010-02-23 18:07 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\Adobe
2010-02-23 18:07 . 2004-08-04 10:00 14336 --sha-r- c:\documents and settings\HelpAssistant\Local Settings\Application Data\1025j.exe
2010-02-22 18:17 . 2010-02-22 18:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-18 15:32 . 2010-02-18 15:32 -------- d-----w- c:\documents and settings\Tony-Til\Application Data\Malwarebytes
2010-02-18 15:07 . 2010-02-18 16:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-17 14:31 . 2010-02-22 14:25 120 ----a-w- c:\windows\Ndicihevurijan.dat
2010-02-17 14:31 . 2010-02-22 14:24 0 ----a-w- c:\windows\Nwexuk.bin
2010-02-17 14:31 . 2010-02-17 14:31 -------- d-----w- c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 14:44 . 2007-10-29 16:00 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-09 19:45 . 2009-06-01 16:08 55896 ----a-w- c:\documents and settings\Tony-Til\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-09 16:10 . 2007-03-13 17:58 -------- d-----w- c:\program files\Citrix
2010-03-05 21:15 . 2009-05-05 14:45 -------- d-----w- c:\program files\Google
2010-03-05 20:55 . 2010-03-05 20:55 1955472 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-03-05 18:06 . 2010-03-05 18:06 1923768 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-03-03 17:24 . 2010-03-03 17:24 503808 ----a-w- c:\documents and settings\Tony-Til\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3f4ff0dc-n\msvcp71.dll
2010-03-03 17:24 . 2010-03-03 17:24 348160 ----a-w- c:\documents and settings\Tony-Til\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3f4ff0dc-n\msvcr71.dll
2010-03-03 17:24 . 2010-03-03 17:24 499712 ----a-w- c:\documents and settings\Tony-Til\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3f4ff0dc-n\jmc.dll
2010-03-03 17:24 . 2010-03-03 17:24 61440 ----a-w- c:\documents and settings\Tony-Til\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-67b19b11-n\decora-sse.dll
2010-03-03 17:24 . 2010-03-03 17:24 12800 ----a-w- c:\documents and settings\Tony-Til\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-67b19b11-n\decora-d3d.dll
2010-03-03 17:23 . 2007-10-29 15:19 -------- d-----w- c:\program files\Java
2010-03-03 15:29 . 2007-03-13 19:28 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-02 22:32 . 2010-02-10 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-01 20:49 . 2007-03-13 16:50 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-25 17:09 . 2010-02-25 19:25 698 ----a-w- c:\program files\Malwarebytes' Anti-Malware.lnk
2010-02-23 22:32 . 2009-05-08 19:55 -------- d-----w- c:\program files\DivX
2010-02-23 14:46 . 2009-05-06 19:22 -------- d-----w- c:\program files\Coupons
2010-02-20 01:31 . 2010-03-09 18:50 31936 ----a-w- c:\documents and settings\Tony-Til\Application Data\Mozilla\Firefox\Profiles\p03ja4ld.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-02-20 01:31 . 2010-03-09 18:50 29344 ----a-w- c:\documents and settings\Tony-Til\Application Data\Mozilla\Firefox\Profiles\p03ja4ld.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-02-18 14:43 . 2010-02-18 14:43 24 ----a-w- c:\documents and settings\NetworkService\Application Data\sgcpom.dat
2010-02-18 14:30 . 2010-02-18 14:30 24 ----a-w- c:\documents and settings\LocalService\Application Data\sgcpom.dat
2010-02-10 22:00 . 2010-02-10 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-08 18:09 . 2010-02-08 18:09 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-05 20:59 . 2010-02-05 20:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-09-23 14:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2010-02-26 20:01 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2008-08-16 23:42 . 2008-08-16 23:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 23:42 . 2008-08-16 23:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 23:42 . 2008-08-16 23:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 23:42 . 2008-08-16 23:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 23:43 . 2008-08-16 23:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 23:42 . 2008-08-16 23:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 23:42 . 2008-08-16 23:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 14:41 . 2008-05-21 14:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 14:41 . 2008-05-21 14:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 14:41 . 2008-05-21 14:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 19:58 . 2008-06-05 19:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 23:42 . 2008-08-16 23:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-07 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-07 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-07 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"QuickBooksDB18"="c:\program files\Intuit\QuickBooks 2008\QBDBMgrN.exe" [2006-09-13 128536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-3-13 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 14:51 24638 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"5412:TCP"= 5412:TCP:Services
"3350:TCP"= 3350:TCP:Services

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/26/2010 9:37 AM 102448]
S2 gupdate1caa67320178a6;Google Update Service (gupdate1caa67320178a6);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 9:53 AM 133104]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:53]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Tony-Til\Application Data\Mozilla\Firefox\Profiles\p03ja4ld.default\
FF - plugin: c:\documents and settings\Tony-Til\Application Data\Mozilla\Firefox\Profiles\p03ja4ld.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Tony-Til\Application Data\Mozilla\plugins\NPSWF32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {2F657897-81CE-4EDB-B331-6408C6BB66D5} - c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 11:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(876)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\netdde.exe
c:\program files\Symantec\pcAnywhere\awhost32.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
.
**************************************************************************
.
Completion time: 2010-03-17 11:12:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-17 16:12

Pre-Run: 62,985,084,928 bytes free
Post-Run: 63,257,890,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D46DE643ABD35DAE460E396EAEE55530

Edited by tegiman, 17 March 2010 - 11:18 AM.
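The log above carries three things a responder would want pulled out before reading the rest: what was created in built-in account profiles during the infection window, the state of the Windows Firewall policy keys, and which Firefox extensions load hidden from a per-user directory. The script below is an added example of that triage, not ComboFix's or the forum's own code. Its sample input is verbatim excerpts from the log above; the extension list, the profile names and the port allow-list (`KNOWN_PORTS`) are assumptions to tune per machine, and a hit is a prompt to look, not a verdict.

```python
"""Triage heuristics for a ComboFix log (added example, not ComboFix's code).

Parses the "Files Created" listing, the Windows Firewall policy keys and the
Firefox HiddenExtension lines and returns findings for an analyst to check.
EXEC_EXT, SERVICE_PROFILES and KNOWN_PORTS are assumptions, not log content.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: verbatim excerpts from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
2010-03-09 17:00 . 2010-03-09 17:00 -------- d-----w- c:\documents and settings\HelpAssistant\Local Settings\Application Data\Citrix
2010-02-25 19:25 . 2010-02-25 16:29 5115824 ----a-w- c:\program files\myscan.scr
2010-02-23 18:07 . 2004-08-04 10:00 14336 --sha-r- c:\documents and settings\HelpAssistant\Local Settings\Application Data\1025j.exe
2010-02-17 14:31 . 2010-02-22 14:25 120 ----a-w- c:\windows\Ndicihevurijan.dat
2010-02-17 14:31 . 2010-02-17 14:31 -------- d-----w- c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {2F657897-81CE-4EDB-B331-6408C6BB66D5} - c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}
"""

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd")
# Built-in accounts whose profiles should not gain executables (assumption);
# HelpAssistant is the account Remote Assistance sessions run under.
SERVICE_PROFILES = ("helpassistant", "localservice", "networkservice")
# Assumed allow-list of ports opened on purpose: "port:proto" -> expected label.
KNOWN_PORTS = {"3389:TCP": "Remote Desktop"}

# ComboFix file line: created . modified size-or-dashes attrs path
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:-{8}|\d+) ([-a-z]{8}) (.+)$")
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"= \d+:(?:TCP|UDP):(.*)$')
HIDDEN_EXT_RE = re.compile(r"^FF - HiddenExtension: (.+?): (\{[^}]+\}) - (.+)$")
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


@dataclass
class Finding:
    kind: str    # exec-in-profile | guid-dir | firewall-off | open-port | hidden-ext
    detail: str


def triage(log: str) -> list[Finding]:
    """Return findings in log order; registry section is tracked by [key] lines."""
    findings: list[Finding] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.lower()
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            low = path.lower()
            in_service_profile = any(f"\\{p}\\" in low for p in SERVICE_PROFILES)
            # Executable in a service-account profile, or hidden+system anywhere.
            if low.endswith(EXEC_EXT) and (in_service_profile or {"s", "h"} <= set(attrs)):
                findings.append(Finding("exec-in-profile", path))
            # New GUID-named directory under Local Settings (where a hidden
            # extension may later be loaded from).
            if attrs[0] == "d" and "\\local settings\\" in low and GUID_DIR_RE.search(path):
                findings.append(Finding("guid-dir", path))
            continue
        if "firewallpolicy" in section:
            if "globallyopenports" in section:
                pm = PORT_RE.match(line)
                # Flag any port not in the allow-list, or with a label we did not expect.
                if pm and KNOWN_PORTS.get(pm.group(1)) != pm.group(2):
                    findings.append(Finding("open-port", f"{pm.group(1)} labelled '{pm.group(2)}'"))
            elif line.startswith('"EnableFirewall"=') and line.split("=", 1)[1].strip().startswith("0"):
                findings.append(Finding("firewall-off", section))
        hm = HIDDEN_EXT_RE.match(line)
        # Hidden extensions living under a user profile rather than a product directory.
        if hm and "\\documents and settings\\" in hm.group(3).lower():
            findings.append(Finding("hidden-ext", f"{hm.group(1)} {hm.group(2)} -> {hm.group(3)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against a full ComboFix.txt the parser behaves the same; only the allow-list needs adjusting. On the excerpt it leaves myscan.scr alone (a normal executable in Program Files) and reports the firewall policy as disabled, the three "Services" ports that name no application, the hidden+system+read-only 1025j.exe inside the HelpAssistant profile (a built-in account that only logs on for Remote Assistance sessions), the GUID directory under the user's Local Settings and the XULRunner hidden extension that loads from it, while the .NET Framework Assistant entry under c:\windows passes.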


#8 snemelk (inżynier, i.e. engineer; Malware Response Team)

Posted 17 March 2010 - 02:31 PM

Hi again tegiman!!..

QUOTE(tegiman @ Mar 17 2010, 05:14 PM)
I wasn't able to turn off the Symantec Antivirus for some reason. Let me know what I should do next. Thanks!

OK, fortunately it didn't interfere with ComboFix, it seems...

We're making some progress, still a little to do, though...

Firstly,
Please download HelpAsst_mebroot_fix.exe and save it to your Desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an MBR infection, please allow it to run mbr -f and shut down your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!
When it completes, a log will open.
Please post the contents of that log.

Secondly,
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\Ndicihevurijan.dat
c:\windows\Nwexuk.bin
Folder::
c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}
Firefox::
FF - ProfilePath - c:\documents and settings\Tony-Til\Application Data\Mozilla\Firefox\Profiles\p03ja4ld.default\
FF - HiddenExtension: XULRunner: {2F657897-81CE-4EDB-B331-6408C6BB66D5} - c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Post it in your next reply.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#9 tegiman (Topic Starter)

Posted 17 March 2010 - 03:10 PM

Hi snemelk,

When I ran the HelpAsst_mebroot_fix.exe program, it didn't find anything. Do you still want me to proceed with the other steps? My computer feels a lot faster/better since I ran the combofix.exe the first time.



#10 snemelk (inżynier, i.e. engineer; Malware Response Team)

Posted 17 March 2010 - 04:48 PM

Hi again tegiman!..

QUOTE(tegiman @ Mar 17 2010, 09:10 PM)
When I ran the HelpAsst_mebroot_fix.exe program, it didn't find anything.

Ok... ComboFix probably neutralised an infection (MBR rootkit); however, there are some leftovers still to remove - I hoped HelpAsst_mebroot_fix would show us more information... Apparently not... ;)..

QUOTE
Do you still want me to proceed with the other steps? My computer feels a lot faster/better since I ran the combofix.exe the first time.

Yes, please run the second step - CFScript with ComboFix (one active infection has to be removed)...

Afterwards, let's run this tool to gather more information about mbr rootkit's leftovers:

Download and run HAMeb_check.exe
Post the contents of the resulting log.


#11 tegiman (Topic Starter)

Posted 18 March 2010 - 08:49 AM

Hi Snemelk!

Here is the Combofix + CFScript.txt below. Again I couldn't turn off the Symantec Antivirus. Hopefully this is ok.
THANKS!


ComboFix 10-03-17.07 - Tony-Til 03/18/2010 8:35.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.505 [GMT -5:00]
Running from: c:\documents and settings\Tony-Til\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tony-Til\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\Ndicihevurijan.dat"
"c:\windows\Nwexuk.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}
c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}\chrome.manifest
c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}\chrome\content\_cfg.js
c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}\chrome\content\overlay.xul
c:\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}\install.rdf
c:\windows\Ndicihevurijan.dat
c:\windows\Nwexuk.bin

.
((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
.

2010-03-17 20:03 . 2010-03-17 20:03 -------- d-----w- C:\HelpAsst_backup
2010-03-17 16:42 . 2010-03-17 16:42 -------- d-----w- c:\windows\system32\Macromed
2010-03-15 21:02 . 2010-03-15 21:02 -------- d-----w- c:\documents and settings\Administrator.TCNATTHA\Local Settings\Application Data\Mozilla
2010-03-15 21:00 . 2010-03-15 21:00 -------- d-----w- c:\documents and settings\Administrator.TCNATTHA\Application Data\Malwarebytes
2010-03-10 14:32 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 19:24 . 2010-03-09 19:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-03-09 18:26 . 2005-03-22 01:48 39904 ----a-w- c:\windows\system32\drivers\cercsr6.sys
2010-03-09 16:10 . 2010-03-09 16:10 -------- d-----w- c:\documents and settings\Tony-Til\Local Settings\Application Data\Citrix
2010-03-09 16:08 . 2010-03-09 16:09 -------- d-----w- c:\documents and settings\Tony-Til\Application Data\Download Manager
2010-03-05 20:55 . 2010-03-05 20:55 1955472 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-03-05 16:42 . 2010-03-17 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-04 20:39 . 2010-03-09 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-03-03 19:22 . 2010-03-03 19:22 -------- d-----w- c:\program files\Trend Micro
2010-03-03 17:24 . 2010-03-03 17:24 503808 ----a-w- c:\documents and settings\Tony-Til\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3f4ff0dc-n\msvcp71.dll
2010-03-03 17:24 . 2010-03-03 17:24 348160 ----a-w- c:\documents and settings\Tony-Til\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3f4ff0dc-n\msvcr71.dll
2010-03-03 17:24 . 2010-03-03 17:24 -------- d-----w- c:\program files\Common Files\Java
2010-03-03 17:24 . 2010-03-03 17:24 499712 ----a-w- c:\documents and settings\Tony-Til\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3f4ff0dc-n\jmc.dll
2010-03-03 17:24 . 2010-03-03 17:24 61440 ----a-w- c:\documents and settings\Tony-Til\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-67b19b11-n\decora-sse.dll
2010-03-03 17:24 . 2010-03-03 17:24 12800 ----a-w- c:\documents and settings\Tony-Til\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-67b19b11-n\decora-d3d.dll
2010-03-03 17:24 . 2010-03-03 17:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-02 20:17 . 2010-03-02 20:17 -------- d-----w- c:\documents and settings\Tony-Til\Application Data\Office Genuine Advantage
2010-03-02 15:37 . 2010-03-02 15:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-02 15:33 . 2010-03-03 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-01 20:47 . 2010-03-01 20:47 -------- d-----w- c:\windows\system32\scripting
2010-03-01 20:47 . 2010-03-01 20:47 -------- d-----w- c:\windows\l2schemas
2010-03-01 20:47 . 2010-03-01 20:47 -------- d-----w- c:\windows\system32\en
2010-03-01 20:47 . 2010-03-01 20:47 -------- d-----w- c:\windows\system32\bits
2010-02-26 20:03 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\secedit.exe
2010-02-26 20:02 . 2008-04-14 00:12 226816 -c--a-w- c:\windows\system32\dllcache\npdrmv2.dll
2010-02-26 20:01 . 2009-06-25 08:25 56832 ----a-w- c:\windows\system32\secur32.dll
2010-02-26 15:15 . 2010-03-01 15:02 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-02-26 15:02 . 2010-02-26 15:02 -------- d-sh--w- c:\documents and settings\Tony-Til\IECompatCache
2010-02-25 19:44 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-25 19:44 . 2010-02-25 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 19:44 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-25 19:28 . 2010-02-25 19:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-25 19:25 . 2010-02-25 16:29 5115824 ----a-w- c:\program files\myscan.scr
2010-02-25 18:38 . 2010-02-25 18:38 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-25 17:40 . 2010-03-15 21:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-25 17:40 . 2010-03-15 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-25 14:38 . 2010-02-25 14:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-24 15:00 . 2010-02-24 22:43 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-24 14:58 . 2010-02-24 14:58 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-02-24 14:48 . 2010-02-24 14:48 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-24 14:45 . 2010-02-24 14:45 -------- d-sh--w- c:\documents and settings\Tony-Til\PrivacIE
2010-02-24 14:43 . 2010-02-24 14:43 -------- d-sh--w- c:\documents and settings\Tony-Til\IETldCache
2010-02-24 14:39 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-24 14:39 . 2010-03-02 22:32 -------- d-----w- c:\windows\ie8updates
2010-02-24 14:39 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-24 14:39 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-24 14:36 . 2010-01-05 10:00 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-02-23 19:16 . 2010-02-23 19:16 0 ----a-w- c:\windows\nsreg.dat
2010-02-22 18:17 . 2010-02-22 18:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-18 15:32 . 2010-02-18 15:32 -------- d-----w- c:\documents and settings\Tony-Til\Application Data\Malwarebytes
2010-02-18 15:07 . 2010-02-18 16:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 14:44 . 2007-10-29 16:00 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-09 19:45 . 2009-06-01 16:08 55896 ----a-w- c:\documents and settings\Tony-Til\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-09 16:10 . 2007-03-13 17:58 -------- d-----w- c:\program files\Citrix
2010-03-05 21:15 . 2009-05-05 14:45 -------- d-----w- c:\program files\Google
2010-03-03 17:23 . 2007-10-29 15:19 -------- d-----w- c:\program files\Java
2010-03-03 15:29 . 2007-03-13 19:28 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-02 22:32 . 2010-02-10 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-01 20:49 . 2007-03-13 16:50 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-25 17:09 . 2010-02-25 19:25 698 ----a-w- c:\program files\Malwarebytes' Anti-Malware.lnk
2010-02-23 22:32 . 2009-05-08 19:55 -------- d-----w- c:\program files\DivX
2010-02-23 14:46 . 2009-05-06 19:22 -------- d-----w- c:\program files\Coupons
2010-02-18 14:43 . 2010-02-18 14:43 24 ----a-w- c:\documents and settings\NetworkService\Application Data\sgcpom.dat
2010-02-18 14:30 . 2010-02-18 14:30 24 ----a-w- c:\documents and settings\LocalService\Application Data\sgcpom.dat
2010-02-10 22:00 . 2010-02-10 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-08 18:09 . 2010-02-08 18:09 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-05 20:59 . 2010-02-05 20:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2006-03-04 03:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-09-23 14:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2010-02-26 20:01 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2008-08-16 23:42 . 2008-08-16 23:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 23:42 . 2008-08-16 23:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 23:42 . 2008-08-16 23:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 23:42 . 2008-08-16 23:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 23:43 . 2008-08-16 23:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 23:42 . 2008-08-16 23:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 23:42 . 2008-08-16 23:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 14:41 . 2008-05-21 14:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 14:41 . 2008-05-21 14:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 14:41 . 2008-05-21 14:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 19:58 . 2008-06-05 19:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 23:42 . 2008-08-16 23:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-07 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-07 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-07 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"QuickBooksDB18"="c:\program files\Intuit\QuickBooks 2008\QBDBMgrN.exe" [2006-09-13 128536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-3-13 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 14:51 24638 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/26/2010 9:37 AM 102448]
S2 gupdate1caa67320178a6;Google Update Service (gupdate1caa67320178a6);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 9:53 AM 133104]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:53]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 14:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Tony-Til\Application Data\Mozilla\Firefox\Profiles\p03ja4ld.default\
FF - plugin: c:\documents and settings\Tony-Til\Application Data\Mozilla\plugins\NPSWF32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-18 08:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-18 08:43:17
ComboFix-quarantined-files.txt 2010-03-18 13:43
ComboFix2.txt 2010-03-17 16:12

Pre-Run: 63,205,388,288 bytes free
Post-Run: 63,175,200,768 bytes free

- - End Of File - - F5353D0EFFB90533054015B2952D2E23



And here is the HAMeb_check.exe log below.



C:\Documents and Settings\Tony-Til\My Documents\Downloads\HAMeb_check.exe
Thu 03/18/2010 at 8:53:16.95

Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Edited by tegiman, 18 March 2010 - 08:55 AM.


#12 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,440 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:19 AM

Posted 18 March 2010 - 04:02 PM

Hi again tegiman!

Thank you for the logfiles, it looks ok (probably HelpAsst_mebroot_fix.exe removed those leftovers).
I reckon there are no remaining problems?

This folder is just a leftover and can be safely deleted manually: c:\documents and settings\HelpAssistant

We need to upload a few malware files.
Download upload.bat to your Desktop.
Then open Notepad and copy and paste the text present in the codebox:
CODE
http://www.bleepingcomputer.com/forums/t/301945/adobe-flashshockwave-freezes-computer/
C:\Qoobox\Quarantine\c\windows\Ndicihevurijan.dat.vir
C:\Qoobox\Quarantine\c\windows\Nwexuk.bin.vir
"C:\Qoobox\Quarantine\c\documents and settings\Tony-Til\Local Settings\Application Data\{2F657897-81CE-4EDB-B331-6408C6BB66D5}"

Save this as upload.txt , and place it on your Desktop.

Double-click upload.bat and let the script run. A Notepad window with a logfile will open; you may close it. Then a browser window should pop up; submit the Files_for_submission.zip file (created in the same directory you saved upload.bat in) - browse to that file and click Send File. You may leave the two other boxes blank.
Let me know if the file has been uploaded successfully or note any errors encountered.


You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here (uninstall version 8.2 first):
http://www.adobe.com/products/acrobat/readstep2.html

Let's perform an online scan to make sure we leave nothing behind:
Please scan your computer with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#13 tegiman

tegiman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:19 AM

Posted 19 March 2010 - 10:08 AM

Hi Snemelk!

I sent the Files_for_submission.zip and updated Adobe Acrobat Reader.

And below is the ESET OnlineScan log. I deleted C:\Documents and Settings\HelpAssistant while scanning. Not sure if that'll cause a problem.

C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache45510.tmp probably a variant of Java/TrojanDownloader.Agent.NAI trojan deleted - quarantined
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\rdl315.tmp a variant of Win32/Agent.PDZ trojan cleaned by deleting - quarantined


I feel like my computer is running fast now though. Thanks for everything Snemelk!

#14 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,440 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:19 AM

Posted 19 March 2010 - 06:45 PM

Hi again tegiman!

QUOTE(tegiman @ Mar 19 2010, 04:08 PM)
I sent the Files_for_submission.zip.

Thanks!

QUOTE
I feel like my computer is running fast now though. Thanks for everything Snemelk!

You're welcome!


Firstly,
click Start > Run and type the following command, then hit Enter:

helpasst -cleanup

Secondly,
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually (like log.txt or a zipped file for submission).

Thirdly,
Please, set up a new System Restore point:

Turn off System Restore

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Then, to turn it back on:
1. Wait for Windows to finish clearing Restore Points.
2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.


Please check my site - snemelk.hekko.pl. There, you'll find a few steps to make your web browsing safer.

Also, I recommend you read Tony Klein's excellent article: How did I get infected?, with steps so it does not happen again!


#15 tegiman

tegiman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:19 AM

Posted 22 March 2010 - 10:52 AM

Thanks Snemelk for everything! I did all the things you told me to do. Everything seems fast and back to normal!

Thanks!!!



