Am I clean now


This topic is locked
11 replies to this topic

#1 david248005

  • Members
  • 6 posts

Posted 27 November 2008 - 06:11 AM

hi
Could do with someone to analyse this please.

Thx

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:18 AM, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\COMPUTER2007\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ZTE Mobile Connection\datacard.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SWQuickLauncher] C:\Program Files\SolarWinds\Engineer's Toolset\SWLauncher.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [User Themes] C:\Program Files\Common Files\Microsoft Shared\DAO\COMPUTER2007\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\VISUAL~1\NTXcontext.htm
O8 - Extra context menu item: Capture image with GKB - C:\Program Files\General Knowledge Base\2.4\CaptureWebImage.htm
O8 - Extra context menu item: Capture web page with GKB - C:\Program Files\General Knowledge Base\2.4\CaptureWebPage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MS-KB - {8b2d996f-b7d1-4961-a929-414d9cf5ba7b} - http://support.microsoft.com/default.aspx?...H;EN-US;KBHOWTO (file missing)
O9 - Extra 'Tools' menuitem: MS-KB - {8b2d996f-b7d1-4961-a929-414d9cf5ba7b} - http://support.microsoft.com/default.aspx?...H;EN-US;KBHOWTO (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\VISUAL~1\NTXtoolbar.htm (HKCU)
O9 - Extra button: Capture web page with GKB - {AB61ECC2-78F0-42B1-956E-6E22FD0181FC} - C:\Program Files\General Knowledge Base\2.4\CaptureWebPage.htm (HKCU)
O9 - Extra 'Tools' menuitem: Capture web page with GKB - {AB61ECC2-78F0-42B1-956E-6E22FD0181FC} - C:\Program Files\General Knowledge Base\2.4\CaptureWebPage.htm (HKCU)
O15 - Trusted Zone: http://www.ebay.co.uk
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsol...scueControl.cab
O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} (Remote200 Control) - http://www.chancers.dontexist.com/RemoteWeb.cab
O16 - DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} (CViewerControl Object) - http://www.chancers.dontexist.com/VideoViewer.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/legacy/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{3712AE91-A8F4-48ED-9043-3655C58BBC7D}: NameServer = 4.2.2.3 4.2.2.4
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SolarWinds TFTP Server - SolarWinds - C:\Program Files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7172 bytes


#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 December 2008 - 12:58 PM

Hello and :thumbsup: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 david248005

  • Topic Starter
  • Members
  • 6 posts

Posted 15 December 2008 - 09:21 AM

Hi Billy, and thanks for taking the time to have a look. Results are below. Sorry, I can't find a way to attach the attach.txt, so I just posted it.


DDS (Version 1.0.1) - NTFSx86
Run by davidd at 14:12:48.57 on Mon 12/15/2008
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.58 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BandwidthMonitor\BWMonitor.exe
C:\Program Files\ZTE Mobile Connection\datacard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msfeedssync.exe
C:\Documents and Settings\davidd\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = ftp=92.41.72.37:80;http=92.41.72.37:80;https=92.41.72.37:80
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {ADECBED6-0366-4377-A739-E69DFBA04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BandwidthMonitor] c:\program files\bandwidthmonitor\BWMonitor.exe
mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: Capture image with GKB - c:\program files\general knowledge base\2.4\CaptureWebImage.htm
IE: Capture web page with GKB - c:\program files\general knowledge base\2.4\CaptureWebPage.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {3712AE91-A8F4-48ED-9043-3655C58BBC7D} = 4.2.2.3 4.2.2.4
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davidd\applic~1\mozilla\firefox\profiles\xyece5xm.default\
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-10-16 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-10-16 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-10-16 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-10-16 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-10-16 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-10-16 49664]
R2 MBAMService;MBAMService;"c:\program files\malwarebytes' anti-malware\mbamservice.exe" [2008-10-16 170640]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-12 603904]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-10-17 15504]
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\system32\drivers\ASPI32.sys [2008-10-23 16512]
S3 GPU-Z;GPU-Z;\??\c:\docume~1\davidd\locals~1\temp\GPU-Z.sys []
S3 STAC97NA;SigmaTel 3D Environmental Audio;c:\windows\system32\drivers\stac97na.sys []
S3 STAC97NH;STAC97NH;c:\windows\system32\drivers\stac97nh.sys [2007-12-13 231983]
S4 SolarWinds TFTP Server;SolarWinds TFTP Server;"c:\program files\solarwinds\engineer's toolset\SolarWinds TFTP Server.exe" [2007-5-17 46008]

=============== Created Last 30 ================

2008-12-14 15:07 <DIR> --d----- c:\program files\Pure Networks
2008-12-14 15:06 23,992 a------- c:\windows\system32\drivers\pnarp.sys
2008-12-14 15:06 25,272 a------- c:\windows\system32\drivers\purendis.sys
2008-12-14 15:06 <DIR> --d----- c:\program files\common files\Pure Networks Shared
2008-12-14 15:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2008-12-12 13:08 603,904 a------- c:\windows\system32\TUProgSt.exe
2008-12-12 13:07 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2008-12-12 13:07 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-11 22:27 <DIR> --d----- c:\program files\ACD Systems
2008-12-11 11:48 <DIR> --d----- c:\docume~1\davidd\applic~1\CoSoSys
2008-12-10 14:49 207,488 a----r-- c:\windows\system32\drivers\vinyl97.sys
2008-12-10 14:29 <DIR> --d----- c:\program files\Innovative Solutions
2008-12-09 12:01 <DIR> --d----- c:\docume~1\davidd\applic~1\IBP
2008-12-09 01:09 <DIR> --d----- c:\program files\CCProxy
2008-12-06 14:11 <DIR> --d----- c:\docume~1\davidd\applic~1\GlarySoft
2008-12-06 14:05 <DIR> --d----- c:\program files\Glary Utilities
2008-12-05 18:13 <DIR> --d----- c:\program files\Moyea
2008-12-05 18:11 <DIR> --d----- c:\docume~1\davidd\applic~1\Moyea
2008-12-04 17:55 <DIR> --d----- c:\program files\Symantec
2008-12-04 17:40 <DIR> --d----- c:\program files\HD Tune Pro
2008-12-03 15:06 100,864 a------- c:\windows\system32\drivers\ZTEusbser6k.sys
2008-12-03 15:06 100,864 a------- c:\windows\system32\drivers\ZTEusbnmea.sys
2008-12-03 15:06 100,864 a------- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2008-12-03 15:06 <DIR> --d----- c:\windows\system32\SupportApp
2008-12-03 15:06 <DIR> --d----- c:\program files\ZTE Mobile Connection
2008-12-01 18:13 <DIR> --d----- c:\docume~1\davidd\applic~1\Locktime
2008-12-01 18:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Locktime
2008-11-30 19:51 <DIR> --d----- c:\docume~1\davidd\applic~1\BWMonitor
2008-11-30 19:51 <DIR> --d----- c:\program files\BandwidthMonitor
2008-11-29 12:41 <DIR> --d----- c:\windows\5888428E699C4E71BF7194EE06B497DA.TMP
2008-11-28 21:22 97 a------- c:\windows\tninfo.ini
2008-11-28 21:19 <DIR> --d----- c:\program files\Microsoft TechNet
2008-11-27 11:09 <DIR> --d----- c:\program files\Trend Micro
2008-11-27 09:30 578,560 a------- c:\windows\system32\dllcache\user32.dll
2008-11-27 09:27 <DIR> --d----- c:\windows\ERUNT
2008-11-26 23:26 <DIR> --d----- c:\docume~1\davidd\applic~1\KC Softwares
2008-11-26 09:43 39,424 a------- c:\windows\zipinst.exe
2008-11-26 09:43 <DIR> --d----- c:\program files\Mail PassView
2008-11-25 10:36 <DIR> --d----- C:\Deckard
2008-11-22 10:53 <DIR> --d-hr-- C:\$VAULT$.AVG
2008-11-22 02:30 <DIR> --d----- c:\windows\pss
2008-11-20 16:03 <DIR> --d----- c:\program files\XP Codec Pack
2008-11-20 15:58 <DIR> --d----- c:\docume~1\davidd\applic~1\BlueCrestStudios
2008-11-20 15:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BlueCrestStudios
2008-11-20 08:52 <DIR> --d-h--- c:\windows\PIF
2008-11-17 23:44 <DIR> --d----- c:\program files\hpHosts
2008-11-17 08:20 520,192 -------- c:\windows\system32\ati2sgag.exe
2008-11-17 08:20 1,020 a------- c:\windows\ATICIM.INI
2008-11-17 08:20 <DIR> --d----- c:\program files\ATI Technologies
2008-11-17 08:19 <DIR> --d----- C:\ATI
2008-11-17 08:04 139,264 a------- c:\windows\system32\IDEproperty.dll
2008-11-17 08:04 49,024 a------- c:\windows\system32\drivers\sisidex.sys
2008-11-17 08:04 9,472 a------- c:\windows\system32\drivers\sisperf.sys
2008-11-17 08:04 304,128 a------- c:\windows\IsUninst.exe
2008-11-17 08:03 <DIR> --d----- c:\documents and settings\davidd\WINDOWS
2008-11-17 08:03 4,096 a------- c:\windows\system32\drivers\siside.sys
2008-11-17 08:01 179,664 a------- c:\windows\system32\drivers\STAC97.sys
2008-11-17 07:54 1,686,016 a------- c:\windows\system32\clinetsuitex6.ocx
2008-11-17 07:54 427,864 a------- c:\windows\system32\XceedZip.dll
2008-11-17 07:54 <DIR> --d----- c:\program files\Driver-Soft
2008-11-17 05:14 315 a------- c:\windows\EurekaLog.ini
2008-11-16 12:45 <DIR> --d----- c:\program files\CommitCRM
2008-11-16 12:44 <DIR> --d----- C:\Commit

==================== Find3M ====================

2008-12-12 13:08 362,240 a------- c:\windows\system32\TuneUpDefragService.exe
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-20 15:59 360,580 a------- c:\windows\system32\eSellerateEngine.dll
2008-11-12 16:44 27,904 a------- c:\windows\system32\uxtuneup.dll
2008-11-05 12:23 1,044,480 a----r-- c:\windows\system32\roboex32.dll
2008-11-05 12:23 49,152 a----r-- c:\windows\system32\inetwh32.dll
2008-10-26 12:18 10,099 a------- c:\windows\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
2008-10-26 12:18 2,857,336 a------- c:\windows\system32\SpoonUninstall.exe
2008-10-26 12:18 14,049 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-10-22 17:34 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-21 11:26 8,192 a------- C:\peboot.bin
2008-10-19 18:20 96,384 a------- c:\windows\system32\drivers\sptd4573.sys
2008-10-16 22:28 499,712 a------- c:\windows\system32\msvcp71.dll
2008-10-16 22:04 223,128 a------- c:\windows\system32\drivers\dtscsi.sys
2008-10-16 22:02 664,064 a------- c:\windows\system32\drivers\sptd.sys
2008-10-16 21:48 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-10-16 20:35 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-16 20:35 23,736 a------- c:\windows\system32\LMImirr.dll
2008-10-16 20:35 10,040 a------- c:\windows\system32\LMImirr2.dll
2008-10-16 20:35 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-15 16:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
1999-04-23 22:22 12 a--sh--- c:\windows\system\WININETICMP32.drv

============= FINISH: 14:13:18.66 ===============

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/16/2008 10:55:07 PM
System Uptime: 12/15/2008 12:23:41 PM (2 hours ago)

Motherboard: NEC COMPUTERS INTERNATIONAL | | GA-8SIMLNF
Processor: Intel® Pentium® 4 CPU 2.50GHz | P4 | 2490/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 90.526 GiB free.
D: is FIXED (NTFS) - 233 GiB total, 3.751 GiB free.
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP113: 12/11/2008 11:52:18 AM - Restore Operation
RP114: 12/11/2008 2:47:50 PM - System Checkpoint
RP115: 12/11/2008 10:24:54 PM - Removed ACDSee Pro 2.
RP116: 12/11/2008 10:26:43 PM - Installed ACDSee Pro 2.5.
RP117: 12/12/2008 1:07:46 PM - Installed TuneUp Utilities 2009
RP118: 12/13/2008 1:58:38 PM - System Checkpoint
RP119: 12/14/2008 2:41:27 PM - System Checkpoint
RP120: 12/14/2008 3:07:07 PM - Installed Cisco Network Magic

==== Installed Programs ======================

µTorrent
ACDSee Pro 2.5
Adobe Flash Player 10 ActiveX
ATI - Software Uninstall Utility
ATI Display Driver
AVG 7.5
Bandwidth Monitor 3.4 build 757
Camfrog Video Chat 5.1
CCleaner (remove only)
CCProxy 6.62
Certification Preparation
Cisco Network Magic
Cisco Networking Academy curriculum 4.0.0.0
Commit Server
CPL All-in-One
dBpoweramp DSP Effects
dBpoweramp Music Converter
Driver Genius Professional Edition
DriverMax 4
FLV Player 2.0, build 24
Foxit Reader
General Knowledge Base
Glary Utilities 2.8.0.366
Google Earth Pro
HD Tune Pro 3.10
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Java™ 6 Update 7
Mail PassView
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft AutoRoute 2007
Microsoft Baseline Security Analyzer 2.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft Press Readiness Review Suite 70-271
Microsoft Virtual PC 2007
Microsoft Visual C++ 2005 Redistributable
Moyea FLV Downloader version 1.16.0.17
Mozilla Firefox (3.0.4)
Mp3tag v2.42
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB927977)
Nero 6 Ultra Edition
Network Magic
nLite 1.4.9.1
Norton PartitionMagic
Norton PartitionMagic 8.0
NotePad++ 3.6
Packet Tracer 5.0
PE Builder 3.1.10a
Pure Networks Platform
RealSpeak Solo for UK English Emily
Recuva (remove only)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
SigmaTel AC97 Audio Drivers
SigmaTel C-Major Audio
Simple Port Forwarding
SIW version 2008-09-09
SolarWinds Engineer's Toolset
TechNet Library - English DVD (October 2008)
The Ultimate Troubleshooter
TuneUp Utilities 2008
TuneUp Utilities 2009
Turbo Lister 2
Tweak UI
UK-Info Pro V11
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Winamp
Windows Internet Explorer 7
Windows Internet Explorer 8 Beta 2
Windows Messenger 5.1
Windows Support Tools
Windows XP Service Pack 3
WinRAR archiver
ZTE Mobile Connection

==== Event Viewer Messages ===================

12/10/2008 9:46:59 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
12/10/2008 9:46:59 PM, error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/10/2008 9:46:59 PM, error: Service Control Manager [7034] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s).
12/10/2008 9:46:59 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
12/10/2008 9:46:59 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
12/10/2008 9:46:59 PM, error: Service Control Manager [7034] - The Logical Disk Manager service terminated unexpectedly. It has done this 1 time(s).
12/10/2008 9:46:59 PM, error: Service Control Manager [7034] - The Error Reporting Service service terminated unexpectedly. It has done this 1 time(s).
12/10/2008 9:46:59 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
12/10/2008 9:46:59 PM, error: Service Control Manager [7034] - The Fast User Switching Compatibility service terminated unexpectedly. It has done this 1 time(s).
12/10/2008 9:46:59 PM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
12/10/2008 9:46:59 PM, error: Service Control Manager [7034] - The Server service terminated unexpectedly. It has done this 1 time(s).
12/10/2008 9:47:15 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
12/11/2008 11:52:05 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'ComboFix.exe' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/12/2008 1:17:33 PM, error: Service Control Manager [7034] - The TuneUp Program Statistics Service service terminated unexpectedly. It has done this 1 time(s).
12/14/2008 11:08:38 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the TuneUp.Defrag service.

==== End Of File ===========================

#4 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 15 December 2008 - 07:47 PM

Hello, david248005
You appear to have a Registry Cleaner installed!
The following refers to TuneUp Utilities.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done on the assumption that the main audience here at this board may be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click ComboFix on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :thumbsup:
In your next reply, please include the following:
  • ComboFix.txt

BillyIII

#5 david248005

  • Topic Starter
  • Members
  • 6 posts

Posted 16 December 2008 - 04:41 AM

Hi Billy, and thanks again. Results from ComboFix are below:

ComboFix 08-12-15.04 - davidd 2008-12-16 9:34:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.197 [GMT 0:00]
Running from: c:\documents and settings\davidd\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\MabryObj.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-15 17:44 . 2008-12-15 17:44 <DIR> d-------- c:\program files\MindMapper2008
2008-12-15 17:44 . 2007-07-25 13:43 282,624 --a------ c:\windows\system32\TwdFilt.dll
2008-12-15 17:43 . 2008-12-15 17:43 <DIR> d-------- c:\documents and settings\davidd\Application Data\InstallShield
2008-12-15 16:05 . 2008-12-15 16:05 <DIR> d-------- c:\program files\CS Odessa
2008-12-15 16:05 . 2008-12-15 16:05 <DIR> d-------- c:\documents and settings\davidd\Application Data\ConceptDraw MINDMAP 5 Professional
2008-12-15 16:01 . 2008-12-15 16:01 <DIR> d-------- c:\program files\MSECache
2008-12-15 15:13 . 2008-12-15 23:22 <DIR> d-------- c:\documents and settings\davidd\.freemind
2008-12-15 15:12 . 2008-12-15 15:11 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-15 15:01 . 2008-12-15 15:01 <DIR> d-------- c:\program files\FreeMind
2008-12-14 15:07 . 2008-12-14 15:07 <DIR> d-------- c:\program files\Pure Networks
2008-12-14 15:06 . 2008-12-14 15:06 <DIR> d-------- c:\program files\Common Files\Pure Networks Shared
2008-12-14 15:06 . 2008-09-14 18:36 25,272 --a------ c:\windows\system32\drivers\purendis.sys
2008-12-14 15:06 . 2008-09-14 18:36 23,992 --a------ c:\windows\system32\drivers\pnarp.sys
2008-12-14 15:05 . 2008-12-14 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pure Networks
2008-12-12 13:08 . 2008-12-12 13:08 603,904 --a------ c:\windows\system32\TUProgSt.exe
2008-12-12 13:07 . 2008-12-12 13:08 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2008-12-12 13:07 . 2008-12-12 13:07 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-11 22:27 . 2008-12-11 22:27 <DIR> d-------- c:\program files\ACD Systems
2008-12-11 11:48 . 2008-12-11 11:48 <DIR> d-------- c:\documents and settings\davidd\Application Data\CoSoSys
2008-12-10 14:49 . 2008-12-14 15:06 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-10 14:49 . 2007-06-27 14:42 207,488 -ra------ c:\windows\system32\drivers\vinyl97.sys
2008-12-10 14:29 . 2008-12-10 14:29 <DIR> d-------- c:\program files\Innovative Solutions
2008-12-09 12:01 . 2008-12-09 12:07 <DIR> d-------- c:\documents and settings\davidd\Application Data\IBP
2008-12-09 01:09 . 2008-12-09 01:15 <DIR> d-------- c:\program files\CCProxy
2008-12-06 14:11 . 2008-12-06 14:11 <DIR> d-------- c:\documents and settings\davidd\Application Data\GlarySoft
2008-12-06 14:05 . 2008-12-06 14:05 <DIR> d-------- c:\program files\Glary Utilities
2008-12-05 18:13 . 2008-12-05 18:13 <DIR> d-------- c:\program files\Moyea
2008-12-05 18:11 . 2008-12-05 18:11 <DIR> d-------- c:\documents and settings\davidd\Application Data\Moyea
2008-12-04 17:55 . 2008-12-04 17:55 <DIR> d-------- c:\program files\Symantec
2008-12-04 17:40 . 2008-12-04 17:40 <DIR> d-------- c:\program files\HD Tune Pro
2008-12-03 15:06 . 2008-12-03 15:06 <DIR> d-------- c:\windows\system32\SupportApp
2008-12-03 15:06 . 2008-12-11 20:01 <DIR> d-------- c:\program files\ZTE Mobile Connection
2008-12-03 15:06 . 2008-01-17 16:50 100,864 --a------ c:\windows\system32\drivers\ZTEusbser6k.sys
2008-12-03 15:06 . 2008-01-17 16:50 100,864 --a------ c:\windows\system32\drivers\ZTEusbnmea.sys
2008-12-03 15:06 . 2008-01-17 16:50 100,864 --a------ c:\windows\system32\drivers\ZTEusbmdm6k.sys
2008-12-01 18:13 . 2008-12-01 18:13 <DIR> d-------- c:\documents and settings\davidd\Application Data\Locktime
2008-12-01 18:12 . 2008-12-01 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Locktime
2008-11-30 19:51 . 2008-11-30 19:51 <DIR> d-------- c:\program files\BandwidthMonitor
2008-11-30 19:51 . 2008-11-30 19:51 <DIR> d-------- c:\documents and settings\davidd\Application Data\BWMonitor
2008-11-29 12:41 . 2008-11-29 12:42 <DIR> d-------- c:\windows\5888428E699C4E71BF7194EE06B497DA.TMP
2008-11-28 21:22 . 2008-11-28 21:22 97 --a------ c:\windows\tninfo.ini
2008-11-28 21:19 . 2008-11-28 21:19 <DIR> d-------- c:\program files\Microsoft Visual Studio .NET 2003
2008-11-28 21:19 . 2008-11-28 21:19 <DIR> d-------- c:\program files\Microsoft TechNet
2008-11-27 11:09 . 2008-11-27 11:09 <DIR> d-------- c:\program files\Trend Micro
2008-11-27 09:30 . 2008-11-27 09:30 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-11-27 09:27 . 2008-11-27 09:28 <DIR> d-------- c:\windows\ERUNT
2008-11-26 23:26 . 2008-11-26 23:26 <DIR> d-------- c:\documents and settings\davidd\Application Data\KC Softwares
2008-11-26 09:43 . 2008-11-26 09:44 <DIR> d-------- c:\program files\Mail PassView
2008-11-26 09:43 . 2008-11-26 09:43 39,424 --a------ c:\windows\zipinst.exe
2008-11-25 10:36 . 2008-11-25 10:36 <DIR> d-------- C:\Deckard
2008-11-22 10:53 . 2008-11-24 00:45 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-20 16:03 . 2008-11-20 16:04 <DIR> d-------- c:\program files\XP Codec Pack
2008-11-20 15:58 . 2008-11-20 15:58 <DIR> d-------- c:\documents and settings\davidd\Application Data\BlueCrestStudios
2008-11-20 15:58 . 2008-11-20 15:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\BlueCrestStudios
2008-11-20 08:52 . 2008-11-20 08:52 <DIR> d--h----- c:\windows\PIF
2008-11-17 23:44 . 2008-11-17 23:46 <DIR> d-------- c:\program files\hpHosts
2008-11-17 08:20 . 2008-11-17 08:21 <DIR> d-------- c:\program files\ATI Technologies
2008-11-17 08:20 . 2006-05-03 11:57 520,192 --------- c:\windows\system32\ati2sgag.exe
2008-11-17 08:20 . 2008-11-17 08:20 1,020 --a------ c:\windows\ATICIM.INI
2008-11-17 08:19 . 2008-11-17 08:19 <DIR> d-------- C:\ATI
2008-11-17 08:04 . 1998-01-23 12:22 304,128 --a------ c:\windows\IsUninst.exe
2008-11-17 08:04 . 2002-08-20 14:58 139,264 --a------ c:\windows\system32\IDEproperty.dll
2008-11-17 08:04 . 2002-10-17 15:14 49,024 --a------ c:\windows\system32\drivers\sisidex.sys
2008-11-17 08:04 . 2002-08-20 17:19 9,472 --a------ c:\windows\system32\drivers\sisperf.sys
2008-11-17 08:03 . 2008-11-17 08:03 <DIR> d-------- c:\documents and settings\davidd\WINDOWS
2008-11-17 08:03 . 2003-03-25 17:50 4,096 --a------ c:\windows\system32\drivers\siside.sys
2008-11-17 08:01 . 2002-08-11 15:44 179,664 --a------ c:\windows\system32\drivers\STAC97.sys
2008-11-17 07:54 . 2008-11-17 07:54 <DIR> d-------- c:\program files\Driver-Soft
2008-11-17 07:54 . 2007-09-02 20:56 1,686,016 --a------ c:\windows\system32\clinetsuitex6.ocx
2008-11-17 07:54 . 2004-06-14 14:56 427,864 --a------ c:\windows\system32\XceedZip.dll
2008-11-17 05:14 . 2008-11-17 05:14 315 --a------ c:\windows\EurekaLog.ini
2008-11-16 12:45 . 2008-11-16 12:45 <DIR> d-------- c:\program files\CommitCRM
2008-11-16 12:44 . 2008-11-16 12:44 <DIR> d-------- C:\Commit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 09:12 --------- d-----w c:\documents and settings\davidd\Application Data\AVG7
2008-12-15 17:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-15 17:42 --------- d-----w c:\documents and settings\davidd\Application Data\uTorrent
2008-12-15 15:11 --------- d-----w c:\program files\Java
2008-12-12 13:08 362,240 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-11 22:27 --------- d-----w c:\program files\Common Files\ACD Systems
2008-12-09 17:02 --------- d-----w c:\program files\Support Tools
2008-12-09 17:02 --------- d-----w c:\program files\Microsoft Press Readiness Review Suite
2008-12-04 18:05 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-04 08:07 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-12-03 19:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-03 11:54 --------- d-----w c:\program files\Simple Port Forwarding
2008-12-03 09:04 --------- d-----w c:\program files\VisualTrace
2008-12-01 17:37 --------- d-----w c:\documents and settings\davidd\Application Data\WholeSecurity
2008-11-29 11:38 --------- d-----w c:\documents and settings\davidd\Application Data\Camfrog
2008-11-28 21:23 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-22 10:57 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-20 17:24 --------- d-----w c:\program files\SIW
2008-11-20 15:59 360,580 ----a-w c:\windows\system32\eSellerateEngine.dll
2008-11-18 01:09 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-18 01:06 --------- d-----w c:\program files\eBay
2008-11-18 01:06 --------- d-----w c:\documents and settings\davidd\Application Data\eBay
2008-11-18 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\eBay
2008-11-15 15:40 --------- d-----w c:\program files\FLV Player
2008-11-15 15:27 --------- d-----w c:\program files\Recuva
2008-11-15 11:42 --------- d-----w c:\program files\Camfrog
2008-11-15 11:27 --------- d-----w c:\documents and settings\davidd\Application Data\Webcammax
2008-11-14 00:52 --------- d-----w c:\documents and settings\davidd\Application Data\RoamDrive
2008-11-13 15:52 --------- d-----w c:\documents and settings\davidd\Application Data\Ashampoo
2008-11-13 15:33 --------- d-----w c:\program files\Opera
2008-11-12 16:44 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2008-11-12 16:18 --------- d-----w c:\documents and settings\davidd\Application Data\ACD Systems
2008-11-12 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-09 14:44 --------- d-----w c:\documents and settings\davidd\Application Data\LogMeIn Rescue
2008-11-05 12:23 49,152 ----a-r c:\windows\system32\inetwh32.dll
2008-11-05 12:23 1,044,480 ----a-r c:\windows\system32\roboex32.dll
2008-11-05 07:04 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2008-11-04 23:37 --------- d-----w c:\documents and settings\davidd\Application Data\TuneUp Software
2008-11-04 23:37 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-04 23:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-04 23:22 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-03 18:16 --------- d-----w c:\program files\Mp3tag
2008-11-03 18:16 --------- d-----w c:\documents and settings\davidd\Application Data\Mp3tag
2008-11-02 14:32 --------- d-----w c:\program files\ffdshow
2008-10-26 23:14 --------- d-----w c:\program files\Google
2008-10-26 23:11 --------- d-----w c:\program files\BayGenie
2008-10-26 14:53 --------- d-----w c:\program files\i-CD
2008-10-26 14:51 --------- d-----w c:\program files\TESTOUT
2008-10-26 12:27 --------- d-----w c:\program files\Winamp
2008-10-26 12:27 --------- d-----w c:\documents and settings\davidd\Application Data\Winamp
2008-10-26 12:18 2,857,336 ----a-w c:\windows\system32\SpoonUninstall.exe
2008-10-26 12:18 --------- d-----w c:\documents and settings\davidd\Application Data\AccurateRip
2008-10-26 12:11 --------- d-----w c:\program files\Java(2)
2008-10-26 12:11 --------- d-----w c:\program files\Common Files\Java(2)
2008-10-26 12:11 --------- d-----w c:\program files\Common Files\Java
2008-10-25 18:17 --------- d-----w c:\documents and settings\davidd\Application Data\dBpoweramp
2008-10-25 17:52 --------- d-----w c:\program files\Illustrate
2008-10-25 11:21 --------- d-----w c:\program files\MP3Gain
2008-10-24 12:56 --------- d-----w c:\documents and settings\davidd\Application Data\.myibay
2008-10-23 23:28 --------- d-----w c:\program files\Certification Preparation
2008-10-23 21:34 --------- d-----w c:\program files\nLite
2008-10-23 18:19 --------- d-----w c:\program files\Microsoft AutoRoute
2008-10-23 17:18 --------- d-----w c:\program files\ScanSoft
2008-10-21 11:26 8,192 ----a-w C:\peboot.bin
2008-10-19 20:24 --------- d-----w c:\program files\Common Files\eSellerate
2008-10-19 20:24 --------- d-----w c:\program files\AnswersThatWork
2008-10-19 18:22 --------- d-----w c:\program files\microsoft frontpage
2008-10-19 18:20 96,384 ----a-w c:\windows\system32\drivers\sptd4573.sys
2008-10-19 16:02 --------- d-----w c:\program files\CCleaner
2008-10-19 14:00 --------- d-----w c:\program files\SolarWinds
2008-10-18 17:00 --------- d-----w c:\program files\Microsoft Virtual PC
2008-10-18 12:18 --------- d-----w c:\documents and settings\davidd\Application Data\Symantec
2008-10-17 21:41 --------- d-----w c:\documents and settings\davidd\Application Data\Malwarebytes
2008-10-16 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-16 22:36 --------- d-----w c:\program files\Microsoft Baseline Security Analyzer 2
2008-10-16 22:34 --------- d-----w c:\program files\Common Files\Ahead
2008-10-16 22:34 --------- d-----w c:\program files\Ahead
2008-10-16 22:32 --------- d-----w c:\program files\Foxit Software
2008-10-16 22:30 --------- d-----w c:\program files\General Knowledge Base
2008-10-16 22:30 --------- d-----w c:\documents and settings\davidd\Application Data\General Knowledge Base
2008-10-16 22:28 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-10-16 22:28 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-10-16 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-10-16 22:27 --------- d-----w c:\program files\Packet Tracer 5.0
2008-10-16 22:08 --------- d-----w c:\program files\Microsoft Works
2008-10-16 22:08 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-16 22:08 --------- d-----w c:\program files\Common Files\L&H
2008-10-16 22:07 --------- d-----w c:\program files\Microsoft.NET
2008-10-16 22:04 223,128 ----a-w c:\windows\system32\drivers\dtscsi.sys
2008-10-16 22:04 --------- d-----w c:\program files\DAEMON Tools
2008-10-16 22:02 664,064 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-16 21:47 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-16 21:47 --------- d-----w c:\program files\NotePad++
2008-10-16 21:47 --------- d-----w c:\program files\Foxit
2008-10-16 20:44 --------- d-----w c:\program files\uTorrent
2008-10-16 20:35 87,352 ----a-w c:\windows\system32\LMIinit.dll
2008-10-16 20:35 28,984 ----a-w c:\windows\system32\LMIport.dll
2008-10-16 20:35 23,736 ----a-w c:\windows\system32\LMImirr.dll
2008-10-16 20:35 10,040 ----a-w c:\windows\system32\LMImirr2.dll
1999-04-23 22:22 12 --sha-w c:\windows\system\WININETICMP32.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BandwidthMonitor"="c:\program files\BandwidthMonitor\BWMonitor.exe" [2008-10-07 577536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-06 280779]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-20 590848]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-12-03 399504]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-09-14 648488]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-09-14 705832]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-16 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-08-22 c:\windows\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Device Detector"=DevDetect.exe -autorun

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Packet Tracer 5.0\\bin\\PacketTracer5.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\SolarWinds\\Engineer's Toolset\\SNMP-Brute-Force-Attack.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\ZTE Mobile Connection\\datacard.exe"=
"c:\\Documents and Settings\\davidd\\Desktop\\uTorrent.exe"=
"c:\\Program Files\\CCProxy\\CCProxy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"25718:TCP"= 25718:TCP:torrent

R2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-10-16 170640]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-12-12 603904]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-10-17 15504]
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\System32\DRIVERS\ASPI32.sys [2008-10-23 16512]
S3 GPU-Z;GPU-Z;\??\c:\docume~1\davidd\LOCALS~1\Temp\GPU-Z.sys []
S3 STAC97NA;SigmaTel 3D Environmental Audio;c:\windows\system32\drivers\stac97na.sys []
S3 STAC97NH;STAC97NH;c:\windows\system32\drivers\stac97nh.sys [2007-12-13 231983]
S4 SolarWinds TFTP Server;SolarWinds TFTP Server;"c:\program files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe" [2007-05-17 46008]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea930018-bb2e-11dd-8d2b-000d611077d2}]
\Shell\AutoRun\command - G:\AUTORUN.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-16 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]

2008-12-16 c:\windows\Tasks\User_Feed_Synchronization-{795F5F1D-3F77-44D5-8E2B-95BE1B146B49}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 02:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = ftp=92.41.72.37:80;http=92.41.72.37:80;https=92.41.72.37:80
IE: Capture image with GKB - c:\program files\General Knowledge Base\2.4\CaptureWebImage.htm
IE: Capture web page with GKB - c:\program files\General Knowledge Base\2.4\CaptureWebPage.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
TCP: {3712AE91-A8F4-48ED-9043-3655C58BBC7D} = 4.2.2.3 4.2.2.4

c:\windows\system32\ractrlkeyhook.dll - c:\windows\Downloaded Program Files\CONFLICT.2\LMIGuardianEvt.dll
c:\windows\Downloaded Program Files\CONFLICT.2\LMIGuardianDll.dll
c:\windows\Downloaded Program Files\CONFLICT.2\LMIGuardian.exe
c:\windows\Downloaded Program Files\CONFLICT.2\LMIProxyHelper.exe
c:\windows\Downloaded Program Files\CONFLICT.2\RescueControl.dll
O16 -: {254AA86E-5655-4518-AA87-185D7CC41801}
hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
c:\windows\Downloaded Program Files\CONFLICT.2\RescueControl.inf

c:\windows\Downloaded Program Files\Remote200Web.ocx - O16 -: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C}
hxxp://www.chancers.dontexist.com/RemoteWeb.cab
c:\windows\Downloaded Program Files\RemoteWeb.inf

c:\windows\Downloaded Program Files\VideoViewer.ocx - O16 -: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8}
hxxp://www.chancers.dontexist.com/VideoViewer.cab
c:\windows\Downloaded Program Files\VideoViewer.inf
FF - ProfilePath - c:\documents and settings\davidd\Application Data\Mozilla\Firefox\Profiles\xyece5xm.default\
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 09:37:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
Completion time: 2008-12-16 9:39:11
ComboFix-quarantined-files.txt 2008-12-16 09:39:02
ComboFix2.txt 2008-11-25 10:17:26

Pre-Run: 96,617,779,200 bytes free
Post-Run: 96,644,431,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\peboot.bin="Boot BartPE (by PE Builder)"

318

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:12 PM

Posted 16 December 2008 - 08:12 PM

Hello, david248005
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    EXTRA::
    DDS::
    TCP: {3712AE91-A8F4-48ED-9043-3655C58BBC7D} = 4.2.2.3 4.2.2.4
    uInternet Settings,ProxyServer = ftp=92.41.72.37:80;http=92.41.72.37:80;https=92.41.72.37:80
    REGISTRY::
    O16 -: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8}
    O16 -: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C}
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
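As an added illustration (not part of this thread, and not ComboFix's or BleepingComputer's own tooling): a small Python triage script run over lines copied from the "Supplementary Scan" section of the log posted above. It pulls out the same three kinds of entries that the CFScript in the post above targets (the configured IE proxy, the per-interface DNS servers on the `TCP:` line, and the O16 ActiveX downloads with the `hxxp` URL that follows each CLSID) and marks for review any proxy or DNS address that is not a private, loopback or link-local address. That threshold is a simple heuristic of mine, not a ComboFix rule; the sample text is constructed from the posted log, and ComboFix's "hxxp" spelling is its deliberate defanging of "http".

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the Supplementary Scan section of the
# ComboFix log above.  Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = ftp=92.41.72.37:80;http=92.41.72.37:80;https=92.41.72.37:80
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: {3712AE91-A8F4-48ED-9043-3655C58BBC7D} = 4.2.2.3 4.2.2.4

c:\windows\Downloaded Program Files\CONFLICT.2\RescueControl.dll
O16 -: {254AA86E-5655-4518-AA87-185D7CC41801}
hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
c:\windows\Downloaded Program Files\CONFLICT.2\RescueControl.inf

c:\windows\Downloaded Program Files\VideoViewer.ocx - O16 -: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8}
hxxp://www.chancers.dontexist.com/VideoViewer.cab
c:\windows\Downloaded Program Files\VideoViewer.inf
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
DNS_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (.+)$")
O16_RE = re.compile(r"O16 -: (\{[0-9A-Fa-f-]+\})")   # CLSID may sit after an .ocx path
URL_RE = re.compile(r"^hxxps?://\S+$")               # defanged download URL on its own line


@dataclass
class Finding:
    kind: str      # "proxy", "dns" or "activex"
    detail: str
    review: bool   # True when a human should look at the entry


def parse_proxy(value):
    """'ftp=h:p;http=h:p' -> {'ftp': ('h', 'p'), ...}; a bare 'h:p' applies to all schemes."""
    proxies = {}
    for part in value.split(";"):
        if "=" in part:
            scheme, hostport = part.split("=", 1)
        else:
            scheme, hostport = "all", part
        host, _, port = hostport.strip().rpartition(":")
        proxies[scheme.strip()] = (host, port)
    return proxies


def is_local_address(host):
    """Heuristic (my own): private, loopback and link-local addresses are 'expected' on a home LAN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage(lines):
    """Walk the Supplementary Scan lines and collect proxy, DNS and ActiveX findings."""
    findings = []
    pending_clsid = None   # CLSID of an O16 line whose URL has not been seen yet
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_proxy(m.group(1)).items():
                findings.append(Finding("proxy", f"{scheme} -> {host}:{port}",
                                        review=not is_local_address(host)))
            continue
        m = DNS_RE.match(line)
        if m:
            for server in m.group(1).split():
                findings.append(Finding("dns", server, review=not is_local_address(server)))
            continue
        m = O16_RE.search(line)
        if m:
            pending_clsid = m.group(1)
            continue
        if pending_clsid and URL_RE.match(line):
            # Every ActiveX download is worth a look; the URL tells you who served it.
            findings.append(Finding("activex", f"{pending_clsid} from {line}", review=True))
            pending_clsid = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(("REVIEW " if f.review else "ok     ") + f"{f.kind:8s} {f.detail}")
```

On the posted log this reports the three proxy entries pointing at a public address, the two public DNS servers from the `TCP:` line, and the two O16 controls together with the hosts they were fetched from, which is the list the helper's CFScript then acts on.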

#7 david248005

david248005
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:12 AM

Posted 16 December 2008 - 08:27 PM

Hi Billy. Combofix log below:

ComboFix 08-12-15.04 - davidd 2008-12-17 1:20:06.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.181 [GMT 0:00]
Running from: c:\documents and settings\davidd\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\davidd\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-17 01:18 . 2008-12-17 01:19 <DIR> d-------- C:\32788R22FWJFW
2008-12-15 17:44 . 2008-12-15 17:44 <DIR> d-------- c:\program files\MindMapper2008
2008-12-15 17:44 . 2007-07-25 13:43 282,624 --a------ c:\windows\system32\TwdFilt.dll
2008-12-15 17:43 . 2008-12-15 17:43 <DIR> d-------- c:\documents and settings\davidd\Application Data\InstallShield
2008-12-15 16:05 . 2008-12-15 16:05 <DIR> d-------- c:\program files\CS Odessa
2008-12-15 16:05 . 2008-12-15 16:05 <DIR> d-------- c:\documents and settings\davidd\Application Data\ConceptDraw MINDMAP 5 Professional
2008-12-15 16:01 . 2008-12-15 16:01 <DIR> d-------- c:\program files\MSECache
2008-12-15 15:13 . 2008-12-16 18:37 <DIR> d-------- c:\documents and settings\davidd\.freemind
2008-12-15 15:12 . 2008-12-15 15:11 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-15 15:01 . 2008-12-15 15:01 <DIR> d-------- c:\program files\FreeMind
2008-12-14 15:07 . 2008-12-14 15:07 <DIR> d-------- c:\program files\Pure Networks
2008-12-14 15:06 . 2008-12-14 15:06 <DIR> d-------- c:\program files\Common Files\Pure Networks Shared
2008-12-14 15:06 . 2008-09-14 18:36 25,272 --a------ c:\windows\system32\drivers\purendis.sys
2008-12-14 15:06 . 2008-09-14 18:36 23,992 --a------ c:\windows\system32\drivers\pnarp.sys
2008-12-14 15:05 . 2008-12-14 15:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pure Networks
2008-12-12 13:08 . 2008-12-12 13:08 603,904 --a------ c:\windows\system32\TUProgSt.exe
2008-12-12 13:07 . 2008-12-12 13:08 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2008-12-12 13:07 . 2008-12-12 13:07 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-11 22:27 . 2008-12-11 22:27 <DIR> d-------- c:\program files\ACD Systems
2008-12-11 11:48 . 2008-12-11 11:48 <DIR> d-------- c:\documents and settings\davidd\Application Data\CoSoSys
2008-12-10 14:49 . 2008-12-14 15:06 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-10 14:49 . 2007-06-27 14:42 207,488 -ra------ c:\windows\system32\drivers\vinyl97.sys
2008-12-10 14:29 . 2008-12-10 14:29 <DIR> d-------- c:\program files\Innovative Solutions
2008-12-09 12:01 . 2008-12-09 12:07 <DIR> d-------- c:\documents and settings\davidd\Application Data\IBP
2008-12-09 01:09 . 2008-12-09 01:15 <DIR> d-------- c:\program files\CCProxy
2008-12-06 14:11 . 2008-12-06 14:11 <DIR> d-------- c:\documents and settings\davidd\Application Data\GlarySoft
2008-12-06 14:05 . 2008-12-06 14:05 <DIR> d-------- c:\program files\Glary Utilities
2008-12-05 18:13 . 2008-12-05 18:13 <DIR> d-------- c:\program files\Moyea
2008-12-05 18:11 . 2008-12-05 18:11 <DIR> d-------- c:\documents and settings\davidd\Application Data\Moyea
2008-12-04 17:55 . 2008-12-04 17:55 <DIR> d-------- c:\program files\Symantec
2008-12-04 17:40 . 2008-12-04 17:40 <DIR> d-------- c:\program files\HD Tune Pro
2008-12-03 15:06 . 2008-12-03 15:06 <DIR> d-------- c:\windows\system32\SupportApp
2008-12-03 15:06 . 2008-12-16 11:23 <DIR> d-------- c:\program files\ZTE Mobile Connection
2008-12-03 15:06 . 2008-01-17 16:50 100,864 --a------ c:\windows\system32\drivers\ZTEusbser6k.sys
2008-12-03 15:06 . 2008-01-17 16:50 100,864 --a------ c:\windows\system32\drivers\ZTEusbnmea.sys
2008-12-03 15:06 . 2008-01-17 16:50 100,864 --a------ c:\windows\system32\drivers\ZTEusbmdm6k.sys
2008-12-01 18:13 . 2008-12-01 18:13 <DIR> d-------- c:\documents and settings\davidd\Application Data\Locktime
2008-12-01 18:12 . 2008-12-01 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Locktime
2008-11-30 19:51 . 2008-11-30 19:51 <DIR> d-------- c:\program files\BandwidthMonitor
2008-11-30 19:51 . 2008-11-30 19:51 <DIR> d-------- c:\documents and settings\davidd\Application Data\BWMonitor
2008-11-29 12:41 . 2008-11-29 12:42 <DIR> d-------- c:\windows\5888428E699C4E71BF7194EE06B497DA.TMP
2008-11-28 21:22 . 2008-11-28 21:22 97 --a------ c:\windows\tninfo.ini
2008-11-28 21:19 . 2008-11-28 21:19 <DIR> d-------- c:\program files\Microsoft Visual Studio .NET 2003
2008-11-28 21:19 . 2008-11-28 21:19 <DIR> d-------- c:\program files\Microsoft TechNet
2008-11-27 11:09 . 2008-11-27 11:09 <DIR> d-------- c:\program files\Trend Micro
2008-11-27 09:30 . 2008-11-27 09:30 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-11-27 09:27 . 2008-11-27 09:28 <DIR> d-------- c:\windows\ERUNT
2008-11-26 23:26 . 2008-11-26 23:26 <DIR> d-------- c:\documents and settings\davidd\Application Data\KC Softwares
2008-11-26 09:43 . 2008-11-26 09:44 <DIR> d-------- c:\program files\Mail PassView
2008-11-26 09:43 . 2008-11-26 09:43 39,424 --a------ c:\windows\zipinst.exe
2008-11-25 10:36 . 2008-11-25 10:36 <DIR> d-------- C:\Deckard
2008-11-22 10:53 . 2008-11-24 00:45 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-20 16:03 . 2008-11-20 16:04 <DIR> d-------- c:\program files\XP Codec Pack
2008-11-20 15:58 . 2008-11-20 15:58 <DIR> d-------- c:\documents and settings\davidd\Application Data\BlueCrestStudios
2008-11-20 15:58 . 2008-11-20 15:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\BlueCrestStudios
2008-11-20 08:52 . 2008-11-20 08:52 <DIR> d--h----- c:\windows\PIF
2008-11-17 23:44 . 2008-11-17 23:46 <DIR> d-------- c:\program files\hpHosts
2008-11-17 08:20 . 2008-11-17 08:21 <DIR> d-------- c:\program files\ATI Technologies
2008-11-17 08:20 . 2006-05-03 11:57 520,192 --------- c:\windows\system32\ati2sgag.exe
2008-11-17 08:20 . 2008-11-17 08:20 1,020 --a------ c:\windows\ATICIM.INI
2008-11-17 08:19 . 2008-11-17 08:19 <DIR> d-------- C:\ATI
2008-11-17 08:04 . 1998-01-23 12:22 304,128 --a------ c:\windows\IsUninst.exe
2008-11-17 08:04 . 2002-08-20 14:58 139,264 --a------ c:\windows\system32\IDEproperty.dll
2008-11-17 08:04 . 2002-10-17 15:14 49,024 --a------ c:\windows\system32\drivers\sisidex.sys
2008-11-17 08:04 . 2002-08-20 17:19 9,472 --a------ c:\windows\system32\drivers\sisperf.sys
2008-11-17 08:03 . 2008-11-17 08:03 <DIR> d-------- c:\documents and settings\davidd\WINDOWS
2008-11-17 08:03 . 2003-03-25 17:50 4,096 --a------ c:\windows\system32\drivers\siside.sys
2008-11-17 08:01 . 2002-08-11 15:44 179,664 --a------ c:\windows\system32\drivers\STAC97.sys
2008-11-17 07:54 . 2008-11-17 07:54 <DIR> d-------- c:\program files\Driver-Soft
2008-11-17 07:54 . 2007-09-02 20:56 1,686,016 --a------ c:\windows\system32\clinetsuitex6.ocx
2008-11-17 07:54 . 2004-06-14 14:56 427,864 --a------ c:\windows\system32\XceedZip.dll
2008-11-17 05:14 . 2008-11-17 05:14 315 --a------ c:\windows\EurekaLog.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 12:05 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-16 09:12 --------- d-----w c:\documents and settings\davidd\Application Data\AVG7
2008-12-15 17:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-15 17:42 --------- d-----w c:\documents and settings\davidd\Application Data\uTorrent
2008-12-15 15:11 --------- d-----w c:\program files\Java
2008-12-12 13:08 362,240 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-11 22:27 --------- d-----w c:\program files\Common Files\ACD Systems
2008-12-09 17:02 --------- d-----w c:\program files\Support Tools
2008-12-09 17:02 --------- d-----w c:\program files\Microsoft Press Readiness Review Suite
2008-12-04 18:05 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-04 08:07 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-12-03 19:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-03 11:54 --------- d-----w c:\program files\Simple Port Forwarding
2008-12-03 09:04 --------- d-----w c:\program files\VisualTrace
2008-12-01 17:37 --------- d-----w c:\documents and settings\davidd\Application Data\WholeSecurity
2008-11-29 11:38 --------- d-----w c:\documents and settings\davidd\Application Data\Camfrog
2008-11-28 21:23 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-22 10:57 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-20 17:24 --------- d-----w c:\program files\SIW
2008-11-20 15:59 360,580 ----a-w c:\windows\system32\eSellerateEngine.dll
2008-11-18 01:06 --------- d-----w c:\program files\eBay
2008-11-18 01:06 --------- d-----w c:\documents and settings\davidd\Application Data\eBay
2008-11-18 01:06 --------- d-----w c:\documents and settings\All Users\Application Data\eBay
2008-11-16 12:45 --------- d-----w c:\program files\CommitCRM
2008-11-15 15:40 --------- d-----w c:\program files\FLV Player
2008-11-15 15:27 --------- d-----w c:\program files\Recuva
2008-11-15 11:42 --------- d-----w c:\program files\Camfrog
2008-11-15 11:27 --------- d-----w c:\documents and settings\davidd\Application Data\Webcammax
2008-11-14 00:52 --------- d-----w c:\documents and settings\davidd\Application Data\RoamDrive
2008-11-13 15:52 --------- d-----w c:\documents and settings\davidd\Application Data\Ashampoo
2008-11-13 15:33 --------- d-----w c:\program files\Opera
2008-11-12 16:44 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2008-11-12 16:18 --------- d-----w c:\documents and settings\davidd\Application Data\ACD Systems
2008-11-12 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-09 14:44 --------- d-----w c:\documents and settings\davidd\Application Data\LogMeIn Rescue
2008-11-05 12:23 49,152 ----a-r c:\windows\system32\inetwh32.dll
2008-11-05 12:23 1,044,480 ----a-r c:\windows\system32\roboex32.dll
2008-11-05 07:04 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2008-11-04 23:37 --------- d-----w c:\documents and settings\davidd\Application Data\TuneUp Software
2008-11-04 23:37 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-04 23:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-04 23:22 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-03 18:16 --------- d-----w c:\program files\Mp3tag
2008-11-03 18:16 --------- d-----w c:\documents and settings\davidd\Application Data\Mp3tag
2008-11-02 14:32 --------- d-----w c:\program files\ffdshow
2008-10-26 23:14 --------- d-----w c:\program files\Google
2008-10-26 23:11 --------- d-----w c:\program files\BayGenie
2008-10-26 14:53 --------- d-----w c:\program files\i-CD
2008-10-26 14:51 --------- d-----w c:\program files\TESTOUT
2008-10-26 12:27 --------- d-----w c:\program files\Winamp
2008-10-26 12:27 --------- d-----w c:\documents and settings\davidd\Application Data\Winamp
2008-10-26 12:18 2,857,336 ----a-w c:\windows\system32\SpoonUninstall.exe
2008-10-26 12:18 --------- d-----w c:\documents and settings\davidd\Application Data\AccurateRip
2008-10-26 12:11 --------- d-----w c:\program files\Java(2)
2008-10-26 12:11 --------- d-----w c:\program files\Common Files\Java(2)
2008-10-26 12:11 --------- d-----w c:\program files\Common Files\Java
2008-10-25 18:17 --------- d-----w c:\documents and settings\davidd\Application Data\dBpoweramp
2008-10-25 17:52 --------- d-----w c:\program files\Illustrate
2008-10-25 11:21 --------- d-----w c:\program files\MP3Gain
2008-10-24 12:56 --------- d-----w c:\documents and settings\davidd\Application Data\.myibay
2008-10-23 23:28 --------- d-----w c:\program files\Certification Preparation
2008-10-23 21:34 --------- d-----w c:\program files\nLite
2008-10-23 18:19 --------- d-----w c:\program files\Microsoft AutoRoute
2008-10-23 17:18 --------- d-----w c:\program files\ScanSoft
2008-10-21 11:26 8,192 ----a-w C:\peboot.bin
2008-10-19 20:24 --------- d-----w c:\program files\Common Files\eSellerate
2008-10-19 20:24 --------- d-----w c:\program files\AnswersThatWork
2008-10-19 18:22 --------- d-----w c:\program files\microsoft frontpage
2008-10-19 18:20 96,384 ----a-w c:\windows\system32\drivers\sptd4573.sys
2008-10-19 16:02 --------- d-----w c:\program files\CCleaner
2008-10-19 14:00 --------- d-----w c:\program files\SolarWinds
2008-10-18 17:00 --------- d-----w c:\program files\Microsoft Virtual PC
2008-10-18 12:18 --------- d-----w c:\documents and settings\davidd\Application Data\Symantec
2008-10-17 21:41 --------- d-----w c:\documents and settings\davidd\Application Data\Malwarebytes
2008-10-16 22:28 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-10-16 20:35 87,352 ----a-w c:\windows\system32\LMIinit.dll
2008-10-16 20:35 28,984 ----a-w c:\windows\system32\LMIport.dll
2008-10-16 20:35 23,736 ----a-w c:\windows\system32\LMImirr.dll
2008-10-16 20:35 10,040 ----a-w c:\windows\system32\LMImirr2.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
1999-04-23 22:22 12 --sha-w c:\windows\system\WININETICMP32.drv
.

((((((((((((((((((((((((((((( snapshot@2008-12-16_ 9.38.25.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-17 00:48:08 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BandwidthMonitor"="c:\program files\BandwidthMonitor\BWMonitor.exe" [2008-10-07 577536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-06 280779]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-20 590848]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-12-03 399504]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-09-14 648488]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-09-14 705832]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-16 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-08-22 c:\windows\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Device Detector"=DevDetect.exe -autorun

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Packet Tracer 5.0\\bin\\PacketTracer5.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\SolarWinds\\Engineer's Toolset\\SNMP-Brute-Force-Attack.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\ZTE Mobile Connection\\datacard.exe"=
"c:\\Documents and Settings\\davidd\\Desktop\\uTorrent.exe"=
"c:\\Program Files\\CCProxy\\CCProxy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"25718:TCP"= 25718:TCP:torrent

R2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-10-16 170640]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-12-12 603904]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-10-17 15504]
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\System32\DRIVERS\ASPI32.sys [2008-10-23 16512]
S3 GPU-Z;GPU-Z;\??\c:\docume~1\davidd\LOCALS~1\Temp\GPU-Z.sys []
S3 STAC97NA;SigmaTel 3D Environmental Audio;c:\windows\system32\drivers\stac97na.sys []
S3 STAC97NH;STAC97NH;c:\windows\system32\drivers\stac97nh.sys [2007-12-13 231983]
S4 SolarWinds TFTP Server;SolarWinds TFTP Server;"c:\program files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe" [2007-05-17 46008]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea930018-bb2e-11dd-8d2b-000d611077d2}]
\Shell\AutoRun\command - G:\AUTORUN.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]

2008-12-17 c:\windows\Tasks\User_Feed_Synchronization-{795F5F1D-3F77-44D5-8E2B-95BE1B146B49}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 02:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Capture image with GKB - c:\program files\General Knowledge Base\2.4\CaptureWebImage.htm
IE: Capture web page with GKB - c:\program files\General Knowledge Base\2.4\CaptureWebPage.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

c:\windows\system32\ractrlkeyhook.dll - c:\windows\Downloaded Program Files\CONFLICT.2\LMIGuardianEvt.dll
c:\windows\Downloaded Program Files\CONFLICT.2\LMIGuardianDll.dll
c:\windows\Downloaded Program Files\CONFLICT.2\LMIGuardian.exe
c:\windows\Downloaded Program Files\CONFLICT.2\LMIProxyHelper.exe
c:\windows\Downloaded Program Files\CONFLICT.2\RescueControl.dll
O16 -: {254AA86E-5655-4518-AA87-185D7CC41801}
hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
c:\windows\Downloaded Program Files\CONFLICT.2\RescueControl.inf
FF - ProfilePath - c:\documents and settings\davidd\Application Data\Mozilla\Firefox\Profiles\xyece5xm.default\
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: content.max.tokenizing.time - 1500000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 100
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 01:23:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2008-12-17 1:25:14
ComboFix-quarantined-files.txt 2008-12-17 01:25:06
ComboFix2.txt 2008-12-16 09:39:13
ComboFix3.txt 2008-11-25 10:17:26

Pre-Run: 96,634,134,528 bytes free
Post-Run: 96,637,046,784 bytes free

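
Added example, not code from the thread or from ComboFix: a Python triage pass over the REGEDIT4-style "Reg Loading Points" section ComboFix printed above, with an excerpt of those lines embedded as sample input. It lists the ports the XP firewall's standard profile opens inbound regardless of which process listens, flags firewall exceptions whose image lives outside the Windows and Program Files trees, and pulls out any MountPoints2 AutoRun command. The trusted-directory list and the match-on-key-suffix approach (ComboFix abbreviates long keys as HKLM\~\...) are this script's own assumptions.

```python
import re
from collections import OrderedDict

# Excerpt copied from the ComboFix "Reg Loading Points" output posted above. ComboFix
# prints REGEDIT4-style sections: a [bracketed key] line followed by "name"=value lines.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-06 280779]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\davidd\\Desktop\\uTorrent.exe"=
"c:\\Program Files\\CCProxy\\CCProxy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"25718:TCP"= 25718:TCP:torrent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea930018-bb2e-11dd-8d2b-000d611077d2}]
\Shell\AutoRun\command - G:\AUTORUN.EXE
"""

_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>\S+)$')
_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=\s*$')
# MountPoints2 lines look like: \Shell\AutoRun\command - <command>
_AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")

# Assumed trust anchors for this triage script: images under these roots are left alone;
# anything elsewhere (a user's Desktop, a temp directory) is worth a second look.
_TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")


def parse_reg_sections(text):
    """Map each [section] header to the stripped, non-empty lines under it, in order."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _section_ending_with(sections, suffix):
    # ComboFix abbreviates long keys (HKLM\~\services\...), so match on the key's tail only.
    for name, lines in sections.items():
        if name.lower().endswith(suffix.lower()):
            return lines
    return []


def globally_open_ports(sections):
    """(port, protocol, label) for each port the firewall allows inbound for any process."""
    out = []
    for line in _section_ending_with(sections, r"GloballyOpenPorts\List"):
        m = _PORT_RE.match(line)
        if m:
            label = m.group("value").split(":", 2)[-1]   # "3389:TCP:<label>" -> "<label>"
            out.append((int(m.group("port")), m.group("proto"), label))
    return out


def authorized_apps_outside_trusted_dirs(sections):
    """Firewall application exceptions whose image is not under a trusted root."""
    out = []
    for line in _section_ending_with(sections, r"AuthorizedApplications\List"):
        m = _APP_RE.match(line)
        if m:
            path = m.group("path").replace("\\\\", "\\")   # REGEDIT4 doubles backslashes
            if not path.lower().startswith(_TRUSTED_PREFIXES):
                out.append(path)
    return out


def autorun_mountpoints(sections):
    """(volume GUID, command) for MountPoints2 entries that carry an AutoRun command."""
    out = []
    for name, lines in sections.items():
        if "mountpoints2\\" not in name.lower():
            continue
        guid = name.rsplit("\\", 1)[-1]
        for line in lines:
            m = _AUTORUN_RE.match(line)
            if m:
                out.append((guid, m.group("cmd")))
    return out


if __name__ == "__main__":
    s = parse_reg_sections(SAMPLE_REG)
    for port, proto, label in globally_open_ports(s):
        print(f"open inbound: {port}/{proto} ({label})")
    for path in authorized_apps_outside_trusted_dirs(s):
        print(f"firewall exception outside trusted dirs: {path}")
    for guid, cmd in autorun_mountpoints(s):
        print(f"autorun on volume {guid}: {cmd}")
```

On the excerpt it reports 3389/TCP (the Remote Desktop port) and 25718/TCP open inbound, the Desktop copy of uTorrent as an exception outside the trusted trees, and the G:\AUTORUN.EXE command recorded for one volume GUID; each of those is something a responder would want to ask the machine's owner about rather than treat as noise.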

#8 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:12 PM

Posted 16 December 2008 - 08:38 PM

Hello, david248005
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 11...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows" (OR if you are on a x64 system, "Windows x64")
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (Or "Uninstall a Program" on Vista) and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe (Or jre-6u10-windows-x64.exe for x64 systems)
  • Follow the on screen instructions to install the latest Java version.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your PC)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your PC (this could take a while)
  • When the scan has finished, it will show a screen with two tabs, "overview" and "details", and the option to get information or buy software; just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "Select All" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log, along with anything else requested from us, by right-clicking and choosing "Paste" (or Ctrl+V) in the text area of the reply post you just created.
Note: For Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 david248005

  • Topic Starter
  • Members
  • 6 posts
  • Local time:05:12 AM

Posted 17 December 2008 - 10:35 AM

Hi Billy, ESET scan as below:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3698 (20081217)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=e0456f3cef4b4b41935506ce4d51dc7e
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-12-17 03:29:53
# local_time=2008-12-17 03:29:53 (+0000, GMT Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=1980680
# found=22
# scan_time=17121
C:\Documents and Settings\davidd\Desktop\Computer Repair Utility Kit\wwwhack.zip multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Documents and Settings\davidd\Desktop\Computer Repair Utility Kit\wwwhack.zip »ZIP »wwwhack.exe Win32/HackTool.WwwHack.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\davidd\Desktop\Computer Repair Utility Kit\wwwhack.zip »ZIP »patch.exe Win32/HackTool.WwwHack trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\AnswersThatWork\Troubleshooter\UltimateTroubleshooter.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
D:\#Software\wwwhack.zip multiple infiltrations (deleted) 00000000000000000000000000000000
D:\#Software\wwwhack.zip »ZIP »wwwhack.exe Win32/HackTool.WwwHack.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
D:\#Software\wwwhack.zip »ZIP »patch.exe Win32/HackTool.WwwHack trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
D:\#Software\BootZilla420\BZ 4.2.0\bzsnapshot.zip probably a variant of Win32/Agent trojan (deleted) 00000000000000000000000000000000
D:\#Software\BootZilla420\BZ 4.2.0\bzsnapshot.zip »ZIP »BZ/Malware/ComboFix.exe probably a variant of Win32/Agent trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
D:\#Software\BootZilla420\BZ 4.2.0\BZ\Malware\ComboFix.exe probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
D:\#Software\BootZilla420\BZ 4.2.0\CGT\BZ\Malware\ComboFix.exe probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
D:\#Software\Malware Cleaning Disc ver. 10\System Tools\john171w.zip Win32/HackTool.John.NAA trojan (deleted) 00000000000000000000000000000000
D:\#Software\Malware Cleaning Disc ver. 10\System Tools\john171w.zip »ZIP »john1701/run/john-386.exe Win32/HackTool.John.NAA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
D:\#Software\Powerquest Sstem Tools\Power Quest 2005 (D)\PowerQuestSystemsTools2005\PowerQuest DeltaDeploy 1.01\DDSetup.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
D:\#Software\The Ultimate Trouble Shooter v4.45\The Ultimate Trouble Shooter v4.45.rar probably unknown NewHeur_PE virus (deleted) 00000000000000000000000000000000
D:\#Software\The Ultimate Trouble Shooter v4.45\The Ultimate Trouble Shooter v4.45.rar »RAR »Ultimate.Troubleshooter.v4.45-RES-crk\UltimateTroubleshooter.exe probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
D:\#Software\The Ultimate Trouble Shooter v4.45\The Ultimate Trouble Shooter v4.45\Ultimate.Troubleshooter.v4.45-RES-crk\UltimateTroubleshooter.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
D:\#Software\wwwhack\patch.exe Win32/HackTool.WwwHack trojan (unable to clean - deleted) 00000000000000000000000000000000
D:\#Software\wwwhack\wwwhack.exe Win32/HackTool.WwwHack.A application (unable to clean - deleted) 00000000000000000000000000000000
D:\My Documents Back Up\Autobackup - davidd - 12-15-2008\Archive\Desktop\Computer Repair Utility Kit\wwwhack.zip multiple infiltrations (deleted) 00000000000000000000000000000000
D:\My Documents Back Up\Autobackup - davidd - 12-15-2008\Archive\Desktop\Computer Repair Utility Kit\wwwhack.zip »ZIP »wwwhack.exe Win32/HackTool.WwwHack.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
D:\My Documents Back Up\Autobackup - davidd - 12-15-2008\Archive\Desktop\Computer Repair Utility Kit\wwwhack.zip »ZIP »patch.exe Win32/HackTool.WwwHack trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

#10 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:12 PM

Posted 17 December 2008 - 08:34 PM

Hello, david248005
Holy crap :)

Think you had enough password crackers on there?

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u"; it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#11 david248005

  • Topic Starter
  • Members
  • 6 posts
  • Local time:05:12 AM

Posted 18 December 2008 - 02:01 AM

Thanks very much Billy. I appreciate your effort

#12 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:12 PM

Posted 18 December 2008 - 07:00 PM

Hello, david248005

You're welcome :thumbsup:

Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)



