Virtumonde.winpop, Win32 sdBot.aad


  • This topic is locked
16 replies to this topic

#1 ablair


Posted 15 January 2009 - 05:30 PM

Hi,

I guess I should start by explaining that I didn't actually notice anything wrong with my computer, instead, I emailed an attachment to a co-worker 2 days ago and today I received an email from the co-worker telling me that she now has a virus and has to completely wipe her computer. I was very surprised because I hadn't noticed any issues on my own machine. I asked her for some details and she told me that she got a pop up telling her to download "Antivirus 2009" which I am guessing she did and apparently she has been told that infected computers cannot be fixed they must be gutted and rebuilt... I work in a lab and sending emails with data is a big part of my job but obviously no one wants me to do any more of that until either 1) I can establish that I don't have a virus I am going to spread to the rest of the lab or 2) I fix whatever I have if there is something going on.

I have Symantec AntiVirus installed on my computer and I made sure it was updated and ran it and it took over an hour and a half scanning my computer and didn't find anything at all. But just to be sure, I decided to run Spybot Search and Destroy. Spybot is running but I keep getting error messages that it can't find certain definitions so I'm not completely sure it can take care of anything it finds...

Spybot just finished running and what it has told me is that I apparently have a whole lot of things going on:

I have a bunch of cookies:
Webtrends Live
Adrevolver
Burst Media
Coremetrics
Doubleclick
Hitbox
Zedo
Mediaplex
Statcounter
Tradedoubler

Malware:
Clickspring.outerinfo

Trojan:
Virtumonde.WinPop
Win32 sdbot.aad

Things it can't Identify:
CasaleMedia
FastClick
Internet Speed Monitor
RightMedia

I don't know how to get rid of all of this, because I don't think my spybot is working totally because of all the error messages I got during scanning. Which makes me wonder if there are other things it missed.

I have an Inspiron 6000 Dell computer, about 4 years old.

I'm hoping that you can help me figure out what to do about all this. Am I going to have my computer completely reformatted like this individual says she is? I had no idea anything was wrong.

Thanks so much for your help.

Sincerely,

A blair


--------

DDS (Ver_09-01-07.01) - NTFSx86
Run by Alissa Blair at 16:53:44.56 on Thu 01/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1250.420.1033.18.503.25 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSEdge.exe
C:\Program Files\Macromedia\Flash Media Server 2\FMSCore.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Student Backup\BackupClient.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alissa Blair\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://email.brown.edu/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {0d6efcf4-3245-4ce1-3454-4a71b17896c8} - c:\windows\system32\qns.dll
BHO: {428f0665-98d5-b72b-a838-ec2b5b9f8c9f} - c:\windows\system32\zasbmsw.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {586dffda-641c-6fc0-6751-3c71b6719fe8} - c:\windows\system32\nzbqyq.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: {885b1ee5-822f-dbfd-0827-8b9a87fa4cb2} - c:\windows\system32\ktrvh.dll
BHO: {96ad8c62-10fb-4b2f-dc5a-4ce670855ee2} - c:\windows\system32\gbtwngc.dll
BHO: {c1fc8f4a-1ffa-3c58-d25f-3ae6778e5f94} - c:\windows\system32\oje.dll
BHO: {e5b81f07-dbc8-d943-bf5c-8c8a36f128b5} - c:\windows\system32\rrqut.dll
BHO: {e8bc1d76-d092-fa62-b359-fa8a31f87ec4} - c:\windows\system32\wxejqqbq.dll
BHO: {efbc4d73-d6c9-ac63-bb59-fa8a31f82e95} - c:\windows\system32\eurtfkm.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [Zyndj] "c:\documents and settings\alissa blair\application data\f?nts\?vchost.exe"
uRun: [Buer] "c:\documents and settings\alissa blair\my documents\??sks\m?dtc.exe"
uRun: [Qkqcsa] "c:\program files\common files\?pppatch\m?iexec.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_08\bin\jusched.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Acronis True Image Monitor] "c:\program files\acronis\trueimage\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [BackupClient.exe] c:\program files\student backup\BackupClient.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bounce~1.lnk - c:\program files\cms peripherals\bounceback express\BBLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: KATRACK.DLL
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alissa~1\applic~1\mozilla\firefox\profiles\7m79g0z6.alissa\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google

============= SERVICES / DRIVERS ===============

R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2008-8-19 14464]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-4 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090115.004\naveng.sys [2009-1-15 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090115.004\navex15.sys [2009-1-15 876112]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R4 FMS;Flash Media Server (FMS);c:\program files\macromedia\flash media server 2\FMSMaster.exe [2006-3-29 884837]
R4 FMSAdmin;Flash Media Administration Server;c:\program files\macromedia\flash media server 2\FMSAdmin.exe [2006-3-29 1171556]
R4 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2005-7-30 14976]
R4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-01-15 13:44 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-15 13:44 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-15 13:44 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-15 13:44 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-08 11:44 <DIR> --d----- C:\A003.1
2008-12-27 19:08 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-27 19:07 <DIR> --d----- c:\windows\system32\cs-CZ
2008-12-27 19:03 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-27 19:01 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-12-27 19:01 575,488 -------- c:\windows\system32\xpsshhdr.dll
2008-12-27 19:01 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2008-12-27 19:01 117,760 -------- c:\windows\system32\prntvpt.dll
2008-12-27 19:01 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-12-27 19:01 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2008-12-27 19:01 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2008-12-27 19:01 <DIR> --d----- C:\0d8213edcd2fb2e718614cfe7a54
2008-12-27 18:54 <DIR> --d----- c:\program files\MSXML 6.0

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 -------- c:\windows\system32\drivers\srv.sys
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-01-04 14:11 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-01-31 20:41 438,784 -c------ c:\documents and settings\alissa blair\vftv1138758087222.exe
2006-01-31 20:39 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757998925.exe
2006-01-31 20:39 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757965613.exe
2006-01-31 20:38 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757938644.exe
2006-01-31 20:38 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757896035.exe
2006-01-31 20:37 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757867831.exe

============= FINISH: 16:56:00.54 ===============


#2 fenzodahl512


Posted 16 January 2009 - 01:17 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 ablair

  • Topic Starter


Posted 18 January 2009 - 03:25 PM

Hi,

Thanks so much for your help!

I had a little trouble, because when I downloaded combofix everything was in Czech... I do have the characters for the language installed on my computer because I'm learning how to speak it, but I haven't used them/written in Czech in quite a while, and I've never had anything else download as the Czech version before. So it took me a while to get through the whole thing because I was less certain about what it was telling me to do at each step. BUT I do have a log now!

ComboFix 09-01-17.04 - Alissa Blair 2009-01-18 14:53:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.420.1033.18.503.210 [GMT -5:00]
Spuštěný z: c:\documents and settings\Alissa Blair\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Vytvořen nový Bod Obnovení
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alissa Blair\Application Data\ASEMBL~1
c:\documents and settings\Alissa Blair\Application Data\CROSOF~1
c:\documents and settings\Alissa Blair\Application Data\CROSOF~1.NET
c:\documents and settings\Alissa Blair\Application Data\FNTS~1
c:\documents and settings\Alissa Blair\Application Data\YSTEM~1
c:\documents and settings\Alissa Blair\My Documents\PPPATC~1
c:\documents and settings\Alissa Blair\My Documents\SKS~1
c:\documents and settings\Alissa Blair\My Documents\SSEMBL~1
c:\documents and settings\Alissa Blair\My Documents\YSTEM~1
c:\documents and settings\Alissa Blair\ResErrors.log
c:\program files\Common Files\dobe~1
c:\program files\Common Files\pppatc~1
c:\program files\Common Files\sembly~1
c:\program files\Common Files\ssembl~1
c:\program files\Common Files\ymante~1
c:\program files\pppatc~1
c:\program files\pppatc~1\?dobe\
c:\program files\pppatc~1\attrib.exe
c:\program files\ymbols~1
c:\windows\dobe~1
c:\windows\fnts~1
c:\windows\IE4 Error Log.txt
c:\windows\pppatc~1
c:\windows\system32\bszip.dll
c:\windows\system32\crosof~1
c:\windows\system32\mcroso~1
c:\windows\system32\smante~1
c:\windows\system32\wnsapiisv32.exe
c:\windows\tsks~1
c:\windows\wnsxs~1

.
((((((((((((((((((((((((( Soubory vytvořené od 2008-12-18 do 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-16 01:00 . 2009-01-16 01:00 <DIR> d-------- c:\documents and settings\Alissa Blair\Application Data\Malwarebytes
2009-01-16 01:00 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 00:59 . 2009-01-16 01:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 00:59 . 2009-01-16 00:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 00:59 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 22:51 . 2009-01-15 22:51 <DIR> d-------- C:\A003.3
2009-01-15 22:33 . 2009-01-15 22:34 <DIR> d-------- C:\A003.2
2009-01-15 13:44 . 2009-01-15 13:50 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:50 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:44 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:44 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-08 11:44 . 2009-01-08 11:45 <DIR> d-------- C:\A003.1
2008-12-27 19:08 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-27 19:07 . 2008-12-27 19:07 <DIR> d-------- c:\windows\system32\cs-CZ
2008-12-27 19:03 . 2008-12-27 19:07 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-27 19:03 . 2008-12-27 19:03 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-27 19:03 . 2008-12-27 19:03 <DIR> d-------- c:\program files\MSBuild
2008-12-27 19:01 . 2008-12-27 19:02 <DIR> d-------- C:\0d8213edcd2fb2e718614cfe7a54
2008-12-27 19:01 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-12-27 19:01 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2008-12-27 19:01 . 2008-07-06 05:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-12-27 19:01 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-12-27 19:01 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2008-12-27 19:01 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-12-27 19:01 . 2008-07-06 07:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-12-27 18:54 . 2008-12-27 18:54 <DIR> d-------- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 19:30 --------- d-----w c:\program files\Student Backup
2009-01-16 05:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 05:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 00:09 --------- d-----w c:\program files\Mertus
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-01-04 19:11 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-02-01 01:41 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138758087222.exe
2006-02-01 01:39 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757998925.exe
2006-02-01 01:39 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757965613.exe
2006-02-01 01:38 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757938644.exe
2006-02-01 01:38 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757896035.exe
2006-02-01 01:37 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757867831.exe
2009-01-08 16:26 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-08 16:26 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-08 16:26 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-08 16:26 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-08 16:26 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zyndj"="c:\documents and settings\Alissa Blair\Application Data\F?nts\?vchost.exe" [?]
"Buer"="c:\documents and settings\Alissa Blair\My Documents\??sks\m?dtc.exe" [?]
"Qkqcsa"="c:\program files\Common Files\?ppPatch\m?iexec.exe" [?]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acronis True Image Monitor"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-08-15 419408]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-08-15 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-15 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-06-24 278528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"BackupClient.exe"="c:\program files\Student Backup\BackupClient.exe" [2008-11-19 9201614]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Peripherals\BounceBack Express\BBLauncher.exe [2005-07-30 98304]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-21 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-04 66864]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\program files\Symantec AntiVirus\Rtvscan.exe"= c:\program files\Symantec AntiVirus\Rtvscan.exe:128.148.21.238/255.255.255.255,128.148.177.0/255.255.255.0:Enabled:SAVRtvscan
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-02-16 14464]
S2 FMS;Flash Media Server (FMS);c:\program files\Macromedia\Flash Media Server 2\FMSMaster.exe [2006-02-08 884837]
S2 FMSAdmin;Flash Media Administration Server;c:\program files\Macromedia\Flash Media Server 2\FMSAdmin.exe [2006-02-08 1171556]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys [2004-02-23 14976]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-04 99376]


--- Ostatní služby/ovladače v paměti ---

*Deregistered* - AcrSch2Svc
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - ccEvtMgr
*Deregistered* - ccSetMgr
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - DefWatch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fax
*Deregistered* - FMS
*Deregistered* - FMSAdmin
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - ImapiService
*Deregistered* - IntelIde
*Deregistered* - Ip6Fw
*Deregistered* - IpNat
*Deregistered* - iPodService
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - LVCOMSer
*Deregistered* - LVPr2Mon
*Deregistered* - LVPrcSrv
*Deregistered* - LVSrvLauncher
*Deregistered* - LVUSBSta
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - NICCONFIGSVC
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NWCWorkstation
*Deregistered* - NwlnkIpx
*Deregistered* - NwlnkNb
*Deregistered* - NwlnkSpx
*Deregistered* - NWRDR
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - portD
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SavRoam
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Symantec AntiVirus
*Deregistered* - SymEvent
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - tifsfilter
*Deregistered* - timounter
*Deregistered* - TrkWks
*Deregistered* - tunmp
*Deregistered* - TVICHW32
*Deregistered* - UMWdf
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32ti

#4 ablair

  • Topic Starter
  • Members
  • 9 posts

Posted 18 January 2009 - 03:30 PM

Hi,

Thanks so much for your help!

I had a little trouble, because when I downloaded combofix everything was in Czech... I do have the characters for the language installed on my computer because I'm learning how to speak it, but I haven't used them/written in Czech in quite a while, and I've never had anything else download as the Czech version before. So it took me a while to get through the whole thing because I was less certain about what it was telling me to do at each step. BUT I do have a log now!

ComboFix 09-01-17.04 - Alissa Blair 2009-01-18 14:53:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.420.1033.18.503.210 [GMT -5:00]
Spuštěný z: c:\documents and settings\Alissa Blair\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Vytvořen nový Bod Obnovení
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alissa Blair\Application Data\ASEMBL~1
c:\documents and settings\Alissa Blair\Application Data\CROSOF~1
c:\documents and settings\Alissa Blair\Application Data\CROSOF~1.NET
c:\documents and settings\Alissa Blair\Application Data\FNTS~1
c:\documents and settings\Alissa Blair\Application Data\YSTEM~1
c:\documents and settings\Alissa Blair\My Documents\PPPATC~1
c:\documents and settings\Alissa Blair\My Documents\SKS~1
c:\documents and settings\Alissa Blair\My Documents\SSEMBL~1
c:\documents and settings\Alissa Blair\My Documents\YSTEM~1
c:\documents and settings\Alissa Blair\ResErrors.log
c:\program files\Common Files\dobe~1
c:\program files\Common Files\pppatc~1
c:\program files\Common Files\sembly~1
c:\program files\Common Files\ssembl~1
c:\program files\Common Files\ymante~1
c:\program files\pppatc~1
c:\program files\pppatc~1\?dobe\
c:\program files\pppatc~1\attrib.exe
c:\program files\ymbols~1
c:\windows\dobe~1
c:\windows\fnts~1
c:\windows\IE4 Error Log.txt
c:\windows\pppatc~1
c:\windows\system32\bszip.dll
c:\windows\system32\crosof~1
c:\windows\system32\mcroso~1
c:\windows\system32\smante~1
c:\windows\system32\wnsapiisv32.exe
c:\windows\tsks~1
c:\windows\wnsxs~1

.
((((((((((((((((((((((((( Soubory vytvořené od 2008-12-18 do 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-16 01:00 . 2009-01-16 01:00 <DIR> d-------- c:\documents and settings\Alissa Blair\Application Data\Malwarebytes
2009-01-16 01:00 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 00:59 . 2009-01-16 01:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 00:59 . 2009-01-16 00:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 00:59 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 22:51 . 2009-01-15 22:51 <DIR> d-------- C:\A003.3
2009-01-15 22:33 . 2009-01-15 22:34 <DIR> d-------- C:\A003.2
2009-01-15 13:44 . 2009-01-15 13:50 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:50 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:44 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:44 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-08 11:44 . 2009-01-08 11:45 <DIR> d-------- C:\A003.1
2008-12-27 19:08 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-27 19:07 . 2008-12-27 19:07 <DIR> d-------- c:\windows\system32\cs-CZ
2008-12-27 19:03 . 2008-12-27 19:07 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-27 19:03 . 2008-12-27 19:03 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-27 19:03 . 2008-12-27 19:03 <DIR> d-------- c:\program files\MSBuild
2008-12-27 19:01 . 2008-12-27 19:02 <DIR> d-------- C:\0d8213edcd2fb2e718614cfe7a54
2008-12-27 19:01 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-12-27 19:01 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2008-12-27 19:01 . 2008-07-06 05:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-12-27 19:01 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-12-27 19:01 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2008-12-27 19:01 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-12-27 19:01 . 2008-07-06 07:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-12-27 18:54 . 2008-12-27 18:54 <DIR> d-------- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 19:30 --------- d-----w c:\program files\Student Backup
2009-01-16 05:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 05:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 00:09 --------- d-----w c:\program files\Mertus
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-01-04 19:11 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-02-01 01:41 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138758087222.exe
2006-02-01 01:39 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757998925.exe
2006-02-01 01:39 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757965613.exe
2006-02-01 01:38 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757938644.exe
2006-02-01 01:38 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757896035.exe
2006-02-01 01:37 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757867831.exe
2009-01-08 16:26 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-08 16:26 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-08 16:26 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-08 16:26 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-08 16:26 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zyndj"="c:\documents and settings\Alissa Blair\Application Data\F?nts\?vchost.exe" [?]
"Buer"="c:\documents and settings\Alissa Blair\My Documents\??sks\m?dtc.exe" [?]
"Qkqcsa"="c:\program files\Common Files\?ppPatch\m?iexec.exe" [?]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acronis True Image Monitor"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-08-15 419408]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-08-15 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-15 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-06-24 278528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"BackupClient.exe"="c:\program files\Student Backup\BackupClient.exe" [2008-11-19 9201614]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Peripherals\BounceBack Express\BBLauncher.exe [2005-07-30 98304]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-21 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-04 66864]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\program files\Symantec AntiVirus\Rtvscan.exe"= c:\program files\Symantec AntiVirus\Rtvscan.exe:128.148.21.238/255.255.255.255,128.148.177.0/255.255.255.0:Enabled:SAVRtvscan
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-02-16 14464]
S2 FMS;Flash Media Server (FMS);c:\program files\Macromedia\Flash Media Server 2\FMSMaster.exe [2006-02-08 884837]
S2 FMSAdmin;Flash Media Administration Server;c:\program files\Macromedia\Flash Media Server 2\FMSAdmin.exe [2006-02-08 1171556]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys [2004-02-23 14976]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S3 EraserUtilRebootDrv;EraserUtil

#5 ablair

  • Topic Starter
  • Members
  • 9 posts

Posted 18 January 2009 - 03:39 PM

Agh, I'm really sorry. Something must be bad about my connection to the internet; I keep getting disconnected before the whole thing is done.


ComboFix 09-01-17.04 - Alissa Blair 2009-01-18 14:53:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.420.1033.18.503.210 [GMT -5:00]
Spuštěný z: c:\documents and settings\Alissa Blair\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Vytvořen nový Bod Obnovení
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alissa Blair\Application Data\ASEMBL~1
c:\documents and settings\Alissa Blair\Application Data\CROSOF~1
c:\documents and settings\Alissa Blair\Application Data\CROSOF~1.NET
c:\documents and settings\Alissa Blair\Application Data\FNTS~1
c:\documents and settings\Alissa Blair\Application Data\YSTEM~1
c:\documents and settings\Alissa Blair\My Documents\PPPATC~1
c:\documents and settings\Alissa Blair\My Documents\SKS~1
c:\documents and settings\Alissa Blair\My Documents\SSEMBL~1
c:\documents and settings\Alissa Blair\My Documents\YSTEM~1
c:\documents and settings\Alissa Blair\ResErrors.log
c:\program files\Common Files\dobe~1
c:\program files\Common Files\pppatc~1
c:\program files\Common Files\sembly~1
c:\program files\Common Files\ssembl~1
c:\program files\Common Files\ymante~1
c:\program files\pppatc~1
c:\program files\pppatc~1\?dobe\
c:\program files\pppatc~1\attrib.exe
c:\program files\ymbols~1
c:\windows\dobe~1
c:\windows\fnts~1
c:\windows\IE4 Error Log.txt
c:\windows\pppatc~1
c:\windows\system32\bszip.dll
c:\windows\system32\crosof~1
c:\windows\system32\mcroso~1
c:\windows\system32\smante~1
c:\windows\system32\wnsapiisv32.exe
c:\windows\tsks~1
c:\windows\wnsxs~1

.
((((((((((((((((((((((((( Soubory vytvořené od 2008-12-18 do 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-16 01:00 . 2009-01-16 01:00 <DIR> d-------- c:\documents and settings\Alissa Blair\Application Data\Malwarebytes
2009-01-16 01:00 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 00:59 . 2009-01-16 01:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 00:59 . 2009-01-16 00:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 00:59 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 22:51 . 2009-01-15 22:51 <DIR> d-------- C:\A003.3
2009-01-15 22:33 . 2009-01-15 22:34 <DIR> d-------- C:\A003.2
2009-01-15 13:44 . 2009-01-15 13:50 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:50 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:44 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:44 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-08 11:44 . 2009-01-08 11:45 <DIR> d-------- C:\A003.1
2008-12-27 19:08 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-27 19:07 . 2008-12-27 19:07 <DIR> d-------- c:\windows\system32\cs-CZ
2008-12-27 19:03 . 2008-12-27 19:07 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-27 19:03 . 2008-12-27 19:03 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-27 19:03 . 2008-12-27 19:03 <DIR> d-------- c:\program files\MSBuild
2008-12-27 19:01 . 2008-12-27 19:02 <DIR> d-------- C:\0d8213edcd2fb2e718614cfe7a54
2008-12-27 19:01 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-12-27 19:01 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2008-12-27 19:01 . 2008-07-06 05:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-12-27 19:01 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-12-27 19:01 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2008-12-27 19:01 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-12-27 19:01 . 2008-07-06 07:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-12-27 18:54 . 2008-12-27 18:54 <DIR> d-------- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 19:30 --------- d-----w c:\program files\Student Backup
2009-01-16 05:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 05:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 00:09 --------- d-----w c:\program files\Mertus
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-01-04 19:11 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-02-01 01:41 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138758087222.exe
2006-02-01 01:39 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757998925.exe
2006-02-01 01:39 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757965613.exe
2006-02-01 01:38 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757938644.exe
2006-02-01 01:38 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757896035.exe
2006-02-01 01:37 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757867831.exe
2009-01-08 16:26 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-08 16:26 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-08 16:26 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-08 16:26 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-08 16:26 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zyndj"="c:\documents and settings\Alissa Blair\Application Data\F?nts\?vchost.exe" [?]
"Buer"="c:\documents and settings\Alissa Blair\My Documents\??sks\m?dtc.exe" [?]
"Qkqcsa"="c:\program files\Common Files\?ppPatch\m?iexec.exe" [?]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acronis True Image Monitor"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-08-15 419408]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-08-15 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-15 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-06-24 278528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"BackupClient.exe"="c:\program files\Student Backup\BackupClient.exe" [2008-11-19 9201614]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Peripherals\BounceBack Express\BBLauncher.exe [2005-07-30 98304]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-21 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-04 66864]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\program files\Symantec AntiVirus\Rtvscan.exe"= c:\program files\Symantec AntiVirus\Rtvscan.exe:128.148.21.238/255.255.255.255,128.148.177.0/255.255.255.0:Enabled:SAVRtvscan
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-02-16 14464]
S2 FMS;Flash Media Server (FMS);c:\program files\Macromedia\Flash Media Server 2\FMSMaster.exe [2006-02-08 884837]
S2 FMSAdmin;Flash Media Administration Server;c:\program files\Macromedia\Flash Media Server 2\FMSAdmin.exe [2006-02-08 1171556]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys [2004-02-23 14976]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-04 99376]


--- Ostatní služby/ovladače v paměti ---

*Deregistered* - AcrSch2Svc
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - ccEvtMgr
*Deregistered* - ccSetMgr
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - DefWatch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fax
*Deregistered* - FMS
*Deregistered* - FMSAdmin
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - i2omgmt
*Deregistered* - ImapiService
*Deregistered* - IntelIde
*Deregistered* - Ip6Fw
*Deregistered* - IpNat
*Deregistered* - iPodService
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - LVCOMSer
*Deregistered* - LVPr2Mon
*Deregistered* - LVPrcSrv
*Deregistered* - LVSrvLauncher
*Deregistered* - LVUSBSta
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - NICCONFIGSVC
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NWCWorkstation
*Deregistered* - NwlnkIpx
*Deregistered* - NwlnkNb
*Deregistered* - NwlnkSpx
*Deregistered* - NWRDR
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - PolicyAgent
*Deregistered* - portD
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SavRoam
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Symantec AntiVirus
*Deregistered* - SymEvent
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - tifsfilter
*Deregistered* - timounter
*Deregistered* - TrkWks
*Deregistered* - tunmp
*Deregistered* - TVICHW32
*Deregistered* - UMWdf
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f4e7c70-5a40-11dd-b5ec-0012f0a3683f}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab53c7d3-afda-11db-b559-0012f0a3683f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e11c4dae-b1bc-11dc-b5a5-0012f0a3683f}]
\Shell\AutoRun\command - E:\AUTORUN.EXE --honordonotbugme
.
Obsah adresáře 'Naplánované úlohy'

2009-01-18 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-18 15:41]

2009-01-17 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-18 15:41]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

BHO-{0D6EFCF4-3245-4CE1-3454-4A71B17896C8} - c:\windows\system32\qns.dll
BHO-{428F0665-98D5-B72B-A838-EC2B5B9F8C9F} - c:\windows\system32\zasbmsw.dll
BHO-{586DFFDA-641C-6FC0-6751-3C71B6719FE8} - c:\windows\system32\nzbqyq.dll
BHO-{885B1EE5-822F-DBFD-0827-8B9A87FA4CB2} - c:\windows\system32\ktrvh.dll
BHO-{96AD8C62-10FB-4B2F-DC5A-4CE670855EE2} - c:\windows\system32\gbtwngc.dll
BHO-{C1FC8F4A-1FFA-3C58-D25F-3AE6778E5F94} - c:\windows\system32\oje.dll
BHO-{E5B81F07-DBC8-D943-BF5C-8C8A36F128B5} - c:\windows\system32\rrqut.dll
BHO-{EFBC4D73-D6C9-AC63-BB59-FA8A31F82E95} - c:\windows\system32\eurtfkm.dll
HKLM-Run-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe


.
------- Doplňkový sken -------
.
uStart Page = hxxp://email.brown.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Alissa Blair\Application Data\Mozilla\Firefox\Profiles\7m79g0z6.Alissa\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
.
------- Asociace souborů -------
.
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 14:59:37
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(8528)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Macromedia\Flash Media Server 2\FMSEdge.exe
c:\program files\Macromedia\Flash Media Server 2\FMSCore.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Java\jre1.5.0_08\bin\jucheck.exe
.
**************************************************************************
.
Celkový čas: 2009-01-18 15:10:54 - počítač byl restartován [Alissa Blair]
ComboFix-quarantined-files.txt 2009-01-18 20:10:43

Před spuštěním: 18,633,506,816 bytes free
Po spuštění: 18,643,501,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

380 --- E O F --- 2009-01-14 20:03:02

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


And here's a new HJT log:

============== Pseudo HJT Report ===============

uStart Page = hxxp://email.brown.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [Zyndj] "c:\documents and settings\alissa blair\application data\f?nts\?vchost.exe"
uRun: [Buer] "c:\documents and settings\alissa blair\my documents\??sks\m?dtc.exe"
uRun: [Qkqcsa] "c:\program files\common files\?pppatch\m?iexec.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_08\bin\jusched.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Acronis True Image Monitor] "c:\program files\acronis\trueimage\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [BackupClient.exe] c:\program files\student backup\BackupClient.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bounce~1.lnk - c:\program files\cms peripherals\bounceback express\BBLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alissa~1\applic~1\mozilla\firefox\profiles\7m79g0z6.alissa\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google

============= SERVICES / DRIVERS ===============

R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2008-8-19 14464]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-4 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090117.006\naveng.sys [2009-1-17 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090117.006\navex15.sys [2009-1-17 876112]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R4 FMS;Flash Media Server (FMS);c:\program files\macromedia\flash media server 2\FMSMaster.exe [2006-3-29 884837]
R4 FMSAdmin;Flash Media Administration Server;c:\program files\macromedia\flash media server 2\FMSAdmin.exe [2006-3-29 1171556]
R4 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2005-7-30 14976]
R4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-01-18 14:49 <DIR> a-dshr-- C:\cmdcons
2009-01-18 14:47 161,792 a------- c:\windows\SWREG.exe
2009-01-18 14:47 98,816 a------- c:\windows\sed.exe
2009-01-16 01:00 <DIR> --d----- c:\docume~1\alissa~1\applic~1\Malwarebytes
2009-01-16 01:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 00:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 00:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 00:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-15 22:51 <DIR> --d----- C:\A003.3
2009-01-15 22:33 <DIR> --d----- C:\A003.2
2009-01-15 13:44 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-15 13:44 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-15 13:44 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-15 13:44 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-08 11:44 <DIR> --d----- C:\A003.1
2008-12-27 19:08 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-27 19:07 <DIR> --d----- c:\windows\system32\cs-CZ
2008-12-27 19:03 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-27 19:01 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-12-27 19:01 575,488 -------- c:\windows\system32\xpsshhdr.dll
2008-12-27 19:01 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2008-12-27 19:01 117,760 -------- c:\windows\system32\prntvpt.dll
2008-12-27 19:01 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-12-27 19:01 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2008-12-27 19:01 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2008-12-27 19:01 <DIR> --d----- C:\0d8213edcd2fb2e718614cfe7a54
2008-12-27 18:54 <DIR> --d----- c:\program files\MSXML 6.0

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 -------- c:\windows\system32\drivers\srv.sys
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-01-04 14:11 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-01-31 20:41 438,784 -c------ c:\documents and settings\alissa blair\vftv1138758087222.exe
2006-01-31 20:39 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757998925.exe
2006-01-31 20:39 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757965613.exe
2006-01-31 20:38 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757938644.exe
2006-01-31 20:38 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757896035.exe
2006-01-31 20:37 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757867831.exe

============= FINISH: 15:25:22.26 ===============

#6 fenzodahl512 (Members, 6,738 posts)

Posted 20 January 2009 - 06:03 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
Viewpoint Manager Service

Folder::
c:\documents and settings\Alissa Blair\Application Data\F?nts
c:\documents and settings\Alissa Blair\My Documents\??sks
c:\program files\Common Files\?ppPatch

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zyndj"=-
"Buer"=-
"Qkqcsa"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation not reproduced: dragging CFScript.txt onto ComboFix.exe)


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
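The three uRun entries that the script above targets (Zyndj, Buer, Qkqcsa) share two traits that are visible in the log itself: the executable names are one character away from real Windows binaries (svchost.exe, msdtc.exe, msiexec.exe) yet run from user-profile or Common Files folders, and both the file and folder names contain characters the log tool printed as "?" (a "?" is not legal in a Windows path, so it is a placeholder for a character it could not render). The following is an added example, not code from the helper or from ComboFix: it parses uRun/mRun lines of the kind shown in the earlier log, flags entries that match those two heuristics, and renders the hits in the Folder:: and Registry:: sections the helper used. The six log lines are copied from the thread; the last mRun line is constructed, with real Cyrillic letters in the folder and file name, to show the non-ASCII check on a character a log would have printed as "?". The list of system binary names, the Finding type and the triage/to_cfscript function names are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: six uRun/mRun lines as printed in the HijackThis-style
# log earlier in this thread, plus one made-up mRun line (value name "Fake") whose
# folder and file names contain Cyrillic letters (U+0442, U+0441) instead of the
# "?" placeholders a log tool would print for them.
SAMPLE_RUN_LINES = [
    r'uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl',
    r'uRun: [Zyndj] "c:\documents and settings\alissa blair\application data\f?nts\?vchost.exe"',
    r'uRun: [Buer] "c:\documents and settings\alissa blair\my documents\??sks\m?dtc.exe"',
    r'uRun: [Qkqcsa] "c:\program files\common files\?pppatch\m?iexec.exe"',
    r'uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe',
    r'mRun: [Apoint] c:\program files\apoint\Apoint.exe',
    'mRun: [Fake] "c:\\documents and settings\\alissa blair\\application data\\\u0442asks\\sv\u0441host.exe"',
]

# Assumed list of Windows binaries whose names malware likes to imitate.
SYSTEM_BINARIES = ("svchost.exe", "msdtc.exe", "msiexec.exe", "ctfmon.exe", "explorer.exe",
                   "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "rundll32.exe")
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows"}

RUN_LINE = re.compile(r'^([um])Run:\s*\[([^\]]*)\]\s*(.*)$')
EXE_PATH = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)   # path up to the first .exe
HIVES = {"u": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
         "m": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}


@dataclass
class Finding:
    hive: str                      # "u" (HKCU) or "m" (HKLM), as in the log's uRun/mRun prefix
    name: str                      # registry value name, e.g. "Zyndj"
    path: str                      # executable path, lower-cased
    reasons: list = field(default_factory=list)


def unrenderable(s):
    """True if s holds a '?' (illegal in a Windows path, so a log placeholder for a
    character the tool could not print) or any non-ASCII character (look-alike letters)."""
    return "?" in s or any(ord(ch) > 127 for ch in s)


def lookalike_of(basename):
    """Return the system binary that basename mimics (same length, exactly one
    character different), or None for exact matches and unrelated names."""
    for known in SYSTEM_BINARIES:
        if len(known) == len(basename) and sum(a != b for a, b in zip(known, basename)) == 1:
            return known
    return None


def triage_run_line(line):
    """Parse one uRun/mRun line into a Finding; reasons stays empty if nothing is suspicious."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    hive, name, rest = m.groups()
    p = EXE_PATH.match(rest)
    if not p:
        return None
    path = p.group(1).lower()
    directory, _, basename = path.rpartition("\\")
    f = Finding(hive, name, path)
    if unrenderable(path):
        f.reasons.append("non-ASCII or unprintable character in path")
    mimic = lookalike_of(basename)
    if mimic and directory not in SYSTEM_DIRS:
        f.reasons.append(f"name mimics {mimic} but runs from {directory}")
    return f


def triage(lines):
    """Return only the autostart entries that tripped at least one heuristic."""
    findings = (triage_run_line(line) for line in lines)
    return [f for f in findings if f and f.reasons]


def to_cfscript(findings):
    """Render findings in the CFScript sections used above: Folder:: for directories whose
    own name is a look-alike, Registry:: with "name"=- (REGEDIT4 syntax) to delete the values."""
    folders = []
    for f in findings:
        directory = f.path.rpartition("\\")[0]
        if unrenderable(directory.rpartition("\\")[2]) and directory not in folders:
            folders.append(directory)
    out = ["KillAll::", ""]
    if folders:
        out += ["Folder::", *folders, ""]
    out.append("Registry::")
    for hive in ("u", "m"):
        names = [f.name for f in findings if f.hive == hive]
        if names:
            out.append(f"[{HIVES[hive]}]")
            out += [f'"{n}"=-' for n in names]
    return "\n".join(out)


if __name__ == "__main__":
    hits = triage(SAMPLE_RUN_LINES)
    for h in hits:
        print(f"{h.name}: {h.path}\n    " + "\n    ".join(h.reasons))
    print()
    print(to_cfscript(hits))
```

Run against the sample, the AIM, ctfmon.exe and Apoint entries pass and the other four are flagged on both counts; the generated Folder:: lines are the same three the helper wrote (lower-cased, which is harmless on a case-insensitive file system) plus the constructed Cyrillic folder, and the "?" placeholders are reproduced verbatim, exactly as the helper's own script did. The output is a draft for a helper to review against the full log, not something to drop onto ComboFix unread.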


#7 ablair (Topic Starter, Members, 9 posts)

Posted 20 January 2009 - 01:32 PM

Was this supposed to make it run in English? For some reason it's still all in Czech?

#8 fenzodahl512 (Members, 6,738 posts)

Posted 21 January 2009 - 05:37 AM

I don't know.. Is your machine in Czech?.. Just run it first.. My primary concern is to remove malware from that computer.



#9 ablair (Topic Starter, Members, 9 posts)

Posted 21 January 2009 - 05:35 PM

Hi!

So I figured out why it was all in Czech... and now it's not. Wonderful!

This is the Combofix Log:

ComboFix 09-01-17.04 - Alissa Blair 2009-01-21 17:02:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.89 [GMT -5:00]
Running from: c:\documents and settings\Alissa Blair\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alissa Blair\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-21 17:00 . 2009-01-21 17:00 51,608 --a------ c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-01-16 01:00 . 2009-01-16 01:00 <DIR> d-------- c:\documents and settings\Alissa Blair\Application Data\Malwarebytes
2009-01-16 01:00 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 00:59 . 2009-01-16 01:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 00:59 . 2009-01-16 00:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 00:59 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 22:51 . 2009-01-15 22:51 <DIR> d-------- C:\A003.3
2009-01-15 22:33 . 2009-01-15 22:34 <DIR> d-------- C:\A003.2
2009-01-15 13:44 . 2009-01-15 13:50 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:50 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:44 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-15 13:44 . 2009-01-15 13:44 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-08 11:44 . 2009-01-08 11:45 <DIR> d-------- C:\A003.1
2008-12-27 19:08 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-27 19:07 . 2008-12-27 19:07 <DIR> d-------- c:\windows\system32\cs-CZ
2008-12-27 19:03 . 2008-12-27 19:07 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-27 19:03 . 2008-12-27 19:03 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-27 19:03 . 2008-12-27 19:03 <DIR> d-------- c:\program files\MSBuild
2008-12-27 19:01 . 2008-12-27 19:02 <DIR> d-------- C:\0d8213edcd2fb2e718614cfe7a54
2008-12-27 19:01 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-12-27 19:01 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2008-12-27 19:01 . 2008-07-06 05:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-12-27 19:01 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-12-27 19:01 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2008-12-27 19:01 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-12-27 19:01 . 2008-07-06 07:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-12-27 18:54 . 2008-12-27 18:54 <DIR> d-------- c:\program files\MSXML 6.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 21:58 --------- d-----w c:\program files\Student Backup
2009-01-16 05:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 05:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 00:09 --------- d-----w c:\program files\Mertus
2008-12-11 11:57 333,184 ------w c:\windows\system32\drivers\srv.sys
2008-01-04 19:11 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-02-01 01:41 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138758087222.exe
2006-02-01 01:39 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757998925.exe
2006-02-01 01:39 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757965613.exe
2006-02-01 01:38 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757938644.exe
2006-02-01 01:38 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757896035.exe
2006-02-01 01:37 438,784 -c----w c:\documents and settings\Alissa Blair\vftv1138757867831.exe
2009-01-08 16:26 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-08 16:26 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-08 16:26 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-08 16:26 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-08 16:26 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-18_15.07.56.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-02 18:09:23 224,816 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-21 21:54:34 224,816 ----a-w c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acronis True Image Monitor"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-08-15 419408]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-08-15 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-15 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-06-24 278528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"BackupClient.exe"="c:\program files\Student Backup\BackupClient.exe" [2008-11-19 9201614]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BounceBack Launcher.lnk - c:\program files\CMS Peripherals\BounceBack Express\BBLauncher.exe [2005-07-30 98304]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-07-21 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-04 66864]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\program files\Symantec AntiVirus\Rtvscan.exe"= c:\program files\Symantec AntiVirus\Rtvscan.exe:128.148.21.238/255.255.255.255,128.148.177.0/255.255.255.0:Enabled:SAVRtvscan
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2008-08-19 14464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-04 99376]
R4 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2005-07-30 14976]

--- Other Services/Drivers In Memory ---

*Deregistered* - AcrSch2Svc
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - ccEvtMgr
*Deregistered* - ccSetMgr
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - DefWatch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fax
*Deregistered* - FMS
*Deregistered* - FMSAdmin
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - ImapiService
*Deregistered* - iPodService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - LVCOMSer
*Deregistered* - LVPrcSrv
*Deregistered* - LVSrvLauncher
*Deregistered* - Netman
*Deregistered* - NICCONFIGSVC
*Deregistered* - Nla
*Deregistered* - NWCWorkstation
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SavRoam
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - ssrtln
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - Symantec AntiVirus
*Deregistered* - SymEvent
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - Tcpip6
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - tfsnboio
*Deregistered* - tfsncofs
*Deregistered* - tfsndrct
*Deregistered* - tfsndres
*Deregistered* - tfsnifs
*Deregistered* - tfsnopio
*Deregistered* - tfsnpool
*Deregistered* - tfsnudf
*Deregistered* - tfsnudfa
*Deregistered* - Themes
*Deregistered* - tifsfilter
*Deregistered* - timounter
*Deregistered* - TrkWks
*Deregistered* - tunmp
*Deregistered* - TVICHW32
*Deregistered* - UMWdf
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - w32time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f4e7c70-5a40-11dd-b5ec-0012f0a3683f}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab53c7d3-afda-11db-b559-0012f0a3683f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e11c4dae-b1bc-11dc-b5a5-0012f0a3683f}]
\Shell\AutoRun\command - E:\AUTORUN.EXE --honordonotbugme
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-18 15:41]

2009-01-20 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-18 15:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://email.brown.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Alissa Blair\Application Data\Mozilla\Firefox\Profiles\7m79g0z6.Alissa\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 17:10:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Macromedia\Flash Media Server 2\FMSMaster.exe
c:\program files\Macromedia\Flash Media Server 2\FMSAdmin.exe
c:\program files\Macromedia\Flash Media Server 2\FMSEdge.exe
c:\program files\Macromedia\Flash Media Server 2\FMSCore.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Java\jre1.5.0_08\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-01-21 17:22:22 - machine was rebooted [Alissa Blair]
ComboFix-quarantined-files.txt 2009-01-21 22:22:16
ComboFix2.txt 2009-01-18 20:10:57

Pre-Run: 18,474,459,136 bytes free
Post-Run: 18,556,981,248 bytes free

296 --- E O F --- 2009-01-14 20:03:02



And this is my newest HJT log:

============== Pseudo HJT Report ===============

uStart Page = hxxp://email.brown.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_08\bin\jusched.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Acronis True Image Monitor] "c:\program files\acronis\trueimage\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [BackupClient.exe] c:\program files\student backup\BackupClient.exe
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bounce~1.lnk - c:\program files\cms peripherals\bounceback express\BBLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alissa~1\applic~1\mozilla\firefox\profiles\7m79g0z6.alissa\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google

============= SERVICES / DRIVERS ===============

R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2008-8-19 14464]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-4 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090117.006\naveng.sys [2009-1-17 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090117.006\navex15.sys [2009-1-17 876112]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R4 FMS;Flash Media Server (FMS);c:\program files\macromedia\flash media server 2\FMSMaster.exe [2006-3-29 884837]
R4 FMSAdmin;Flash Media Administration Server;c:\program files\macromedia\flash media server 2\FMSAdmin.exe [2006-3-29 1171556]
R4 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2005-7-30 14976]
R4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

=============== Created Last 30 ================

2009-01-21 17:00 51,608 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-01-21 16:59 161,792 a------- c:\windows\SWREG.exe
2009-01-21 16:59 98,816 a------- c:\windows\sed.exe
2009-01-18 14:49 <DIR> a-dshr-- C:\cmdcons
2009-01-16 01:00 <DIR> --d----- c:\docume~1\alissa~1\applic~1\Malwarebytes
2009-01-16 01:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 00:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 00:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 00:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-15 22:51 <DIR> --d----- C:\A003.3
2009-01-15 22:33 <DIR> --d----- C:\A003.2
2009-01-15 13:44 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-15 13:44 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-15 13:44 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-15 13:44 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-08 11:44 <DIR> --d----- C:\A003.1
2008-12-27 19:08 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-27 19:07 <DIR> --d----- c:\windows\system32\cs-CZ
2008-12-27 19:03 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-27 19:01 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-12-27 19:01 575,488 -------- c:\windows\system32\xpsshhdr.dll
2008-12-27 19:01 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2008-12-27 19:01 117,760 -------- c:\windows\system32\prntvpt.dll
2008-12-27 19:01 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-12-27 19:01 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2008-12-27 19:01 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2008-12-27 19:01 <DIR> --d----- C:\0d8213edcd2fb2e718614cfe7a54
2008-12-27 18:54 <DIR> --d----- c:\program files\MSXML 6.0

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 -------- c:\windows\system32\drivers\srv.sys
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-01-04 14:11 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-01-31 20:41 438,784 -c------ c:\documents and settings\alissa blair\vftv1138758087222.exe
2006-01-31 20:39 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757998925.exe
2006-01-31 20:39 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757965613.exe
2006-01-31 20:38 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757938644.exe
2006-01-31 20:38 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757896035.exe
2006-01-31 20:37 438,784 -c------ c:\documents and settings\alissa blair\vftv1138757867831.exe

============= FINISH: 17:23:59.43 ===============



Sincerely,

Alissa

#10 fenzodahl512

  • Members
  • 6,738 posts

Posted 22 January 2009 - 03:28 AM

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • c:\documents and settings\Alissa Blair\vftv1138758087222.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.





Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 ablair

  • Topic Starter
  • Members
  • 9 posts

Posted 23 January 2009 - 12:45 AM

Hi,

I had to use VirusTotal because I couldn't get onto the other website. Here's the report I got:

File vftv1138758087222.exe received on 01.23.2009 03:29:27 (CET)
Result: 2/39 (5.13%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.23 -
AhnLab-V3 5.0.0.2 2009.01.22 -
AntiVir 7.9.0.60 2009.01.22 -
Authentium 5.1.0.4 2009.01.22 -
Avast 4.8.1281.0 2009.01.22 -
AVG 8.0.0.229 2009.01.22 -
BitDefender 7.2 2009.01.23 -
CAT-QuickHeal 10.00 2009.01.22 -
ClamAV 0.94.1 2009.01.22 -
Comodo 942 2009.01.22 -
DrWeb 4.44.0.09170 2009.01.23 -
eSafe 7.0.17.0 2009.01.22 -
eTrust-Vet 31.6.6322 2009.01.23 -
F-Prot 4.4.4.56 2009.01.22 -
F-Secure 8.0.14470.0 2009.01.23 -
Fortinet 3.117.0.0 2009.01.22 -
GData 19 2009.01.23 -
Ikarus T3.1.1.45.0 2009.01.23 -
K7AntiVirus 7.10.601 2009.01.22 -
Kaspersky 7.0.0.125 2009.01.23 -
McAfee 5503 2009.01.22 New Malware.ai
McAfee+Artemis 5503 2009.01.22 New Malware.ai
Microsoft 1.4205 2009.01.22 -
NOD32 3791 2009.01.22 -
Norman 5.93.01 2009.01.22 -
nProtect 2009.1.8.0 2009.01.23 -
Panda 9.5.1.2 2009.01.22 -
PCTools 4.4.2.0 2009.01.22 -
Prevx1 V2 2009.01.23 -
Rising 21.13.32.00 2009.01.22 -
SecureWeb-Gateway 6.7.6 2009.01.22 -
Sophos 4.37.0 2009.01.23 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.23 -
TheHacker 6.3.1.5.226 2009.01.22 -
TrendMicro 8.700.0.1004 2009.01.22 -
VBA32 3.12.8.11 2009.01.22 -
ViRobot 2009.1.22.1574 2009.01.22 -
VirusBuster 4.5.11.0 2009.01.22 -
Additional information
File size: 438784 bytes
MD5...: b76ea5f1e79139a0b3728264b6bbf94e
SHA1..: 5d2201a47d2281c1c5e81e71e3366367c295e328
SHA256: a7a0183d343265e68cb94cd3674ad3b42e3ce3362c7d2205a481ad0b4fce4c7f
SHA512: 835206bcd1b7c5c48ba7be9eddf7d143c308d6e6e9d0d50a1b9a2e24e6a3160fefab5b59202482201db331bca94383f8cafc78571e49140b6363daf7e969dacc
ssdeep: 6144:2q6g6slpacloPlXpuGP9nVzqx9cUma9GPNZJUHdkm7b42rVE3y11ks2VRzV2C2/4:B/TlD3GP9nOc8GPNcHfHyy1kgCmNG
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403e4d
timedatestamp.....: 0x42cae620 (Tue Jul 05 19:57:20 2005)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7354 0x7400 6.71 ac3672b110411623b50962d350c25df5
.rdata 0x9000 0x3a92 0x3c00 5.29 7f30caea84958fd3a1b9f07f0a8d39ac
.data 0xd000 0x5eabc 0x5e400 7.99 5cddf9dc8491536567de6f58c649746a
.rsrc 0x6c000 0x18e8 0x1a00 3.14 8d7fdf807d7567162fd1c34fd66e682e

( 1 imports )
> KERNEL32.dll: CreateFileA, WaitForSingleObject, GetTickCount, WriteFile, CreateProcessA, GetEnvironmentVariableA, GetShortPathNameA, CreateDirectoryA, GetLongPathNameA, RemoveDirectoryA, GetModuleFileNameA, CloseHandle, GetTempPathA, DeleteFileA, ExitProcess, GetProcAddress, GetModuleHandleA, TerminateProcess, GetCurrentProcess, HeapFree, HeapAlloc, GetStartupInfoA, GetCommandLineA, GetVersionExA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsFree, SetLastError, GetCurrentThreadId, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSection, HeapSize, LoadLibraryA, GetACP, GetOEMCP, GetCPInfo, RtlUnwind, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, VirtualProtect, GetSystemInfo, VirtualQuery

( 0 exports )

and here is the log from the eset scan:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3791 (20090122)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5af75316eae90447b60bc2be2e543a7c
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-23 05:32:37
# local_time=2009-01-23 12:32:37 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=510832
# found=0
# scan_time=7287


thanks!
Alissa

#12 fenzodahl512

  • Members
  • 6,738 posts

Posted 23 January 2009 - 07:22 AM

c:\documents and settings\alissa blair\vftv1138758087222.exe
c:\documents and settings\alissa blair\vftv1138757998925.exe
c:\documents and settings\alissa blair\vftv1138757965613.exe
c:\documents and settings\alissa blair\vftv1138757938644.exe
c:\documents and settings\alissa blair\vftv1138757896035.exe
c:\documents and settings\alissa blair\vftv1138757867831.exe



McAfee flags it as New Malware.ai.. Not sure whether it's a false positive.. Do you know anything about those files?.. If not, just create a new folder on the Desktop, and cut/paste all files above to that new folder.. then observe for a couple of days.. If your computer is doing fine, just delete the folder and files.. :thumbsup:


Tell me more about it :)



#13 ablair

  • Topic Starter
  • Members
  • 9 posts

Posted 23 January 2009 - 11:46 AM

Hi,

So I don't know what those files are... but I looked in my Documents and Settings folder and I have 12 different versions of them, all with different numbers at the end. According to the properties they've been created at different times ranging from November 2007 to December 2008?

I'll move them to my desktop and keep them, then consider deleting them in a few days.

Aside from these mystery files, does everything else look okay?

Alissa

#14 fenzodahl512

  • Members
  • 6,738 posts

Posted 23 January 2009 - 12:36 PM

Other than that, they all look great! Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbsup:



Have a safe and happy computing day!


Regards
fenzodahl512



#15 ablair

  • Topic Starter
  • Members
  • 9 posts

Posted 31 January 2009 - 02:26 AM

Hi!

So I've been keeping an eye on my computer for the last week to see how it's doing. One thing keeps happening that's making me a bit nervous. I have Symantec Antivirus installed on my computer and it's typically always on "Auto Protect" but every other day or so I keep getting these messages that will suddenly pop up in the bottom of my tool bar in a bubble saying "Your computer may be at risk, Symantec AntiVirus Corporate Edition is not turned on." That's not the exact message word for word, but it's telling me that basic info. So then I will click to fix the problem and it takes me to the windows security screen that shows that while my firewall is still turned on, my antivirus program no longer is. But when I right click on my Symantec AntiVirus icon on the toolbar it still says it's on Auto Protect. The only way to get windows security to stop saying my antivirus is turned off is for me to turn off and then immediately turn back on the auto protect feature of symantec. When I turn it back on suddenly my computer isn't giving me any messages anymore, but then it will happen again a day or two later...

This seems pretty suspicious to me but I don't know what to do.

Alissa



