
Infected with Virtumundo


  • This topic is locked
12 replies to this topic

#1 socalmako

socalmako

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 11 February 2009 - 06:27 PM

I originally installed Windows Defender when I discovered the infection. WD found and removed files but not everything as Vundo is regenerating. I have tried Spyware Doctor and VundoFix with the same results. I removed all Java updates (and the current version for now) after reading that the older versions are vulnerable. Thanks in advance for your help!!!

Here is the DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by at 15:01:18.73 on Wed 02/11/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1625 [GMT -8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jraymer\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [StickyPassword] c:\program files\sticky password\stpass.exe
uRun: [A00F343636.exe] c:\docume~1\jraymer\locals~1\temp\_A00F343636.exe
uRun: [A00F52D70.exe] c:\docume~1\jraymer\locals~1\temp\_A00F52D70.exe
uRun: [A00F5AC64.exe] c:\docume~1\jraymer\locals~1\temp\_A00F5AC64.exe
uRun: [A00F4232DC7.exe] c:\docume~1\jraymer\locals~1\temp\_A00F4232DC7.exe
uRun: [A00F9702562.exe] c:\docume~1\jraymer\locals~1\temp\_A00F9702562.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\jraymer\startm~1\programs\startup\iphone~1.lnk - c:\program files\iphoneringtonemaker\iPhoneRingToneMaker.exe
StartupFolder: c:\docume~1\jraymer\startm~1\programs\startup\palmon~1.lnk - c:\program files\palm\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netpho~1.lnk - c:\oaisys\netphone\netphone.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: galileoprocessing.com\trycera
Trusted Zone: seekerinc.com\secure
Trusted Zone: uci.edu\www.ags
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231443151968
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://63.97.125.197/activex/AxisCamControl.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://satorisoftware.webex.com/client/T26L/webex/ieatgpc.cab
TCP: {2CE79BA9-BA84-4918-962E-E2C2B6A7260F} = 192.168.111.2,68.6.16.30
TCP: {58CF37F6-2F26-4457-B8EA-ABCD2A0716D9} = 192.168.111.3,68.4.16.30
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: c0ced99d530 - c:\windows\system32\ifsutil32.dll
Notify: __c0091590 - c:\windows\system32\__c0091590.dat
Notify: __c00AB5C - c:\windows\system32\__c00AB5C.dat
Notify: __c00AF5F8 - c:\windows\system32\__c00AF5F8.dat
Notify: __c00D499C - c:\windows\system32\__c00D499C.dat
Notify: __c00F5329 - c:\windows\system32\__c00F5329.dat
AppInit_DLLs: c:\windows\system32\ifsutil32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-2-5 160792]
R3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-5 40840]
R3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-5 66952]
R3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-5 81288]
S2 gupdate1c9862b939c9cc0;Google Update Service (gupdate1c9862b939c9cc0);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-5 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-5 1079176]

=============== Created Last 30 ================

2009-02-11 05:41 374,272 a--sh--- c:\windows\system32\6E.tmp
2009-02-10 09:41 374,272 a--sh--- c:\windows\system32\3D.tmp
2009-02-08 20:32 374,272 a--sh--- c:\windows\system32\66.tmp
2009-02-08 00:32 374,272 a--sh--- c:\windows\system32\5A.tmp
2009-02-07 04:32 374,272 a--sh--- c:\windows\system32\54.tmp
2009-02-06 08:32 374,272 a--sh--- c:\windows\system32\16.tmp
2009-02-05 10:01 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2009-02-05 10:01 <DIR> --d----- c:\program files\common files\PC Tools
2009-02-05 10:01 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-05 10:01 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-05 10:01 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-05 10:01 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-05 10:01 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-05 10:01 <DIR> --d----- c:\docume~1\jraymer\applic~1\PC Tools
2009-02-05 10:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-02-04 12:18 <DIR> --d----- C:\VundoFix Backups
2009-02-04 09:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-04 09:20 0 a------- c:\windows\system32\3A.tmp
2009-02-04 09:20 0 a--sh--- c:\windows\system32\39.tmp
2009-02-03 10:58 9,446 a------- c:\windows\GnuHashes.ini
2009-02-03 10:50 374,272 a--sh--- c:\windows\system32\6C.tmp
2009-02-03 10:50 1,437 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-02-03 10:50 <DIR> --dsh--- c:\windows\system32\LocalService32
2009-02-03 10:50 374,272 a--sh--- c:\windows\system32\68.tmp
2009-02-03 10:49 135,168 a------- c:\windows\system32\ifsutil32.dll
2009-01-19 10:50 <DIR> --d----- c:\program files\Business Objects
2009-01-19 10:49 278,528 a------- c:\windows\system32\rmtprism450.dll
2009-01-19 10:49 262,144 a------- c:\windows\system32\FiltBldr331c.dll
2009-01-19 10:49 155,648 a------- c:\windows\system32\FiltBldr331c.ocx
2009-01-19 10:49 61,440 a------- c:\windows\system32\ObjBwsr200.ocx
2009-01-19 10:49 58,975 a------- c:\windows\system32\filterbuilder.chm
2009-01-19 10:49 40,960 a------- c:\windows\system32\FlRuler21.ocx
2009-01-19 10:49 <DIR> --d----- c:\program files\common files\Firstlogic
2009-01-19 10:48 36,864 a------- c:\windows\system32\SX32W.DLL
2009-01-16 09:31 <DIR> --d----- c:\windows\system32\scripting
2009-01-16 09:31 <DIR> --d----- c:\windows\system32\en
2009-01-16 09:31 <DIR> --d----- c:\windows\l2schemas
2009-01-16 09:31 <DIR> --d----- c:\windows\system32\bits
2009-01-16 09:28 <DIR> --d----- c:\windows\ServicePackFiles

==================== Find3M ====================

2009-02-05 09:07 2,496 a------- c:\windows\system32\d3d8caps.dat
2009-02-04 11:03 2,608 a------- c:\windows\system32\d3d9caps.dat
2009-01-16 09:34 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 15:03:14.42 ===============
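The DDS log above already shows the persistence points this kind of infection relies on: Winlogon Notify packages that point at .dat files, a DLL loaded through AppInit_DLLs (and the same DLL registered as a Notify package), user Run entries launching from a Temp folder, and a series of hidden/system .tmp files of identical size in system32. The Python script below is an added example, not part of the thread, of DDS or of ComboFix: it parses the line shapes DDS prints and flags those patterns so a log like this one can be triaged mechanically. The sample lines are a subset copied from the log above; the heuristics (Temp-folder Run entries, .dat Notify packages, Notify/AppInit cross-reference, two or more equal-size hidden .tmp files) are the author's own and produce leads for review, not verdicts.

```python
"""Triage a DDS 'Pseudo HJT Report' / 'Created Last 30' listing for Vundo-style persistence.

Added example for this thread; not part of DDS, ComboFix or the helper's
instructions. It understands only the line shapes DDS prints and applies the
author's own heuristics (marked below), so treat hits as leads for review.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Line shapes as DDS prints them (see the log in this thread).
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<key>\S+) - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<path>.+)$")
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+|<DIR>) (?P<attr>[a-z-]{8}) (?P<path>.+)$"
)

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F343636.exe] c:\docume~1\jraymer\locals~1\temp\_A00F343636.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
Notify: c0ced99d530 - c:\windows\system32\ifsutil32.dll
Notify: __c0091590 - c:\windows\system32\__c0091590.dat
AppInit_DLLs: c:\windows\system32\ifsutil32.dll
2009-02-11 05:41 374,272 a--sh--- c:\windows\system32\6E.tmp
2009-02-10 09:41 374,272 a--sh--- c:\windows\system32\3D.tmp
2009-02-04 09:20 0 a--sh--- c:\windows\system32\39.tmp
2009-02-04 09:33 410,984 a------- c:\windows\system32\deploytk.dll
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = quarantine candidate, "review" = look at it
    reason: str
    line: str


def triage_dds(text: str) -> list[Finding]:
    """Return findings for the persistence points a Vundo-style infection uses."""
    findings: list[Finding] = []
    notify_entries: list[tuple[str, str, str]] = []
    appinit_dlls: set[str] = set()
    hidden_tmp_by_size: dict[str, list[str]] = defaultdict(list)

    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            # Heuristic: a Run entry whose target lives under a Temp folder.
            if "\\temp\\" in m["cmd"].lower():
                findings.append(Finding("high", "Run entry launches from a Temp folder", line))
        elif m := NOTIFY_RE.match(line):
            notify_entries.append((m["key"], m["path"].lower(), line))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every process that loads user32.dll.
            appinit_dlls.add(m["path"].lower())
            findings.append(Finding("review", "AppInit_DLLs is set (process-wide DLL injection point)", line))
        elif m := FILE_RE.match(line):
            path, attr = m["path"].lower(), m["attr"]
            # Heuristic: hidden+system .tmp files dropped into system32.
            if path.endswith(".tmp") and "\\system32\\" in path and "s" in attr and "h" in attr:
                hidden_tmp_by_size[m["size"]].append(line)

    # Second pass: judge Notify packages once the AppInit list is complete.
    for _key, path, line in notify_entries:
        if path.endswith(".dat"):
            findings.append(Finding("high", "Winlogon Notify package is a .dat file (renamed DLL)", line))
        elif path in appinit_dlls:
            findings.append(Finding("high", "Winlogon Notify DLL is also loaded via AppInit_DLLs", line))

    # Heuristic: two or more hidden .tmp files of one non-zero size look like dropper copies.
    for size, lines in hidden_tmp_by_size.items():
        if size != "0" and len(lines) >= 2:
            for line in lines:
                findings.append(Finding("high", f"hidden+system .tmp in system32, {len(lines)} files share size {size}", line))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 5, 'review': 1} for SAMPLE_DDS."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(severity_counts(triage_dds(SAMPLE_DDS)))
```

Run it against a full DDS log by passing the file contents to `triage_dds`; the Notify/AppInit cross-reference is the part worth keeping even if the other heuristics are tuned, because a DLL that is both a Winlogon Notify package and an AppInit DLL is loaded before any user-mode scanner and is exactly what the later cleanup script in this thread has to remove.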

#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:34 PM

Posted 12 February 2009 - 01:45 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 socalmako

socalmako
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 12 February 2009 - 12:53 PM

Thanks for your quick response. Here's the ComboFix log:

ComboFix 09-02-11.03 - 2009-02-12 9:35:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1572 [GMT -8:00]
Running from: c:\documents and settings\\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jraymer\Application Data\02000000f77ceceb530C.manifest
c:\documents and settings\jraymer\Application Data\02000000f77ceceb530O.manifest
c:\documents and settings\jraymer\Application Data\02000000f77ceceb530P.manifest
c:\documents and settings\jraymer\Application Data\02000000f77ceceb530S.manifest
c:\documents and settings\twright\Application Data\02000000f77ceceb530C.manifest
c:\documents and settings\twright\Application Data\02000000f77ceceb530O.manifest
c:\documents and settings\twright\Application Data\02000000f77ceceb530P.manifest
c:\documents and settings\twright\Application Data\02000000f77ceceb530S.manifest
c:\windows\GnuHashes.ini
c:\windows\IE4 Error Log.txt
c:\windows\system32\__c0026CAE.dat
c:\windows\system32\2
c:\windows\system32\2\BiMMonNT.dll
c:\windows\system32\GroupPolicy000.dat

.
((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-12 09:40 . 2009-02-12 09:41 374,272 --ahs---- c:\windows\system32\3.tmp
2009-02-11 05:41 . 2009-02-11 05:41 374,272 --ahs---- c:\windows\system32\6E.tmp
2009-02-10 09:41 . 2009-02-10 09:41 374,272 --ahs---- c:\windows\system32\3D.tmp
2009-02-08 20:32 . 2009-02-08 20:32 374,272 --ahs---- c:\windows\system32\66.tmp
2009-02-08 00:32 . 2009-02-08 00:32 374,272 --ahs---- c:\windows\system32\5A.tmp
2009-02-07 04:32 . 2009-02-07 04:32 374,272 --ahs---- c:\windows\system32\54.tmp
2009-02-06 08:32 . 2009-02-06 08:32 374,272 --ahs---- c:\windows\system32\16.tmp
2009-02-05 10:01 . 2009-02-11 15:00 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-05 10:01 . 2009-02-05 10:02 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-02-05 10:01 . 2009-02-05 10:01 <DIR> d-------- c:\documents and settings\jraymer\Application Data\PC Tools
2009-02-05 10:01 . 2009-02-11 15:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 10:01 . 2009-02-05 10:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-02-05 10:01 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-02-05 10:01 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-05 10:01 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-05 10:01 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-05 10:01 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-02-05 08:59 . 2009-02-05 08:59 <DIR> d-------- c:\documents and settings\twright
2009-02-04 12:18 . 2009-02-04 12:18 <DIR> d-------- C:\VundoFix Backups
2009-02-04 09:33 . 2009-02-04 09:33 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-04 09:20 . 2009-02-04 09:20 0 --a------ c:\windows\system32\3A.tmp
2009-02-04 09:20 . 2009-02-04 09:20 0 --ahs---- c:\windows\system32\39.tmp
2009-02-04 09:09 . 2009-02-04 09:09 <DIR> d-------- c:\program files\Windows Defender
2009-02-03 10:50 . 2009-02-12 09:41 <DIR> d--hs---- c:\windows\system32\LocalService32
2009-02-03 10:50 . 2009-02-03 10:50 374,272 --ahs---- c:\windows\system32\6C.tmp
2009-02-03 10:50 . 2009-02-03 10:50 374,272 --ahs---- c:\windows\system32\68.tmp
2009-02-03 10:49 . 2009-02-03 10:49 135,168 --a------ c:\windows\system32\ifsutil32.dll
2009-01-19 10:50 . 2009-01-19 10:50 <DIR> d-------- c:\program files\Business Objects
2009-01-19 10:49 . 2009-01-19 10:49 <DIR> d-------- c:\program files\Common Files\Firstlogic
2009-01-19 10:49 . 2004-02-04 17:55 278,528 --a------ c:\windows\system32\rmtprism450.dll
2009-01-19 10:49 . 2004-02-06 13:14 262,144 --a------ c:\windows\system32\FiltBldr331c.dll
2009-01-19 10:49 . 2004-02-12 14:35 155,648 --a------ c:\windows\system32\FiltBldr331c.ocx
2009-01-19 10:49 . 2001-01-25 16:19 61,440 --a------ c:\windows\system32\ObjBwsr200.ocx
2009-01-19 10:49 . 2007-09-19 08:53 58,975 --a------ c:\windows\system32\filterbuilder.chm
2009-01-19 10:49 . 2007-10-01 10:07 40,960 --a------ c:\windows\system32\FlRuler21.ocx
2009-01-19 10:48 . 1995-10-17 16:58 36,864 --a------ c:\windows\system32\SX32W.DLL
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\system32\scripting
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\system32\en
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\system32\bits
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\l2schemas
2009-01-16 09:28 . 2009-01-16 09:28 <DIR> d-------- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 17:41 --------- d-----w c:\program files\Sticky Password
2009-02-12 17:41 --------- d-----w c:\documents and settings\jraymer\Application Data\iPhoneRingToneMaker
2009-02-10 23:00 --------- d-----w c:\documents and settings\jraymer\Application Data\AdobeUM
2009-02-09 19:34 --------- d-----w c:\program files\Java
2009-02-09 19:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-04 17:22 --------- d-----w c:\program files\Palm
2009-02-04 17:19 --------- d-----w c:\program files\Common Files\Adobe
2009-02-04 17:18 --------- d-----w c:\program files\Google
2009-02-04 17:14 --------- d-----w c:\program files\InterActual
2009-01-16 20:23 --------- d-----w c:\program files\MSN Messenger
2009-01-15 22:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 20:06 --------- d-----w c:\program files\Microsoft Works
2009-01-09 20:05 --------- d-----w c:\program files\MSBuild
2009-01-09 20:04 --------- d-----w c:\program files\Microsoft.NET
2009-01-09 20:00 --------- d-----w c:\program files\Microsoft Visual Studio 8
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-26 68856]
"StickyPassword"="c:\program files\Sticky Password\stpass.exe" [2008-05-12 1515008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-14 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

c:\documents and settings\jraymer\Start Menu\Programs\Startup\
iPhoneRingToneMaker.lnk - c:\program files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe [2008-02-04 1309184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-24 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Net Phone.lnk - c:\oaisys\netphone\netphone.exe [2005-08-23 1286204]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c0ced99d530]
2009-02-03 10:49 135168 c:\windows\system32\ifsutil32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\ifsutil32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\oaisys\\netphone\\netphone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-02-05 160792]
S2 gupdate1c9862b939c9cc0;Google Update Service (gupdate1c9862b939c9cc0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-05 356920]
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-12 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 10:16]
.
- - - - ORPHANS REMOVED - - - -

Notify-__c0026CAE - c:\windows\system32\__c0026CAE.dat
Notify-__c0091590 - c:\windows\system32\__c0091590.dat
Notify-__c00AB5C - c:\windows\system32\__c00AB5C.dat
Notify-__c00AF5F8 - c:\windows\system32\__c00AF5F8.dat
Notify-__c00D499C - c:\windows\system32\__c00D499C.dat
Notify-__c00F5329 - c:\windows\system32\__c00F5329.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: galileoprocessing.com\trycera
Trusted Zone: seekerinc.com\secure
Trusted Zone: uci.edu\www.ags
TCP: {2CE79BA9-BA84-4918-962E-E2C2B6A7260F} = 192.168.111.2,68.6.16.30
TCP: {58CF37F6-2F26-4457-B8EA-ABCD2A0716D9} = 192.168.111.3,68.4.16.30
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 09:41:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\System32\ifsutil32.dll
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'lsass.exe'(752)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-02-12 9:48:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 17:47:32

Pre-Run: 36,301,737,984 bytes free
Post-Run: 36,553,641,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

192 --- E O F --- 2009-01-30 17:45:18

#4 socalmako

socalmako
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 12 February 2009 - 01:19 PM

Update after ComboFix. The machine is running much faster, but I received a pop-up immediately after opening IE. One was a Google Search page, and the other was an ad for antivirus software. Regards ~JR

#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:34 PM

Posted 13 February 2009 - 01:17 AM

Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    
    :files
    c:\windows\system32\??.tmp
    c:\windows\system32\?.tmp
    c:\windows\system32\ifsutil32.dll
    
    :reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c0ced99d530]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.





NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

SkipFix::

DirLook::
c:\windows\system32\LocalService32

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • OTMoveIt3 log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#6 socalmako

socalmako
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 13 February 2009 - 12:20 PM

Pop-up immediately after launching IE. Here are the logs:

Moveit Log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== FILES ==========
c:\windows\system32\16.tmp moved successfully.
c:\windows\system32\1F.tmp moved successfully.
c:\windows\system32\3.tmp moved successfully.
c:\windows\system32\39.tmp moved successfully.
c:\windows\system32\3A.tmp moved successfully.
c:\windows\system32\3D.tmp moved successfully.
c:\windows\system32\54.tmp moved successfully.
c:\windows\system32\5A.tmp moved successfully.
c:\windows\system32\66.tmp moved successfully.
c:\windows\system32\68.tmp moved successfully.
c:\windows\system32\6C.tmp moved successfully.
c:\windows\system32\6E.tmp moved successfully.
File/Folder c:\windows\system32\?.tmp not found.
DllUnregisterServer procedure not found in c:\windows\system32\ifsutil32.dll
c:\windows\system32\ifsutil32.dll NOT unregistered.
c:\windows\system32\ifsutil32.dll moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c0ced99d530\\ deleted successfully.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02132009_085632


ComboFix Log:

ComboFix 09-02-12.03 - 2009-02-13 9:04:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1589 [GMT -8:00]
Running from: c:\documents and settings\----------\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-----\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\GnuHashes.ini
c:\windows\system32\GroupPolicy000.dat

.
((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-13 08:57 . 2009-02-13 08:57 374,272 --ahs---- c:\windows\system32\3.tmp
2009-02-13 08:56 . 2009-02-13 08:56 <DIR> d-------- C:\_OTMoveIt
2009-02-12 09:50 . 2009-02-12 09:50 24,576 --a------ c:\windows\system32\__c00C4AA6.dat
2009-02-05 10:01 . 2009-02-11 15:00 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-05 10:01 . 2009-02-05 10:02 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-02-05 10:01 . 2009-02-05 10:01 <DIR> d-------- c:\documents and settings\----------\Application Data\PC Tools
2009-02-05 10:01 . 2009-02-11 15:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 10:01 . 2009-02-05 10:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-02-05 10:01 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-02-05 10:01 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-05 10:01 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-05 10:01 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-05 10:01 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-02-05 08:59 . 2009-02-05 08:59 <DIR> d-------- c:\documents and settings\twright
2009-02-04 12:18 . 2009-02-04 12:18 <DIR> d-------- C:\VundoFix Backups
2009-02-04 09:33 . 2009-02-04 09:33 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-04 09:09 . 2009-02-04 09:09 <DIR> d-------- c:\program files\Windows Defender
2009-02-03 10:50 . 2009-02-12 09:41 <DIR> d--hs---- c:\windows\system32\LocalService32
2009-02-03 10:49 . 2009-02-13 08:56 135,168 --a------ c:\windows\system32\ifsutil32.dll
2009-01-19 10:50 . 2009-01-19 10:50 <DIR> d-------- c:\program files\Business Objects
2009-01-19 10:49 . 2009-01-19 10:49 <DIR> d-------- c:\program files\Common Files\Firstlogic
2009-01-19 10:49 . 2004-02-04 17:55 278,528 --a------ c:\windows\system32\rmtprism450.dll
2009-01-19 10:49 . 2004-02-06 13:14 262,144 --a------ c:\windows\system32\FiltBldr331c.dll
2009-01-19 10:49 . 2004-02-12 14:35 155,648 --a------ c:\windows\system32\FiltBldr331c.ocx
2009-01-19 10:49 . 2001-01-25 16:19 61,440 --a------ c:\windows\system32\ObjBwsr200.ocx
2009-01-19 10:49 . 2007-09-19 08:53 58,975 --a------ c:\windows\system32\filterbuilder.chm
2009-01-19 10:49 . 2007-10-01 10:07 40,960 --a------ c:\windows\system32\FlRuler21.ocx
2009-01-19 10:48 . 1995-10-17 16:58 36,864 --a------ c:\windows\system32\SX32W.DLL
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\system32\scripting
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\system32\en
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\system32\bits
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\l2schemas
2009-01-16 09:28 . 2009-01-16 09:28 <DIR> d-------- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 17:06 --------- d-----w c:\program files\Sticky Password
2009-02-13 17:06 --------- d-----w c:\documents and settings\----------\Application Data\iPhoneRingToneMaker
2009-02-10 23:00 --------- d-----w c:\documents and settings\----------\Application Data\AdobeUM
2009-02-09 19:34 --------- d-----w c:\program files\Java
2009-02-09 19:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-04 17:22 --------- d-----w c:\program files\Palm
2009-02-04 17:19 --------- d-----w c:\program files\Common Files\Adobe
2009-02-04 17:18 --------- d-----w c:\program files\Google
2009-02-04 17:14 --------- d-----w c:\program files\InterActual
2009-01-16 20:23 --------- d-----w c:\program files\MSN Messenger
2009-01-15 22:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 20:06 --------- d-----w c:\program files\Microsoft Works
2009-01-09 20:05 --------- d-----w c:\program files\MSBuild
2009-01-09 20:04 --------- d-----w c:\program files\Microsoft.NET
2009-01-09 20:00 --------- d-----w c:\program files\Microsoft Visual Studio 8
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\LocalService32 ----

2009-02-02 18:16 5088466 --a------ c:\windows\system32\LocalService32\47.music.snd
2009-02-02 17:47 81298 --a------ c:\windows\system32\LocalService32\44.unpack.zip
2009-02-02 17:47 239903 --a------ c:\windows\system32\LocalService32\41.crack.zip
2009-02-02 17:47 163389 --a------ c:\windows\system32\LocalService32\45.keygen.zip
2009-02-02 17:47 162008 --a------ c:\windows\system32\LocalService32\43.setup.zip
2009-02-02 17:47 161205 --a------ c:\windows\system32\LocalService32\46.serial.zip
2009-02-02 17:47 159955 --a------ c:\windows\system32\LocalService32\42.keymaker.zip
2009-02-02 17:43 269 --a------ c:\windows\system32\LocalService32\43.setup.zip.kwd
2009-02-02 17:41 272 --a------ c:\windows\system32\LocalService32\46.serial.zip.kwd
2009-02-02 17:40 270 --a------ c:\windows\system32\LocalService32\45.keygen.zip.kwd
2009-02-02 17:39 204 --a------ c:\windows\system32\LocalService32\41.crack.zip.kwd
2009-02-02 17:37 82 --a------ c:\windows\system32\LocalService32\39.music.mp3.kwd
2009-02-02 16:20 73 --a------ c:\windows\system32\LocalService32\47.music.snd.kwd
2009-01-21 15:39 3545427 --a------ c:\windows\system32\LocalService32\39.music.mp3
2009-01-13 22:00 468 --a------ c:\windows\system32\LocalService32\42.keymaker.zip.kwd
2008-11-22 20:32 6 --a------ c:\windows\system32\LocalService32\44.unpack.zip.kwd


((((((((((((((((((((((((((((( SnapShot@2009-02-12_ 9.46.06.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-12 17:50:14 24,576 ----a-w c:\windows\system32\__c00C4AA6.dat
- 2009-02-05 18:02:45 64,372 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-12 17:44:52 64,372 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-05 18:02:45 409,232 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-12 17:44:52 409,232 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-26 68856]
"StickyPassword"="c:\program files\Sticky Password\stpass.exe" [2008-05-12 1515008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-14 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

c:\documents and settings\----------\Start Menu\Programs\Startup\
iPhoneRingToneMaker.lnk - c:\program files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe [2008-02-04 1309184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-24 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Net Phone.lnk - c:\oaisys\netphone\netphone.exe [2005-08-23 1286204]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c0ced99d530]
2009-02-13 08:56 135168 c:\windows\system32\ifsutil32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C4AA6]
2009-02-12 09:50 24576 c:\windows\system32\__c00C4AA6.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\ifsutil32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\oaisys\\netphone\\netphone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-02-05 160792]
S2 gupdate1c9862b939c9cc0;Google Update Service (gupdate1c9862b939c9cc0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-05 356920]
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-13 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 10:16]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-A00F965D2.exe - c:\docume~1\----------\LOCALS~1\Temp\_A00F965D2.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: galileoprocessing.com\trycera
Trusted Zone: seekerinc.com\secure
Trusted Zone: uci.edu\www.ags
TCP: {2CE79BA9-BA84-4918-962E-E2C2B6A7260F} = 192.168.111.2,68.6.16.30
TCP: {58CF37F6-2F26-4457-B8EA-ABCD2A0716D9} = 192.168.111.3,68.4.16.30
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 09:06:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\----------\LOCALS~1\Temp\~DF5B60.tmp 16384 bytes
c:\docume~1\----------\LOCALS~1\Temp\~DF7478.tmp 49152 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\System32\ifsutil32.dll
c:\windows\system32\__c00C4AA6.dat
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'lsass.exe'(784)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-02-13 9:13:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-13 17:12:45
ComboFix2.txt 2009-02-12 17:48:13

Pre-Run: 36,598,185,984 bytes free
Post-Run: 36,600,786,944 bytes free

196 --- E O F --- 2009-01-30 17:45:18

#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:34 PM

Posted 13 February 2009 - 12:33 PM

Hello.. first of all, DO NOT edit your log for whatever reason or we may be unable to help you.. This is important as we don't want to give the wrong fix and end up messing up the computer.. I won't be responsible for any harm done resulting from the edited logs..

example:
c:\documents and settings\----------\Application Data\iPhoneRingToneMaker

I don't know why it is red.. While in your previous logs it looks like this..

c:\documents and settings\jraymer\Application Data\AdobeUM




1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/index.php?showtopic=202700&view=findpost&p=1134316

KillAll::

Collect::
c:\windows\system32\ifsutil32.dll

Rootkit::
c:\docume~1\jraymer\LOCALS~1\Temp\~DF5B60.tmp
c:\docume~1\jraymer\LOCALS~1\Temp\~DF7478.tmp

File::
c:\windows\system32\3.tmp
c:\windows\system32\__c00C4AA6.dat
c:\docume~1\jraymer\LOCALS~1\Temp\~DF5B60.tmp
c:\docume~1\jraymer\LOCALS~1\Temp\~DF7478.tmp

Folder::
c:\windows\system32\LocalService32

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c0ced99d530]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C4AA6]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

DirLook::
c:\documents and settings\twright

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Edited by fenzodahl512, 13 February 2009 - 01:44 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
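As an added example (not part of this thread, of ComboFix, or of the fix script above), here is a Python triage script that reads the persistence-related sections of a ComboFix log like the one posted above, flags the Winlogon\Notify subkeys and the non-empty AppInit_DLLs value, and cross-checks them against the modules ComboFix reported inside winlogon.exe. The sample log it embeds is constructed from this thread's entries; the random-name heuristic and the severity labels are assumptions of mine.

```python
# Added example (not ComboFix or the thread's fix script): triage the persistence
# sections of a ComboFix log. Sample log constructed from this thread's entries;
# the random-name heuristic and the severities are assumptions.
import re
from dataclasses import dataclass

# Constructed sample: the Notify, AppInit_DLLs and loaded-module entries from this thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c0ced99d530]
2009-02-13 08:56 135168 c:\windows\system32\ifsutil32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00C4AA6]
2009-02-12 09:50 24576 c:\windows\system32\__c00C4AA6.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\ifsutil32.dll

- - - - - - - > 'winlogon.exe'(724)
c:\windows\System32\ifsutil32.dll
c:\windows\system32\__c00C4AA6.dat
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'lsass.exe'(784)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
"""

NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.I)
MODULE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) (.+)$")
APPINIT = re.compile(r'^"AppInit_DLLs"=(.*)$', re.I)
PROC_HEADER = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")
# Assumed heuristic: Vundo-style Notify subkeys are random hex or "__c" plus hex.
RANDOM_NAME = re.compile(r"^(?:__c[0-9a-f]+|[0-9a-f]{8,})$", re.I)

@dataclass
class Finding:
    severity: str
    module: str
    reason: str

def parse_notify(log):
    """[(subkey, module)] per Winlogon\\Notify key; ComboFix prints the module on the next line."""
    out, lines = [], log.splitlines()
    for i, line in enumerate(lines):
        key = NOTIFY_KEY.match(line.strip())
        if not key:
            continue
        for nxt in lines[i + 1:]:
            mod = MODULE_LINE.match(nxt.strip())
            if mod:
                out.append((key.group(1), mod.group(2).lower()))
            if mod or not nxt.strip():
                break
    return out

def parse_appinit(log):
    """DLL paths listed in AppInit_DLLs, or [] when the value is empty."""
    for line in log.splitlines():
        m = APPINIT.match(line.strip())
        if m:
            value = m.group(1).strip().strip('"')
            return [p.strip().lower() for p in value.split(",") if p.strip()]
    return []

def parse_loaded_modules(log):
    """{process: [module paths]} from the 'DLLs Loaded Under Running Processes' section."""
    procs, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        header = PROC_HEADER.match(line)
        if header:
            current = header.group(1).lower()
            procs[current] = []
        elif not line:
            current = None  # a blank line closes a process block
        elif current and line[1:3] == ":\\":
            procs[current].append(line.lower())
    return procs

def triage(log):
    """Flag logon-time persistence and correlate it with the modules inside winlogon.exe."""
    findings, persisted = [], set()
    for subkey, path in parse_notify(log):
        persisted.add(path)
        odd = RANDOM_NAME.match(subkey) or not path.endswith(".dll")
        findings.append(Finding("high" if odd else "medium", path,
                                f"loaded at logon via Winlogon\\Notify\\{subkey}"))
    for path in parse_appinit(log):
        persisted.add(path)
        findings.append(Finding("high", path, "AppInit_DLLs injects it into every user32 process"))
    in_winlogon = set(parse_loaded_modules(log).get("winlogon.exe", []))
    for path in sorted(persisted & in_winlogon):
        findings.append(Finding("high", path, "persisted module is mapped in winlogon.exe"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.module}: {f.reason}")
```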


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:34 PM

Posted 13 February 2009 - 01:50 PM

Hello... I've edited my previous instruction and have also sent you a private message :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 socalmako

socalmako
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 13 February 2009 - 05:12 PM

Sorry about that...Here you go.

ComboFix Log


ComboFix 09-02-12.03 - jraymer 2009-02-13 13:56:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1528 [GMT -8:00]
Running from: c:\documents and settings\jraymer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jraymer\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\docume~1\jraymer\LOCALS~1\Temp\~DF5B60.tmp
c:\docume~1\jraymer\LOCALS~1\Temp\~DF7478.tmp
c:\windows\system32\__c00C4AA6.dat
c:\windows\system32\3.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jraymer\Application Data\02000000f77ceceb530C.manifest
c:\documents and settings\jraymer\Application Data\02000000f77ceceb530O.manifest
c:\documents and settings\jraymer\Application Data\02000000f77ceceb530P.manifest
c:\documents and settings\jraymer\Application Data\02000000f77ceceb530S.manifest
c:\windows\GnuHashes.ini
c:\windows\system32\__c0061A6B.dat
c:\windows\system32\__c00C4AA6.dat
c:\windows\system32\3.tmp
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\ifsutil32.dll
c:\windows\system32\LocalService32
c:\windows\system32\LocalService32\39.music.mp3
c:\windows\system32\LocalService32\39.music.mp3.kwd
c:\windows\system32\LocalService32\41.crack.zip
c:\windows\system32\LocalService32\41.crack.zip.kwd
c:\windows\system32\LocalService32\42.keymaker.zip
c:\windows\system32\LocalService32\42.keymaker.zip.kwd
c:\windows\system32\LocalService32\43.setup.zip
c:\windows\system32\LocalService32\43.setup.zip.kwd
c:\windows\system32\LocalService32\44.unpack.zip
c:\windows\system32\LocalService32\44.unpack.zip.kwd
c:\windows\system32\LocalService32\45.keygen.zip
c:\windows\system32\LocalService32\45.keygen.zip.kwd
c:\windows\system32\LocalService32\46.serial.zip
c:\windows\system32\LocalService32\46.serial.zip.kwd
c:\windows\system32\LocalService32\47.music.snd
c:\windows\system32\LocalService32\47.music.snd.kwd

.
((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-13 08:56 . 2009-02-13 08:56 <DIR> d-------- C:\_OTMoveIt
2009-02-05 10:01 . 2009-02-11 15:00 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-05 10:01 . 2009-02-05 10:02 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-02-05 10:01 . 2009-02-05 10:01 <DIR> d-------- c:\documents and settings\jraymer\Application Data\PC Tools
2009-02-05 10:01 . 2009-02-11 15:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-05 10:01 . 2009-02-05 10:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-02-05 10:01 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-02-05 10:01 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-05 10:01 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-05 10:01 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-05 10:01 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-02-05 08:59 . 2009-02-05 08:59 <DIR> d-------- c:\documents and settings\twright
2009-02-04 12:18 . 2009-02-04 12:18 <DIR> d-------- C:\VundoFix Backups
2009-02-04 09:33 . 2009-02-04 09:33 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-04 09:09 . 2009-02-04 09:09 <DIR> d-------- c:\program files\Windows Defender
2009-01-19 10:50 . 2009-01-19 10:50 <DIR> d-------- c:\program files\Business Objects
2009-01-19 10:49 . 2009-01-19 10:49 <DIR> d-------- c:\program files\Common Files\Firstlogic
2009-01-19 10:49 . 2004-02-04 17:55 278,528 --a------ c:\windows\system32\rmtprism450.dll
2009-01-19 10:49 . 2004-02-06 13:14 262,144 --a------ c:\windows\system32\FiltBldr331c.dll
2009-01-19 10:49 . 2004-02-12 14:35 155,648 --a------ c:\windows\system32\FiltBldr331c.ocx
2009-01-19 10:49 . 2001-01-25 16:19 61,440 --a------ c:\windows\system32\ObjBwsr200.ocx
2009-01-19 10:49 . 2007-09-19 08:53 58,975 --a------ c:\windows\system32\filterbuilder.chm
2009-01-19 10:49 . 2007-10-01 10:07 40,960 --a------ c:\windows\system32\FlRuler21.ocx
2009-01-19 10:48 . 1995-10-17 16:58 36,864 --a------ c:\windows\system32\SX32W.DLL
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\system32\scripting
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\system32\en
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\system32\bits
2009-01-16 09:31 . 2009-01-16 09:31 <DIR> d-------- c:\windows\l2schemas
2009-01-16 09:28 . 2009-01-16 09:28 <DIR> d-------- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 22:01 --------- d-----w c:\program files\Sticky Password
2009-02-13 22:01 --------- d-----w c:\documents and settings\jraymer\Application Data\iPhoneRingToneMaker
2009-02-10 23:00 --------- d-----w c:\documents and settings\jraymer\Application Data\AdobeUM
2009-02-09 19:34 --------- d-----w c:\program files\Java
2009-02-09 19:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-04 17:22 --------- d-----w c:\program files\Palm
2009-02-04 17:19 --------- d-----w c:\program files\Common Files\Adobe
2009-02-04 17:18 --------- d-----w c:\program files\Google
2009-02-04 17:14 --------- d-----w c:\program files\InterActual
2009-01-16 20:23 --------- d-----w c:\program files\MSN Messenger
2009-01-15 22:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 20:06 --------- d-----w c:\program files\Microsoft Works
2009-01-09 20:05 --------- d-----w c:\program files\MSBuild
2009-01-09 20:04 --------- d-----w c:\program files\Microsoft.NET
2009-01-09 20:00 --------- d-----w c:\program files\Microsoft Visual Studio 8
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\twright ----

2009-02-13 09:03 1024 --ah----- c:\documents and settings\twright\NTUSER.DAT.LOG
2009-02-09 11:34 1024 --ah----- c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
2009-02-09 11:26 262144 --ah----- c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
2009-02-05 09:05 786432 --ah----- c:\documents and settings\twright\NTUSER.DAT
2009-02-05 09:05 3775882 --ah----- c:\documents and settings\twright\Local Settings\Application Data\IconCache.db
2009-02-05 09:05 178 --ahs---- c:\documents and settings\twright\ntuser.ini
2009-02-05 09:03 3022 --ahs---- c:\documents and settings\twright\Application Data\Microsoft\Internet Explorer\Desktop.htt
2009-02-05 09:02 81 --a------ c:\documents and settings\twright\Cookies\twright@yahoo[2].txt
2009-02-05 09:02 664 --a------ c:\documents and settings\twright\Cookies\twright@ad.yieldmanager[1].txt
2009-02-05 09:02 5748 --a------ c:\documents and settings\twright\Application Data\Microsoft\Windows\Themes\Custom.theme
2009-02-05 09:02 179 --a------ c:\documents and settings\twright\Cookies\twright@adrevolver[2].txt
2009-02-05 09:02 115 --a------ c:\documents and settings\twright\Cookies\twright@media.adrevolver[1].txt
2009-02-05 09:02 102 --a------ c:\documents and settings\twright\Cookies\twright@atdmt[2].txt
2009-02-05 09:01 405 --a------ c:\documents and settings\twright\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
2009-02-05 09:01 164 --a------ c:\documents and settings\twright\Cookies\twright@www.yahoo[2].txt
2009-02-05 09:00 78924 --a------ c:\documents and settings\twright\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
2009-02-05 09:00 368 --ahs---- c:\documents and settings\twright\Application Data\Microsoft\Protect\S-1-5-21-117609710-1364589140-1417001333-1115\b8f0d2a2-30f1-4057-85ea-d1425e05d106
2009-02-05 09:00 32768 --ahs---- c:\documents and settings\twright\Local Settings\History\History.IE5\MSHist012009020520090206\index.dat
2009-02-05 09:00 32768 --ahs---- c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2009-02-05 09:00 32768 --a------ c:\documents and settings\twright\Cookies\index.dat
2009-02-05 09:00 24 --ahs---- c:\documents and settings\twright\Application Data\Microsoft\Protect\S-1-5-21-117609710-1364589140-1417001333-1115\Preferred
2009-02-05 09:00 24 --ahs---- c:\documents and settings\twright\Application Data\Microsoft\Protect\CREDHIST
2009-02-05 09:00 187 --a------ c:\documents and settings\twright\Cookies\twright@m.webtrends[2].txt
2009-02-05 09:00 16384 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
2009-02-05 09:00 144 --a------ c:\documents and settings\twright\Application Data\Microsoft\Office\Groove12.pip
2009-02-05 09:00 134 --a------ c:\documents and settings\twright\Cookies\twright@google[1].txt
2009-02-05 08:59 887 --a------ c:\documents and settings\twright\My Documents\My Pictures\Sample Pictures.lnk
2009-02-05 08:59 8662 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt
2009-02-05 08:59 8662 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.bak
2009-02-05 08:59 857 --a------ c:\documents and settings\twright\My Documents\My Music\Sample Music.lnk
2009-02-05 08:59 79840 --a------ c:\documents and settings\twright\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-05 08:59 79 --a------ c:\documents and settings\twright\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
2009-02-05 08:59 788 --a------ c:\documents and settings\twright\Start Menu\Programs\Windows Media Player.lnk
2009-02-05 08:59 78 --ahs---- c:\documents and settings\twright\My Documents\desktop.ini
2009-02-05 08:59 779 --a------ c:\documents and settings\twright\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
2009-02-05 08:59 774 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Address Book.lnk
2009-02-05 08:59 767 --a------ c:\documents and settings\twright\Start Menu\Programs\Internet Explorer.lnk
2009-02-05 08:59 75838 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Media Player\wmdbexport.xml
2009-02-05 08:59 738 --a------ c:\documents and settings\twright\Start Menu\Programs\Outlook Express.lnk
2009-02-05 08:59 720896 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb
2009-02-05 08:59 67 ---hs---- c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds Cache\Z6EN06BY\desktop.ini
2009-02-05 08:59 67 ---hs---- c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds Cache\YX26NHK9\desktop.ini
2009-02-05 08:59 67 ---hs---- c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds Cache\SBI1Q8EH\desktop.ini
2009-02-05 08:59 67 ---hs---- c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini
2009-02-05 08:59 67 ---hs---- c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds Cache\94U7VMKU\desktop.ini
2009-02-05 08:59 62 --ahs---- c:\documents and settings\twright\Local Settings\desktop.ini
2009-02-05 08:59 542 --ahs---- c:\documents and settings\twright\Start Menu\Programs\Accessories\desktop.ini
2009-02-05 08:59 5120 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms
2009-02-05 08:59 32768 --a------ c:\documents and settings\twright\Local Settings\History\History.IE5\index.dat
2009-02-05 08:59 28672 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms
2009-02-05 08:59 28672 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms
2009-02-05 08:59 234 --ahs---- c:\documents and settings\twright\Start Menu\Programs\desktop.ini
2009-02-05 08:59 185 --ahs---- c:\documents and settings\twright\My Documents\My Pictures\Desktop.ini
2009-02-05 08:59 183 --ahs---- c:\documents and settings\twright\My Documents\My Music\Desktop.ini
2009-02-05 08:59 150 --ahs---- c:\documents and settings\twright\Recent\Desktop.ini
2009-02-05 08:59 133 --a------ c:\documents and settings\twright\Favorites\Microsoft Websites\Welcome to IE7.url
2009-02-05 08:59 133 --a------ c:\documents and settings\twright\Favorites\Microsoft Websites\Microsoft At Work.url
2009-02-05 08:59 133 --a------ c:\documents and settings\twright\Favorites\Microsoft Websites\Microsoft At Home.url
2009-02-05 08:59 133 --a------ c:\documents and settings\twright\Favorites\Microsoft Websites\Marketplace.url
2009-02-05 08:59 133 --a------ c:\documents and settings\twright\Favorites\Microsoft Websites\IE site on Microsoft.com.url
2009-02-05 08:59 133 --a------ c:\documents and settings\twright\Favorites\Microsoft Websites\IE Add-on site.url
2009-02-05 08:59 133 --a------ c:\documents and settings\twright\Favorites\Links\Customize Links.url
2009-02-05 08:59 122 --ahs---- c:\documents and settings\twright\Favorites\Desktop.ini
2009-02-05 08:59 119 --ahs---- c:\documents and settings\twright\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
2009-02-05 08:59 0 --a------ c:\documents and settings\twright\SendTo\My Documents.mydocs
2009-02-05 08:59 0 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds Cache\YX26NHK9\fwlink[1]
2009-02-05 08:59 0 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Feeds Cache\SBI1Q8EH\fwlink[1]
2009-02-05 08:59 0 --a------ c:\documents and settings\twright\Local Settings\Application Data\Apple Computer\QuickTime\QuickTime.qtp
2005-08-22 10:09 67 --ahs---- c:\documents and settings\twright\Local Settings\Temporary Internet Files\desktop.ini
2005-08-22 10:09 113 --ahs---- c:\documents and settings\twright\Local Settings\History\History.IE5\desktop.ini
2005-08-22 10:09 113 --ahs---- c:\documents and settings\twright\Local Settings\History\desktop.ini
2005-08-22 10:06 84 --ahs---- c:\documents and settings\twright\Start Menu\Programs\Startup\desktop.ini
2005-08-22 10:06 84 --ahs---- c:\documents and settings\twright\Start Menu\Programs\Accessories\Entertainment\desktop.ini
2005-08-22 10:06 386 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk
2005-08-22 10:06 348 --ahs---- c:\documents and settings\twright\Start Menu\Programs\Accessories\Accessibility\desktop.ini
2005-08-22 10:06 1599 --a------ c:\documents and settings\twright\Start Menu\Programs\Remote Assistance.lnk
2005-08-22 10:06 1555 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Command Prompt.lnk
2005-08-22 10:06 1539 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk
2005-08-22 10:06 1532 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
2005-08-22 10:06 1527 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Tour Windows XP.lnk
2005-08-22 10:06 1525 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk
2005-08-22 10:06 1519 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Synchronize.lnk
2005-08-22 10:06 1519 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Notepad.lnk
2005-08-22 10:06 1501 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
2005-08-22 10:05 498 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD
2005-08-22 10:05 141 --a------ c:\documents and settings\twright\Application Data\Microsoft\Internet Explorer\brndlog.txt
2005-08-22 10:05 12784 --a------ c:\documents and settings\twright\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML
2005-08-22 10:05 113 --a------ c:\documents and settings\twright\Application Data\Microsoft\Internet Explorer\brndlog.bak
2005-08-22 10:04 181 --ahs---- c:\documents and settings\twright\SendTo\desktop.ini
2005-08-22 10:04 1487 --a------ c:\documents and settings\twright\Start Menu\Programs\Accessories\Windows Explorer.lnk
2005-08-22 10:04 0 --a------ c:\documents and settings\twright\SendTo\Mail Recipient.MAPIMail
2005-08-22 10:04 0 --a------ c:\documents and settings\twright\SendTo\Desktop (create shortcut).DeskLink
2005-08-22 10:04 0 --a------ c:\documents and settings\twright\SendTo\Compressed (zipped) Folder.ZFSendToTarget
2005-08-22 02:36 62 --ahs---- c:\documents and settings\twright\Start Menu\desktop.ini
2005-08-22 02:36 62 --ahs---- c:\documents and settings\twright\Application Data\desktop.ini
2004-08-04 04:00 58 --a------ c:\documents and settings\twright\Templates\sndrec.wav
2004-08-04 04:00 57 -ra------ c:\documents and settings\twright\Templates\wordpfct.wpg
2004-08-04 04:00 5632 --a------ c:\documents and settings\twright\Templates\excel.xls
2004-08-04 04:00 461 --a------ c:\documents and settings\twright\Templates\presenta.shw
2004-08-04 04:00 4608 --a------ c:\documents and settings\twright\Templates\winword.doc
2004-08-04 04:00 4570 --a------ c:\documents and settings\twright\Templates\amipro.sam
2004-08-04 04:00 4017 --a------ c:\documents and settings\twright\Templates\quattro.wb2
2004-08-04 04:00 30 -ra------ c:\documents and settings\twright\Templates\wordpfct.wpd
2004-08-04 04:00 2448 --a------ c:\documents and settings\twright\Templates\lotus.wk4
2004-08-04 04:00 1769 --a------ c:\documents and settings\twright\Templates\winword2.doc
2004-08-04 04:00 1518 --a------ c:\documents and settings\twright\Templates\excel4.xls
2004-08-04 04:00 12288 --a------ c:\documents and settings\twright\Templates\powerpnt.ppt


((((((((((((((((((((((((((((( SnapShot@2009-02-12_ 9.46.06.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-05 18:02:45 64,372 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-12 17:44:52 64,372 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-05 18:02:45 409,232 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-12 17:44:52 409,232 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-26 68856]
"StickyPassword"="c:\program files\Sticky Password\stpass.exe" [2008-05-12 1515008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-14 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

c:\documents and settings\jraymer\Start Menu\Programs\Startup\
iPhoneRingToneMaker.lnk - c:\program files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe [2008-02-04 1309184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-24 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Net Phone.lnk - c:\oaisys\netphone\netphone.exe [2005-08-23 1286204]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\oaisys\\netphone\\netphone.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-02-05 160792]
S2 gupdate1c9862b939c9cc0;Google Update Service (gupdate1c9862b939c9cc0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-05 356920]
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-13 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 10:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: galileoprocessing.com\trycera
Trusted Zone: seekerinc.com\secure
Trusted Zone: uci.edu\www.ags
TCP: {2CE79BA9-BA84-4918-962E-E2C2B6A7260F} = 192.168.111.2,68.6.16.30
TCP: {58CF37F6-2F26-4457-B8EA-ABCD2A0716D9} = 192.168.111.3,68.4.16.30
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 14:00:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'lsass.exe'(780)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-02-13 14:07:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-13 22:07:15
ComboFix2.txt 2009-02-13 17:13:20
ComboFix3.txt 2009-02-12 17:48:13

Pre-Run: 36,442,136,576 bytes free
Post-Run: 36,442,939,392 bytes free

299 --- E O F --- 2009-01-30 17:45:18


HJ Log


DDS (Ver_09-02-01.01) - NTFSx86
Run by jraymer at 14:08:29.10 on 2009-02-13
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1590 [GMT -8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sticky Password\stpass.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\jraymer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [StickyPassword] c:\program files\sticky password\stpass.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\docume~1\jraymer\startm~1\programs\startup\iphone~1.lnk - c:\program files\iphoneringtonemaker\iPhoneRingToneMaker.exe
StartupFolder: c:\docume~1\jraymer\startm~1\programs\startup\palmon~1.lnk - c:\program files\palm\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netpho~1.lnk - c:\oaisys\netphone\netphone.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: galileoprocessing.com\trycera
Trusted Zone: seekerinc.com\secure
Trusted Zone: uci.edu\www.ags
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231443151968
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://63.97.125.197/activex/AxisCamControl.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://satorisoftware.webex.com/client/T26L/webex/ieatgpc.cab
TCP: {2CE79BA9-BA84-4918-962E-E2C2B6A7260F} = 192.168.111.2,68.6.16.30
TCP: {58CF37F6-2F26-4457-B8EA-ABCD2A0716D9} = 192.168.111.3,68.4.16.30
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-2-5 160792]
S2 gupdate1c9862b939c9cc0;Google Update Service (gupdate1c9862b939c9cc0);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-5 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-5 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-5 81288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-5 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-5 1079176]

=============== Created Last 30 ================

2009-02-13 08:56 <DIR> --d----- C:\_OTMoveIt
2009-02-12 09:34 <DIR> a-dshr-- C:\cmdcons
2009-02-12 09:32 161,792 a------- c:\windows\SWREG.exe
2009-02-12 09:32 98,816 a------- c:\windows\sed.exe
2009-02-05 10:01 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2009-02-05 10:01 <DIR> --d----- c:\program files\common files\PC Tools
2009-02-05 10:01 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-05 10:01 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-05 10:01 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-05 10:01 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-05 10:01 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-05 10:01 <DIR> --d----- c:\docume~1\jraymer\applic~1\PC Tools
2009-02-05 10:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-02-04 12:18 <DIR> --d----- C:\VundoFix Backups
2009-02-04 09:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-19 10:50 <DIR> --d----- c:\program files\Business Objects
2009-01-19 10:49 278,528 a------- c:\windows\system32\rmtprism450.dll
2009-01-19 10:49 262,144 a------- c:\windows\system32\FiltBldr331c.dll
2009-01-19 10:49 155,648 a------- c:\windows\system32\FiltBldr331c.ocx
2009-01-19 10:49 61,440 a------- c:\windows\system32\ObjBwsr200.ocx
2009-01-19 10:49 58,975 a------- c:\windows\system32\filterbuilder.chm
2009-01-19 10:49 40,960 a------- c:\windows\system32\FlRuler21.ocx
2009-01-19 10:49 <DIR> --d----- c:\program files\common files\Firstlogic
2009-01-19 10:48 36,864 a------- c:\windows\system32\SX32W.DLL
2009-01-16 09:31 <DIR> --d----- c:\windows\system32\scripting
2009-01-16 09:31 <DIR> --d----- c:\windows\system32\en
2009-01-16 09:31 <DIR> --d----- c:\windows\l2schemas
2009-01-16 09:31 <DIR> --d----- c:\windows\system32\bits
2009-01-16 09:28 <DIR> --d----- c:\windows\ServicePackFiles

==================== Find3M ====================

2009-02-05 09:07 2,496 a------- c:\windows\system32\d3d8caps.dat
2009-02-04 11:03 2,608 a------- c:\windows\system32\d3d9caps.dat
2009-01-16 09:34 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 14:08:57.84 ===============

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:34 PM

Posted 13 February 2009 - 05:33 PM

Looks a lot better.. Let's do an online scan to make sure we get them all...


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats and the option Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 socalmako

socalmako
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 13 February 2009 - 11:07 PM

I lost the log before I could copy it....Crap!!! :) It found 37 infections but had trouble removing at least one. trojan.oaf I think. I didn't catch the file path. I ran the scanner again and it didn't find any infections. :thumbup2: I have navigated around in IE and so far haven't had a popup!! I'm worried about that one file though. Have a good weekend. ~JR

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:34 PM

Posted 14 February 2009 - 02:59 AM

I ran the scanner again and it didn't find any infections


It means ESET has successfully deleted it.. Don't worry, you can always run a full scan with your own antivirus :thumbup2:


Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

Edited by fenzodahl512, 14 February 2009 - 03:01 AM.



#13 socalmako

socalmako
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 16 February 2009 - 01:02 PM

The machine seems to be running good!!! Thanks a million, you guys are providing an amazing service.

Regards

~JR



