
Infected with Vundo/Trojan/etc.


  • This topic is locked
39 replies to this topic

#1 Mathew=

Mathew=

  • Members
  • 28 posts
  • Gender:Male
  • Location:The bottom of the well

Posted 27 February 2009 - 02:46 PM

Hi, recently I got a trojan and I don't know what site it was from or when exactly it happened.
I used the system restore point from 4 days earlier and I still have 30+ IE windows popping up, and it won't stop unless I stop its process tree using Task Manager.
My sister had an essay to write (we share the same computer) and was so annoyed by the pop-ups that she decided to try fixing it herself. She used ComboFix and, as I believe you're not supposed to do so without proper guidance from you guys, I saved the log anyway. This afternoon I turned on the computer, opened Firefox and suddenly 200+ IE windows popped up. I didn't see what site it was directing to; I just wanted to stop it, so I ended the process.

Below are the DDS logs:



DDS (Ver_09-02-01.01) - NTFSx86
Run by cAssiE at 14:08:27.68 on Fri 02/27/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.422 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\dldfcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell AIO Printer 948\dldfmon.exe
C:\Program Files\Dell AIO Printer 948\memcard.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\cAssiE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
BHO: {07d26144-99fc-4d8c-8086-c0d96e6119d9} - c:\windows\system32\tawaluvu.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: BS.Player ControlBar: {2c688203-7eb3-4327-9995-1cb417ba23f9} - c:\program files\bs.player controlbar\BSToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [dldfmon.exe] "c:\program files\dell aio printer 948\dldfmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell aio printer 948\memcard.exe"
mRun: [Dell AIO Printer 948 Fax Server] "c:\program files\dell aio printer 948\fm3032.exe" /s
mRun: [lepewabuzu] Rundll32.exe "c:\windows\system32\yifiroso.dll",s
mRun: [CPM2756a56e] Rundll32.exe "c:\windows\system32\hofalobu.dll",a
mRun: [Malwarebytes Anti-Malware Reboot] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [246596f2] rundll32.exe "c:\windows\system32\jonotama.dll",b
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
AppInit_DLLs: c:\windows\system32\rulisofo.dll c:\windows\system32\hofalobu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hofalobu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\hofalobu.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli c:\windows\system32\rulisofo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cassie\applic~1\mozilla\firefox\profiles\3oyetvi1.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-14 201320]
R2 dldf_device;dldf_device;c:\windows\system32\dldfcoms.exe -service --> c:\windows\system32\dldfcoms.exe -service [?]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-14 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-1-14 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-14 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-14 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-14 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-14 40488]
S4 dldfCATSCustConnectService;dldfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldfserv.exe [2008-4-12 98952]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-14 695624]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-26 19:08 <DIR> --d----- C:\ComboFix(2)
2009-02-08 18:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-02-08 17:32 <DIR> --d----- C:\ProgramData
2009-02-08 17:32 1,888 a------- c:\windows\system32\ealregsnapshot1.reg

==================== Find3M ====================

2009-02-27 14:02 84,992 -------- c:\windows\system32\hofalobu.dll
2009-02-27 14:02 79,872 -------- c:\windows\system32\jonotama.dll
2009-02-08 17:34 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-08 10:08 54,803 a------- c:\windows\system32\nnnljkIb.dll
2008-12-21 13:50 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-04-20 15:05 0 ac------ c:\program files\temp01
2008-04-12 00:45 1,377,872 ac------ c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2008-02-17 13:41 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-01-24 19:13 60,968 a------- c:\documents and settings\cassie\GoToAssistDownloadHelper.exe
2008-03-04 21:33 88 a--shr-- c:\windows\system32\2E467607E3.sys
2008-03-04 21:34 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\tawaluvu.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\yifiroso.dll

============= FINISH: 14:09:40.54 ===============


I'll be on the laptop for a while as I'm scared to touch anything on this.

I appreciate the consideration.
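The persistence entries in the log above (Run keys calling rundll32 on eight-letter DLLs, AppInit_DLLs, the SSODL entry and the extra LSA notification package) are the pattern a helper looks for when triaging a Vundo-style infection. The script below is an added example, not code from the thread or from any BleepingComputer tool: it runs over a constructed subset of those log lines, and the eight-letter-name heuristic, section names and scoring are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the DDS "Pseudo HJT Report" lines from the log above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [lepewabuzu] Rundll32.exe "c:\windows\system32\yifiroso.dll",s
mRun: [CPM2756a56e] Rundll32.exe "c:\windows\system32\hofalobu.dll",a
mRun: [246596f2] rundll32.exe "c:\windows\system32\jonotama.dll",b
BHO: {07d26144-99fc-4d8c-8086-c0d96e6119d9} - c:\windows\system32\tawaluvu.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
AppInit_DLLs: c:\windows\system32\rulisofo.dll c:\windows\system32\hofalobu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hofalobu.dll
LSA: Notification Packages = scecli c:\windows\system32\rulisofo.dll
"""

# Heuristics (this example's own assumptions, not rules stated in the thread):
#  - the dropped DLLs have eight random lowercase letters and live in system32
#  - they are started by rundll32 with a one-letter export name (",a" / ",s" / ",b")
#  - the same DLL is registered in several autostart locations at once
PERSISTENCE_SECTIONS = {"uRun", "mRun", "BHO", "TB", "AppInit_DLLs", "SSODL", "STS", "LSA"}
EXPECTED_LSA_PACKAGES = {"scecli"}          # the default Windows XP notification package
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
DLL_PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.dll', re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (or a bare package name such as 'scecli')."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """Split a DDS pseudo-HJT line such as 'mRun: [name] command' into (section, body)."""
    if ":" not in line:
        return None
    section, body = line.split(":", 1)
    return section.strip(), body.strip()


def triage(log_text):
    """Return (findings, multi): findings is a list of (dll, reason) pairs; multi maps
    each DLL seen in more than one autostart location to the sorted list of those locations."""
    findings = []
    locations = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] not in PERSISTENCE_SECTIONS:
            continue
        section, body = parsed
        for path in DLL_PATH_RE.findall(body):
            name = basename(path)
            locations[name].add(section)
            if RANDOM_DLL_RE.match(name) and "\\system32\\" in path.lower():
                findings.append((name, f"{section}: eight-letter random DLL name in system32"))
        m = RUNDLL_RE.search(body)
        if m and len(m.group(2)) == 1:
            findings.append((basename(m.group(1)), f"{section}: rundll32 with one-letter export ',{m.group(2)}'"))
        if section == "AppInit_DLLs":
            # Every DLL listed here is mapped into each user-mode process that loads user32.dll.
            for path in body.split():
                findings.append((basename(path), "AppInit_DLLs: loaded into every GUI process"))
        if section == "LSA":
            packages = body.split("=", 1)[-1].split()
            for pkg in packages:
                if basename(pkg) not in EXPECTED_LSA_PACKAGES:
                    findings.append((basename(pkg), "LSA: unexpected notification package loaded by lsass.exe"))
    multi = {dll: sorted(secs) for dll, secs in locations.items() if len(secs) > 1}
    return findings, multi


def suspects(log_text):
    """DLL names ranked by how many independent reasons and autostart locations point at them."""
    findings, multi = triage(log_text)
    score = defaultdict(int)
    for dll, _ in findings:
        score[dll] += 1
    for dll, secs in multi.items():
        score[dll] += len(secs)
    return sorted(score, key=lambda d: (-score[d], d))


if __name__ == "__main__":
    found, multi_loc = triage(SAMPLE_LOG)
    for dll, reason in found:
        print(f"{dll:20} {reason}")
    for dll, secs in multi_loc.items():
        print(f"{dll:20} registered in {len(secs)} locations: {', '.join(secs)}")
    print("suspects:", suspects(SAMPLE_LOG))
```

Legitimate system DLLs such as WPDShServiceObj.dll and the Yahoo toolbar DLL pass through unflagged, while the DLL registered in three locations ranks first; the eight-letter rule is a heuristic and would need the multi-location signal to separate it from benign names of the same shape.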



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 March 2009 - 12:42 AM

Hi Mathew=,

Welcome to the BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have run any tool or have made a major change to the system since your last post. Also tell me the current condition of your computer.

  • To get an idea about the current condition of your computer, download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Set the list of files/folders created to 3 Months and click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized).
  • Please copy and paste the content of just log.txt to your reply. No need for info.txt

    Note 1: If you have difficulty finding the log, it is in this folder: C:\rsit

    Note 2: The tool takes no more than one minute to scan the system.

You might want to save this page on your favorites, so you can find it again when you return.

#3 Mathew=

Mathew=
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:The bottom of the well

Posted 12 March 2009 - 08:44 AM

I tried getting rid of them through regedit, and ran Malwarebytes and NoAdware just to see where they're located.
Installed Windows Defender and tried updating it, tried updating McAfee, and my sis downloaded VirtumundoBeGone and VundoFix. After boot-up, once the desktop appears, RUNDLL pops up and says "Error loading C:\WINDOWS\system32\nobupize.dll specified module cannot be found"

It was sort of fine with the occasional McAfee notification pop-up every 2 hrs or so, then yesterday it started popping up every 6 seconds for maybe 10-15 minutes.

Below is the log.txt:

Logfile of random's system information tool 1.05 (written by random/random)
Run by cAssiE at 2009-03-12 09:42:17
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 16 GB (7%) free of 235 GB
Total RAM: 1022 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:41 AM, on 3/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell AIO Printer 948\dldfmon.exe
C:\Program Files\Dell AIO Printer 948\memcard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\dldfcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\cAssiE\Desktop\RSIT.exe
C:\Program Files\trend micro\cAssiE.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [dldfmon.exe] "C:\Program Files\Dell AIO Printer 948\dldfmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell AIO Printer 948\memcard.exe"
O4 - HKLM\..\Run: [Dell AIO Printer 948 Fax Server] "C:\Program Files\Dell AIO Printer 948\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CPM2756a56e] Rundll32.exe "C:\WINDOWS\system32\nobupize.dll",a
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O20 - AppInit_DLLs: C:\WINDOWS\system32\rulisofo.dll c:\windows\system32\kewevuro.dll c:\windows\system32\vunewite.dll c:\windows\system32\nobupize.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dldf_device - - C:\WINDOWS\system32\dldfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 4989 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2008-08-13 206064]
"dldfmon.exe"=C:\Program Files\Dell AIO Printer 948\dldfmon.exe [2007-07-03 455304]
"MemoryCardManager"=C:\Program Files\Dell AIO Printer 948\memcard.exe [2007-07-03 410248]
"Dell AIO Printer 948 Fax Server"=C:\Program Files\Dell AIO Printer 948\fm3032.exe [2007-07-03 307848]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-14 98304]
"CPM2756a56e"=C:\WINDOWS\system32\nobupize.dll []
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Yahoo! Pager"=C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-08-30 4670704]
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe [2009-02-06 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\rulisofo.dll c:\windows\system32\kewevuro.dll c:\windows\system32\vunewite.dll c:\windows\system32\nobupize.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~3\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\rulisofo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"="C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\WINDOWS\system32\dldfcoms.exe"="C:\WINDOWS\system32\dldfcoms.exe:*:Enabled:Dell Communications System"
"C:\Program Files\Dell AIO Printer 948\dldfmon.exe"="C:\Program Files\Dell AIO Printer 948\dldfmon.exe:*:Enabled:Printer Device Monitor"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\dldfpswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\dldfpswx.exe:*:Enabled:Printer Status Window Interface"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\dldftime.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\dldftime.exe:*:Enabled:Time Executable"
"C:\Program Files\Dell AIO Printer 948\dldfaiox.exe"="C:\Program Files\Dell AIO Printer 948\dldfaiox.exe:*:Enabled:AIOC exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\dldfjswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\dldfjswx.exe:*:Enabled:Job Status Window Interface"
"C:\WINDOWS\system32\dldfcfg.exe"="C:\WINDOWS\system32\dldfcfg.exe:*:Enabled:Printer Communication System"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\dldfwbgw.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\dldfwbgw.exe:*:Enabled:Dell Web Gateway"
"C:\Program Files\Dell AIO Printer 948\DLDFFax.exe"="C:\Program Files\Dell AIO Printer 948\DLDFFax.exe:*:Enabled:Fax Solutions Software"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Dell AIO Printer 948\dldfafcn.exe"="C:\Program Files\Dell AIO Printer 948\dldfafcn.exe:LocalSubNet:Enabled: "
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\McAfee\VirusScan\mcvsshld.exe"="C:\Program Files\McAfee\VirusScan\mcvsshld.exe:*:Enabled:mcvsshld"
"C:\Program Files\Dell AIO Printer 948\memcard.exe"="C:\Program Files\Dell AIO Printer 948\memcard.exe:*:Enabled:memcard"
"C:\WINDOWS\system32\ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe:*:Enabled:ctfmon"
"C:\Program Files\Dell Support Center\bin\sprtcmd.exe"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe:*:Enabled:sprtcmd"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 3 months======

2009-03-12 09:42:17 ----D---- C:\rsit
2009-03-07 02:52:07 ----D---- C:\Program Files\Windows Defender
2009-03-04 20:34:51 ----SH---- C:\WINDOWS\system32\fazotene.dll
2009-03-04 20:34:30 ----SH---- C:\WINDOWS\system32\howibovu.dll
2009-03-04 20:34:30 ----SH---- C:\WINDOWS\system32\dobonede.dll
2009-03-04 08:34:43 ----SH---- C:\WINDOWS\system32\yoyijite.dll
2009-03-01 12:36:56 ----D---- C:\VundoFix Backups
2009-03-01 12:36:56 ----A---- C:\VundoFix.txt
2009-02-28 13:07:48 ----D---- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2009-02-28 13:02:18 ----D---- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2009-02-27 20:38:59 ----SH---- C:\WINDOWS\system32\valalafo.dll
2009-02-27 20:38:59 ----SH---- C:\WINDOWS\system32\fuwoduke.dll
2009-02-27 19:58:46 ----A---- C:\ComboFix.txt
2009-02-27 19:15:49 ----SHD---- C:\RECYCLER
2009-02-26 20:08:24 ----D---- C:\ComboFix(2)
2009-02-24 19:01:10 ----DC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-12 01:51:32 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-08 19:21:14 ----D---- C:\Documents and Settings\All Users\Application Data\Electronic Arts
2009-02-08 18:35:06 ----D---- C:\Documents and Settings\cAssiE\Application Data\SPORE Creature Creator
2009-02-08 18:34:22 ----RHD---- C:\Documents and Settings\cAssiE\Application Data\SecuROM
2009-02-08 18:32:27 ----D---- C:\ProgramData
2009-02-08 18:28:25 ----D---- C:\Program Files\Electronic Arts
2009-01-14 11:56:42 ----A---- C:\WINDOWS\CIS_Setup_3.5.57173.439_XP_Vista_x32.INI
2009-01-13 19:02:19 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-11 02:52:11 ----A---- C:\Boot.bak
2009-01-11 02:52:00 ----RASHD---- C:\cmdcons
2009-01-11 02:46:55 ----A---- C:\WINDOWS\zip.exe
2009-01-11 02:46:55 ----A---- C:\WINDOWS\VFIND.exe
2009-01-11 02:46:55 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-01-11 02:46:55 ----A---- C:\WINDOWS\SWSC.exe
2009-01-11 02:46:55 ----A---- C:\WINDOWS\SWREG.exe
2009-01-11 02:46:55 ----A---- C:\WINDOWS\sed.exe
2009-01-11 02:46:55 ----A---- C:\WINDOWS\NIRCMD.exe
2009-01-11 02:46:55 ----A---- C:\WINDOWS\grep.exe
2009-01-11 02:46:55 ----A---- C:\WINDOWS\fdsv.exe
2009-01-11 02:46:36 ----D---- C:\WINDOWS\ERDNT
2009-01-11 02:46:36 ----D---- C:\Qoobox
2009-01-08 14:08:10 ----D---- C:\Documents and Settings\cAssiE\Application Data\DataSafeOnline
2009-01-08 11:53:37 ----D---- C:\Program Files\AskBarDis
2009-01-08 11:53:27 ----AC---- C:\WINDOWS\system32\2f46528c-.txt
2009-01-08 11:08:33 ----A---- C:\WINDOWS\system32\nnnljkIb.dll
2008-12-21 14:50:50 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-21 14:50:50 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-21 14:50:50 ----A---- C:\WINDOWS\system32\java.exe
2008-12-21 14:50:50 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-18 01:46:57 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2008-12-15 02:01:09 ----A---- C:\WINDOWS\system32\spmsg.dll
2008-12-15 02:01:07 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2008-12-14 12:34:22 ----D---- C:\Program Files\Sony
2008-12-14 02:23:12 ----D---- C:\Documents and Settings\All Users\Application Data\acccore
2008-12-13 18:23:59 ----D---- C:\Documents and Settings\cAssiE\Application Data\Sony Corporation
2008-12-13 18:16:18 ----D---- C:\Program Files\Common Files\Sony Shared
2008-12-13 18:12:09 ----HDC---- C:\WINDOWS\$NtUninstallWMFDist11$
2008-12-13 18:11:23 ----HDC---- C:\WINDOWS\$NtUninstallWudf01000$
2008-12-13 00:03:44 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-13 00:03:31 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-13 00:01:42 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-13 00:01:37 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-13 00:01:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 3 months======

2009-03-12 09:42:41 ----D---- C:\Program Files\Trend Micro
2009-03-12 09:42:35 ----D---- C:\WINDOWS\Temp
2009-03-12 09:42:22 ----D---- C:\WINDOWS\Prefetch
2009-03-12 09:36:57 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-12 09:36:55 ----SD---- C:\WINDOWS\Tasks
2009-03-12 09:35:14 ----D---- C:\Program Files\Mozilla Firefox
2009-03-12 09:34:08 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-03-12 00:20:07 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-10 23:09:44 ----D---- C:\Documents and Settings\cAssiE\Application Data\Azureus
2009-03-09 22:49:08 ----D---- C:\The Lime
2009-03-09 22:46:09 ----D---- C:\Documents and Settings\cAssiE\Application Data\LimeWire
2009-03-09 22:44:36 ----D---- C:\Incomplete
2009-03-09 21:08:47 ----D---- C:\Documents and Settings
2009-03-09 21:01:36 ----D---- C:\WINDOWS\system32
2009-03-08 11:42:59 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-07 12:27:02 ----RD---- C:\Manga
2009-03-07 02:52:30 ----D---- C:\Config.Msi
2009-03-07 02:52:26 ----SHD---- C:\WINDOWS\Installer
2009-03-07 02:52:11 ----HD---- C:\WINDOWS\inf
2009-03-07 02:52:07 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-03-07 02:52:07 ----D---- C:\Program Files
2009-03-05 18:26:32 ----D---- C:\Program Files\Azureus
2009-03-01 13:09:43 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-03-01 02:23:26 ----SHD---- C:\WINDOWS\system32\dllcache
2009-02-28 14:57:17 ----D---- C:\Documents and Settings\cAssiE\Application Data\dvdcss
2009-02-28 13:07:20 ----D---- C:\Documents and Settings\cAssiE\Application Data\GameHouse
2009-02-27 19:59:10 ----D---- C:\WINDOWS\system32\drivers
2009-02-27 19:58:48 ----D---- C:\WINDOWS
2009-02-27 19:54:55 ----A---- C:\WINDOWS\system.ini
2009-02-27 19:52:51 ----D---- C:\WINDOWS\system32\config
2009-02-27 19:50:53 ----D---- C:\WINDOWS\AppPatch
2009-02-27 19:50:46 ----D---- C:\Program Files\Common Files
2009-02-26 20:18:01 ----D---- C:\WINDOWS\system32\CatRoot
2009-02-26 20:13:12 ----D---- C:\WINDOWS\system32\wbem
2009-02-26 20:13:11 ----D---- C:\WINDOWS\Registration
2009-02-26 20:12:14 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-24 18:11:39 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-20 02:05:54 ----D---- C:\Documents and Settings\cAssiE\Application Data\Skype
2009-02-20 01:03:01 ----D---- C:\Documents and Settings\cAssiE\Application Data\skypePM
2009-02-19 19:27:01 ----D---- C:\Program Files\McAfee
2009-02-19 16:09:57 ----RD---- C:\MUSIC
2009-02-19 14:33:56 ----D---- C:\WINDOWS\Minidump
2009-02-12 01:51:37 ----A---- C:\WINDOWS\imsins.BAK
2009-02-10 00:24:45 ----SD---- C:\Documents and Settings\cAssiE\Application Data\Microsoft
2009-02-08 18:34:21 ----A---- C:\WINDOWS\system32\CmdLineExt.dll
2009-02-08 18:32:39 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-31 14:06:33 ----A---- C:\WINDOWS\win.ini
2009-01-14 11:54:00 ----RD---- C:\Set ups
2009-01-11 12:28:29 ----D---- C:\Program Files\Dell AIO Printer 948
2009-01-11 02:52:11 ----RASH---- C:\boot.ini
2009-01-09 18:48:53 ----D---- C:\MDT
2009-01-08 11:52:12 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-01-08 11:30:54 ----A---- C:\rapport.txt
2009-01-08 11:24:56 ----AC---- C:\WINDOWS\system32\tmp.txt
2009-01-07 13:21:59 ----D---- C:\Documents and Settings\cAssiE\Application Data\Google
2009-01-06 22:34:50 ----D---- C:\picturezs bleepezs!
2008-12-28 04:27:54 ----D---- C:\walawen
2008-12-26 20:14:10 ----RSD---- C:\WINDOWS\assembly
2008-12-26 20:12:57 ----D---- C:\WINDOWS\Microsoft.NET
2008-12-26 19:56:17 ----D---- C:\WINDOWS\WinSxS
2008-12-26 19:55:24 ----D---- C:\Program Files\Internet Explorer
2008-12-21 14:50:09 ----D---- C:\Program Files\Java
2008-12-19 01:59:50 ----A---- C:\YServer.txt
2008-12-16 00:05:08 ----D---- C:\Program Files\Zoom Player
2008-12-15 16:54:18 ----D---- C:\WINDOWS\SxsCaPendDel
2008-12-14 03:56:39 ----D---- C:\Program Files\AIM6
2008-12-14 02:22:03 ----D---- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-12-13 18:12:23 ----D---- C:\Program Files\Windows Media Player
2008-12-13 18:11:34 ----D---- C:\WINDOWS\system32\LogFiles
2008-12-13 18:08:22 ----D---- C:\WINDOWS\security

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2006-08-11 12920]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2006-08-18 35096]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-08-18 32472]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2006-08-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-08-18 104472]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-08-18 26008]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-08-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-08-18 97848]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-08-18 94648]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2006-08-11 51768]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-10-07 2455040]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-07-19 254872]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-07-16 4403712]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2008-02-18 96256]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 axerin5z;axerin5z; C:\WINDOWS\system32\drivers\axerin5z.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD); C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-11-08 12006784]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AOL ACS;AOL Connectivity Service; C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe [2004-04-07 1135728]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-10-07 483328]
R2 dldf_device;dldf_device; C:\WINDOWS\system32\dldfcoms.exe [2007-06-26 598664]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-21 152984]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; C:\Program Files\McAfee\VirusScan\McShield.exe [2007-07-24 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2007-11-26 23880]
R2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S4 dldfCATSCustConnectService;dldfCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldfserv.exe [2007-06-26 98952]
S4 GoogleDesktopManager;GoogleDesktopManager; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-01-14 1838592]
S4 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2006-11-02 174656]
S4 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640]
S4 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]
S4 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe []

-----------------EOF-----------------


Thanks in advance farbar

#4 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 March 2009 - 10:00 AM

Seems you have run Combofix.

Go to Start => Run => Copy and paste the following text in the run box and click OK.

cmd /c dir /o:d /a "C:\Qoobox" > "%userprofile%\desktop\log1.txt"

A text file (log1.txt) will be created on your desktop. Copy and paste the content of it to your reply.

#5 Mathew=
  • Topic Starter

Posted 12 March 2009 - 11:19 AM

Well, yes we have, she was irritated.

Volume in drive C is HUGE
Volume Serial Number is 2465-965D

Directory of C:\Qoobox

01/11/2009 02:53 AM <DIR> Quarantine
01/11/2009 03:04 AM 763,674 snapshot@2009-01-11_ 2.04.52.17.dat
01/11/2009 03:04 AM 714,750 snapshot@2009-01-11_ 2.04.52.17_B.dat
01/11/2009 03:05 AM 12,664 ComboFix4.txt
01/16/2009 09:57 AM 12,643 ComboFix3.txt
02/27/2009 02:52 PM 766,626 SnapShot_2009-02-27_13.52.35.95.dat
02/27/2009 02:52 PM 717,540 SnapShot_2009-02-27_13.52.35.95_B.dat
02/27/2009 02:53 PM 14,066 ComboFix2.txt
02/27/2009 07:48 PM <DIR> BackEnv
02/27/2009 07:58 PM 5,143 Add-Remove Programs.txt
02/27/2009 07:58 PM 4,147 ComboFix-quarantined-files.txt
02/27/2009 07:59 PM <DIR> .
02/27/2009 07:59 PM <DIR> ..
9 File(s) 3,011,253 bytes
4 Dir(s) 16,584,818,688 bytes free

#6 Farbar

Posted 12 March 2009 - 12:24 PM

Well, yes we have, she was irritated.


I didn't get it.
Anyway, let her know we will clean this and she doesn't have to worry about it.

Please go to start -> Run => Copy and paste the bold line in the run-box and click OK:

C:\Qoobox\ComboFix4.txt

A text file opens, copy and paste the content to your reply.

#7 Mathew=
  • Topic Starter

Posted 12 March 2009 - 12:50 PM

ComboFix 09-01-10.02 - cAssiE 2009-01-11 1:53:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.620 [GMT -5:00]
Running from: c:\documents and settings\cAssiE\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\404Fix.exe
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekatkbgomet.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\estmukft.dll
c:\windows\system32\feihhnyn.dll
c:\windows\system32\geBrrRiI.dll
c:\windows\system32\gkrvbv.dll
c:\windows\system32\ibkieyhw.ini
c:\windows\system32\IEDFix.exe
c:\windows\system32\IiRrrBeg.ini
c:\windows\system32\IiRrrBeg.ini2
c:\windows\system32\lcfmxols.ini
c:\windows\system32\legdqkcy.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\pgcbmtse.ini
c:\windows\system32\pmnnKEVM.dll
c:\windows\system32\Process.exe
c:\windows\system32\qrbmwb.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekamoqbarmk.dll
c:\windows\system32\sloxmfcl.dll
c:\windows\system32\smp
c:\windows\system32\smp\msrc.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\srlvcwds.dll
c:\windows\system32\tfkumtse.ini
c:\windows\system32\tmp.reg
c:\windows\system32\tpqqlchn.ini
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\userconfig9x.dll
c:\windows\winsystem.exe
c:\documents and settings\cAssiE\Cookies\??????????????????????????? . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-08 13:08 . 2009-01-08 13:08 <DIR> d-------- c:\documents and settings\cAssiE\Application Data\DataSafeOnline
2009-01-08 12:28 . 2009-01-08 12:28 <DIR> d-------- c:\documents and settings\Owner
2009-01-08 10:53 . 2009-01-08 10:53 <DIR> d-------- c:\program files\AskBarDis
2009-01-08 10:32 . 2009-01-08 10:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-08 10:08 . 2009-01-08 10:08 54,803 --a------ c:\windows\system32\nnnljkIb.dll
2009-01-08 10:03 . 2009-01-08 10:03 45,568 --a------ c:\windows\system32\fcccYqQH.dll
2008-12-21 13:50 . 2008-12-21 13:50 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-14 11:34 . 2008-12-14 11:34 <DIR> d-------- c:\program files\Sony
2008-12-14 01:23 . 2008-12-14 01:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-13 17:23 . 2008-12-13 17:23 <DIR> d-------- c:\documents and settings\cAssiE\Application Data\Sony Corporation
2008-12-13 17:16 . 2008-12-13 17:16 <DIR> d-------- c:\program files\Common Files\Sony Shared
2008-12-13 17:11 . 2008-12-14 11:05 <DIR> d-------- c:\windows\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 06:08 --------- d-----w c:\documents and settings\cAssiE\Application Data\LimeWire
2009-01-11 05:04 --------- d-----w c:\documents and settings\cAssiE\Application Data\Azureus
2009-01-08 15:52 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-08 15:35 --------- d-----w c:\program files\McAfee
2008-12-21 18:50 --------- d-----w c:\program files\Java
2008-12-16 04:05 --------- d-----w c:\program files\Zoom Player
2008-12-14 07:56 --------- d-----w c:\program files\AIM6
2008-12-14 06:22 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-07 23:31 --------- d-----w c:\program files\Mobius
2008-12-07 20:58 --------- d-----w c:\program files\METIN2US
2008-12-03 21:33 --------- d-----w c:\documents and settings\cAssiE\Application Data\dvdcss
2008-12-02 04:54 --------- d-----w c:\documents and settings\cAssiE\Application Data\Winamp
2008-11-29 01:09 --------- d-----w c:\program files\Common Files\aolshare
2008-11-29 01:09 --------- d-----w c:\program files\Common Files\AOL
2008-11-29 01:09 --------- d-----w c:\program files\AOL Companion
2008-11-29 01:09 --------- d-----w c:\program files\America Online 9.0
2008-11-29 01:09 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-29 01:08 --------- d-----w c:\program files\Winamp Toolbar
2008-11-29 01:08 --------- d-----w c:\program files\Winamp
2008-11-29 01:08 --------- d-----w c:\program files\Crawler(2)
2008-11-29 01:08 --------- d-----w c:\program files\Common Files\muvee Technologies
2008-11-29 01:08 --------- d-----w c:\documents and settings\All Users\Application Data\YAHOO
2008-11-29 01:08 --------- d-----w c:\documents and settings\All Users\Application Data\Winamp Toolbar
2008-11-29 01:04 --------- d-----w c:\program files\Yahoo!
2008-11-29 00:59 --------- d-----w c:\program files\Common Files\SureThing Shared
2008-11-29 00:58 --------- d-----w c:\program files\MSXML 4.0
2008-11-29 00:57 --------- d-----w c:\program files\LimeWire
2008-11-29 00:45 --------- d-----w c:\documents and settings\cAssiE\Application Data\BSplayer
2008-11-29 00:45 --------- d-----w c:\documents and settings\cAssiE\Application Data\AVSMedia
2008-11-29 00:45 --------- d-----w c:\documents and settings\cAssiE\Application Data\acccore
2008-11-29 00:45 --------- d-----w c:\documents and settings\cAssiE\Application Data\948 Series
2008-11-28 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-04-20 20:05 0 -c--a-w c:\program files\temp01
2008-04-12 05:45 1,377,872 -c--a-w c:\documents and settings\All Users\Application Data\pswi_preloaded.exe
2008-02-17 18:41 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-01-25 00:13 60,968 ----a-w c:\documents and settings\cAssiE\GoToAssistDownloadHelper.exe
2008-03-05 02:33 88 --sha-r c:\windows\system32\2E467607E3.sys
2008-03-05 02:34 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=qrbmwb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\geBrrRiI

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dldfcoms.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\dldfmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldftime.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\dldfaiox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfjswx.exe"=
"c:\\WINDOWS\\system32\\dldfcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfwbgw.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\DLDFFax.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys --> c:\program files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [?]
S4 dldf_device;dldf_device;c:\windows\system32\dldfcoms.exe -service --> c:\windows\system32\dldfcoms.exe -service [?]
S4 dldfCATSCustConnectService;dldfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldfserv.exe [2008-04-12 98952]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\McAfee\MQC\QcConsol.exe [2007-12-04 12:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2009-01-11 c:\windows\Tasks\zwarkqwj.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{46B3B362-E2B1-481B-A04E-7DCD359134E3} - c:\windows\system32\geBrrRiI.dll
BHO-{a543d7ba-0aa6-4830-95f8-f3698db4c996} - c:\windows\system32\qrbmwb.dll


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com
FF - ProfilePath - c:\documents and settings\cAssiE\Application Data\Mozilla\Firefox\Profiles\3oyetvi1.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 02:01:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-01-11 2:05:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-11 07:05:45

Pre-Run: 17,068,400,640 bytes free
Post-Run: 17,005,768,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=2,3,4,5
223 --- E O F --- 2008-12-18 05:47:05

#8 Farbar

Posted 12 March 2009 - 01:00 PM

Thanks for the log.
  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Open Windows Defender.
    • Click on Tools, Options.
    • Scroll down the list of options to select "Real-time Protection Options."
    • Uncheck "Use Real-Time Protection (Recommended)".
    • After you uncheck this, click on the Save button and close Windows Defender.

      Note: After all of the fixes are complete and I give you the clean sign, enable Real-time Protection again.
  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let it reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Delete your copy of Combofix from your desktop if you still have it. Download the latest update of ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    Close any open browsers.

    Open notepad and copy/paste the text in the code box below into it:

    File::
    C:\WINDOWS\system32\howibovu.dll
    C:\WINDOWS\system32\fazotene.dll
    C:\WINDOWS\system32\dobonede.dll
    C:\WINDOWS\system32\yoyijite.dll
    C:\WINDOWS\system32\nnnljkIb.dll
    C:\WINDOWS\system32\rulisofo.dll
    c:\windows\system32\kewevuro.dll
    c:\windows\system32\vunewite.dll
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6C,69,00,00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "CPM2756a56e"=-
    Driver::
    dump_wmimmc
    Viewpoint Manager Service

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Run HijackThis. If you don't know how, go to Start > Run and copy and paste the following and click OK:

    "C:\Program Files\trend micro\cAssiE.exe"

    Click "Do a system scan and save a logfile". Post the content of the log.
Please include in your next reply:
  • The log of MBAM.
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went and the current condition of the computer.

Edited by farbar, 12 March 2009 - 01:05 PM.

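As an added example (not code from this thread, from ComboFix, or from its author), a small Python script that parses the "Reg Loading Points" section of a ComboFix log like the one posted above and flags the persistence indicators the CFScript targets: a populated AppInit_DLLs value, non-default LSA Authentication/Notification Packages, and Security Center alerting switched off. The sample log is constructed from entries quoted in this thread; the baseline package sets are assumptions for a stock Windows XP install.

```python
"""Flag Vundo-style persistence in the 'Reg Loading Points' section of a
ComboFix log. Added example, not ComboFix's own code."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the REGEDIT4-style excerpt posted in the thread.
SAMPLE_LOG = r"""
((((( Reg Loading Points )))))
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=qrbmwb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\geBrrRiI

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: str
    reason: str


KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=value, optionally followed by ComboFix's " [date size]" annotation.
VALUE_RE = re.compile(r'^"([^"]+)"=(.*?)(?:\s+\[[^\]]*\])?$')
# ComboFix prints LSA multi-string values without quotes.
MULTI_RE = re.compile(r"^(Authentication Packages|Notification Packages)\s+REG_MULTI_SZ\s+(.*)$")

# Assumed baseline for a stock XP install; anything else deserves a look.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_NOTIFY_PACKAGES = {"scecli"}
# Security Center values that silence or disable its alerting when set to 1.
SECURITY_CENTER_FLAGS = {"antivirusdisablenotify", "firewalldisablenotify",
                         "updatesdisablenotify", "disablemonitoring"}


def parse_loading_points(text):
    """Yield (key, name, value) triples from the REGEDIT4-style section."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue  # banner lines before the first key
        m = MULTI_RE.match(line)
        if m:
            yield key, m.group(1), m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group(1), m.group(2).strip()


def find_indicators(text):
    """Return the Findings for each suspicious loading point in the log text."""
    findings = []
    for key, name, value in parse_loading_points(text):
        k, n, v = key.lower(), name.lower(), value.lower()
        if k.endswith(r"\windows nt\currentversion\windows") and n == "appinit_dlls":
            if v not in ("", '""'):
                findings.append(Finding(key, name, value,
                                        "AppInit_DLLs loads a DLL into every GUI process"))
        elif k.endswith(r"\control\lsa") and n in ("authentication packages",
                                                   "notification packages"):
            baseline = DEFAULT_AUTH_PACKAGES if n.startswith("auth") else DEFAULT_NOTIFY_PACKAGES
            extras = [p for p in value.split() if p.lower() not in baseline]
            if extras:
                findings.append(Finding(key, name, " ".join(extras),
                                        "non-default LSA package loaded by lsass"))
        elif "\\security center" in k and n in SECURITY_CENTER_FLAGS and v == "dword:00000001":
            findings.append(Finding(key, name, value, "Security Center alerting disabled"))
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f.reason}: {f.key} -> {f.name} = {f.value}")
```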

#9 Mathew=
  • Topic Starter

Posted 12 March 2009 - 01:35 PM

I couldn't really tell any difference in the performance.

--------------------------

MBAM log:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/12/2009 2:15:49 PM
mbam-log-2009-03-12 (14-15-49).txt

Scan type: Quick Scan
Objects scanned: 70141
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2756a56e (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\howibovu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnljkIb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

--------------------



COMBOFIX log:


ComboFix 09-03-10.03 - cAssiE 2009-03-12 14:19:59.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.565 [GMT -4:00]
Running from: c:\documents and settings\cAssiE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\cAssiE\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\dobonede.dll
c:\windows\system32\fazotene.dll
c:\windows\system32\howibovu.dll
c:\windows\system32\kewevuro.dll
c:\windows\system32\nnnljkIb.dll
c:\windows\system32\rulisofo.dll
c:\windows\system32\vunewite.dll
c:\windows\system32\yoyijite.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dobonede.dll
c:\windows\system32\fazotene.dll
c:\windows\system32\yoyijite.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DUMP_WMIMMC


((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-12 14:09 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 14:09 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 09:42 . 2009-03-12 09:42 <DIR> d-------- C:\rsit
2009-03-07 02:52 . 2009-03-07 02:52 <DIR> d-------- c:\program files\Windows Defender
2009-03-01 12:36 . 2009-03-01 12:36 <DIR> d-------- C:\VundoFix Backups
2009-02-28 13:07 . 2009-02-28 13:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-02-28 13:02 . 2009-02-28 13:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-02-27 20:38 . 2009-02-27 20:38 2,098 ---hs---- c:\windows\system32\valalafo.dll
2009-02-27 20:38 . 2009-02-27 20:38 2,098 ---hs---- c:\windows\system32\fuwoduke.dll
2009-02-26 20:08 . 2009-02-26 20:12 <DIR> d-------- C:\ComboFix(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 18:09 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-12 13:42 --------- d-----w c:\program files\Trend Micro
2009-03-11 03:09 --------- d-----w c:\documents and settings\cAssiE\Application Data\Azureus
2009-03-10 02:46 --------- d-----w c:\documents and settings\cAssiE\Application Data\LimeWire
2009-03-05 22:26 --------- d-----w c:\program files\Azureus
2009-02-28 18:57 --------- d-----w c:\documents and settings\cAssiE\Application Data\dvdcss
2009-02-28 17:07 --------- d-----w c:\documents and settings\cAssiE\Application Data\GameHouse
2009-02-20 06:05 --------- d-----w c:\documents and settings\cAssiE\Application Data\Skype
2009-02-20 05:03 --------- d-----w c:\documents and settings\cAssiE\Application Data\skypePM
2009-02-19 23:27 --------- d-----w c:\program files\McAfee
2009-02-15 17:45 --------- d-----w c:\documents and settings\cAssiE\Application Data\SPORE Creature Creator
2009-02-08 23:21 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-08 22:34 --------- d--h--r c:\documents and settings\cAssiE\Application Data\SecuROM
2009-02-08 22:32 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 22:32 --------- d-----w c:\program files\Electronic Arts
2008-04-20 20:05 0 -c--a-w c:\program files\temp01
2008-04-12 05:45 1,377,872 -c--a-w c:\documents and settings\All Users\Application Data\pswi_preloaded.exe
2008-02-17 18:41 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-05 02:33 88 --sha-r c:\windows\system32\2E467607E3.sys
2008-03-05 02:34 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-02-27_13.52.35.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2009-02-27 18:41:40 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-12 18:07:00 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-27 18:41:40 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-12 18:07:00 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:12:07 295,424 ----a-w c:\windows\system32\dllcache\termsrv.dll
- 2008-12-26 23:58:26 63,540 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-08 15:43:00 63,540 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-26 23:58:26 403,374 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-08 15:43:00 403,374 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-12 18:25:26 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"dldfmon.exe"="c:\program files\Dell AIO Printer 948\dldfmon.exe" [2007-07-03 455304]
"MemoryCardManager"="c:\program files\Dell AIO Printer 948\memcard.exe" [2007-07-03 410248]
"Dell AIO Printer 948 Fax Server"="c:\program files\Dell AIO Printer 948\fm3032.exe" [2007-07-03 307848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-14 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dldfcoms.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\dldfmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldftime.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\dldfaiox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfjswx.exe"=
"c:\\WINDOWS\\system32\\dldfcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfwbgw.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\DLDFFax.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\memcard.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R2 dldf_device;dldf_device;c:\windows\system32\dldfcoms.exe -service --> c:\windows\system32\dldfcoms.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S4 dldfCATSCustConnectService;dldfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldfserv.exe [2008-04-12 98952]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\McAfee\MQC\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\cAssiE\Application Data\Mozilla\Firefox\Profiles\3oyetvi1.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 14:25:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4110109682-1179019529-858777644-1007\Software\SecuROM\License information*]
"datasecu"=hex:8e,bf,3e,86,d3,c9,e7,f4,9d,d2,7e,5a,6d,80,5c,5c,1b,3f,2d,df,28,
3f,64,49,30,40,77,8c,8c,10,32,74,00,cd,b6,ac,7e,9b,fb,27,e5,e8,0d,76,53,a9,\
"rkeysecu"=hex:08,e2,c3,c2,10,b5,cc,65,31,75,61,62,41,70,2c,11
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\dldfcoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-03-12 14:31:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 18:30:59
ComboFix2.txt 2009-02-27 23:58:46
ComboFix3.txt 2009-02-27 18:53:41
ComboFix4.txt 2009-01-16 13:57:50
ComboFix5.txt 2009-03-12 18:19:18

Pre-Run: 16,513,114,112 bytes free
Post-Run: 16,462,204,928 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5
210 --- E O F --- 2009-03-12 18:27:36


-------------------------



HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:25 PM, on 3/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\dldfcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell AIO Printer 948\dldfmon.exe
C:\Program Files\Dell AIO Printer 948\memcard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\trend micro\cAssiE.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [dldfmon.exe] "C:\Program Files\Dell AIO Printer 948\dldfmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell AIO Printer 948\memcard.exe"
O4 - HKLM\..\Run: [Dell AIO Printer 948 Fax Server] "C:\Program Files\Dell AIO Printer 948\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dldf_device - - C:\WINDOWS\system32\dldfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 4556 bytes

-----------------------

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:54 PM

Posted 12 March 2009 - 02:04 PM

I couldn't really tell any difference in the performance.


You should not be getting any "not found" messages at startup.
  • Malwarebytes' Anti-Malware 1.34
    Database version: 1749


    As you see, MBAM is not updated. The database should read: 1841. Please follow the instruction a


  • Open notepad and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/207000/infected-with-vundotrojanetc/
    
    Collect::[66]
    c:\windows\system32\valalafo.dll
    c:\windows\system32\fuwoduke.dll

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
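The logs in post #9 carry the two things a triager looks for before writing a CFScript like the one above: the hidden+system, random-named, same-sized DLLs ComboFix found directly under system32 (valalafo.dll and fuwoduke.dll, 2,098 bytes each, attributes ---hs----) and the Security Center values that silence the antivirus and update warnings. The script below is an added example, not ComboFix's, BleepingComputer's or Farbar's code: it parses a constructed excerpt in the shape of the ComboFix output, flags both indicators, and emits a Collect:: block in the shape of the CFScript posted above. The heuristics (eight lowercase letters, .dll, hidden+system, parent directory exactly \windows\system32; non-zero Security Center DisableNotify/DisableMonitoring values) are assumptions for illustration, and the bracketed tag after Collect:: (the page shows [66]) is passed through as a parameter rather than explained.

```python
import re

# Constructed excerpt in the shape of the ComboFix log above (not a real capture).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-12 14:09 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-07 02:52 . 2009-03-07 02:52 <DIR> d-------- c:\program files\Windows Defender
2009-02-27 20:38 . 2009-02-27 20:38 2,098 ---hs---- c:\windows\system32\valalafo.dll
2009-02-27 20:38 . 2009-02-27 20:38 2,098 ---hs---- c:\windows\system32\fuwoduke.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# One "Files Created" line: <created> . <modified> <size|<DIR>> <9 attribute chars> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')

# Values under HKLM\...\Security Center that hide warnings from the user (assumed list).
NOTIFY_VALUES = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"}


def parse_created_files(log):
    """Return one dict per entry in a 'Files Created' section; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({"created": m["created"], "modified": m["modified"],
                        "size": size, "attrs": m["attrs"], "path": m["path"]})
    return entries


def suspicious_dlls(entries):
    """Heuristic (assumption): hidden+system .dll with an 8-lowercase-letter name directly
    under \\windows\\system32, the shape of the droppers in this thread."""
    hits = []
    for e in entries:
        parent, _, name = e["path"].lower().rpartition("\\")
        if not parent.endswith("\\windows\\system32"):
            continue
        stem, _, ext = name.rpartition(".")
        hidden_system = "h" in e["attrs"] and "s" in e["attrs"]
        random_name = re.fullmatch(r"[a-z]{8}", stem) is not None
        if ext == "dll" and hidden_system and random_name:
            hits.append(e["path"])
    return hits


def security_center_tampering(log):
    """Return (key, value name, confidence) for non-zero Security Center 'disable' values
    in a REGEDIT4-style 'Reg Loading Points' section."""
    findings, key = [], None
    for line in log.splitlines():
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            key = km["key"]
            continue
        vm = REG_DWORD.match(line)
        if not (vm and key and "security center" in key.lower()):
            continue
        if int(vm["value"], 16) == 0:
            continue
        if vm["name"] in NOTIFY_VALUES:
            findings.append((key, vm["name"], "strong"))   # user-facing warnings suppressed
        elif vm["name"] == "DisableMonitoring":
            findings.append((key, vm["name"], "weak"))     # vendors often set this themselves
    return findings


def build_cfscript(paths, thread_url=None, tag=""):
    """Emit a CFScript in the shape of the one posted above: optional thread URL, then a
    Collect:: line (tag is whatever the helper specifies) followed by one path per line."""
    lines = [thread_url, ""] if thread_url else []
    lines.append("Collect::" + tag)
    lines.extend(paths)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = suspicious_dlls(parse_created_files(SAMPLE_LOG))
    for finding in security_center_tampering(SAMPLE_LOG):
        print("security center:", finding)
    print(build_cfscript(hits, tag="[66]"), end="")
```

A DisableMonitoring value under Monitoring\<vendor> is the weaker signal, because a security suite often sets it for its own products so that Security Center defers to the suite's status reporting; the DisableNotify values under the root key, which suppress the warning balloons the user would otherwise see, are the ones worth acting on. The flagged paths feed straight into build_cfscript, whose output is the text you would save as CFScript.txt.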


#11 Mathew=

Mathew=
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The bottom of the well
  • Local time:08:54 AM

Posted 12 March 2009 - 02:24 PM

Sorry, I thought I just did.

----------------

MBAM 1841 log:

Malwarebytes' Anti-Malware 1.34
Database version: 1841
Windows 5.1.2600 Service Pack 3

3/12/2009 3:12:15 PM
mbam-log-2009-03-12 (15-12-15).txt

Scan type: Quick Scan
Objects scanned: 72200
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------------------

COMBOFIX log:

ComboFix 09-03-10.03 - cAssiE 2009-03-12 15:16:43.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.545 [GMT -4:00]
Running from: c:\documents and settings\cAssiE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\cAssiE\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fuwoduke.dll
c:\windows\system32\valalafo.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-12 14:29 . 2009-03-12 14:29 <DIR> d-------- c:\windows\LastGood
2009-03-12 14:09 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 14:09 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 09:42 . 2009-03-12 09:42 <DIR> d-------- C:\rsit
2009-03-07 02:52 . 2009-03-07 02:52 <DIR> d-------- c:\program files\Windows Defender
2009-03-01 12:36 . 2009-03-01 12:36 <DIR> d-------- C:\VundoFix Backups
2009-02-28 13:07 . 2009-02-28 13:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-02-28 13:02 . 2009-02-28 13:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-02-26 20:08 . 2009-02-26 20:12 <DIR> d-------- C:\ComboFix(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 18:34 --------- d-----w c:\program files\Trend Micro
2009-03-12 18:09 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-11 03:09 --------- d-----w c:\documents and settings\cAssiE\Application Data\Azureus
2009-03-10 02:46 --------- d-----w c:\documents and settings\cAssiE\Application Data\LimeWire
2009-03-05 22:26 --------- d-----w c:\program files\Azureus
2009-02-28 18:57 --------- d-----w c:\documents and settings\cAssiE\Application Data\dvdcss
2009-02-28 17:07 --------- d-----w c:\documents and settings\cAssiE\Application Data\GameHouse
2009-02-20 06:05 --------- d-----w c:\documents and settings\cAssiE\Application Data\Skype
2009-02-20 05:03 --------- d-----w c:\documents and settings\cAssiE\Application Data\skypePM
2009-02-19 23:27 --------- d-----w c:\program files\McAfee
2009-02-15 17:45 --------- d-----w c:\documents and settings\cAssiE\Application Data\SPORE Creature Creator
2009-02-08 23:21 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-02-08 22:34 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-02-08 22:34 --------- d--h--r c:\documents and settings\cAssiE\Application Data\SecuROM
2009-02-08 22:32 1,888 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-02-08 22:32 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 22:32 --------- d-----w c:\program files\Electronic Arts
2008-12-21 18:50 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-04-20 20:05 0 -c--a-w c:\program files\temp01
2008-04-12 05:45 1,377,872 -c--a-w c:\documents and settings\All Users\Application Data\pswi_preloaded.exe
2008-02-17 18:41 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-05 02:33 88 --sha-r c:\windows\system32\2E467607E3.sys
2008-03-05 02:34 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-02-27_13.52.35.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2009-02-27 18:41:40 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-12 18:07:00 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-27 18:41:40 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-12 18:07:00 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:12:07 295,424 ----a-w c:\windows\system32\dllcache\termsrv.dll
- 2008-12-26 23:58:26 63,540 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-08 15:43:00 63,540 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-26 23:58:26 403,374 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-08 15:43:00 403,374 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-12 18:25:26 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"dldfmon.exe"="c:\program files\Dell AIO Printer 948\dldfmon.exe" [2007-07-03 455304]
"MemoryCardManager"="c:\program files\Dell AIO Printer 948\memcard.exe" [2007-07-03 410248]
"Dell AIO Printer 948 Fax Server"="c:\program files\Dell AIO Printer 948\fm3032.exe" [2007-07-03 307848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-14 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dldfcoms.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\dldfmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldftime.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\dldfaiox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfjswx.exe"=
"c:\\WINDOWS\\system32\\dldfcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldfwbgw.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\DLDFFax.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\Dell AIO Printer 948\\memcard.exe"=
"c:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R2 dldf_device;dldf_device;c:\windows\system32\dldfcoms.exe -service --> c:\windows\system32\dldfcoms.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S4 dldfCATSCustConnectService;dldfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldfserv.exe [2008-04-12 98952]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\McAfee\MQC\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\cAssiE\Application Data\Mozilla\Firefox\Profiles\3oyetvi1.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 15:19:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4110109682-1179019529-858777644-1007\Software\SecuROM\License information*]
"datasecu"=hex:8e,bf,3e,86,d3,c9,e7,f4,9d,d2,7e,5a,6d,80,5c,5c,1b,3f,2d,df,28,
3f,64,49,30,40,77,8c,8c,10,32,74,00,cd,b6,ac,7e,9b,fb,27,e5,e8,0d,76,53,a9,\
"rkeysecu"=hex:08,e2,c3,c2,10,b5,cc,65,31,75,61,62,41,70,2c,11
.
Completion time: 2009-03-12 15:21:03
ComboFix-quarantined-files.txt 2009-03-12 19:21:01
ComboFix2.txt 2009-03-12 18:31:09
ComboFix3.txt 2009-02-27 23:58:46
ComboFix4.txt 2009-02-27 18:53:41
ComboFix5.txt 2009-03-12 19:16:08

Pre-Run: 16,444,362,752 bytes free
Post-Run: 16,425,066,496 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5
180 --- E O F --- 2009-03-12 18:27:36

I disabled McAfee's virus scan and firewall, but it still seemed to be running along with ComboFix.

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:54 PM

Posted 12 March 2009 - 03:01 PM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. We are not here to pass judgment on file-sharing as a concept. But file-sharing is used to infect users, as a tremendous number of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all p2p (Azureus, LimeWire, etc...) download folders. They might contain infected files. Please avoid using these p2p applications or uninstall them. Using these applications at this stage might lead to reinfection or infecting other users.

  • I see on the log Ask Toolbar is installed on your computer:

    This program is known to be bundled with adware/spyware. You may read more about Ask Toolbars here:
    http://www.benedelman.org/spyware/ask-toolbars/

    To uninstall Ask Toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated" this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Ask Toolbar

    Also remove the folder in bold: C:\Program Files\AskSBar

  • You have Java™ 6 Update 11 and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components:
    Click "start" and then "Control Panel" icon.
    Doubleclick the "Add or Remove Programs" icon
    A list of programs installed will be "populated" this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    J2SE Runtime Environment 5.0 Update 6
    Java™ 6 Update 5
    Java™ 6 Update 7


  • Please use Internet Explorer to perform a BitDefender Online Virus and Malware Scan
    • Click on I Agree.
    • Under SCANNING OPTIONS, under the Settings section, click "click here".
    • Under Action Options:
      • Select Disinfect.
      • Expand Second Option select Delete
      • Click OK.
    • Now Click On Start Scan. Please wait as it might take some time.
    • When it finished click Click here to export the scan report
    • Give the report a name (like scanlog) and save it. The file will be scanlog.HTML
    • Please attach the file to your reply.
    • To attach the file press ADDREPLY, under the reply window press Browse... show the path to the file on your computer.
    • Highlight the file and click Open then press the green UPLOAD button.
  • Tell me also if you still have any problem.
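The Java step above relies on the reader spotting which of several side-by-side Java entries in Add or Remove Programs is the current one; the older runtimes stay installed, and stay exploitable, until each is removed by name. The script below is an added example, not Farbar's, Sun's or Microsoft's code: it parses Add/Remove display names of the form the post lists, orders them so that J2SE Runtime Environment 5.0 Update 6 sorts below Java 6 Update 5, and returns the newest runtime to keep plus the older ones to remove. The sample list is constructed; installed_display_names() is an assumption about where those names live (the DisplayName values under the Uninstall key that Add or Remove Programs reads) and only runs on Windows.

```python
import re

# Constructed sample in the shape of Add or Remove Programs display names (XP era).
SAMPLE_PROGRAMS = [
    "Java(TM) 6 Update 11",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 7",
    "Malwarebytes' Anti-Malware",
]

# Runtime display names: "J2SE Runtime Environment 5.0 Update 6", "Java(TM) 6 Update 11",
# "Java(TM) SE Runtime Environment 6 Update 1" (assumed naming patterns).
JAVA_NAME = re.compile(
    r"^(?:J2SE Runtime Environment|Java(?:\(TM\)|™)(?: SE Runtime Environment)?)\s+"
    r"(?P<major>\d+)(?:\.(?P<minor>\d+))?(?:\s+Update\s+(?P<update>\d+))?$"
)


def java_version(display_name):
    """(major, minor, update) for a Java runtime display name, else None."""
    m = JAVA_NAME.match(display_name.strip())
    if not m:
        return None
    return (int(m["major"]), int(m["minor"] or 0), int(m["update"] or 0))


def stale_java_entries(display_names):
    """Return (keep, remove): the newest runtime's display name and every older one,
    newest first, so the remove list can be worked through in Add or Remove Programs."""
    versioned = [(v, n) for n in display_names if (v := java_version(n)) is not None]
    if not versioned:
        return None, []
    versioned.sort(reverse=True)            # tuple order: major, then minor, then update
    return versioned[0][1], [n for _, n in versioned[1:]]


def installed_display_names():
    """Windows only: DisplayName of every Uninstall entry (what Add or Remove Programs lists)."""
    import winreg  # not available off Windows; use a constructed list there
    names = []
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            uninstall = winreg.OpenKey(root, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall")
        except OSError:
            continue
        with uninstall:
            for i in range(winreg.QueryInfoKey(uninstall)[0]):
                try:
                    with winreg.OpenKey(uninstall, winreg.EnumKey(uninstall, i)) as sub:
                        names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
                except OSError:
                    pass                      # entry without a DisplayName
    return names


if __name__ == "__main__":
    keep, remove = stale_java_entries(SAMPLE_PROGRAMS)
    print("keep:  ", keep)
    for name in remove:
        print("remove:", name)
```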


#13 Mathew=

Mathew=
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The bottom of the well
  • Local time:08:54 AM

Posted 12 March 2009 - 09:09 PM

It took 3 hrs and 50 min to scan every file on C:, and now it says that the estimated time left is 6:51 and that it's currently scanning C:\, no directory or particular file... is it rechecking or something?

Edited by Mathew=, 12 March 2009 - 09:18 PM.


#14 Mathew=

Mathew=
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The bottom of the well
  • Local time:08:54 AM

Posted 12 March 2009 - 10:54 PM

Okay... the scan finished after 5 hrs, and I was about to shed tears till I tried uploading it. Seems like the log takes forever to upload, and after 30 or more minutes it says "You have not selected a file to upload."

Will be trying again in 14 hrs. thanks farbar.

Edited by Mathew=, 12 March 2009 - 10:55 PM.


#15 Mathew=

Mathew=
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The bottom of the well
  • Local time:08:54 AM

Posted 13 March 2009 - 01:56 PM

I tried 3 times last night, and after 30 minutes it just stops and says I didn't upload anything. I've tried 4 times today and it still isn't working; there are no other applications running. Is there some other way I can give you the logs?



