
<user>.exe opening popups for windows 2009


14 replies to this topic

#1 panic788

Posted 20 March 2009 - 12:09 AM

I started noticing my PC slow down dramatically in the last day or so. The last thing I can recall before the slowdown was an update of java (which looked legitimate, but may have not been). Now I have noticed "Mike.exe" opening and closing multiple instances of itself while looking at the running processes. I have also started to get a few popups in Internet Explorer, although my browser of choice is firefox. It is usually preceded by a popup warning for being vulnerable to spyware and malware, though not always to the best of my knowledge. The url of the popup window is http://spywareprotectiontool.com/2009/....... In addition the browsers both get pointed at a proxy, which when I follow links from searches in google first take me to hxfindmyworld.com and then to some other search. That was bypassed by de-clicking the proxy option, but reverts back after a reboot. This occurs in both IE and firefox. There appear to be a number of scan omissions in the event log for Symantec AntiVirus dating back to 03.19.09 around 9am, again, in line when I first noticed the issue. The threat history of the antivirus shows two hits closely related in the morning at 08:45: netsik.sys, and 731|3[1].exe. Then between 09:08 of the 19th and 00:16 of the 20th it shows another 15 entries: crack.exe, 943C082Fd01, ksi32sk.sys, nicsk32.sys, acpi32.sys, ws2_32sik.sys, ati64si.sys, ws2_32sik.sys, ati64si.sys, port135sik.sys, ati64si.sys, JFGkod.exe, PELoader.exe, i386si.sys, ws2_32sik.sys.

I have tried running spybot-search and destroy, though it did not seem to help much.

I installed ad-aware, but did not yet run it in an attempt to fix anything.

Attached is my DDS log.

I will check back, and in the meantime try to leave this computer off and just work from my laptop to keep any further malware infection to a minimum.

Thanks in advance for your help.

Attached Files

  • DDS.txt (9.39KB)



#2 kahdah (Security Colleague)

Posted 20 March 2009 - 06:20 AM

Hello panic788

Welcome to BleepingComputer :thumbup2:
========================
Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select Copy.

c:\documents and settings\studio\Mike.exe
c:\windows\ld02.exe
c:\windows\pp04.exe
c:\program files\common files\windows\mc-110-12-0000230.exe
c:\progra~1\common~1\roor\roorm.exe



Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to samples.

Click Here to upload the files please.

==============================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 panic788 (Topic Starter)

Posted 20 March 2009 - 08:53 AM

Thank you for your quick response and help.

I completed all of the steps you suggested, and will attach the log file to this reply from combofix.

I will await further instructions on what should be done, or the okay that all has been fixed to the best of everyone's abilities.

Attached Files



#4 panic788 (Topic Starter)

Posted 20 March 2009 - 09:00 AM

Just before I logged off, I had another IE popup for windowsspywareprotection2009 and a warning box. I quickly clicked the x on them as a reaction. If it happens again, I will let them stay open and take down the information from them and edit this post with the new info.

Edit: Also the browser was hijacked again. I had to change it from using the proxy it set up. It sets the proxy to localhost port 7171 which funnels all traffic to hxfindmyworld.com.

Edit2: Popup warning:
Title bar: "Microsoft Internet Explorer"
Warning message: "Warning!!! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! System Security will perform a quick and free scanning of your PC for viruses and malicious programs."
[OK] [Cancel]

I hit the [x] box for that warning and an IE popup window opens.

hxxp://protectionreads.com

and another warning box
"Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it to secure your PC."
[OK] [Cancel]

Edited by kahdah, 20 March 2009 - 12:54 PM.
removed live malware link


#5 kahdah (Security Colleague)

Posted 20 March 2009 - 12:56 PM

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:


Driver::
acpi32
ati64si
i386si
ksi32sk
netsik
nicsk32
ws2_32sik
port135sik


Collect::
c:\windows\system32\JFGkod.exe
c:\windows\system32\drivers\acpi32.sys 
c:\windows\system32\drivers\ati64si.sys 
c:\windows\system32\drivers\i386si.sys 
c:\windows\system32\drivers\ksi32sk.sys
c:\windows\system32\drivers\netsik.sys 
c:\windows\system32\drivers\nicsk32.sys
c:\windows\system32\drivers\port135sik.sys
c:\windows\system32\drivers\ws2_32sik.sys
c:\windows\system32\nfr.gpref
c:\windows\system32\nfr.assembly
c:\windows\system32\dll32.dll
c:\windows\pp04.exe
c:\windows\t55ft2951f44.dat
c:\windows\ld02.exe
c:\windows\tt_1237556511.exe
C:\dll32.bat

Folder::
c:\windows\9g234sdfdfgjf23

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01E46D8A-F557-85A7-0800-060408040303}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Lgqyc"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dll"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"=-
"7171:TCP"=-
Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\quarantined files\Submit(time and date will be here).zip

Click Here to upload the submit.zip please.

#6 panic788 (Topic Starter)

Posted 20 March 2009 - 06:56 PM

Below is the logfile you requested. I was not sure if it uploaded the necessary zip file, so I followed your directions and submitted it myself.

ComboFix 09-03-19.01 - Mike 2009-03-20 19:39:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.114 [GMT -4:00]
Running from: c:\documents and settings\Studio\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Studio\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\9g234sdfdfgjf23\
c:\windows\ld02.exe
c:\windows\pp04.exe
c:\windows\system32\dll32.dll
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\t55ft2951f44.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_acpi32
-------\Service_ati64si
-------\Service_i386si
-------\Service_ksi32sk
-------\Service_netsik
-------\Service_nicsk32
-------\Service_port135sik
-------\Service_ws2_32sik


((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-20 00:17 . 2009-03-20 00:17 <DIR> d-------- c:\program files\Enigma Software Group
2009-03-19 18:39 . 2009-03-19 18:39 <DIR> d-------- c:\program files\CounterPath
2009-03-19 18:39 . 2009-03-19 18:39 <DIR> d-------- c:\program files\Common Files\Intel
2009-03-19 09:38 . 2009-03-20 10:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-19 09:13 . 2009-03-19 09:13 <DIR> d-------- c:\program files\Trend Micro
2009-03-19 08:47 . 2009-03-19 08:47 1 --a------ c:\windows\9g234sdfdfgjf23
2009-03-19 08:35 . 2009-03-19 08:34 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-05 17:31 . 2009-03-18 08:33 <DIR> d-------- c:\program files\Yahoo!
2009-02-20 22:54 . 2009-02-24 01:10 5,120 --ahs---- c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 23:46 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-20 14:23 --------- d-----w c:\documents and settings\Studio\Application Data\Lavasoft
2009-03-20 14:22 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-19 12:34 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-18 12:33 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-03-13 05:36 --------- d-----w c:\program files\Trillian
2009-03-11 20:47 --------- d-----w c:\documents and settings\Studio\Application Data\uTorrent
2009-03-05 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-05 21:28 --------- d-----w c:\documents and settings\Studio\Application Data\skypePM
2009-02-23 12:40 --------- d-----w c:\program files\Common Files\LogiShrd
2009-02-15 15:47 --------- d-----w c:\documents and settings\Studio\Application Data\Apple Computer
2009-02-12 00:56 --------- d-----w c:\program files\iTunes
2009-02-12 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-12 00:55 --------- d-----w c:\program files\iPod
2009-02-12 00:55 --------- d-----w c:\program files\Common Files\Apple
2009-02-12 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-12 00:54 --------- d-----w c:\program files\QuickTime
2009-02-12 00:54 --------- d-----w c:\program files\Bonjour
2009-02-12 00:50 --------- d-----w c:\program files\Apple Software Update
2009-02-12 00:49 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-01-30 02:19 --------- d-----w c:\program files\Winamp
2006-09-21 12:32 784 -c--a-w c:\documents and settings\Studio\Application Data\mpauth.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-20_ 9.45.07.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-20 23:44:05 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 67184]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-12-30 120640]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-03-10 35328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2006-12-15 435736]

c:\documents and settings\Studio\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2005-03-15 1646592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"vidc.xvid"= xvid.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 14:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 03:56 1667584 c:\program files\messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 17:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\drivers\uacflt.sys [2005-09-20 21276]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-12-30 153416]
.
Contents of the 'Scheduled Tasks' folder

2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-sysldtray - c:\windows\ld02.exe
HKLM-Run-pp - c:\windows\pp04.exe


.
------- Supplementary Scan -------
.
uStart Page =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - ProfilePath - c:\documents and settings\Studio\Application Data\Mozilla\Firefox\Profiles\93p8ihcg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 19:45:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-20 19:51:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 23:50:36
ComboFix2.txt 2009-03-20 13:48:52

Pre-Run: 43,107,905,536 bytes free
Post-Run: 43,095,994,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

178

Edited by panic788, 20 March 2009 - 06:57 PM.
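
The ComboFix log above records the same indicators the thread walks through: a browser proxy pointed at localhost:7171 (post #4), Security Center notifications switched off, and autostart entries dropped straight into c:\windows. As an added example that is not a tool from this thread or from the BleepingComputer helpers, the following Python script flags those patterns in ComboFix/DDS style log lines; the sample lines are constructed to mimic the log formats posted here, and the rule names and thresholds are the author's own choices.

```python
"""Triage ComboFix / DDS style log lines for the indicators seen in this thread:
a browser proxy on localhost, Security Center notifications switched off,
firewall ports opened globally (correlated with the proxy port), and autostart
entries whose target sits directly in %windir% or a user profile root.
Added example; the sample lines below are constructed in ComboFix/DDS format.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the ComboFix and DDS output in the thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7171:TCP"= 7171:TCP:*:Enabled:proxy
"80:TCP"= 80:TCP:*:Enabled:web
HKLM-Run-sysldtray - c:\windows\ld02.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
uRun: [Mike] c:\documents and settings\studio\Mike.exe
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Windows' own firewall exceptions are named by a resource string in
# xpsp2res.dll; exceptions with a free-form name were added by something else.
BUILTIN_PORT_NAME = "@xpsp2res.dll"

# Autostart targets sitting directly in %windir% or a profile root (not in a
# subfolder) are unusual for legitimate software (ld02.exe, pp04.exe, Mike.exe).
SUSPECT_DIRS = re.compile(r"^(c:\\windows|c:\\documents and settings\\[^\\]+)$", re.I)

RUN_PATTERNS = (
    # ComboFix "ORPHANS REMOVED" format: HKLM-Run-<name> - <path>
    re.compile(r"^HKLM-Run-(?P<name>\S+) - (?P<path>.+\.exe)", re.I),
    # DDS format: uRun/mRun/dRun[Once]: [<name>] "<path>" args
    re.compile(r'^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?\.exe)', re.I),
)
PORT_LINE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>.*)$', re.I)
NOTIFY_LINE = re.compile(r'^"(?P<key>\w+DisableNotify)"=dword:0*1$', re.I)
PROXY_LINE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.I)


def parse_proxy(value: str) -> Tuple[str, str]:
    """Return (host, port) of the first proxy entry, e.g. 'http=localhost:7171'."""
    first = value.split(";")[0]
    host_port = first.split("=", 1)[-1]
    host, sep, port = host_port.rpartition(":")
    if not sep:
        return host_port, ""
    return host.strip("[]"), port


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the log once, tracking the current registry section for context."""
    findings: List[Dict[str, str]] = []
    section = ""
    proxy_port = ""
    open_ports: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        m = PROXY_LINE.search(line)
        if m:
            host, port = parse_proxy(m.group("value"))
            if host.lower() in LOOPBACK:
                proxy_port = port
                findings.append({"rule": "loopback-proxy",
                                 "detail": f"browser proxied through {host}:{port}", "line": line})
            continue
        m = NOTIFY_LINE.match(line)
        if m and "security center" in section:
            findings.append({"rule": "securitycenter-notify-off",
                             "detail": f"{m.group('key')} set to 1", "line": line})
            continue
        m = PORT_LINE.match(line)
        if m and "globallyopenports" in section:
            open_ports.append((m.group("port"), m.group("proto").upper(), line))
            continue
        for pat in RUN_PATTERNS:
            m = pat.match(line)
            if m:
                directory = m.group("path").rsplit("\\", 1)[0]
                if SUSPECT_DIRS.match(directory):
                    findings.append({"rule": "autostart-odd-location",
                                     "detail": f"{m.group('name')} -> {m.group('path')}", "line": line})
                break
    # Firewall entries are judged after the pass so they can be correlated with the proxy port.
    for port, proto, line in open_ports:
        if port == proxy_port and proto == "TCP":
            findings.append({"rule": "proxy-port-open-globally",
                             "detail": f"proxy port {port}/TCP is also opened in the firewall", "line": line})
        elif BUILTIN_PORT_NAME not in line:
            findings.append({"rule": "nonbuiltin-open-port",
                             "detail": f"{port}/{proto} opened with a non-Windows exception name", "line": line})
    return findings


def rule_names(log_text: str) -> List[str]:
    return [f["rule"] for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}")
```

Run it against a saved ComboFix.txt or DDS.txt; a loopback proxy that reappears after reboot together with its port opened in the firewall is the combination this thread's CFScript removed.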


#7 kahdah (Security Colleague)

Posted 21 March 2009 - 07:17 AM

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\9g234sdfdfgjf23
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=========================
Please post these logs in your next reply:
  • Ot Move it log
  • Malware Bytes log
  • New DDS log


#8 panic788 (Topic Starter)

Posted 21 March 2009 - 11:24 AM

Logs


========== FILES ==========
c:\windows\9g234sdfdfgjf23 moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Studio\LOCALS~1\Temp\etilqs_adKZrgJadQrhYx2ebv6q scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Studio\LOCALS~1\Temp\Perflib_Perfdata_d84.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7bc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Studio\Local Settings\Application Data\Mozilla\Firefox\Profiles\93p8ihcg.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Studio\Local Settings\Application Data\Mozilla\Firefox\Profiles\93p8ihcg.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03212009_120932

Files moved on Reboot...
File C:\DOCUME~1\Studio\LOCALS~1\Temp\etilqs_adKZrgJadQrhYx2ebv6q not found!
File C:\DOCUME~1\Studio\LOCALS~1\Temp\Perflib_Perfdata_d84.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_7bc.dat not found!
C:\Documents and Settings\Studio\Local Settings\Application Data\Mozilla\Firefox\Profiles\93p8ihcg.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Studio\Local Settings\Application Data\Mozilla\Firefox\Profiles\93p8ihcg.default\XUL.mfl moved successfully.




Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/21/2009 1:36:33 PM
mbam-log-2009-03-21 (13-36-33).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 150419
Time elapsed: 1 hour(s), 8 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS (Ver_09-03-16.01) - NTFSx86
Run by Mike at 13:37:44.36 on Sat 03/21/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.40 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Studio\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x092f -f video -m logitech -d 10.5.0.1091
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\studio\applic~1\mozilla\firefox\profiles\93p8ihcg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-03-21 12:25 <DIR> --d----- c:\docume~1\studio\applic~1\Malwarebytes
2009-03-21 12:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 12:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-21 12:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-21 12:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-21 12:09 <DIR> --d----- C:\_OTMoveIt
2009-03-20 19:36 <DIR> a-dshr-- C:\cmdcons
2009-03-20 09:31 161,792 a------- c:\windows\SWREG.exe
2009-03-20 09:31 98,816 a------- c:\windows\sed.exe
2009-03-20 00:17 <DIR> --d----- c:\program files\Enigma Software Group
2009-03-19 18:39 <DIR> --d----- c:\program files\common files\Intel
2009-03-19 18:39 <DIR> --d----- c:\program files\CounterPath
2009-03-19 09:38 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-19 09:13 <DIR> --d----- c:\program files\Trend Micro
2009-03-19 08:35 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-05 17:31 <DIR> --d----- c:\program files\Yahoo!
2009-02-20 22:54 5,120 a--sh--- c:\windows\system32\Thumbs.db

==================== Find3M ====================

2009-03-19 08:34 410,984 a------- c:\windows\system32\deploytk.dll
2006-09-21 08:32 784 ac------ c:\docume~1\studio\applic~1\mpauth.dat

============= FINISH: 13:46:36.90 ===============

Edited by panic788, 21 March 2009 - 12:52 PM.


#9 kahdah (Security Colleague)

Posted 21 March 2009 - 01:55 PM

Please go HERE to run Panda's ActiveScan 2.0
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the yellow bar to install the active x control.
  • Then click Install.
  • It will begin to download and scan.
  • When the scan completes, click on the Export now button then save the file to your desktop.
  • Close Active scan 2.0

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#10 panic788 (Topic Starter)

Posted 21 March 2009 - 06:14 PM

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-03-21 19:13:58
PROTECTIONS: 1
MALWARE: 26
SUSPECTS: 5
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec AntiVirus Corporate Edition 9.0.3.1000 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.trafficmp.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\iddd7l4r.slt\cookies.txt[.atdmt.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.247realmedia.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.tribalfusion.com/]
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.anm.co.uk/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.azjmp.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\iddd7l4r.slt\cookies.txt[.statcounter.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[ad.yieldmanager.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.bs.serving-sys.com/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.adtech.de/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mike\Application Data\Mozilla\Profiles\default\2cdpmjak.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\iddd7l4r.slt\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\iddd7l4r.slt\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.questionmarket.com/]
00192311 Adware/IST.ISTBar Adware No 1 Yes No C:\Documents and Settings\Mike\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-1acbfb0e.zip[javainstaller/InstallerApplet.class]
00251936 Adware/Maxifiles Adware No 1 No No C:\WINDOWS\system32\removefunc.ram[C:\WINDOWS\system32\removefunc.ram][mc-110-12-0000230.exe]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Mike\Application Data\Mozilla\Profiles\default\2cdpmjak.slt\cookies.txt[.atwola.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Studio\Application Data\Mozilla\Profiles\default\3675r89i.slt\cookies.txt[.atwola.com/]
00263785 Adware/PurityScan Adware No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\YSTEM~1\svchost.exe.vir
00277243 Adware/Maxifiles Adware No 1 Yes No C:\WINDOWS\system32\removefunc.ram
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{0451BE39-EEBA-4EB8-B5D5-635DACC5D490}\RP3\A0000323.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{0451BE39-EEBA-4EB8-B5D5-635DACC5D490}\RP2\A0000066.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{0451BE39-EEBA-4EB8-B5D5-635DACC5D490}\RP3\A0000292.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{0451BE39-EEBA-4EB8-B5D5-635DACC5D490}\RP2\A0000026.sys
03074964 Trj/CI.A Virus/Trojan No 0 No No C:\WINDOWS\system32\removefunc.ram[C:\WINDOWS\system32\removefunc.ram][manager.exe]
03074964 Trj/CI.A Virus/Trojan No 0 No No C:\Documents and Settings\Studio\Desktop\samples.cab[c:\windows\ld02.exe]
03074964 Trj/CI.A Virus/Trojan No 0 No No C:\Documents and Settings\Studio\Desktop\samples.cab[c:\windows\pp04.exe]
03582573 Generic Malware Virus/Trojan No 0 Yes No C:\Studio\n-Track.Studio.4.0.4.Build.1811_CRK-FFF.zip[crack.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\Mike\Application Data\Mozilla\Profiles\default\2cdpmjak.slt\Cache\846B082Fd01[Crack.exe]
No C:\Documents and Settings\Mike\Application Data\Mozilla\Profiles\default\2cdpmjak.slt\Cache\D7CDAE5Ed01[Crack.exe]
No C:\Documents and Settings\Studio\Desktop\ComboFix.exe
No C:\Qoobox\Quarantine\C\WINDOWS\system32\digeste.dll.vir
No C:\Studio\n-Track.Studio.4.0.5.Build.1846_CRK-FFF.zip[Crack.exe]
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170911 HIGH MS07-050
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141034 HIGH MS06-076
141033 MEDIUM MS06-075
141030 HIGH MS06-072
137571 HIGH MS06-070
137568 HIGH MS06-067
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
131654 HIGH MS06-055
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126083 HIGH MS06-042
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
120825 MEDIUM MS06-032
120823 MEDIUM MS06-030
120818 HIGH MS06-025
120815 HIGH MS06-022
120814 HIGH MS06-021
117384 MEDIUM MS06-018
114666 HIGH MS06-015
114664 HIGH MS06-013
108744 MEDIUM MS06-008
108743 MEDIUM MS06-007
108742 MEDIUM MS06-006
104567 HIGH MS06-002
104237 HIGH MS06-001
96574 HIGH MS05-053
93395 HIGH MS05-051
93394 HIGH MS05-050
93454 MEDIUM MS05-049
;===================================================================================================================================================================================

Edited by panic788, 21 March 2009 - 06:17 PM.
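The Panda export above reports 26 "malware" hits, but most rows are tracking cookies, and several of the real detections sit in System Restore snapshots (`C:\System Volume Information\_restore...`) or in ComboFix's quarantine (`C:\Qoobox\Quarantine`), where they are inert until restored; that is why the helper's next step targets only four live paths and the final cleanup asks for the restore points to be reset. The Python script below is an added example, not part of the original thread: it parses the MALWARE table of an ActiveScan 2.0 export in the layout shown above, discards cookie noise, sets aside hits in restore points and quarantine, and collapses the remaining rows to the on-disk files that actually need removing. The column regex and the list of inert prefixes are my assumptions, derived from the rows on this page; the sample rows are copied from the export above.

```python
import re

# One row of the Panda ActiveScan 2.0 MALWARE table. Columns are space-separated,
# but Description and Location may themselves contain spaces, so the pattern
# anchors on the fixed-format fields between them: Type is one token,
# Active/Disinfectable/Disinfected are Yes|No, Severity is a digit.
# Layout assumed from the rows shown in the thread.
ROW_RE = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) (?P<active>Yes|No) "
    r"(?P<sev>\d) (?P<disinf>Yes|No) (?P<disinfected>Yes|No) (?P<loc>.+)$"
)

# Locations that are not live on the running system: System Restore snapshots
# and ComboFix's quarantine. Hits there are cleaned by resetting restore points
# and deleting the quarantine folder, not by moving the file.
INERT_PREFIXES = (
    "c:\\system volume information\\_restore",
    "c:\\qoobox\\quarantine",
)

# Constructed sample: a subset of the rows from the export above, copied verbatim.
SAMPLE = """\
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\\Documents and Settings\\Studio\\Application Data\\Mozilla\\Profiles\\default\\3675r89i.slt\\cookies.txt[.trafficmp.com/]
00192311 Adware/IST.ISTBar Adware No 1 Yes No C:\\Documents and Settings\\Mike\\Application Data\\Sun\\Java\\Deployment\\cache\\javapi\\v1.0\\jar\\javainstaller.jar-5aa0b436-1acbfb0e.zip[javainstaller/InstallerApplet.class]
00251936 Adware/Maxifiles Adware No 1 No No C:\\WINDOWS\\system32\\removefunc.ram[C:\\WINDOWS\\system32\\removefunc.ram][mc-110-12-0000230.exe]
00263785 Adware/PurityScan Adware No 0 Yes No C:\\Qoobox\\Quarantine\\C\\WINDOWS\\YSTEM~1\\svchost.exe.vir
00277243 Adware/Maxifiles Adware No 1 Yes No C:\\WINDOWS\\system32\\removefunc.ram
01185375 Application/Psexec.A HackTools No 0 Yes No C:\\System Volume Information\\_restore{0451BE39-EEBA-4EB8-B5D5-635DACC5D490}\\RP3\\A0000323.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\\System Volume Information\\_restore{0451BE39-EEBA-4EB8-B5D5-635DACC5D490}\\RP3\\A0000292.sys
03074964 Trj/CI.A Virus/Trojan No 0 No No C:\\WINDOWS\\system32\\removefunc.ram[C:\\WINDOWS\\system32\\removefunc.ram][manager.exe]
03074964 Trj/CI.A Virus/Trojan No 0 No No C:\\Documents and Settings\\Studio\\Desktop\\samples.cab[c:\\windows\\ld02.exe]
03582573 Generic Malware Virus/Trojan No 0 Yes No C:\\Studio\\n-Track.Studio.4.0.4.Build.1811_CRK-FFF.zip[crack.exe]
"""


def parse_rows(text):
    """Yield one dict per MALWARE row; lines that do not match the layout are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def container_path(location):
    """Strip the '[inner member]' suffixes Panda appends for archive members and
    multi-part detections, leaving the on-disk file that must actually be moved."""
    return location.split("[", 1)[0]


def triage(text):
    """Split a report into cookie noise, hits in inert locations (restore points,
    quarantine), and a de-duplicated map of live files to the names that hit them."""
    cookies = 0
    inert = []
    live = {}  # container path -> set of detection names
    for row in parse_rows(text):
        if row["type"] == "TrackingCookie":
            cookies += 1
            continue
        path = container_path(row["loc"])
        if path.lower().startswith(INERT_PREFIXES):
            inert.append((row["desc"], path))
            continue
        live.setdefault(path, set()).add(row["desc"])
    return {"cookies": cookies, "inert": inert, "live": live}


def live_paths(text):
    """The actionable list: one entry per on-disk file, however many archive
    members or signatures fired on it."""
    return sorted(triage(text)["live"])


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"tracking cookies (noise): {result['cookies']}")
    print("in restore points / quarantine (reset restore points, delete quarantine):")
    for desc, path in result["inert"]:
        print(f"  {desc:24} {path}")
    print("live files to remove:")
    for path, names in sorted(result["live"].items()):
        print(f"  {path}  <- {', '.join(sorted(names))}")
```

Run against the sample rows, `live_paths()` yields exactly the four files the helper lists for OTMoveIt3 in the next post; the Booto.C driver and the PsExec copies fall into the restore-point bucket, which is the reason the cleanup step later insists on flushing System Restore before calling the machine clean.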


#11 kahdah (Security Colleague)

Posted 21 March 2009 - 08:15 PM

  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\WINDOWS\system32\removefunc.ram
    C:\Documents and Settings\Studio\Desktop\samples.cab
    C:\Studio\n-Track.Studio.4.0.4.Build.1811_CRK-FFF.zip
    C:\Documents and Settings\Mike\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-1acbfb0e.zip
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Using cracked software will 9 times out of 10 get you infected.
Please do not use that type of software if you want to stay clean.

After that post one more DDS log and let me know how things are running.

#12 panic788 (Topic Starter)

Posted 22 March 2009 - 04:19 AM

========== FILES ==========
C:\WINDOWS\system32\removefunc.ram moved successfully.
File/Folder C:\Documents and Settings\Studio\Desktop\samples.cab moved successfully.
C:\Studio\n-Track.Studio.4.0.4.Build.1811_CRK-FFF.zip moved successfully.
C:\Documents and Settings\Mike\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-1acbfb0e.zip moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03222009_051625


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mike at 5:20:16.72 on Sun 03/22/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.104 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Studio\Desktop\OTMoveIt3.exe
C:\Documents and Settings\Studio\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x092f -f video -m logitech -d 10.5.0.1091
StartupFolder: c:\docume~1\studio\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\studio\applic~1\mozilla\firefox\profiles\93p8ihcg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-10 255600]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-10 243312]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-12-30 1107784]
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\drivers\uacflt.sys [2005-9-20 21276]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090320.003\naveng.sys [2009-3-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090320.003\navex15.sys [2009-3-20 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-10 87664]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-12-30 153416]

=============== Created Last 30 ================

2009-03-21 19:20 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-03-21 16:13 <DIR> --d----- c:\program files\Panda Security
2009-03-21 12:25 <DIR> --d----- c:\docume~1\studio\applic~1\Malwarebytes
2009-03-21 12:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 12:25 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-21 12:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-21 12:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-21 12:09 <DIR> --d----- C:\_OTMoveIt
2009-03-20 19:36 <DIR> a-dshr-- C:\cmdcons
2009-03-20 09:31 161,792 a------- c:\windows\SWREG.exe
2009-03-20 09:31 98,816 a------- c:\windows\sed.exe
2009-03-20 00:17 <DIR> --d----- c:\program files\Enigma Software Group
2009-03-19 18:39 <DIR> --d----- c:\program files\common files\Intel
2009-03-19 18:39 <DIR> --d----- c:\program files\CounterPath
2009-03-19 09:38 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-19 09:13 <DIR> --d----- c:\program files\Trend Micro
2009-03-19 08:35 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-05 17:31 <DIR> --d----- c:\program files\Yahoo!
2009-02-20 22:54 5,120 a--sh--- c:\windows\system32\Thumbs.db

==================== Find3M ====================

2009-03-19 08:34 410,984 a------- c:\windows\system32\deploytk.dll
2006-09-21 08:32 784 ac------ c:\docume~1\studio\applic~1\mpauth.dat

============= FINISH: 5:21:08.91 ===============


Things seem to be working well again.

Edited by panic788, 22 March 2009 - 04:22 AM.
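The second DDS log still carries `uInternet Settings,ProxyServer = http=localhost:7171`, the setting the opening post describes as reverting after every reboot, together with three BHO/TB entries whose DLLs no longer exist. Nothing in the thread says what listened on that port, so the practitioner's point is to check rather than assume. The Python script below is an added example, not part of the original thread: it pulls the loopback proxy and the orphaned entries out of Pseudo HJT lines copied from the log above, and traces a proxy port back to a PID in `netstat -ano` output. The netstat lines, and the PID 1704 in them, are constructed for the example and are not from this machine; the line patterns are my reading of the DDS layout shown on this page.

```python
import re

# Constructed sample: Pseudo HJT Report lines from the DDS log above, copied verbatim.
DDS_SAMPLE = """\
uStart Page =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
"""

# Constructed sample of `netstat -ano` output on Windows XP. The PID 1704 is
# hypothetical; it exists only to show how a port is traced back to a process.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    127.0.0.1:7171         0.0.0.0:0              LISTENING       1704
  TCP    127.0.0.1:7171         127.0.0.1:1066         ESTABLISHED     1704
  UDP    0.0.0.0:445            *:*                                    4
"""

LOOPBACK = ("localhost", "127.0.0.1")

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
NOFILE_RE = re.compile(r"^(?P<kind>BHO|TB|EB): (?P<rest>.*) - No File$")


def parse_proxy_value(value):
    """Split a WinINet ProxyServer value into {scheme: (host, port)}.
    The value is either 'host:port' (applies to all protocols, keyed '*')
    or a ';'-separated list like 'http=host:port;https=host:port'."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        proxies[scheme or "*"] = (host, int(port) if port.isdigit() else None)
    return proxies


def loopback_proxies(text):
    """Return [(scheme, host, port)] for every proxy that points back at the
    local machine. A loopback proxy is a finding to confirm, not a verdict:
    something local must be listening on that port for it to work at all."""
    found = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        for scheme, (host, port) in parse_proxy_value(m["value"]).items():
            if host.lower() in LOOPBACK:
                found.append((scheme, host, port))
    return found


def orphaned_entries(text):
    """BHO/TB/EB entries whose DLL is gone ('No File'): leftovers of an earlier
    removal, harmless in themselves but worth clearing so the next log is clean."""
    found = []
    for line in text.splitlines():
        m = NOFILE_RE.match(line.strip())
        if m:
            found.append((m["kind"], m["rest"]))
    return found


def pids_listening_on(netstat_text, port):
    """PIDs holding a TCP LISTENING socket on `port`, parsed from `netstat -ano`
    output. Feed the result to `tasklist /fi "PID eq N"` to name the process."""
    pids = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            if fields[1].rsplit(":", 1)[-1] == str(port):
                pids.add(int(fields[4]))
    return sorted(pids)


if __name__ == "__main__":
    for scheme, host, port in loopback_proxies(DDS_SAMPLE):
        print(f"proxy for {scheme} points at {host}:{port}; "
              f"listening PIDs: {pids_listening_on(NETSTAT_SAMPLE, port)}")
    for kind, rest in orphaned_entries(DDS_SAMPLE):
        print(f"orphaned {kind}: {rest}")
```

On XP the value lives in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable and ProxyServer); unticking the proxy box in the browser only edits that key, so if something re-writes it at startup the setting comes back, which is the behaviour the opening post reports. Identify and remove whatever holds the listening socket first, then clear the key, and confirm in a fresh DDS log that the ProxyServer line is gone.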


#13 kahdah (Security Colleague)

Posted 22 March 2009 - 07:51 AM

Cleanup:

Please download OTCleanIt from Here and save it to your desktop.
Double-click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
===============
Delete/uninstall anything else that we have used.

Including this folder C:\Rsit

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbup2:


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - a tutorial on what you can do if your computer is slow.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#14 panic788

panic788
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:03 AM

Posted 22 March 2009 - 08:49 AM

Thanks a bunch for all of your help. :thumbup2:

#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:03 AM

Posted 22 March 2009 - 08:57 AM

You are welcome :thumbup2:


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.