background sound advertisements


#1 sbg711

Posted 20 April 2009 - 07:31 AM

Seems like this is the second time I got infected with this. Last time I had to format my root drive to get rid of it as no anti-virus/spyware/adware/etc could detect it. Yet now I'm stuck with it again and don't feel like formatting my drives anymore >.<

Here's the deal. At random, I get background sound advertisements in Chinese (as in even when I have no apps running with a clean and tidy desktop, it suddenly starts broadcasting some Chinese news guy in the background, sometimes just plain music, sometimes wardrobe advertisements in English). I also constantly keep hearing the 'IE page refresh' sound in between the advertisements. Yet iexplorer.exe isn't running in the processes. (nor any other browser)

So far I probably tried all possible methods I could find to solve the problem, and alas, none of them worked out so far.
Hope you guys can help...

here's my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:37 PM, on 4/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\FlashGet\FlashGet.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
d:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\mstmpxmldown.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\taskmagr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - d:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Flashget] D:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [UVS12 Preload] d:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - https://secwebclinic.ahnlab.com/asp/cab/mkdplus.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c95d70f04b015c) (gupdate1c95d70f04b015c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - d:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Microsoft NtfsSvc Manager Service (NtfsSvc) - Unknown owner - C:\WINDOWS\System32\mstmpxmldown.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Oniblade Drivers Auto Removal (pr2anwwb) (pr2anwwb) - 1C: Multimedia - C:\WINDOWS\system32\pr2anwwb.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6920 bytes

Thanks in advance

Edited by sbg711, 20 April 2009 - 07:32 AM.



#2 sbg711


Posted 20 April 2009 - 09:34 AM

OK, I finally seem to have found the cause, which is nvsvc32.exe. The sound stops as soon as I end its process via the task manager, yet it instantly restarts the process on its own. Deleting it from the system32 folder and blocking it via HijackThis doesn't seem to work.
Any suggestions?

#3 teacup61


Posted 20 April 2009 - 10:43 AM

Hello sbg711,


Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following file(s)(if they exist):

C:\WINDOWS\system32\SkypeComm.dll

Reboot your computer.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
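The entries teacup61 picks out above (an orphaned BHO, a BHO DLL sitting in system32, services with no vendor or a missing binary) can be surfaced mechanically from the HijackThis log format. The script below is an added example, not a BleepingComputer or HijackThis tool; its heuristics are this example's own, and the sample lines are copied from the first log in the thread.

```python
"""Triage of a Trend Micro HijackThis v2 log (the format posted in this thread).

Added example, not a HijackThis or BleepingComputer tool. The heuristics are
this example's own and only point at entries worth a second look.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Skype Control Class - {9018F6A8-2495-45DF-9F16-C738F8F3C8FF} - C:\WINDOWS\system32\SkypeComm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Microsoft NtfsSvc Manager Service (NtfsSvc) - Unknown owner - C:\WINDOWS\System32\mstmpxmldown.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Oniblade Drivers Auto Removal (pr2anwwb) (pr2anwwb) - 1C: Multimedia - C:\WINDOWS\system32\pr2anwwb.exe
"""


@dataclass
class Finding:
    code: str     # HijackThis section code, e.g. "O2" or "O23"
    subject: str  # BHO name, service display name, or the raw entry body
    reason: str


ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]+\}$")
SYSTEM32_RE = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def parse_entry(line):
    """Split one log line into (code, body); non-entry lines give None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def parse_bho(body):
    """Parse 'BHO: <name> - {CLSID} - <dll path>' into a dict."""
    parts = body[len("BHO: "):].rsplit(" - ", 2)
    if len(parts) != 3 or not CLSID_RE.match(parts[1]):
        return None
    return {"name": parts[0], "clsid": parts[1], "path": parts[2]}


def parse_service(body):
    """Parse 'Service: <display name> - <vendor> - <binary path>' into a dict.

    Splitting from the right keeps display names that themselves contain ' - '."""
    parts = body[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    return {"name": parts[0], "vendor": parts[1], "path": parts[2]}


def triage(log_text):
    """Return a list of Findings, in log order, for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        code, body = entry
        if code == "R3" and "is missing" in body:
            findings.append(Finding(code, body, "default URLSearchHook missing; HijackThis can restore it"))
        elif code == "O2" and body.startswith("BHO: "):
            bho = parse_bho(body)
            if bho is None:
                continue
            if bho["path"] == "(no file)":
                findings.append(Finding(code, bho["name"], "orphaned BHO registration: DLL no longer on disk"))
            elif SYSTEM32_RE.search(bho["path"]):
                # Heuristic: vendor BHOs normally live under an application
                # folder, not loose in system32.
                findings.append(Finding(code, bho["name"], "BHO DLL sits directly in system32 (heuristic)"))
        elif code == "O23" and body.startswith("Service: "):
            svc = parse_service(body)
            if svc is None:
                continue
            if svc["path"].endswith("(file missing)"):
                findings.append(Finding(code, svc["name"], "service binary missing on disk"))
            elif svc["vendor"] == "Unknown owner":
                reason = "service with no vendor string"
                if "microsoft" in svc["name"].lower():
                    reason = "Microsoft-sounding service name with no vendor string"
                findings.append(Finding(code, svc["name"], reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.subject}: {f.reason}")
```

Run against the full first log it also picks up the "Microsoft NtfsSvc Manager Service" entry backed by mstmpxmldown.exe, which neither HijackThis nor the helper's checklist called out by name.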

#4 sbg711


Posted 22 April 2009 - 09:08 AM

Thanks and I did everything as you suggested. Here are the logs.

Malwarebytes' Anti-Malware 1.36
Database version: 2025
Windows 5.1.2600 Service Pack 2

4/22/2009 4:59:25 PM
mbam-log-2009-04-22 (16-59-25).txt

Scan type: Quick Scan
Objects scanned: 87966
Time elapsed: 13 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\timeprotect (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\timeprotect (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\timeprotect (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\TimeProtect.sys (Rootkit.Agent) -> Delete on reboot.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:49 PM, on 4/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\FlashGet\FlashGet.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - d:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Flashget] D:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4587 bytes



#5 teacup61


Posted 22 April 2009 - 10:11 AM

Hello,

You're welcome. :thumbup2: How is it running now please? Has the original problem stopped?

tea

#6 sbg711


Posted 23 April 2009 - 11:29 PM

Well I still keep hearing the page refresh sounds out of nowhere, but the ads themselves seem to be gone.
I guess you can close the thread, and in case the problem shows itself again, I'll just open a new one :thumbup2:
And thanks again for your help.

#7 teacup61


Posted 24 April 2009 - 12:51 PM

No no! I just wanted to know how it was running. I'm not done with you yet. :thumbup2:

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

I'd like to see another run with MBAM to be sure those files that say "Delete on reboot" are really gone. If not we need to do something different. Post the report if they're still there. :)

Thanks,
tea

#8 sbg711


Posted 24 April 2009 - 01:58 PM

doesn't seem like they're gone >.<

Malwarebytes' Anti-Malware 1.36
Database version: 2025
Windows 5.1.2600 Service Pack 2

4/24/2009 9:57:44 PM
mbam-log-2009-04-24 (21-57-38).txt

Scan type: Quick Scan
Objects scanned: 105910
Time elapsed: 14 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\timeprotect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\timeprotect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\timeprotect (Rootkit.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\TimeProtect.sys (Rootkit.Agent) -> No action taken.


(P.S. I didn't reboot this time as it didn't work last time anyways :thumbup2: )

Edited by sbg711, 24 April 2009 - 01:59 PM.
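The check teacup61 asked for in #7 (are the "Delete on reboot" items really gone?) amounts to comparing the detection lines of two MBAM logs. The script below is an added example, not a Malwarebytes tool; its two sample logs are constructed from the detection sections posted in this thread, and the format regexes are this example's own reading of the log layout.

```python
"""Compare two Malwarebytes' Anti-Malware logs to confirm that items scheduled
for 'Delete on reboot' did not survive the reboot.

Added example, not a Malwarebytes tool. The sample logs are constructed from
the detection sections posted in this thread.
"""
import re

# Constructed sample: the detections from the 22 April run.
FIRST_RUN = r"""
Registry Keys Infected: 3
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\timeprotect (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\timeprotect (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\timeprotect (Rootkit.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\drivers\TimeProtect.sys (Rootkit.Agent) -> Delete on reboot.
"""

# Constructed sample: the same items reported again on 24 April.
SECOND_RUN = r"""
Registry Keys Infected: 3
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\timeprotect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\timeprotect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\timeprotect (Rootkit.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\drivers\TimeProtect.sys (Rootkit.Agent) -> No action taken.
"""

# "<item> (<family>) -> <action>."  The lazy item match lets paths contain
# parentheses such as "Program Files (x86)".
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>[^.]+)\.$")
# "<Kind> Infected: <n>" summary lines at the top of the log.
COUNT_RE = re.compile(r"^(?P<kind>[A-Za-z ]+ Infected): (?P<n>\d+)$")


def parse_items(log_text):
    """Map each detected item to its (family, action) pair.

    Keys are case-folded because NTFS paths and registry keys compare
    case-insensitively."""
    items = {}
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items[m.group("item").lower()] = (m.group("family"), m.group("action"))
    return items


def summary_counts(log_text):
    """Read the 'X Infected: n' summary lines."""
    counts = {}
    for line in log_text.splitlines():
        m = COUNT_RE.match(line.strip())
        if m:
            counts[m.group("kind")] = int(m.group("n"))
    return counts


def summary_matches_items(log_text):
    """True when the summary total equals the number of item lines found;
    a mismatch usually means a truncated paste."""
    return sum(summary_counts(log_text).values()) == len(parse_items(log_text))


def survived_reboot(first_log, second_log):
    """Items the first run scheduled for 'Delete on reboot' that the second
    run reported again, whatever action the second run recorded."""
    before = parse_items(first_log)
    after = parse_items(second_log)
    return sorted(item for item, (_, action) in before.items()
                  if action == "Delete on reboot" and item in after)


if __name__ == "__main__":
    leftovers = survived_reboot(FIRST_RUN, SECOND_RUN)
    if leftovers:
        print("still present after reboot:")
        for item in leftovers:
            print("  " + item)
    else:
        print("all scheduled deletions took effect")
```

A non-empty result is the signal teacup61 describes as "we need to do something different": a service key that reappears under all three ControlSet branches together with its driver file points at something re-creating them on boot, not at a deferred delete that simply has not run yet.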


#9 teacup61


Posted 24 April 2009 - 02:20 PM

Hi there,

Thanks for that. :thumbup2:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If ComboFix will not run the first time, then rename ComboFix.exe to fluffycloud.exe and try it again. :)

Thanks,
tea

#10 sbg711


Posted 25 April 2009 - 04:23 AM

ComboFix 09-04-25.A1 - Shinra 04/25/2009 12:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.390 [GMT 3:00]
Running from: c:\documents and settings\Shinra\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-24 05:43 . 2009-04-24 05:43 221184 ----a-w c:\windows\system32\nvsvc32.exe
2009-04-23 15:27 . 2009-04-23 15:27 -------- d-----w c:\program files\DirectVobSub
2009-04-22 14:03 . 2009-04-22 14:03 4480 ----a-w c:\windows\system32\drivers\TimeProtect.sys
2009-04-22 13:44 . 2009-04-22 13:44 -------- d-----w c:\documents and settings\Shinra\Application Data\Malwarebytes
2009-04-22 13:44 . 2009-04-06 12:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-22 13:44 . 2009-04-06 12:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-22 13:44 . 2009-04-22 13:44 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 13:44 . 2009-04-22 13:44 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-20 15:29 . 2009-04-20 15:29 123 ----a-w c:\windows\rootkitno.ini
2009-04-20 15:29 . 2009-04-20 15:29 -------- d-----w C:\RootkitNO
2009-04-20 15:28 . 2009-04-20 15:29 -------- d-----w c:\program files\UnHackMe
2009-04-20 15:19 . 2009-04-20 15:19 195 ----a-w c:\windows\system32\Partizan.RRI
2009-04-20 15:19 . 2009-04-20 15:19 -------- d-----w c:\windows\RestoreSafeDeleted
2009-04-20 15:16 . 2009-04-20 15:16 2 --shatr c:\windows\winstart.bat
2009-04-20 15:14 . 2009-04-20 15:14 -------- d-----w c:\documents and settings\Shinra\Application Data\Regrun
2009-04-20 15:14 . 2009-04-20 15:14 -------- d-----w C:\backreg
2009-04-20 15:14 . 2003-09-06 12:55 57556 ----a-w c:\windows\guard.bmp
2009-04-19 16:01 . 2006-06-20 08:56 225280 ----a-w c:\windows\system32\rewire.dll
2009-04-19 16:01 . 2002-07-07 22:14 1294336 ----a-w c:\windows\system32\vorbis.acm
2009-04-19 16:01 . 2009-04-19 16:02 -------- d-----w c:\program files\Image-Line
2009-04-19 16:00 . 2009-04-19 16:00 -------- d-----w c:\program files\Outsim
2009-04-18 10:32 . 2009-04-18 10:32 -------- d-----w c:\program files\URUSoft
2009-04-17 17:06 . 2009-04-17 17:06 -------- d-s---w c:\documents and settings\Shinra\UserData
2009-04-17 17:00 . 2004-08-03 21:56 78336 ----a-w c:\windows\system32\browsewm.dll
2009-04-17 17:00 . 2004-08-03 21:56 53760 ----a-w c:\windows\system32\cryptext.dll
2009-04-17 17:00 . 2004-08-03 20:01 114688 ----a-w c:\windows\system32\asctrls.ocx
2009-04-17 16:55 . 2002-08-30 13:00 16384 ----a-w c:\windows\system32\icfgnt5.dll
2009-04-17 16:55 . 2004-08-03 21:56 81920 ----a-w c:\windows\system32\isign32.dll
2009-04-17 16:55 . 2004-08-03 21:56 73728 ----a-w c:\windows\system32\icwdial.dll
2009-04-17 16:55 . 2004-08-03 21:56 65536 ----a-w c:\windows\system32\icwphbk.dll
2009-04-17 16:55 . 2004-08-03 21:56 274432 ----a-w c:\windows\system32\inetcfg.dll
2009-04-15 14:10 . 2009-04-15 14:10 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-15 14:10 . 2009-04-15 14:10 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-15 14:09 . 2009-04-15 14:09 -------- d-sh--w c:\documents and settings\Shinra\IETldCache
2009-04-15 14:08 . 2009-04-15 14:08 -------- d-----w c:\windows\ie8updates
2009-04-15 14:07 . 2009-04-15 14:07 1374 ----a-w c:\windows\imsins.BAK
2009-04-15 14:05 . 2009-04-15 14:07 -------- dc-h--w c:\windows\ie8
2009-04-15 14:01 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-13 10:16 . 2009-04-13 10:16 -------- d-----w c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2009-04-13 07:49 . 2009-04-13 07:49 -------- d-----w c:\program files\CCleaner
2009-04-12 08:04 . 2009-04-12 08:04 -------- d-----w c:\documents and settings\LocalService\Application Data\DivX
2009-04-12 07:44 . 2009-04-12 07:44 -------- d-sh--w C:\found.000
2009-04-11 20:12 . 2009-04-11 20:12 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-11 18:43 . 2009-04-19 07:44 664 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\d3d9caps.dat
2009-04-11 18:43 . 2009-04-11 18:43 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2009-04-11 18:03 . 2009-04-11 18:03 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-04-11 10:07 . 2009-04-11 10:34 -------- d-----w C:\Downloads
2009-04-07 05:48 . 2009-04-01 21:14 2804893 ----a-w c:\windows\system32\GameMon.des
2009-03-28 16:21 . 2009-03-28 16:21 -------- d-----w c:\documents and settings\NetworkService\Application Data\Xfire
2009-03-28 16:16 . 2009-03-28 17:31 -------- d-----w c:\documents and settings\Shinra\Application Data\Xfire
2009-03-28 14:56 . 2009-03-28 14:56 -------- d-----w c:\documents and settings\Shinra\Application Data\Megaupload
2009-03-28 14:56 . 2009-03-28 14:56 -------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2009-03-28 14:56 . 2009-03-28 14:56 -------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2009-03-28 14:56 . 2009-03-28 14:56 -------- d-----w c:\program files\MegauploadToolbar
2009-03-28 14:56 . 2009-03-28 14:56 -------- d-----w c:\documents and settings\Shinra\Application Data\MegauploadToolbar
2009-03-28 14:56 . 2009-03-28 14:56 -------- d-----w c:\documents and settings\Shinra\Application Data\EmailNotifier
2009-03-28 14:55 . 2009-03-28 14:55 -------- d-----w c:\program files\Megaupload
2009-03-28 14:09 . 2009-03-28 14:09 -------- d-----w c:\program files\uTorrent
2009-03-28 14:09 . 2009-04-23 15:14 -------- d-----w c:\documents and settings\Shinra\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 19:10 . 2008-10-03 21:01 2568 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-24 19:01 . 2008-10-03 03:59 59936 ----a-w c:\documents and settings\Shinra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-24 15:59 . 2009-02-05 15:54 -------- d-----w c:\documents and settings\Shinra\Application Data\Skype
2009-04-24 13:41 . 2008-10-10 06:04 -------- d-----w c:\documents and settings\Shinra\Application Data\dvdcss
2009-04-24 13:02 . 2009-02-05 15:55 -------- d-----w c:\documents and settings\Shinra\Application Data\skypePM
2009-04-24 06:15 . 2008-10-03 03:22 106496 ----a-w c:\windows\system32\mnmsrvc.exe
2009-04-20 18:52 . 2009-03-21 20:21 -------- d-----w c:\documents and settings\Shinra\Application Data\Aegisub
2009-04-20 15:11 . 2009-01-13 17:43 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-20 14:03 . 2008-10-26 13:46 -------- d-----w c:\program files\Google
2009-04-16 04:01 . 2009-03-15 07:52 73728 ----a-w c:\windows\system32\imcomm.dll
2009-04-13 20:07 . 2009-02-25 05:57 -------- d-----w c:\documents and settings\Shinra\Application Data\tor
2009-04-13 20:07 . 2008-10-05 15:49 -------- d-----w c:\documents and settings\Shinra\Application Data\DNA
2009-04-13 11:23 . 2009-02-25 05:56 -------- d-----w c:\documents and settings\Shinra\Application Data\Vidalia
2009-04-13 07:57 . 2008-10-05 15:49 -------- d-----w c:\program files\DNA
2009-04-04 10:40 . 2009-03-19 18:03 -------- d-----w c:\documents and settings\Shinra\Application Data\vlc
2009-03-28 14:55 . 2008-10-03 03:45 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-25 16:23 . 2009-03-25 16:23 129 ----a-w c:\documents and settings\Shinra\Local Settings\Application Data\fusioncache.dat
2009-03-25 09:34 . 2009-03-25 09:34 -------- d-----w c:\program files\Common Files\DirectX
2009-03-25 06:08 . 2009-03-25 06:08 -------- d-----w c:\program files\Eltima Software
2009-03-25 05:59 . 2009-03-25 05:59 -------- d-----w c:\program files\Extract SWF!
2009-03-25 05:17 . 2009-03-25 05:15 -------- d-----w c:\program files\Speed Video Splitter
2009-03-24 20:57 . 2009-03-24 20:57 -------- d-----w c:\program files\Boilsoft Video Splitter
2009-03-21 22:50 . 2008-10-24 12:16 102984 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-21 15:31 . 2009-03-21 15:31 -------- d-----w c:\program files\DivXLand
2009-03-21 15:28 . 2009-03-21 15:28 -------- d-----w c:\program files\Subtitles Creator
2009-03-21 07:55 . 2009-01-11 17:36 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-20 22:25 . 2009-03-20 22:25 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-03-17 18:44 . 2009-03-17 18:44 -------- d-----w c:\program files\Musitek
2009-03-15 13:23 . 2009-01-14 17:37 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-13 11:36 . 2009-03-13 11:36 -------- d-----w c:\program files\Gabest
2009-03-13 11:34 . 2009-03-13 11:33 -------- d-----w c:\program files\VisualSubSync
2009-03-09 18:42 . 2004-07-17 08:36 163644 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-03-09 06:25 . 2008-12-28 10:15 -------- d-----w c:\program files\ICQ6.5
2009-03-08 01:33 . 2004-08-03 21:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 01:22 . 2002-08-30 13:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-07 12:48 . 2009-01-06 18:41 -------- d-----w c:\program files\Opera
2009-03-07 10:17 . 2009-03-07 10:17 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-07 10:17 . 2009-03-07 10:17 -------- d-----w c:\program files\NOS
2009-03-04 05:50 . 2009-03-04 05:42 -------- d-----w c:\program files\Common Files\Common Share
2009-03-04 05:39 . 2009-03-04 05:39 -------- d-----w c:\program files\Kingdia Software
2009-03-02 16:10 . 2009-03-02 16:10 -------- d-----w c:\program files\mkvtoavis
2009-02-25 05:56 . 2009-02-25 05:56 -------- d-----w c:\program files\Vidalia Bundle
2009-02-25 05:53 . 2009-02-25 05:16 -------- d-----w c:\program files\ProxyWay
2009-02-06 16:52 . 2009-02-06 16:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-01-31 10:31 . 2008-10-02 20:03 98304 ----a-w c:\windows\DUMP738a.tmp
2008-10-03 21:10 . 2008-10-03 21:01 88 --sh--r c:\windows\system32\734EA540A2.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-20_15.49.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-03 03:21 . 2002-08-30 13:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2008-10-02 20:08 . 2009-04-25 08:01 2297808 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
2007-05-16 05:05 163840 ----a-w d:\program files\FlashGet\getflash.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-03-01 172792]
"AdobeBridge"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"Flashget"="d:\program files\FlashGet\FlashGet.exe" [2007-06-29 1990704]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]

c:\documents and settings\Shinra\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"d:\\Program Files\\SmartHide\\SmartHide.exe"=
"d:\\Program Files\\FlashGet\\flashget.exe"=
"d:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"d:\\xampp\\mysql\\bin\\mysqld.exe"=
"d:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\ProxyWay\\proxyway.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\CABAL Online (SG MY)\\launcher\\update\\ESTdnheadless.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNt.sys [2008-10-17 131072]
R3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2008-10-17 79104]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-04-01 2804893]
R3 XDva219;XDva219; [x]
R3 XDva224;XDva224; [x]
R3 XDva269;XDva269; [x]
R4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S0 pe3anwwb;Oniblade Environment Driver (pe3anwwb);c:\windows\system32\drivers\pe3anwwb.sys [2007-11-08 64624]
S0 pf2anwwb;Oniblade File System Driver (pf2anwwb);c:\windows\system32\drivers\pf2anwwb.sys [2007-11-08 83568]
S0 ps7anwwb;Oniblade Synchronization Driver (ps7anwwb);c:\windows\system32\drivers\ps7anwwb.sys [2007-11-08 68216]
S1 TimeProtect;TimeProtect;c:\windows\system32\drivers\TimeProtect.sys [2009-04-22 4480]
S3 tap0801;Smarthide TAP driver;c:\windows\system32\DRIVERS\tap0801.sys [2007-10-12 55808]

.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - d:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - d:\program files\FlashGet\jc_link.htm
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\COMMON~1\Skype\SKYPE4~1.DLL
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
FF - ProfilePath - c:\documents and settings\Shinra\Application Data\Mozilla\Firefox\Profiles\h55s9ysp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPHoldemFireLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 12:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1336601894-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{78A80EFE-540E-3B82-5E09-66A576170C1A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oakaibnfmhhhokoafkcbpggianpako"=hex:6a,61,68,68,70,6b,65,70,67,68,6d,69,6e,6b,
6c,6e,65,64,66,65,00,5d
"naibcfllagnlbjagdibcjonikoon"=hex:6a,61,68,68,62,6b,6b,6e,68,68,61,68,67,61,
6d,6f,66,65,6c,67,00,5d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2688)
d:\program files\FlashGet\fgmgr.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-04-25 12:22
ComboFix-quarantined-files.txt 2009-04-25 09:22
ComboFix2.txt 2009-04-20 15:50

Pre-Run: 6,385,451,008 bytes free
Post-Run: 6,967,009,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

258



#11 sbg711
  • Topic Starter
  • Members
  • 7 posts

Posted 27 April 2009 - 07:06 AM

also started getting this thingy after running those progs.
Attached File  mvc.png   7KB   14 downloads

#12 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 April 2009 - 11:48 AM

Hello,

Well, with everything you've run on your own, plus the torrents, plus the malware, I'm not surprised. Check Nvidia. You also ran ComboFix twice, so I can't see what happened the first time. :thumbup2: You may have to reinstall your video card and/or drivers.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\timeprotect]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\timeprotect]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\timeprotect]

File::
C:\WINDOWS\system32\drivers\TimeProtect.sys

Driver::
TimeProtect


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

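After ComboFix has processed the CFScript above, a helper reading the next log wants to know that the three Services keys, the driver file and the driver object are really gone. The following is an added example, not part of the thread and not a ComboFix feature: it is a read-only Windows PowerShell check that assumes PowerShell is installed on the machine, takes the service name, registry key paths and driver path from the CFScript in the post, and uses a hypothetical New-Finding helper to collect results.

```powershell
# Added example (not from the thread, not ComboFix output): read-only check that the
# items the CFScript asks ComboFix to remove are gone. Service name, registry keys and
# driver path are copied from the script in the post; New-Finding is an assumed helper.

$serviceName = 'timeprotect'
$driverFile  = Join-Path $env:SystemRoot 'system32\drivers\TimeProtect.sys'

$keys = @(
    "HKLM:\SYSTEM\ControlSet001\Services\$serviceName",
    "HKLM:\SYSTEM\ControlSet002\Services\$serviceName",
    "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
)

function New-Finding([string]$Item, [string]$Status, [string]$Detail = '') {
    New-Object PSObject -Property @{ Item = $Item; Status = $Status; Detail = $Detail }
}

$report = @()

# 1. Registry: the three Services keys named in the CFScript.
foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        $props  = Get-ItemProperty -LiteralPath $key
        # Start: 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
        $detail = "ImagePath=$($props.ImagePath); Start=$($props.Start)"
        $report += New-Finding $key 'STILL PRESENT' $detail
    } else {
        $report += New-Finding $key 'removed'
    }
}

# 2. The driver file itself. If it survived, record size, timestamp and whether it
#    carries a valid Authenticode signature (the ComboFix log listed it at 4480 bytes).
if (Test-Path -LiteralPath $driverFile) {
    $file   = Get-Item -LiteralPath $driverFile
    $sig    = Get-AuthenticodeSignature -FilePath $driverFile
    $detail = "$($file.Length) bytes; written $($file.LastWriteTime); signature=$($sig.Status)"
    $report += New-Finding $driverFile 'STILL PRESENT' $detail
} else {
    $report += New-Finding $driverFile 'removed'
}

# 3. The Service Control Manager's view. A kernel driver can stay loaded until the
#    next reboot even after its key is deleted, so run this again after rebooting.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$serviceName'"
if ($drv) {
    $detail = "State=$($drv.State); StartMode=$($drv.StartMode); Path=$($drv.PathName)"
    $report += New-Finding "driver object '$serviceName'" 'STILL REGISTERED' $detail
} else {
    $report += New-Finding "driver object '$serviceName'" 'not registered'
}

$report | Format-Table Item, Status, Detail -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt both before the reboot and after it; any row still marked present or registered after the reboot means the entry was recreated, which is worth pointing out in the next reply alongside the new ComboFix.txt.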
#13 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 May 2009 - 01:35 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
