
Infected PC


  • This topic is locked
2 replies to this topic

#1 Dee1234

  • Members
  • 1 posts

Posted 24 May 2009 - 06:42 AM

Hi

I've run the Combofix file which has produced the following log data. Could you please advise what I should do now?

Many thanks
Dee

ComboFix 09-05-23.04 - DAN 24/05/2009 12:04.1 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1014.593 [GMT 1:00]
Running from: c:\users\DAN\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
PEV Error: CacheFile
PEV Error: CacheFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\zip32.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-24 11:11 . 2009-05-24 11:11 -------- dc----w c:\users\DAN\AppData\Local\temp
2009-05-23 22:07 . 2009-05-23 22:07 -------- dc----w C:\Virus
2009-05-23 09:48 . 2009-05-23 09:48 -------- d-sh--w C:\found.000
2009-05-23 09:20 . 2009-05-23 09:20 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-05-23 09:20 . 2009-05-23 09:20 -------- d-----w c:\users\DAN\AppData\Roaming\skypePM
2009-05-23 09:14 . 2009-05-23 09:14 -------- dc----w c:\users\DAN\AppData\Local\NOS
2009-05-23 09:14 . 2009-05-23 09:14 -------- dc----w c:\programdata\NOS
2009-05-23 09:14 . 2009-05-23 09:14 -------- dc----w c:\program files\NOS
2009-05-23 09:06 . 2009-05-23 09:06 -------- dc----w c:\program files\Common Files\Skype
2009-05-23 09:06 . 2009-05-23 09:06 -------- dc----r c:\program files\Skype
2009-05-12 20:08 . 2009-05-12 20:08 390664 ----a-w c:\users\DAN\AppData\Roaming\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-07 15:17 . 2009-04-14 00:39 4656976 -c--a-w c:\programdata\Microsoft\Windows Defender\Definition Updates\{538E792B-F2C9-4641-A27F-47C0CC818E93}\mpengine.dll
2009-05-03 21:57 . 2001-10-26 21:16 16384 ----a-w c:\windows\system32\FileOps.exe
2009-05-03 21:56 . 2009-05-03 21:56 -------- d-----w c:\windows\system32\Adobe
2009-05-03 21:43 . 2009-05-03 21:43 -------- d-----w c:\windows\Adobe Illustrator CS
2009-05-03 01:57 . 2009-05-03 01:57 -------- dc----w c:\program files\Microsoft Silverlight
2009-04-24 23:59 . 2009-04-24 23:59 -------- d-----w c:\users\DAN\AppData\Roaming\Vodafone
2009-04-24 23:58 . 2008-03-07 12:46 101504 ----a-w c:\windows\system32\drivers\ewusbmdm.sys
2009-04-24 23:56 . 2009-04-24 23:56 -------- dc----w c:\programdata\Vodafone
2009-04-24 23:55 . 2009-04-24 23:55 -------- dc----w c:\program files\Vodafone
2009-04-24 23:24 . 2009-04-24 23:25 -------- dc----w c:\users\DAN\AppData\Local\{DA6A30CA-2668-4F5F-93A5-9BDA19E3CCC4}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 11:03 . 2009-04-12 17:27 -------- dc----w c:\program files\KeyNote
2009-05-24 10:29 . 2008-02-03 00:31 -------- d-----w c:\users\DAN\AppData\Roaming\ndxCards
2009-05-24 10:26 . 2008-03-22 18:57 256 ----a-w c:\windows\system32\pool.bin
2009-05-24 10:24 . 2009-05-24 10:24 4096 ----a-w c:\windows\system32\03BF6.tmp
2009-05-24 10:06 . 2009-05-24 10:06 4096 ----a-w c:\windows\system32\02A1B.tmp
2009-05-23 11:58 . 2008-05-11 02:00 6324 -c--a-w c:\users\DAN\AppData\Local\d3d9caps.dat
2009-05-23 11:32 . 2009-05-23 11:32 4096 ----a-w c:\windows\system32\0A0D0.tmp
2009-05-23 10:40 . 2009-05-23 10:40 4096 ----a-w c:\windows\system32\01F42.tmp
2009-05-23 10:31 . 2008-03-21 23:08 -------- d-----w c:\users\DAN\AppData\Roaming\Skype
2009-05-23 09:51 . 2009-05-23 09:51 4096 ----a-w c:\windows\system32\06A27.tmp
2009-05-23 09:35 . 2008-05-20 18:38 -------- dc----w c:\program files\Common Files\Adobe
2009-05-23 09:11 . 2008-01-07 09:08 -------- dc----w c:\program files\Google
2009-05-23 09:06 . 2008-03-21 23:06 -------- dc----w c:\programdata\Skype
2009-05-22 08:06 . 2009-05-22 08:06 4096 ----a-w c:\windows\system32\0557E.tmp
2009-05-20 22:30 . 2009-05-20 22:30 4096 ----a-w c:\windows\system32\05A9D.tmp
2009-05-20 10:00 . 2009-05-20 10:00 4096 ----a-w c:\windows\system32\06315.tmp
2009-05-18 22:38 . 2009-05-18 22:38 4096 ----a-w c:\windows\system32\06E2D.tmp
2009-05-14 22:55 . 2009-05-14 22:55 4096 ----a-w c:\windows\system32\07934.tmp
2009-05-13 18:33 . 2009-05-13 18:33 4096 ----a-w c:\windows\system32\06F93.tmp
2009-05-11 11:12 . 2009-05-11 11:12 4096 ----a-w c:\windows\system32\0582D.tmp
2009-05-08 14:47 . 2009-05-08 14:47 4096 ----a-w c:\windows\system32\052FF.tmp
2009-05-07 21:20 . 2009-05-07 21:20 4096 ----a-w c:\windows\system32\01A0B.tmp
2009-05-03 21:50 . 2007-05-30 12:56 -------- dc-h--w c:\program files\InstallShield Installation Information
2009-04-30 09:39 . 2009-01-11 12:22 -------- dc----w c:\programdata\Outlook Data
2009-04-30 08:47 . 2007-05-31 14:27 -------- dc----w c:\programdata\Microsoft Help
2009-04-29 10:45 . 2009-03-31 20:54 -------- d-----w c:\users\DAN\AppData\Roaming\FileZilla
2009-04-12 17:05 . 2009-04-12 16:53 -------- dc----w c:\program files\gnucash
2009-04-12 15:19 . 2009-04-12 15:18 -------- dc----w c:\program files\Quasar
2009-04-12 14:42 . 2009-04-12 14:24 -------- d-----w c:\users\DAN\AppData\Roaming\KompoZer
2009-04-06 09:57 . 2008-06-07 11:27 -------- dc----w c:\program files\ZipItFree
2009-04-04 19:19 . 2009-04-04 19:19 -------- dc----w c:\programdata\Sandlot Games
2009-03-31 07:52 . 2009-03-31 07:38 -------- dc----w c:\program files\Dell AIO Printer A940
2009-03-17 03:16 . 2009-04-15 21:17 14848 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-15 21:17 25600 ----a-w c:\windows\system32\amxread.dll
2009-03-03 04:24 . 2009-04-15 21:17 3469280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:24 . 2009-04-15 21:17 3503584 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:20 . 2009-04-15 21:17 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:19 . 2009-04-15 21:17 158720 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:19 . 2009-04-15 21:17 549888 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:19 . 2009-04-15 21:17 24576 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-15 21:16 56320 ----a-w c:\windows\system32\iesetup.dll
2009-03-03 04:16 . 2009-04-15 21:17 37888 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:16 . 2009-04-15 21:17 97280 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:16 . 2009-04-15 21:17 53248 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:16 . 2009-04-15 21:17 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:15 . 2009-04-15 21:17 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-03 02:40 . 2009-04-15 21:17 654336 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:08 . 2009-04-15 21:16 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-03 00:44 . 2009-04-15 21:16 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-02 14:51 . 2009-03-02 14:31 94104 -c--a-w c:\programdata\WebEx\ieatgpc.dll
2009-03-02 14:51 . 2009-03-02 14:31 34120 -c--a-w c:\programdata\WebEx\atinst.exe
2009-03-02 14:51 . 2009-03-02 14:31 111944 -c--a-w c:\programdata\WebEx\atmgr.exe
2009-03-02 14:32 . 2009-03-02 14:32 38216 -c--a-w c:\programdata\WebEx\WebEx\724\WbxDLDrv.exe
2009-03-02 14:31 . 2009-03-02 14:31 241664 -c--a-w c:\programdata\WebEx\WebEx\724\msess.dll
2009-03-02 14:31 . 2009-03-02 14:31 221184 -c--a-w c:\programdata\WebEx\WebEx\724\ataudio.dll
2009-03-02 14:31 . 2009-03-02 14:31 69632 -c--a-w c:\programdata\WebEx\WebEx\724\atnote.dll
2009-03-02 14:31 . 2009-03-02 14:31 254005 -c--a-w c:\programdata\WebEx\WebEx\724\msvcrt.dll
2009-03-02 14:31 . 2009-03-02 14:31 65536 -c--a-w c:\programdata\WebEx\WebEx\724\wbxcrypt.dll
2009-03-02 14:31 . 2009-03-02 14:31 401462 -c--a-w c:\programdata\WebEx\WebEx\724\msvcp60.dll
2009-03-02 14:31 . 2009-03-02 14:31 315392 -c--a-w c:\programdata\WebEx\WebEx\724\atwbxui5.dll
2009-03-02 14:31 . 2009-03-02 14:31 107928 -c--a-w c:\programdata\WebEx\atgpcext.dll
2009-03-02 14:31 . 2009-03-02 14:31 44360 -c--a-w c:\programdata\WebEx\atgpcdec.dll
2009-02-23 15:24 . 2009-02-23 15:24 38400 ----a-w c:\users\DAN\AppData\Roaming\Juniper Networks\Host Checker\AV\McAfeeAV.dll
2009-02-23 15:24 . 2009-02-23 15:24 49951 ----a-w c:\users\DAN\AppData\Roaming\Juniper Networks\Host Checker\uninstall.exe
2009-02-13 07:26 . 2009-04-15 21:17 158003 --sha-r c:\windows\System32\bdiqb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-13 1232896]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-21 433840]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2006-11-02 49664]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-23 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-05-16 509496]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-04-26 538744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 577536]
"Desktop SMS"="c:\program files\IDM\Desktop SMS\DesktopSMS.exe" [2007-01-19 1507328]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-27 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-27 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-27 133912]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 413696]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-03-13 33048]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALuNotify.exe" [2007-09-12 492912]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-07 185896]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"dlbamon.exe"="c:\program files\Dell AIO Printer A940\dlbamon.exe" [2007-03-05 435696]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-03-13 2060288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NDSTray.exe"="NDSTray.exe" [BU]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-05-25 1826816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\DAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ndxCards.lnk - c:\program files\ndxCards\ndxCards.exe [2008-2-3 2498560]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
wkcalrem.LNK - c:\program files\Common Files\microsoft shared\Works Shared\WkCalRem.exe [2005-8-18 21504]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2008-3-1 44384]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-3 110592]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-2 1283608]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-9-12 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-9-12 51984]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-4-13 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2FDDE26F-17A2-4DB6-8CF0-1040A8127ADD}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{426FBA8C-10AC-40D4-8338-AA7023BC4F55}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E329E027-E2E2-4665-9D5B-A692AC11AA26}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{01317150-633E-4C04-82DD-DAA036F1846D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6FAAC35F-D7CF-43FD-AB93-6DA1E3EF90F8}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{EE20D8C4-290E-455B-B13F-AAAF8BD11AE1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D37E298A-B021-4126-938A-B45A1E4AC0E9}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{985D08AB-05A1-46FC-A4C4-6ED1C34FFF09}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{EE70CA88-FA76-49DF-A61E-3028C045261E}"= TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{5ACF7D5C-396B-48FF-AD53-80C68E00D297}"= UDP:c:\windows\System32\dlbacoms.exe:Lexmark Communications System
"{1426BAD9-EF2B-4A9A-AE1A-F49D77EEF0ED}"= TCP:c:\windows\System32\dlbacoms.exe:Lexmark Communications System
"{45D72458-E729-4920-A3C8-5F5DAB3DA0AF}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\dlbapswx.exe:Printer Status Window
"{09614E9B-5C43-45CD-8354-786F86A2059A}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\dlbapswx.exe:Printer Status Window
"{01ACE98F-D71A-4F73-8070-99E1FDD2E565}"= UDP:c:\program files\Dell AIO Printer A940\DLBAmon.exe:Device Monitor
"{0531063B-7975-4F7D-A88B-D04DDCBED1D3}"= TCP:c:\program files\Dell AIO Printer A940\DLBAmon.exe:Device Monitor
"{A8B8002F-7350-4292-B7CD-C2A0254BA45B}"= UDP:c:\program files\Dell AIO Printer A940\DLBAaiox.exe:All In One Center
"{CE49FCED-6F84-46D8-A63D-5982106E62DB}"= TCP:c:\program files\Dell AIO Printer A940\DLBAaiox.exe:All In One Center
"{437AD903-FB5E-480F-96D6-036341E16EF7}"= UDP:c:\program files\gnucash\bin\gnucash-bin.exe:GnuCash Free Finance Manager
"{62FE5C68-E54E-414A-BF76-D3FB3BA93C8F}"= TCP:c:\program files\gnucash\bin\gnucash-bin.exe:GnuCash Free Finance Manager
"{BF28C6E0-C8D6-4ED7-B0D3-2BD9B11CDC24}"= UDP:c:\program files\gnucash\bin\gconfd-2.exe:GConf Settings Manager
"{83DD6AC7-7DBA-4408-A58E-98362B435378}"= TCP:c:\program files\gnucash\bin\gconfd-2.exe:GConf Settings Manager
"{DE9ADD5E-38B0-4247-B2D4-97207848E72D}"= UDP:6776:aquif
"{69D124C1-D1D0-4342-B36C-DC204827092F}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

R0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\System32\drivers\iaNvStor.sys [Wed 30/05/2007 14:36 210432]
R3 QIOMem;Generic IO & Memory Access;c:\windows\System32\drivers\QIOMem.sys [Mon 09/04/2007 15:13 8192]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080114.001\IDSvix86.sys [Mon 14/01/2008 20:04 180272]
S2 bhymulus;Microsoft Image;c:\windows\system32\svchost.exe -k netsvcs [Thu 02/11/2006 09:35 22016]
S2 BroadWaveService;BroadWave Service;c:\program files\NCH Swift Sound\BroadWave\broadwave.exe [Fri 28/12/2007 01:07 401412]
S2 dlba_device;dlba_device;c:\windows\system32\dlbacoms.exe -service --> c:\windows\system32\dlbacoms.exe -service [?]
S2 gupdate1c9db85f03e7480;Google Update Service (gupdate1c9db85f03e7480);c:\program files\Google\Update\GoogleUpdate.exe [Sat 23/05/2009 10:07 133104]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [Thu 13/03/2008 19:08 24576]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [Sat 23/05/2009 10:14 33176]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\System32\drivers\Ph3xIB32.sys [Thu 02/11/2006 11:32 1083520]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [Fri 03/10/2008 15:14 37936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bhymulus
.
Contents of the 'Scheduled Tasks' folder

2009-05-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-05-24 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-23 09:06]

2009-05-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - DAN.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 01:09]

2009-05-24 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-12-07 06:29]

2009-05-24 c:\windows\Tasks\User_Feed_Synchronization-{73ABC6A9-0B43-4C27-AE82-CE4A342963F1}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = 172.16.228.253:80
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redire...1&site=home
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 12:11
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????!?|?D??8???`????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bhymulus]
"ServiceDll"="c:\windows\system32\bdiqb.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-24 12:16
ComboFix-quarantined-files.txt 2009-05-24 11:16

Pre-Run: 29,267,668,992 bytes free
Post-Run: 29,240,852,480 bytes free

309 --- E O F --- 2009-05-07 15:20
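Added example (not part of the original thread, and not something ComboFix itself produces): a Python triage script that applies the checks a responder would run over a log like the one above before asking for anything else. The posted log contains a service `bhymulus` (display name "Microsoft Image") hosted by `svchost.exe -k netsvcs` whose `ServiceDll` is `c:\windows\system32\bdiqb.dll`, a file listed with `--sha-r` (system, hidden, read-only) attributes; it also shows `EnableLUA`=0, Security Center `DisableMonitoring`=1, `EnableFirewall`=0 on every profile, and an IE proxy at 172.16.228.253. The script correlates these automatically. `SAMPLE_LOG` is a constructed excerpt copied from the posted log so the code runs offline; the heuristics and their thresholds are the editor's, not ComboFix's, and the key names (`hidden_system32`, `service_dll_hits`, ...) are arbitrary.

```python
"""Triage heuristics for a ComboFix log (added example; checks are the editor's, not ComboFix's)."""
import ipaddress
import re

# Constructed excerpt: lines copied from the posted log's Find3M, Reg Loading Points,
# services, Supplementary Scan and ServiceDll sections, so the script runs offline.
SAMPLE_LOG = r"""
2009-02-13 07:26 . 2009-04-15 21:17 158003 --sha-r c:\windows\System32\bdiqb.dll
2009-03-03 04:19 . 2009-04-15 21:17 549888 ----a-w c:\windows\system32\rpcss.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
S2 bhymulus;Microsoft Image;c:\windows\system32\svchost.exe -k netsvcs [Thu 02/11/2006 09:35 22016]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [Thu 13/03/2008 19:08 24576]
uInternet Settings,ProxyServer = 172.16.228.253:80
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bhymulus]
"ServiceDll"="c:\windows\system32\bdiqb.dll"
"""

SERVICE_LINE = re.compile(r"^[RS]\d ([^;]+);([^;]*);(.*)$")        # "S2 name;display;image [date size]"
SERVICE_KEY = re.compile(r"\\services\\([^\\]+)$", re.IGNORECASE)  # "...\Services\<name>"
DLL_LINE = re.compile(r'^"ServiceDll"\s*=\s*"?([^"]+)"?', re.IGNORECASE)
PROXY_LINE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?:\w+=)?([^:;\s]+)", re.IGNORECASE)
UAC_OFF = re.compile(r'^"EnableLUA"\s*=\s*0\b', re.IGNORECASE)
FW_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.IGNORECASE)
MON_OFF = re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$', re.IGNORECASE)


def triage(log_text):
    """Scan ComboFix log text and return the indicators found, in log order."""
    out = {"hidden_system32": [], "netsvcs_services": [], "service_dll": {},
           "uac_disabled": False, "monitoring_disabled": [], "firewall_disabled": [],
           "private_proxy": None, "service_dll_hits": []}
    key = ""  # most recent "[HKEY_...]" header; registry values are interpreted under it
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        # File rows: "<date> <time> . <date> <time> <size> <attrs> <path>". A DLL under
        # system32 carrying both the system (s) and hidden (h) attributes is unusual.
        parts = line.split(None, 7)
        if len(parts) == 8 and parts[2] == ".":
            attrs, path = parts[6], parts[7].lower()
            if "s" in attrs and "h" in attrs and "\\system32\\" in path and path.endswith(".dll"):
                out["hidden_system32"].append(path)
            continue
        m = SERVICE_LINE.match(line)
        if m:
            image = m.group(3).lower()
            if "svchost.exe" in image and "-k netsvcs" in image:
                out["netsvcs_services"].append(m.group(1))
            continue
        m = PROXY_LINE.match(line)
        if m:
            try:
                if ipaddress.ip_address(m.group(1)).is_private:
                    out["private_proxy"] = m.group(1)
            except ValueError:  # a hostname rather than an address
                pass
            continue
        klow = key.lower()
        if klow.endswith("\\policies\\system") and UAC_OFF.match(line):
            out["uac_disabled"] = True
        elif "\\security center\\monitoring" in klow and MON_OFF.match(line):
            out["monitoring_disabled"].append(key)
        elif "\\firewallpolicy\\" in klow and FW_OFF.match(line):
            out["firewall_disabled"].append(key.rsplit("\\", 1)[-1])
        else:
            k, d = SERVICE_KEY.search(key), DLL_LINE.match(line)
            if k and d:
                out["service_dll"][k.group(1).lower()] = d.group(1).lower()
    # Correlate: a netsvcs-hosted service whose ServiceDll is one of the hidden system32 DLLs.
    for svc in out["netsvcs_services"]:
        dll = out["service_dll"].get(svc.lower())
        if dll in out["hidden_system32"]:
            out["service_dll_hits"].append((svc, dll))
    return out


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

To run it against a real log, pass `open("ComboFix.txt").read()` to `triage()` instead of `SAMPLE_LOG`. Weigh the findings differently: the `service_dll_hits` correlation (a hidden system32 DLL loaded into the shared netsvcs svchost under a generic display name) is the lead to pursue first, because legitimate Microsoft ServiceDlls are not marked system+hidden. The other items are configuration state, not proof of compromise on their own: a proxy on a private address is normal on a managed network, and UAC or firewall can be turned off by the owner, so they are questions to put to the user rather than findings.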


#2 RenatoMejias

  • Malware Response Team
  • 913 posts

Posted 06 June 2009 - 08:16 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Renato Victor Mejias
Malware help in portuguese

#3 RenatoMejias

  • Malware Response Team
  • 913 posts

Posted 17 June 2009 - 02:06 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Renato Victor Mejias
Malware help in portuguese



