
Infected with RECYCLER Trojan


  • This topic is locked
20 replies to this topic

#1 chixdigit

chixdigit

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:29 AM

Posted 04 June 2009 - 02:17 AM

On June 1st, I was infected with the RECYCLER virus. The root menus for all of my drives suddenly had a new folder named RECYCLER and an autorun.inf file. These would just reappear after deleting them. I've run Dr. Web on my computer a few times using the COMPLETE scan and each time it will find more instances of the virus or infected files. I've read that the virus in question changes your registry. I don't want to attempt to clean the registry out myself as I'm afraid I may delete something important. My concern is that this virus or others (there are other infections that came along with RECYCLER such as "BackDoor.Tdss.213," etc.) may be lurking somewhere in my system and I want to get rid of all traces of the infection.

Thank you for helping.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Cristoforo at 0:00:23.35 on Thu 06/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.337 [GMT -7:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: Norton Internet Security *disabled* {825036E0-9F94-4752-8789-8B92454AF49B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Rainlendar Lite 2.5\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Documents and Settings\Cristoforo\Desktop\Downloads\launch.exe
C:\DOCUME~1\CRISTO~1\LOCALS~1\Temp\RarSFX3\9489w4.exe
C:\DOCUME~1\CRISTO~1\LOCALS~1\Temp\RarSFX3\t2n9l.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Cristoforo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://owa.spe.sony.com/exchweb/bin/auth/o...placeCurrent=1#
BHO: ClickCatcher MSIE handler: {16664845-0e00-11d2-8059-000000000000} - c:\program files\common files\reget shared\Catcher.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: ReGet Bar: {17939a30-18e2-471e-9d3a-56dd725f1215} - c:\program files\reget software\reget deluxe 5.2\IEBar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Rainlendar2] c:\program files\rainlendar lite 2.5\Rainlendar2.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [sHotKey] "c:\program files\sony\shotkey\sHotKey.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VAIO Update 3] "c:\program files\sony\vaio update 3\VAIOUpdt.exe" /Stationary
StartupFolder: c:\docume~1\cristo~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
uPolicies-explorer: NoLogoff = 00000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: Do&wnload by ReGet Deluxe - c:\program files\common files\reget shared\CC_Link.htm
IE: Download A&ll by ReGet Deluxe - c:\program files\common files\reget shared\CC_All.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://my.spe.sony.com/InternalSite/WhlCompMgr.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
TCP: NameServer = 85.255.112.86,85.255.112.8
TCP: {DFA216F3-0C7B-4497-AFF1-D7A07DADC78F} = 85.255.112.86,85.255.112.8
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: {16664848-0E00-11D2-8059-000000000000} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cristo~1\applic~1\mozilla\firefox\profiles\gcy6ejqn.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\divx web player\divx web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2009-5-16 305288]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\savrtpel.sys [2009-5-16 37000]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2009-5-16 255648]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2009-5-16 218736]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2009-5-16 235168]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-3-31 14336]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2009-5-16 158848]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2009-5-16 94290]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090527.003\NAVENG.Sys [2009-6-2 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090527.003\NavEx15.Sys [2009-6-2 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2009-5-16 87712]
S3 DMService;Whale Component Manager;c:\windows\downlo~1\DMService.exe [2009-5-26 428184]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-17 33176]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVSCAN.EXE [2009-5-16 194272]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

=============== Created Last 30 ================

2009-06-03 12:45 178,928 a------- c:\windows\system32\drivers\dwshd.sys
2009-06-03 01:48 2,524 a------- C:\autorun.PNF
2009-06-03 01:31 67,054,290 -------- C:\SYM_REGISTRY_BACKUP.reg
2009-06-03 00:21 <DIR> --d----- c:\program files\Trend Micro
2009-06-02 12:32 <DIR> --d----- c:\program files\Autorun Eater
2009-06-02 02:37 <DIR> --d----- c:\documents and settings\cristoforo\DoctorWeb
2009-06-02 02:13 <DIR> --d-h--- c:\windows\PIF
2009-05-31 19:55 <DIR> --d----- c:\program files\Taskbar Repair Tool Plus!
2009-05-31 04:04 <DIR> --d----- c:\program files\AsfTools 3.1
2009-05-31 04:02 413,760 a------- c:\windows\system32\MPG4c32.dll
2009-05-31 04:02 <DIR> --d----- c:\program files\VirtualDub v1.4c
2009-05-31 00:03 152,844 ac------ c:\windows\system32\dllcache\framdit.ttf
2009-05-31 00:03 135,984 ac------ c:\windows\system32\dllcache\framd.ttf
2009-05-30 08:05 <DIR> --d----- c:\program files\1-4a Rename
2009-05-30 07:43 <DIR> --d----- c:\program files\Lame for Audacity
2009-05-30 07:33 <DIR> --d----- c:\program files\Audacity
2009-05-28 13:44 <DIR> --d----- c:\windows\system32\NtmsData
2009-05-28 08:20 <DIR> --d-h--- c:\program files\InstallJammer Registry
2009-05-28 04:18 160,640 a------- c:\windows\system32\drivers\a347bus.sys
2009-05-28 04:18 5,248 a------- c:\windows\system32\drivers\a347scsi.sys
2009-05-28 04:18 <DIR> --d----- c:\program files\Alcohol Soft
2009-05-27 04:15 <DIR> --d----- c:\docume~1\cristo~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-27 00:36 <DIR> --d----- c:\docume~1\cristo~1\applic~1\ReGet Software
2009-05-27 00:34 57 a------- c:\windows\english.lng
2009-05-27 00:34 <DIR> --d----- c:\program files\common files\ReGet Shared
2009-05-27 00:34 <DIR> --d----- c:\program files\ReGet Software
2009-05-26 12:20 <DIR> --d----- c:\program files\Whale Communications
2009-05-25 15:48 <DIR> --d----- c:\program files\InterVideo
2009-05-25 15:47 38 a------- c:\windows\pbMv.INI
2009-05-24 21:13 58 a------- c:\windows\system32\DonationCoder_UnicodeImageMaker_InstallInfo.dat
2009-05-24 21:13 <DIR> --d----- c:\program files\UnicodeImageMaker
2009-05-24 18:01 <DIR> --d----- c:\docume~1\cristo~1\applic~1\IcoFX
2009-05-24 18:01 <DIR> --d----- c:\program files\IcoFX 1.6
2009-05-24 16:18 <DIR> --dsh--- c:\documents and settings\cristoforo\IECompatCache
2009-05-24 16:18 <DIR> --d----- C:\n e w z
2009-05-24 16:18 <DIR> --d----- C:\b l a a g s
2009-05-24 16:14 <DIR> --dsh--- c:\documents and settings\cristoforo\PrivacIE
2009-05-24 16:01 <DIR> --dsh--- c:\documents and settings\cristoforo\IETldCache
2009-05-24 14:38 <DIR> --d----- c:\windows\ie8updates
2009-05-24 14:34 <DIR> -cd-h--- c:\windows\ie8
2009-05-24 14:32 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-24 09:08 <DIR> --d----- c:\docume~1\cristo~1\applic~1\avidemux
2009-05-24 09:07 <DIR> --d----- c:\program files\Avidemux 2.4
2009-05-23 22:37 3,249 a------- c:\windows\system32\wbem\Outlook_01c9dc31ca5ba362.mof
2009-05-23 14:59 <DIR> --d----- C:\TEMP
2009-05-23 12:34 129,520 -------- c:\windows\system32\pxafs.dll
2009-05-23 05:31 4,128 a------- C:\INFCACHE.1
2009-05-23 04:59 815,104 a------- c:\windows\system32\xvidcore.dll
2009-05-23 04:59 77,824 a------- c:\windows\system32\xvid.ax
2009-05-23 04:59 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-05-23 04:55 <DIR> --d----- c:\program files\VirtualDubMod v1.5.10.2 All Inclusive
2009-05-23 02:50 <DIR> --d----- C:\f o n t s
2009-05-23 02:34 <DIR> --d----- c:\program files\GiPo@Utilities
2009-05-23 02:34 <DIR> --d----- c:\program files\common files\Gibinsoft Shared
2009-05-23 02:33 647,872 a------- c:\windows\system32\mscomct2.ocx
2009-05-23 02:33 61,440 a------- c:\windows\system32\digitbox.ocx
2009-05-23 02:33 140,488 a------- c:\windows\system32\comdlg32.ocx
2009-05-23 02:33 <DIR> --d----- c:\program files\Alarm
2009-05-23 02:24 <DIR> --d----- c:\program files\Folder View Master 3
2009-05-22 23:13 <DIR> --d----- c:\docume~1\cristo~1\applic~1\Final Draft
2009-05-22 23:08 1,073,152 a----r-- c:\windows\system32\cdintf210.dll
2009-05-22 23:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Final Draft
2009-05-22 23:07 <DIR> --d----- c:\program files\Final Draft Tagger
2009-05-22 23:07 <DIR> --d----- c:\program files\Final Draft 7
2009-05-22 23:07 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-22 18:50 <DIR> --d----- c:\program files\Font Xplorer
2009-05-22 15:08 40 a---h--- c:\windows\system32\ivireg.ivr
2009-05-22 15:00 <DIR> --d----- c:\program files\MSXML 4.0
2009-05-22 04:40 88 ---shr-- c:\docume~1\alluse~1\applic~1\856BF078A1.sys
2009-05-22 04:40 3,350 ---sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-05-22 04:39 10,368 a------- c:\windows\system32\drivers\iviaspi.sys
2009-05-22 04:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2009-05-22 04:37 <DIR> --d----- c:\program files\common files\Protexis
2009-05-22 04:36 <DIR> --d----- c:\program files\Corel
2009-05-22 02:52 <DIR> --d----- c:\program files\common files\xing shared
2009-05-21 23:56 <DIR> --d----- c:\program files\common files\Real
2009-05-21 23:17 <DIR> --d----- C:\DECCHECK
2009-05-21 22:27 <DIR> --d----- c:\windows\Logs
2009-05-21 21:57 <DIR> --d----- c:\program files\MagicISO
2009-05-21 17:27 <DIR> --d----- c:\program files\Pazera Free FLV to AVI Converter v1.2
2009-05-21 02:54 110,592 a------- c:\windows\system32\cpnotify.ax
2009-05-21 02:11 0 a------- c:\windows\VAIOUpdt.INI
2009-05-21 00:27 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-05-21 00:25 <DIR> --d----- c:\program files\MSECACHE
2009-05-20 23:44 <DIR> --d----- c:\windows\pss
2009-05-20 22:02 <DIR> --d----- c:\windows\system32\scripting
2009-05-20 22:02 <DIR> --d----- c:\windows\l2schemas
2009-05-20 22:02 <DIR> --d----- c:\windows\system32\en
2009-05-20 21:51 <DIR> --d----- c:\windows\network diagnostic
2009-05-20 20:46 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-05-20 14:48 831 a------- c:\windows\system32\NvApps.xml
2009-05-20 14:40 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-05-20 14:33 <DIR> --d----- c:\windows\SHELLNEW
2009-05-20 14:33 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-05-20 14:27 <DIR> --d----- c:\windows\nview
2009-05-20 04:44 <DIR> --d----- c:\windows\LastGood(2)
2009-05-20 04:15 <DIR> --d----- c:\windows\nview(2)
2009-05-19 18:00 <DIR> --d----- c:\windows\SHELLNEW(2)
2009-05-19 17:56 <DIR> --d----- C:\MSOCache(2)
2009-05-19 15:52 <DIR> --d----- c:\program files\DAMN NFO Viewer
2009-05-19 15:10 <DIR> --d----- c:\documents and settings\cristoforo\IAG Remote Access Agent
2009-05-19 14:43 <DIR> --d----- c:\program files\Moon Software
2009-05-19 13:09 414 a----r-- c:\windows\system32\lame_acm.xml
2009-05-19 13:09 700,416 a------- c:\windows\system32\LameACM.acm
2009-05-19 04:51 <DIR> --d----- c:\program files\Lame mp3 Encoder v3.98.2
2009-05-19 03:44 <DIR> --d----- c:\program files\Xvid
2009-05-18 03:18 268,648 a------- c:\windows\system32\mucltui.dll
2009-05-18 03:18 208,744 a------- c:\windows\system32\muweb.dll
2009-05-18 03:18 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-05-18 03:06 266,360 a------- c:\windows\system32\TweakUI.exe
2009-05-18 03:06 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-05-18 03:04 <DIR> --d----- c:\program files\IrfanView
2009-05-17 20:21 <DIR> --d----- c:\program files\common files\DivX Shared
2009-05-17 20:21 <DIR> --d----- c:\program files\DivX Web Player
2009-05-17 18:45 <DIR> --d----- c:\windows\system32\Adobe
2009-05-17 17:30 <DIR> --d----- c:\documents and settings\all users\VAIO Media Integrated Server
2009-05-17 17:14 <DIR> --d----- c:\documents and settings\cristoforo\.rainlendar2
2009-05-17 17:14 <DIR> --d----- c:\program files\Rainlendar Lite 2.5
2009-05-17 06:49 168,448 -c------ c:\windows\system32\dllcache\wmerror.dll
2009-05-17 06:48 10,240 -------- c:\windows\system32\drivers\sffp_mmc.sys
2009-05-17 06:47 193,024 -------- c:\windows\system32\napmontr.dll
2009-05-17 06:46 457,607 -c------ c:\windows\system32\dllcache\mdlib.wmv
2009-05-17 06:46 290,816 -c------ c:\windows\system32\dllcache\l3codeca.acm
2009-05-17 06:46 37,376 -------- c:\windows\system32\l2gpstore.dll
2009-05-17 06:46 61,440 -------- c:\windows\system32\kmsvc.dll
2009-05-17 06:46 6,144 -------- c:\windows\system32\kbdpash.dll
2009-05-17 06:46 6,144 -------- c:\windows\system32\kbdnepr.dll
2009-05-17 06:46 6,144 -------- c:\windows\system32\kbdiultn.dll
2009-05-17 06:46 6,144 -------- c:\windows\system32\kbdbhc.dll
2009-05-17 06:44 57,856 -------- c:\windows\system32\dot3cfg.dll
2009-05-17 05:36 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-05-17 05:34 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-05-17 05:34 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-05-17 05:34 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-05-17 05:34 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-05-17 05:34 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-05-17 05:34 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
2009-05-17 05:34 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-05-17 05:33 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-17 05:33 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-05-17 05:33 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-16 19:31 <DIR> --d----- c:\docume~1\cristo~1\applic~1\BitTorrent
2009-05-16 19:31 <DIR> --d----- c:\program files\BitTorrent
2009-05-16 17:00 446,464 a------- c:\windows\system32\nvudisp.exe
2009-05-16 17:00 446,464 a------- c:\windows\system32\NVUNINST.EXE
2009-05-16 16:59 <DIR> --d----- C:\NVIDIA
2009-05-16 16:55 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-05-16 16:53 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-16 16:53 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-16 13:28 <DIR> --d----- c:\program files\msn gaming zone
2009-05-16 13:24 <DIR> --d----- c:\windows\system32\wbem\AutoRecover
2009-05-16 12:41 <DIR> --d----- c:\windows\peernet
2009-05-16 12:41 <DIR> --d----- c:\windows\provisioning
2009-05-16 12:37 <DIR> --d----- c:\windows\ServicePackFiles
2009-05-16 11:46 <DIR> --d----- c:\program files\Yahoo!
2009-05-16 05:43 <DIR> --d----- c:\docume~1\cristo~1\applic~1\Rainlendar
2009-05-16 04:48 <DIR> --d----- c:\program files\VideoLAN
2009-05-16 04:37 <DIR> --d----- c:\program files\Western Digital
2009-05-16 04:36 <DIR> --d----- c:\program files\Western Digital Corporation
2009-05-16 04:36 20,992 a------- c:\windows\jestertb.dll
2009-05-16 04:06 11,264 -------- c:\windows\system32\spnpinst.exe
2009-05-16 04:06 9,271,864 -c------ c:\windows\system32\dllcache\ehcir.ird
2009-05-16 04:06 67,866 -------- c:\windows\system32\drivers\netwlan5.img
2009-05-16 04:06 7,208 -------- c:\windows\system32\secupd.sig
2009-05-16 04:06 4,569 -------- c:\windows\system32\secupd.dat
2009-05-16 03:43 <DIR> --d----- c:\windows\system32\PreInstall
2009-05-16 03:43 <DIR> --d-h--- c:\windows\$hf_mig$
2009-05-16 03:42 <DIR> --d----- c:\windows\system32\bits
2009-05-16 03:42 354,304 a------- c:\windows\system32\winhttp.dll
2009-05-16 03:42 18,944 a------- c:\windows\system32\qmgrprxy.dll
2009-05-16 03:42 8,192 -------- c:\windows\system32\bitsprx2.dll
2009-05-16 03:42 7,168 -------- c:\windows\system32\bitsprx3.dll
2009-05-16 03:40 <DIR> --dsh--- c:\documents and settings\cristoforo\UserData
2009-05-16 03:36 156,672 ac------ c:\windows\system32\dllcache\winzm.ime
2009-05-16 03:30 35,328 a------- c:\windows\system32\iprip.dll
2009-05-16 03:30 18,944 ac------ c:\windows\system32\dllcache\simptcp.dll
2009-05-16 03:30 18,944 a------- c:\windows\system32\simptcp.dll
2009-05-16 03:15 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-16 03:10 2,560 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-05-16 03:10 2,432 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-16 03:07 <DIR> --d----- C:\Click to DVD 2
2009-05-16 02:48 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-05-16 02:46 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-05-16 02:46 183,296 a------- c:\windows\system32\wuaueng1.dll
2009-05-16 02:46 165,888 a------- c:\windows\system32\wuauclt1.exe
2009-05-16 02:33 539,648 a------- c:\windows\system32\comuid.dll
2009-05-16 02:33 428,032 a------- c:\windows\system32\msdtcprx.dll
2009-05-16 02:33 161,792 a------- c:\windows\system32\msdtcuiu.dll
2009-05-16 02:33 956,928 a------- c:\windows\system32\msdtctm.dll
2009-05-16 02:33 584,704 a------- c:\windows\system32\rpcrt4.dll
2009-05-16 02:33 101,376 a------- c:\windows\system32\txflog.dll
2009-05-16 02:33 110,592 a------- c:\windows\system32\clbcatex.dll
2009-05-16 02:32 45,056 a------- c:\windows\system32\wbem\cmdevtgprov.dll
2009-05-16 02:32 40,960 a------- c:\windows\system32\mf3216.dll
2009-05-16 02:32 265,728 a------- c:\windows\system32\h323.tsp
2009-05-16 02:32 614,912 a------- c:\windows\system32\h323msp.dll
2009-05-16 02:32 331,264 a------- c:\windows\system32\ipnathlp.dll
2009-05-16 02:31 376 a------- c:\windows\ODBC.INI
2009-05-16 02:31 28,040 a------- c:\windows\system32\mdimon.dll
2009-05-16 02:24 110,080 -------- c:\windows\system32\pxinsi64.exe
2009-05-16 02:24 109,056 -------- c:\windows\system32\pxcpyi64.exe
2009-05-16 02:21 306,688 a------- c:\windows\IsUninst.exe
2009-05-16 02:20 316,416 a------- c:\windows\system32\uninst.exe
2009-05-16 02:18 590,336 ac------ c:\windows\system32\dllcache\d3dramp.dll
2009-05-16 02:18 436,224 ac------ c:\windows\system32\dllcache\d3dim.dll
2009-05-16 02:18 350,208 ac------ c:\windows\system32\dllcache\d3drm.dll
2009-05-16 02:18 47,616 ac------ c:\windows\system32\dllcache\d3dxof.dll
2009-05-16 02:18 34,816 ac------ c:\windows\system32\dllcache\d3dpmesh.dll
2009-05-16 02:18 10,496 ac------ c:\windows\system32\dllcache\dxapi.sys
2009-05-16 02:18 467,968 ac------ c:\windows\system32\dllcache\diactfrm.dll
2009-05-16 02:18 223,232 ac------ c:\windows\system32\dllcache\gcdef.dll
2009-05-16 02:18 44,032 ac------ c:\windows\system32\dllcache\dimap.dll
2009-05-16 02:17 344,064 a----r-- c:\windows\system32\msvcr70.dll
2009-05-16 02:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\VAIO Media Platform
2009-05-16 02:13 2 -------- c:\windows\system32\Px.ini
2009-05-16 02:13 <DIR> --d----- c:\program files\drag'n drop cd+dvd
2009-05-16 02:12 <DIR> --d----- c:\program files\common files\InterVideo
2009-05-16 02:11 221,184 a------- c:\windows\system32\wmpns.dll
2009-05-16 02:11 <DIR> --d----- c:\documents and settings\Cristoforo
2009-05-16 02:11 <DIR> --d----- c:\docume~1\cristo~1\applic~1\Symantec
2009-05-16 02:10 0 a---hr-- c:\windows\system32\drivers\Sony_VGC-RA710G(UC).mrk

==================== Find3M ====================

2009-05-21 23:56 348,160 a------- c:\windows\system32\msvcr71.dll
2009-05-21 23:56 499,712 a------- c:\windows\system32\msvcp71.dll
2009-05-20 22:11 97,135 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 0:01:11.54 ===============

#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:29 AM

Posted 05 June 2009 - 09:22 PM

Hello chixdigit,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2_01
    Java™ 6 Update 13
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.


Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 05 June 2009 - 09:35 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 chixdigit

chixdigit
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:29 AM

Posted 06 June 2009 - 05:35 AM

Hi SifuMike,

Thanks for helping me out. Here is the full MBAM report that you requested:

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/6/2009 3:27:03 AM
mbam-log-2009-06-06 (03-27-03).txt

Scan type: Full Scan (C:\|J:\|K:\|)
Objects scanned: 248755
Time elapsed: 2 hour(s), 39 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86,85.255.112.8 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dfa216f3-0c7b-4497-aff1-d7a07dadc78f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86,85.255.112.8 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86,85.255.112.8 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{dfa216f3-0c7b-4497-aff1-d7a07dadc78f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86,85.255.112.8 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86,85.255.112.8 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{dfa216f3-0c7b-4497-aff1-d7a07dadc78f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86,85.255.112.8 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
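As an added example (not from this thread and not Malwarebytes' own code), here is a small Python parser for the "Registry Data Items Infected" section of an MBAM 1.x log like the one above. It pulls the resolver addresses the Trojan.DNSChanger entries report, checks them against an allowlist of the DNS servers you actually expect on that network, lists the Security Center notification switches the infection turned off, and shows which control sets carried the rogue NameServer value. The sample log lines and the allowlist CIDRs are constructed for the example; the key names and 85.255.112.x resolvers mirror the entries quoted in the post.

```python
import ipaddress
import re

# Constructed sample in the shape of Malwarebytes 1.x log lines; the key names
# and the 85.255.112.x resolvers mirror the entries quoted in this thread.
SAMPLE_LOG = """\
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86,85.255.112.8 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{dfa216f3-0c7b-4497-aff1-d7a07dadc78f}\\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.86,85.255.112.8 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One detection line: <registry path> (<detection>) [-> Bad/Good counts] [-> Data: <value>] -> <action>
ITEM_RE = re.compile(
    r"^(?P<key>HKEY_\S.*?) \((?P<det>[^)]+)\)"
    r"(?: -> Bad: \(\d+\) Good: \(\d+\))?"
    r"(?: -> Data: (?P<data>\S+))?"
)


def parse_mbam_items(text):
    """Parse every detection line into {key, detection, data}; data is None when absent."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append({"key": m.group("key"),
                          "detection": m.group("det"),
                          "data": m.group("data")})
    return items


def rogue_nameservers(items, trusted_cidrs):
    """Resolver IPs found in NameServer values that are outside the expected networks."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    rogue = set()
    for it in items:
        if it["data"] is None or not it["key"].lower().endswith("\\nameserver"):
            continue
        for raw in it["data"].split(","):
            try:
                ip = ipaddress.ip_address(raw.strip())
            except ValueError:
                continue  # fragment left by a wrapped log line; skip it
            if not any(ip in net for net in trusted):
                rogue.add(str(ip))
    return sorted(rogue)


def securitycenter_tampering(items):
    """Security Center notification switches the infection disabled (value names only)."""
    return sorted(it["key"].rsplit("\\", 1)[-1]
                  for it in items if it["detection"] == "Disabled.SecurityCenter")


def changed_control_sets(items):
    """Control sets that carried a rogue NameServer. CurrentControlSet is only a
    link to one ControlSet00N, so the fix has to be confirmed under each real set."""
    sets = set()
    for it in items:
        if it["detection"] != "Trojan.DNSChanger":
            continue
        m = re.search(r"\\(CurrentControlSet|ControlSet\d+)\\", it["key"])
        if m:
            sets.add(m.group(1))
    return sorted(sets)


if __name__ == "__main__":
    found = parse_mbam_items(SAMPLE_LOG)
    # Constructed allowlist: the router and a public resolver this network is meant to use.
    print("rogue resolvers:", rogue_nameservers(found, ["192.168.1.1/32", "8.8.8.0/24"]))
    print("notifications disabled:", securitycenter_tampering(found))
    print("control sets touched:", changed_control_sets(found))
```

The allowlist is the part a responder has to supply: a NameServer value that is not the router, the ISP resolver or a known public resolver is the thing to chase, and the two Disable*Notify values explain why the Security Center stayed quiet while Norton and the firewall were off.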

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 June 2009 - 10:06 AM

Hi chixdigit,

Database version 2182 is an old database.
The latest database version is 2232.
You need to update Malwarebytes, run it again and post the log.



We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Norton Antivirus and Windows Defender before running ComboFix, as they will prevent it from running.

To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for the Norton icon.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the icon will change accordingly.
You successfully disabled the Norton Antivirus Guard.


To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 06 June 2009 - 10:10 AM.


#5 chixdigit

chixdigit
  • Topic Starter

  • Members
  • 19 posts

Posted 06 June 2009 - 05:59 PM

SifuMike,

Here is the MBAM log after updating to the latest version (2238) + the ComboFix log.

Malwarebytes' Anti-Malware 1.37
Database version: 2238
Windows 5.1.2600 Service Pack 3

6/6/2009 3:54:07 PM
mbam-log-2009-06-06 (15-54-07).txt

Scan type: Full Scan (C:\|J:\|K:\|)
Objects scanned: 252157
Time elapsed: 2 hour(s), 24 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\cristoforo\doctorweb\quarantine\License.v.3.412[1].exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\documents and settings\cristoforo\doctorweb\quarantine\server.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

*******************************************************************************
ComboFix 09-06-06.01 - Cristoforo 06/06/2009 16:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.395 [GMT -7:00]
Running from: c:\documents and settings\Cristoforo\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: Norton Internet Security *disabled* {825036E0-9F94-4752-8789-8B92454AF49B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll
c:\windows\setup.exe
c:\windows\system32\drivers\Sony_VGC-RA710G(UC).mrk
c:\windows\system32\MPG4c32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-05-06 to 2009-06-06 )))))))))))))))))))))))))))))))
.

2009-06-06 07:42 . 2009-06-06 07:42 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\Malwarebytes
2009-06-06 07:42 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-06 07:42 . 2009-06-06 07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 07:42 . 2009-06-06 07:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-06 07:42 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-03 10:47 . 2009-06-03 11:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-06-03 10:44 . 2009-06-03 10:44 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-06-03 10:41 . 2009-06-03 10:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-03 10:39 . 2009-06-03 10:39 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-03 07:21 . 2009-06-03 07:21 -------- d-----w- c:\program files\Trend Micro
2009-06-02 19:32 . 2009-06-02 19:47 -------- d-----w- c:\program files\Autorun Eater
2009-06-02 11:06 . 2009-06-02 11:06 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-06-02 09:37 . 2009-06-02 09:37 -------- d-----w- c:\documents and settings\Cristoforo\DoctorWeb
2009-06-02 09:13 . 2009-06-02 09:13 -------- d--h--w- c:\windows\PIF
2009-06-01 02:55 . 2009-06-01 02:55 -------- d-----w- c:\program files\Taskbar Repair Tool Plus!
2009-05-31 11:04 . 2009-05-31 11:04 -------- d-----w- c:\program files\AsfTools 3.1
2009-05-31 11:02 . 2009-06-01 07:48 -------- d-----w- c:\program files\VirtualDub v1.4c
2009-05-31 08:11 . 2009-05-31 08:11 -------- d-----w- c:\documents and settings\Cristoforo\Local Settings\Application Data\Help
2009-05-30 15:05 . 2009-05-31 08:11 -------- d-----w- c:\program files\1-4a Rename
2009-05-30 14:43 . 2009-05-31 08:11 -------- d-----w- c:\program files\Lame for Audacity
2009-05-30 14:33 . 2009-05-31 08:11 -------- d-----w- c:\program files\Audacity
2009-05-28 20:44 . 2009-06-03 08:48 -------- d-----w- c:\windows\system32\NtmsData
2009-05-28 15:20 . 2009-05-28 15:20 -------- d--h--w- c:\program files\InstallJammer Registry
2009-05-28 11:18 . 2004-04-30 16:37 160640 ----a-w- c:\windows\system32\drivers\a347bus.sys
2009-05-28 11:18 . 2004-04-30 16:33 5248 ----a-w- c:\windows\system32\drivers\a347scsi.sys
2009-05-28 11:18 . 2009-05-28 11:18 -------- d-----w- c:\program files\Alcohol Soft
2009-05-27 11:15 . 2009-05-27 11:15 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-27 11:15 . 2009-05-27 11:16 38208 ----a-w- c:\documents and settings\Cristoforo\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-27 08:48 . 2009-05-27 11:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-27 07:36 . 2009-06-06 14:23 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\ReGet Software
2009-05-27 07:34 . 2009-05-27 11:11 -------- d-----w- c:\program files\Common Files\ReGet Shared
2009-05-27 07:34 . 2009-05-27 07:37 -------- d-----w- c:\program files\ReGet Software
2009-05-26 19:20 . 2009-05-26 19:20 -------- d-----w- c:\program files\Whale Communications
2009-05-25 22:48 . 2009-05-25 22:48 -------- d-----w- c:\program files\InterVideo
2009-05-25 22:48 . 2009-05-25 22:48 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\InstallShield
2009-05-25 04:13 . 2009-05-25 04:13 58 ----a-w- c:\windows\system32\DonationCoder_UnicodeImageMaker_InstallInfo.dat
2009-05-25 04:13 . 2009-05-25 04:13 58 ----a-w- c:\documents and settings\Cristoforo\Local Settings\Application Data\DonationCoder_UnicodeImageMaker_InstallInfo.dat
2009-05-25 04:13 . 2009-05-25 04:46 -------- d-----w- c:\program files\UnicodeImageMaker
2009-05-25 01:01 . 2009-05-25 01:02 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\IcoFX
2009-05-25 01:01 . 2009-05-25 01:01 -------- d-----w- c:\program files\IcoFX 1.6
2009-05-24 23:18 . 2009-05-24 23:18 -------- d-sh--w- c:\documents and settings\Cristoforo\IECompatCache
2009-05-24 23:14 . 2009-05-24 23:14 -------- d-sh--w- c:\documents and settings\Cristoforo\PrivacIE
2009-05-24 23:01 . 2009-05-24 23:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-24 23:01 . 2009-05-24 23:01 -------- d-sh--w- c:\documents and settings\Cristoforo\IETldCache
2009-05-24 21:38 . 2009-05-24 21:38 -------- d-----w- c:\windows\ie8updates
2009-05-24 21:34 . 2009-05-24 21:36 -------- dc-h--w- c:\windows\ie8
2009-05-24 21:32 . 2009-04-25 05:30 102400 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-24 16:08 . 2009-05-31 08:11 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\gtk-2.0
2009-05-24 16:08 . 2009-05-24 16:09 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\avidemux
2009-05-24 16:07 . 2009-05-31 00:20 -------- d-----w- c:\program files\Avidemux 2.4
2009-05-23 21:59 . 2009-05-23 21:59 -------- d-----w- C:\TEMP
2009-05-23 19:34 . 2008-08-20 17:58 129520 ------w- c:\windows\system32\pxafs.dll
2009-05-23 19:34 . 2009-05-31 08:10 -------- d-----w- c:\program files\Winamp
2009-05-23 19:34 . 2009-05-30 12:44 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\Winamp
2009-05-23 11:59 . 2008-12-05 04:42 815104 ----a-w- c:\windows\system32\xvidcore.dll
2009-05-23 11:59 . 2008-12-05 04:46 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-05-23 11:55 . 2009-05-27 08:54 -------- d-----w- c:\program files\VirtualDubMod v1.5.10.2 All Inclusive
2009-05-23 09:50 . 2009-05-31 07:02 -------- d-----w- C:\f o n t s
2009-05-23 09:34 . 2009-05-23 09:34 -------- d-----w- c:\program files\GiPo@Utilities
2009-05-23 09:34 . 2009-05-23 09:34 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-05-23 09:33 . 2009-05-23 09:33 -------- d-----w- c:\program files\Alarm
2009-05-23 09:24 . 2009-05-23 09:37 -------- d-----w- c:\program files\Folder View Master 3
2009-05-23 06:13 . 2009-05-23 06:13 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\Final Draft
2009-05-23 06:08 . 2005-07-05 18:47 1073152 ----a-r- c:\windows\system32\cdintf210.dll
2009-05-23 06:08 . 2009-05-23 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Final Draft
2009-05-23 06:08 . 2009-05-23 06:08 51712 ----a-r- c:\documents and settings\Cristoforo\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2009-05-23 06:08 . 2009-05-23 06:08 51712 ----a-r- c:\documents and settings\Cristoforo\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2009-05-23 06:08 . 2009-05-23 06:08 51712 ----a-r- c:\documents and settings\Cristoforo\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2009-05-23 06:08 . 2009-05-23 06:08 27648 ----a-r- c:\documents and settings\Cristoforo\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2009-05-23 06:07 . 2009-05-23 06:21 -------- d-----w- c:\program files\Final Draft 7
2009-05-23 06:07 . 2009-05-23 06:07 -------- d-----w- c:\program files\Final Draft Tagger
2009-05-23 06:07 . 2009-05-23 06:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-23 01:50 . 2009-05-31 07:17 -------- d-----w- c:\program files\Font Xplorer
2009-05-22 22:00 . 2009-05-22 22:00 -------- d-----w- c:\program files\MSXML 4.0
2009-05-22 11:40 . 2009-05-28 11:23 3350 --sh--w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-05-22 11:40 . 2009-05-23 12:39 88 --sh--r- c:\documents and settings\All Users\Application Data\856BF078A1.sys
2009-05-22 11:40 . 2009-05-22 11:44 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\Corel
2009-05-22 11:39 . 2005-09-21 00:27 10368 ----a-w- c:\windows\system32\drivers\iviaspi.sys
2009-05-22 11:37 . 2009-05-25 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2009-05-22 11:37 . 2009-05-22 11:37 -------- d-----w- c:\program files\Common Files\Protexis
2009-05-22 11:36 . 2009-05-22 11:36 -------- d-----w- c:\program files\Corel
2009-05-22 09:52 . 2009-05-22 09:52 -------- d-----w- c:\program files\Common Files\xing shared
2009-05-22 09:52 . 2009-05-22 09:52 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\InterVideo
2009-05-22 06:56 . 2009-05-22 06:56 -------- d-----w- c:\program files\Real
2009-05-22 06:56 . 2009-05-22 09:52 -------- d-----w- c:\program files\Common Files\Real
2009-05-22 06:48 . 2009-05-22 06:48 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\Apple Computer
2009-05-22 06:17 . 2009-05-22 09:52 -------- d-----w- C:\DECCHECK
2009-05-22 05:27 . 2009-05-22 05:27 -------- d-----w- c:\windows\Logs
2009-05-22 04:57 . 2009-05-22 09:52 -------- d-----w- c:\program files\MagicISO
2009-05-22 00:27 . 2009-05-22 00:29 -------- d-----w- c:\program files\Pazera Free FLV to AVI Converter v1.2
2009-05-22 00:04 . 2009-05-29 07:09 -------- d-----w- c:\documents and settings\Cristoforo\Application Data\dvdcss
2009-05-21 21:57 . 2009-05-22 01:03 -------- d-----w- c:\documents and settings\Cristoforo\Local Settings\Application Data\WMTools Downloaded Files
2009-05-21 07:27 . 2009-05-21 07:27 3584 ----a-r- c:\documents and settings\Cristoforo\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-05-21 07:27 . 2009-05-21 07:27 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-05-21 07:25 . 2009-05-21 07:25 -------- d-----w- c:\program files\MSECACHE
2009-05-21 05:02 . 2009-05-21 05:02 -------- d-----w- c:\windows\system32\scripting
2009-05-21 05:02 . 2009-05-21 05:02 -------- d-----w- c:\windows\l2schemas
2009-05-21 05:02 . 2009-05-21 05:02 -------- d-----w- c:\windows\system32\en
2009-05-21 03:46 . 2009-05-21 03:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-05-20 21:40 . 2009-05-20 21:40 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-20 21:33 . 2009-05-21 07:42 -------- d-----w- c:\windows\SHELLNEW
2009-05-20 21:33 . 2009-05-20 21:33 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-05-20 21:32 . 2009-05-20 21:32 -------- d--h--r- C:\MSOCache
2009-05-20 21:27 . 2009-05-20 21:27 -------- d-----w- c:\windows\nview
2009-05-20 11:44 . 2009-05-20 21:26 -------- d-----w- c:\windows\LastGood(2)
2009-05-20 11:15 . 2009-05-20 11:46 -------- d-----w- c:\windows\nview(2)
2009-05-20 01:00 . 2009-05-20 01:02 -------- d-----w- c:\windows\SHELLNEW(2)
2009-05-20 00:56 . 2009-05-20 21:32 -------- d-----w- C:\MSOCache(2)
2009-05-19 22:52 . 2009-05-22 05:01 -------- d-----w- c:\program files\DAMN NFO Viewer
2009-05-19 22:10 . 2009-05-19 22:10 -------- d-----w- c:\documents and settings\Cristoforo\IAG Remote Access Agent
2009-05-19 21:43 . 2009-05-19 21:43 -------- d-----w- c:\program files\Moon Software
2009-05-19 12:32 . 2009-05-22 00:28 -------- d-----w- c:\program files\FLV Player
2009-05-19 11:51 . 2009-05-20 21:39 -------- d-----w- c:\program files\Lame mp3 Encoder v3.98.2
2009-05-19 10:44 . 2009-05-23 11:59 -------- d-----w- c:\program files\Xvid
2009-05-18 10:18 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-05-18 10:18 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-05-18 10:06 . 2003-06-25 23:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2009-05-18 10:04 . 2009-05-18 10:04 -------- d-----w- c:\program files\IrfanView
2009-05-18 04:22 . 2009-05-18 04:22 167376 ----a-w- c:\documents and settings\Cristoforo\Application Data\Mozilla\Firefox\Profiles\gcy6ejqn.default\FlashGot.exe
2009-05-18 03:21 . 2009-05-18 03:21 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-18 03:21 . 2009-05-23 11:02 -------- d-----w- c:\program files\DivX Web Player
2009-05-18 01:45 . 2009-05-18 01:45 -------- d-----w- c:\windows\system32\Adobe
2009-05-18 01:43 . 2009-05-18 01:44 -------- d-----w- c:\program files\QuickTime
2009-05-18 01:43 . 2009-05-18 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-18 01:43 . 2009-05-18 01:43 -------- d-----w- c:\documents and settings\Cristoforo\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 07:34 . 2004-04-01 02:21 76520 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 07:08 . 2004-04-01 21:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-25 22:31 . 2004-04-01 19:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-25 22:31 . 2004-04-01 20:42 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-05-25 22:30 . 2004-04-01 20:48 -------- d-----w- c:\program files\Sony
2009-05-22 06:56 . 2009-04-28 09:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-22 06:56 . 2009-04-28 09:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-05-21 05:11 . 2004-04-01 02:14 97135 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-16 23:52 . 2004-04-01 20:41 -------- d-----w- c:\program files\Java
2009-05-16 11:21 . 2004-04-01 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-05-16 09:21 . 2009-05-16 09:21 -------- d-----w- c:\windows\Fonts\Fonts
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlendar Lite 2.5\Rainlendar2.exe" [2009-02-21 4333568]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-14 50176]
"sHotKey"="c:\program files\SONY\sHotKey\sHotKey.exe" [2003-08-22 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-09-06 70840]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"VAIO Update 3"="c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-05-16 551032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-06 148888]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-23 88363]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\Cristoforo\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 00000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=

R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [5/16/2009 2:15 AM 94290]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [5/26/2009 12:20 PM 428184]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/17/2009 6:39 PM 33176]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-06-06 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2009-05-16 01:22]

2009-06-06 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-04-01 02:38]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{16664848-0E00-11D2-8059-000000000000} - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = https://owa.spe.sony.com/exchweb/bin/auth/o...placeCurrent=1#
IE: Do&wnload by ReGet Deluxe - c:\program files\Common Files\ReGet Shared\CC_Link.htm
IE: Download A&ll by ReGet Deluxe - c:\program files\Common Files\ReGet Shared\CC_All.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Cristoforo\Application Data\Mozilla\Firefox\Profiles\gcy6ejqn.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\DivX Web Player\DivX Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-06 16:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,71,3f,27,72,c9,93,4a,a2,43,25,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,71,3f,27,72,c9,93,4a,a2,43,25,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1400)
c:\progra~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\eHome\ehsched.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Sony\vaio media integrated server\Video\GPVSvr.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
c:\program files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-06-06 16:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-06 23:36

Pre-Run: 87,352,791,040 bytes free
Post-Run: 88,389,222,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

304 --- E O F --- 2009-06-02 06:30

Edited by chixdigit, 06 June 2009 - 06:43 PM.


#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 06 June 2009 - 09:36 PM

Hi chixdigit,



Your system is infected with a Flash Drive infector

Warning: Any flash / jump drives you have connected to this system since your infection have been compromised by a flash drive infector.
We are going to run a tool as part of the following fix which will disinfect your machine, as well as clean any flash drives connected to the system.
It is advised you connect any flash drives that have been connected to this machine during this time frame to this system for the following fix, in order to disinfect them.

Please let owners of other machines to which you have connected any flash media or drives know that their machines may now be infected.

We need to remove the Flash Drive infector


What Flash Disinfector will do:
- Cleans up junk created by flash malware
- Deletes autorun.inf from every root folder
- Repairs damage done to your system
- Creates an autorun.inf folder in the root of your system drives


Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.

Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
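The four bullet points above describe what an autorun-worm clean-up does; the following is an added example of the same two steps in code (inspecting each drive root's autorun.inf for launch directives, then occupying the autorun.inf name with a hidden, system directory). It is not Flash_Disinfector's code and not from this thread; the sample autorun.inf texts, the SID-like folder name inside them, and the "suspicious" heuristics are constructed for illustration.

```python
"""Inspect and neutralise autorun.inf in drive roots.

Added example (not Flash_Disinfector's own code). The sample INF texts, the
SID-like folder name and the suspicious-content heuristics are assumptions
made for illustration.
"""
import ctypes
import os
import re
import string

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample in the style of a RECYCLER autorun worm: mixed case,
# junk comment lines, and every launch verb pointed at the same binary.
SAMPLE_WORM_INF = """\
[AuToRuN]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
OPEN = RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\boot.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\boot.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\boot.exe
shellexecute=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\boot.exe
"""

# Constructed benign sample: only cosmetic directives, nothing is launched.
SAMPLE_BENIGN_INF = """\
[autorun]
icon=drive.ico
label=Backup
"""


def parse_autorun(text):
    """Parse the [autorun] section into {key: value} with lower-cased keys.

    Case-insensitive, skips comment/junk lines and a UTF-8 BOM, because
    worm-written files rely on exactly those to dodge naive checks.
    """
    entries = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every value that Explorer would run or open automatically."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def suspicious_reasons(entries):
    """Assumed heuristics: RECYCLER paths, executables, hijacked Explorer verbs."""
    reasons = []
    for target in launch_targets(entries):
        low = target.lower()
        if "recycler" in low:
            reasons.append("launch target inside RECYCLER: " + target)
        elif any(ext in low for ext in EXEC_EXT):
            reasons.append("launch target is an executable: " + target)
    if any(SHELL_COMMAND_RE.match(k) for k in entries):
        reasons.append("shell\\<verb>\\command overrides Explorer's Open/Explore")
    return reasons


def inspect_roots(roots):
    """Return {root: reasons} for every root that carries an autorun.inf file."""
    findings = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        findings[root] = suspicious_reasons(entries) or ["autorun.inf present, no launch directive"]
    return findings


def protect_root(root):
    """Occupy the autorun.inf name with a hidden+system directory.

    A directory cannot be parsed as an INF, and a worm that tries to drop its
    own autorun.inf gets "file exists". Refuses to act if a file is already
    there, so a live infection is reported rather than silently overwritten.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        return False
    os.makedirs(path, exist_ok=True)
    if os.name == "nt":
        FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return True


def windows_roots():
    """Existing drive roots A:\\ .. Z:\\ (Windows only; empty list elsewhere)."""
    if os.name != "nt":
        return []
    return [d + ":\\" for d in string.ascii_uppercase if os.path.isdir(d + ":\\")]


if __name__ == "__main__":
    for root, reasons in inspect_roots(windows_roots()).items():
        print(root, "->", "; ".join(reasons))
```

The placeholder directory is a speed bump, not a fix: any process running as the same user can remove it. The durable control is to stop Explorer honouring autorun.inf on removable and fixed drives at all, via the NoDriveTypeAutoRun registry value (0xFF disables AutoRun for every drive type), and to keep the operating system patched so that value is actually respected.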

#7 chixdigit

chixdigit
  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:29 AM

Posted 06 June 2009 - 10:20 PM

SifuMike,

My anti-virus is going crazy when I try to download the Flash_Disinfector.exe file. It says that it contains a Trojan virus. Should I disable Norton Anti-Virus and proceed? Are you sure that this disinfector is safe/clean? I'll wait until I hear back from you before proceeding.

Thanks.

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:29 AM

Posted 06 June 2009 - 10:31 PM

Should I disable Norton Anti-Virus and proceed?


Yes, disable it.

Are you sure that this disinfector is safe/clean?


Yes, it is safe. Many of our tools set off the antivirus programs. It has been used by many thousands of people.

Edited by SifuMike, 06 June 2009 - 10:33 PM.


#9 chixdigit

chixdigit
  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:29 AM

Posted 07 June 2009 - 07:34 AM

SifuMike,

Here are the results of the Kaspersky Online Scanner:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, June 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, June 07, 2009 06:40:42
Records in database: 2321076
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\

Scan statistics:
Files scanned: 272981
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 07:24:22


File name / Threat name / Threats count
C:\System Volume Information\_restore{22736186-57A4-4FC6-8A70-56A81AF14013}\RP214\A0159891.dll Infected: Trojan.Win32.Agent2.kit 1

The selected area was scanned.
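The report above has one hit, and its path is inside a System Restore point, which is why the advice that follows is to reset System Restore rather than delete anything by hand. The following is an added example of automating that triage: it parses the Kaspersky Online Scanner text format shown above, checks the detection lines against the "Infected objects" statistic, and separates findings inside `System Volume Information\_restore{...}\RPnnn\` from findings on the live system. It is not part of this thread or of Kaspersky's tooling; the embedded report is the one posted above plus one constructed extra line (labelled as such) so that both classes appear.

```python
"""Triage a Kaspersky Online Scanner 7.0 text report.

Added example, not from the thread or from Kaspersky. The report text below
is the posted report plus one constructed detection line, marked as such.
"""
import re

# "<path> Infected: <threat> <count>" as printed in the report body.
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
# "Infected objects: 1", "Files scanned: 272981", etc.
STAT_RE = re.compile(r"^(?P<name>[A-Za-z ]+):\s*(?P<value>\d+)\s*$")
# XP System Restore point layout: System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)

SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 272981
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 07:24:22


File name / Threat name / Threats count
C:\System Volume Information\_restore{22736186-57A4-4FC6-8A70-56A81AF14013}\RP214\A0159891.dll Infected: Trojan.Win32.Agent2.kit 1
D:\RECYCLER\example-constructed\boot.exe Infected: Trojan.Win32.Constructed.sample 1

The selected area was scanned.
"""


def parse_report(text):
    """Return (stats, detections): stats as {name: int}, detections as dicts."""
    stats, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append({
                "path": m.group("path"),
                "threat": m.group("threat"),
                "count": int(m.group("count")),
                "in_restore_point": bool(RESTORE_POINT_RE.search(m.group("path"))),
            })
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m.group("name").strip().lower()] = int(m.group("value"))
    return stats, detections


def triage(text):
    """Summarise: which hits need hand clean-up vs. a System Restore reset."""
    stats, detections = parse_report(text)
    live = [d for d in detections if not d["in_restore_point"]]
    restore = [d for d in detections if d["in_restore_point"]]
    return {
        "counts_consistent": stats.get("infected objects") == sum(d["count"] for d in detections),
        "live_paths": [d["path"] for d in live],
        "restore_point_paths": [d["path"] for d in restore],
        "restore_reset_sufficient": bool(detections) and not live,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, "=", value)
```

With only the posted line present, `restore_reset_sufficient` is true and the helper's advice (reset System Restore, which discards the RPnnn folders) removes everything the scanner found; the constructed RECYCLER line flips it to false, which is the case where the file itself still has to be dealt with.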

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:29 AM

Posted 07 June 2009 - 11:25 AM

chixdigit,

Good. :thumbup2: Kaspersky found only one file in the System Restore folder. We will be resetting the System Restore files shortly. That will remove the file.

I think we have you clean.

How is the computer running?

We still have some program updates to do.

#11 chixdigit

chixdigit
  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:29 AM

Posted 07 June 2009 - 03:35 PM

SifuMike,

That's great news! You're awesome, man! Thank you for all of your help. My computer seems to be running OK, but I'm worried that another instance of this virus will pop up again. When I initially became infected, all of my virus detection/protection software was running and up to date (as far as I know). Norton gave me a warning that it detected a trojan virus and that it couldn't be removed. How was the virus able to get past my anti-virus software and install itself? I'm ready whenever you are to remove this last instance of the virus from the System Restore folder. Just let me know... And thanks again.

Edited by chixdigit, 07 June 2009 - 03:57 PM.


#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:29 AM

Posted 07 June 2009 - 04:12 PM

Hi chixdigit,

You're very welcome. :thumbup2:

Where is Norton finding the virus? It may be in the System Restore folder. Post the exact location.

Edited by SifuMike, 07 June 2009 - 04:14 PM.


#13 chixdigit

chixdigit
  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:29 AM

Posted 07 June 2009 - 04:47 PM

SifuMike,


Where is Norton finding the virus? It may be in the System Restore folder. Post the exact location.


Norton isn't giving any alerts now. What I'm saying is that when my computer first became infected (June 1st or 2nd), all of my anti-virus and real-time protection software was running and up to date. Somehow, the Trojan virus was able to bypass my anti-virus software. Although Norton alerted me that a Trojan virus had been found on my system, it was already too late as the virus had already installed itself. How can I better protect myself from this happening again in the future?

Thanks.

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:29 AM

Posted 07 June 2009 - 05:05 PM

Hi chixdigit,

Sometimes the antivirus programs are not enough.

Uninstall ComboFix: go to Start > Run and type in ComboFix /u
Make sure there's a space between ComboFix and /u.
Then hit Enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, _OTMoveIt3), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

If ComboFix is still on your desktop, let me know and we will remove it manually.

Please read and follow

Simple and easy ways to keep your computer safe and secure on the Internet
as well
Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again, as well as
How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.

#15 chixdigit

chixdigit
  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:29 AM

Posted 07 June 2009 - 05:46 PM

SifuMike,

I get an error message when trying to uninstall. A PNG of the error message is attached.

FYI - I deleted the ComboFix icon from my desktop immediately after I ran it/posted the report.

*Please ignore the above. I re-downloaded ComboFix to my desktop and then uninstalled the program per your instructions.


Edited by chixdigit, 07 June 2009 - 11:25 PM.
