
Can't show hidden files, Flash Drive Virus


  • This topic is locked
17 replies to this topic

#1 tattoi

tattoi

  • Members
  • 29 posts
  • OFFLINE
  • Local time: 12:53 PM

Posted 28 June 2009 - 07:53 PM

Hi.

I've been experiencing a lot of problems.

For one, the computer does not show hidden files. If I tick the show hidden files option box, it would just return to Do not show hidden files and folders.

Another problem is that Flash Drives can't be opened with double click. The Flash Drive does not contain any Flash Drive Disinfector though.

Lastly, I can't access some websites related to antiviruses and anti malwares. Websites like Malwarebytes, Panda Security, and the like.

Hope you guys can help me with my problem.

Thanks.

DDS Log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 8:36:42.04 on Mon 06/29/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.99 [GMT 8:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Administrator\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [cdloader] "c:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [Actual Transparent Window] "c:\program files\pivot stickfigure animator\actual transparent window\ActualTransparentWindowCenter.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - hxxps://my.levelupgames.ph/keycrypt/npkcx.cab
DPF: {F6676623-8BBD-479C-A51B-05868728708C} - hxxp://www.leonardotravelebooks.com/ebooks/DIGITALDM2.cab
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-7-23 11840]
R2 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-7-23 68865]
R2 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-7-23 147201]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-7-23 49472]
S2 cqjgfl;System Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-19 33176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-06-27 23:45 <DIR> --d----- c:\docume~1\admini~1\applic~1\Actual Tools
2009-06-09 21:19 <DIR> --d----- c:\program files\Vstplugins
2009-06-09 21:08 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-09 21:05 14,048 -------- c:\windows\system32\spmsg2.dll
2009-06-09 20:58 23,856 a------- c:\windows\system32\spupdsvc.exe
2009-06-09 16:58 <DIR> --d----- c:\docume~1\admini~1\applic~1\uTorrent
2009-06-07 04:39 <DIR> --d----- c:\windows\pss
2009-06-06 23:30 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-06-06 23:30 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-06-06 23:30 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-05-30 22:54 1,970,176 a------- c:\windows\system32\d3dx9.dll
2009-05-30 22:54 679,936 a------- c:\windows\system32\D3DX81ab.dll
2009-05-30 22:54 <DIR> --d----- c:\program files\Cheat Engine

==================== Find3M ====================

2009-05-22 10:12 12,838 a------- c:\documents and settings\administrator\file.exe
2008-07-23 16:52 234,842 ---sh--- c:\windows\resources\themes\damek ultrablue\irunin.dat
2004-08-04 06:56 157,680 a--shr-- c:\windows\system32\dqgrxm.dll

============= FINISH: 8:37:15.51 ===============


#2 schrauber

schrauber

    Mr. Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender: Male
  • Location: Munich, Germany
  • Local time: 05:53 AM

Posted 02 July 2009 - 11:34 AM

Hello tattoi and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 tattoi

tattoi
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time: 12:53 PM

Posted 02 July 2009 - 10:18 PM

Hi guys.

No biggie for the delay, I fully understand that you're working double time just to help everybody. Please know that I really appreciate everything you've done for all of us. Thank you very much.

On topic, I was able to download MBAM from another source. It detected Conficker, Dropper, and several others. MBAM deleted everything. However, the Conficker keeps on reappearing each time I perform a scan. If I am not mistaken, the Conficker virus prevents me from accessing certain websites.

I'll include the last MBAM log.

MBAM Log:
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/1/2009 5:58:20 PM
mbam-log-2009-07-01 (17-58-20).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 248638
Time elapsed: 2 hour(s), 57 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
g:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665 (Trojan.Conficker.H) -> Quarantined and deleted successfully.

Files Infected:
G:\autorun.inf (Trojan.Conficker.H) -> Quarantined and deleted successfully.
g:\RECYCLER\s-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (Trojan.Conficker.H) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f786c47f-35d4-44c3-83c6-05370ad4e52a}\RP9\A0005084.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.



DDS:
DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 11:12:01.29 on Fri 07/03/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.43 [GMT 8:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pivot Stickfigure Animator\Actual Transparent Window\ActualTransparentWindowCenter.exe
C:\Documents and Settings\Administrator\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Mic Test\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [cdloader] "c:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Actual Transparent Window] "c:\program files\pivot stickfigure animator\actual transparent window\ActualTransparentWindowCenter.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - hxxps://my.levelupgames.ph/keycrypt/npkcx.cab
DPF: {F6676623-8BBD-479C-A51B-05868728708C} - hxxp://www.leonardotravelebooks.com/ebooks/DIGITALDM2.cab
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-7-23 11840]
R2 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-7-23 68865]
R2 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-7-23 147201]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-7-23 49472]
S2 cqjgfl;System Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-19 33176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-07-01 14:16 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-07-01 14:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 14:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-01 14:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 14:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-27 23:45 <DIR> --d----- c:\docume~1\admini~1\applic~1\Actual Tools
2009-06-09 21:19 <DIR> --d----- c:\program files\Vstplugins
2009-06-09 21:08 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-09 21:05 14,048 -------- c:\windows\system32\spmsg2.dll
2009-06-09 20:58 23,856 a------- c:\windows\system32\spupdsvc.exe
2009-06-09 16:58 <DIR> --d----- c:\docume~1\admini~1\applic~1\uTorrent
2009-06-07 04:39 <DIR> --d----- c:\windows\pss
2009-06-06 23:30 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-06-06 23:30 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-06-06 23:30 60,273 a------- c:\windows\system32\pthreadGC2.dll

==================== Find3M ====================

2008-07-23 16:52 234,842 ---sh--- c:\windows\resources\themes\damek ultrablue\irunin.dat
2004-08-04 06:56 157,680 a--shr-- c:\windows\system32\dqgrxm.dll

============= FINISH: 11:12:40.07 ===============

Hope you guys can help me. Thank you very much.


Edited by tattoi, 03 July 2009 - 01:59 AM.
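An added example, not from this thread or from the DDS and MBAM tools themselves: a small Python triage script that applies the checks a helper does by eye to the log lines posted above, namely the netsvcs-hosted service with a random name, the system+hidden DLL in system32, the SHOWALL\CheckedValue hijack behind the hidden-files symptom, and the autorun.inf plus RECYCLER payload pair on the G: drive. The sample lines are excerpts of the logs above; the name-randomness threshold and the attribute-letter checks are my own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: excerpts of the DDS and MBAM logs posted in this thread,
# plus one benign Find3M line, so the checks can be run offline.
SAMPLE_LOG = r"""
S2 cqjgfl;System Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-7-23 147201]
2004-08-04 06:56 157,680 a--shr-- c:\windows\system32\dqgrxm.dll
2009-05-22 10:12 12,838 a------- c:\documents and settings\administrator\file.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
G:\autorun.inf (Trojan.Conficker.H) -> Quarantined and deleted successfully.
g:\RECYCLER\s-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (Trojan.Conficker.H) -> Quarantined and deleted successfully.
"""

# DDS "SERVICES / DRIVERS" entry:  <state> <name>;<display name>;<image path> [date size]
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[")
# DDS "Find3M" entry:  <date> <time> <size> <attribute flags> <path>
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(?P<attrs>\S{8})\s+(?P<path>.+)$")
# MBAM "Registry Data Items Infected" entry carrying the bad/good value pair
MBAM_REG_RE = re.compile(r"^(?P<key>HK[A-Z_]+\\\S+) \((?P<sig>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
# MBAM "Files Infected" entry
MBAM_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<sig>[^)]+)\) -> ")


def parse_service(line: str) -> Optional[Dict[str, str]]:
    """Split a DDS service/driver line into its fields, or None if it is not one."""
    m = SERVICE_RE.match(line)
    return m.groupdict() if m else None


def looks_random(name: str) -> bool:
    """Heuristic (my own threshold, not DDS's): short, all-lowercase names with
    almost no vowels, like 'cqjgfl', are typical of generated service names."""
    if not (4 <= len(name) <= 10 and name.isalpha() and name.islower()):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels <= len(name) // 3


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding-kind, detail) pairs for the indicators seen in this thread."""
    findings: List[Tuple[str, str]] = []
    autorun_drives, recycler_drives = set(), set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = parse_service(line)
        if svc:
            # DDS leaves the standard Windows services out of this section, so a
            # netsvcs-hosted entry surfacing here means a foreign ServiceDll in svchost.
            if "svchost.exe -k netsvcs" in svc["image"].lower():
                tag = " (random-looking name)" if looks_random(svc["name"]) else ""
                findings.append(("netsvcs-service", f'{svc["name"]} "{svc["display"]}"{tag}'))
            continue
        m = FIND3M_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path").lower()
            # system+hidden flags on a .dll/.exe inside system32 is not how
            # Windows ships its own binaries.
            if "s" in attrs and "h" in attrs and "\\system32\\" in path and path.endswith((".dll", ".exe")):
                findings.append(("hidden-system-dll", path))
            continue
        m = MBAM_REG_RE.match(line)
        if m:
            # CheckedValue=1 under SHOWALL is what lets "Show hidden files" stick;
            # forcing it to 0 is exactly the symptom described in the first post.
            if m.group("key").lower().endswith("\\hidden\\showall\\checkedvalue") and m.group("bad") == "0":
                findings.append(("explorer-hidden-files-hijack",
                                 f'CheckedValue was {m.group("bad")}, should be {m.group("good")}'))
            continue
        m = MBAM_FILE_RE.match(line)
        if m:
            path = m.group("path").lower()
            drive = path[0]
            if path == f"{drive}:\\autorun.inf":
                autorun_drives.add(drive)
            elif "\\recycler\\s-5-3-42-" in path:
                recycler_drives.add(drive)
    # autorun.inf plus a RECYCLER\S-5-3-42-* folder on the same drive is the
    # removable-media pattern the MBAM log attributes to Trojan.Conficker.H.
    for drive in sorted(autorun_drives & recycler_drives):
        findings.append(("removable-autorun", f"{drive}: autorun.inf plus RECYCLER\\S-5-3-42-* payload folder"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```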


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender: Male
  • Local time: 12:53 AM

Posted 04 July 2009 - 03:49 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

These Conficker infections can be really tough sometimes. Let's see what we can do.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [screenshots of the Recovery Console prompt]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [screenshot of the prompt]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 tattoi

tattoi
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time: 12:53 PM

Posted 05 July 2009 - 06:08 AM

Hi Panda, or PP for short. No, I have not made any significant change to my computer since my last reply. I really appreciate everything you guys are doing. Thank you very much.

As requested, here are the logs.

ComboFix Log:

ComboFix 09-07-04.04 - Administrator 07/05/2009 12:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.96 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\k-1-3542-4232123213-7676767-8888886
c:\recycler\k-1-3542-4232123213-7676767-8888886\xv.exe
c:\windows\system32\dqgrxm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CQJGFL
-------\Service_cqjgfl


((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-05 04:31 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\setup.exe
2009-07-05 04:31 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ar00000\install.exe
2009-07-01 06:16 . 2009-07-01 06:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-01 06:16 . 2009-06-17 03:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 06:16 . 2009-07-01 06:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 06:16 . 2009-07-01 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-01 06:16 . 2009-06-17 03:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-27 15:45 . 2009-06-27 15:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Actual Tools
2009-06-20 12:45 . 2009-06-20 12:45 -------- d-----w- c:\documents and settings\8 Commonly Used Herbs and their Healing Properties on Yahoo! Health_files\CAS5EVOH_files
2009-06-20 12:45 . 2009-06-20 12:45 -------- d-----w- c:\documents and settings\8 Commonly Used Herbs and their Healing Properties on Yahoo! Health_files\CA2PUPC1_files
2009-06-20 12:44 . 2009-06-20 12:45 -------- d-----w- c:\documents and settings\8 Commonly Used Herbs and their Healing Properties on Yahoo! Health_files
2009-06-09 13:26 . 2009-06-09 13:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Publish Providers
2009-06-09 13:25 . 2009-06-09 13:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sony
2009-06-09 13:25 . 2009-06-09 13:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony
2009-06-09 13:19 . 2009-06-09 13:19 -------- d-----w- c:\program files\Vstplugins
2009-06-09 13:19 . 2009-06-09 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-06-09 13:14 . 2009-06-09 13:14 -------- d-----w- c:\program files\MSBuild
2009-06-09 13:14 . 2009-06-09 13:14 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-09 13:08 . 2009-06-09 13:08 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-09 13:06 . 2009-06-09 13:06 -------- d-----w- c:\program files\Reference Assemblies
2009-06-09 13:05 . 2006-06-29 05:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-06-09 12:58 . 2006-10-16 08:10 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2009-06-09 12:23 . 2009-06-09 12:57 52770576 ----a-w- c:\documents and settings\Administrator\Application Data\Sony Setup\64993CD0-67D1-4244-A2BC-FD73F4DA5B62\dotnetfx3.exe
2009-06-09 11:50 . 2009-06-09 11:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Setup
2009-06-09 08:58 . 2009-06-09 15:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-06-08 21:59 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\Upgrade\setup2.exe
2009-06-08 21:58 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\Upgrade\install2.exe
2009-06-08 20:53 . 2009-06-08 20:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\magicJack
2009-06-06 15:30 . 2009-06-06 04:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-06-06 15:30 . 2009-06-06 04:00 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 04:32 . 2009-05-19 12:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\mjusbsp
2009-07-03 10:00 . 2009-04-06 13:53 -------- d-----w- c:\program files\Norton Security Scan
2009-06-30 10:05 . 2001-01-02 09:46 -------- d-----w- c:\program files\Pivot Stickfigure Animator
2009-06-29 10:16 . 2009-04-06 13:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-21 08:05 . 2008-07-29 22:34 -------- d-----w- c:\program files\Gravity
2009-06-15 09:26 . 2009-05-15 02:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-10 17:40 . 2008-07-24 02:55 66576 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 09:03 . 2009-05-30 14:54 -------- d-----w- c:\program files\Cheat Engine
2009-05-24 17:31 . 2009-05-24 17:30 -------- d-----w- c:\program files\Veoh Networks
2009-05-24 13:53 . 2008-07-23 04:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-24 10:35 . 2008-07-29 23:30 -------- d-----w- c:\program files\Perfect World
2009-05-23 06:35 . 2009-05-22 17:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-05-21 08:15 . 2009-05-21 08:13 -------- d-----w- c:\program files\Common Files\Macromedia
2009-05-21 08:14 . 2009-05-21 08:13 -------- d-----w- c:\program files\Macromedia
2009-05-21 08:13 . 2009-05-21 08:13 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{91057632-CA70-413C-B628-2D3CDBBB906B}\ARPPRODUCTICON.exe
2009-05-21 08:13 . 2009-05-21 08:13 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
2009-05-19 00:55 . 2009-05-19 00:55 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-19 00:53 . 2008-08-22 08:02 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-19 00:43 . 2009-05-19 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-19 00:05 . 2009-05-19 00:05 -------- d-----w- c:\program files\NOS
2009-05-18 19:02 . 2009-05-18 19:02 -------- d-----w- c:\program files\TechSmith
2009-05-18 16:59 . 2009-05-18 16:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-05-18 16:56 . 2009-05-18 16:56 -------- d-----w- c:\program files\VideoLAN
2009-05-17 07:43 . 2009-05-17 06:46 -------- d-----w- c:\program files\EasyToon 1.9.8 EN
2009-05-16 05:11 . 2009-05-15 02:09 -------- d-----w- c:\program files\Game Cam V2
2009-05-14 17:54 . 2009-05-14 17:52 -------- d-----w- c:\program files\Game Cam
2009-04-10 13:58 . 2009-04-10 13:58 86360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\magicJack.dll
2009-04-10 13:58 . 2009-04-10 13:58 6327408 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\setup.exe
2009-04-10 13:58 . 2009-04-10 13:58 412784 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJackLoader.exe
2009-04-10 13:58 . 2009-04-10 13:58 480608 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\octvqe1_apiw.dll
2009-04-10 13:58 . 2009-04-10 13:58 214360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\TjVista.dll
2009-04-10 13:58 . 2009-04-10 13:58 325040 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\TjIpSys.dll
2009-04-10 13:57 . 2009-04-10 13:57 398696 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\SJHandsetTigerJet.dll
2009-04-10 13:57 . 2009-04-10 13:57 87384 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\st00000\mjsetup.exe
2009-04-10 13:57 . 2009-04-10 13:57 86360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\st00000\magicJack.dll
2009-04-10 13:57 . 2009-04-10 13:57 86360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJack.dll
2009-04-10 13:56 . 2009-04-10 13:56 11871576 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJack.exe
2009-04-10 13:55 . 2009-04-10 13:55 725296 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\install.exe
2009-04-10 13:55 . 2009-04-10 13:55 87384 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\mjsetup.exe
2009-04-10 13:55 . 2009-04-10 13:55 86360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\magicJack.dll
2009-04-10 13:53 . 2009-04-10 13:53 456040 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-04-10 13:53 . 2009-04-10 13:53 456040 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-04-10 13:53 . 2009-04-10 13:53 456040 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJackSplash.exe
2009-04-10 13:53 . 2009-04-10 13:53 456040 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-04-10 13:53 . 2009-04-10 13:53 50520 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe
2008-07-23 08:52 . 2008-07-23 08:53 234842 --sh--w- c:\windows\Resources\Themes\DameK UltraBlue\irunin.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2009-04-10 50520]
"Actual Transparent Window"="c:\program files\Pivot Stickfigure Animator\Actual Transparent Window\ActualTransparentWindowCenter.exe" [2009-03-31 788992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2009-1-19 327680]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Level Up! Games\\Grand Chase PH\\main.exe"=
"c:\\Program Files\\CS Games\\Quake 3 Arena Coliseum\\quake3.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Pivot Stickfigure Animator\\utorrent.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5695:TCP"= 5695:TCP:vygrxwkf

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/19/2009 8:05 AM 33176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{26KLN5J0-4OPX-11WE-AAX3-24EF1F387272}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\xv.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-12 11:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
DPF: {F6676623-8BBD-479C-A51B-05868728708C} - hxxp://www.leonardotravelebooks.com/ebooks/DIGITALDM2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 12:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2864)
c:\program files\Pivot Stickfigure Animator\Actual Transparent Window\atwemb.dll
c:\windows\system32\msi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-07-05 12:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 04:39
ComboFix2.txt 2009-01-10 03:36
ComboFix3.txt 2009-01-10 02:20

Pre-Run: 10,263,425,024 bytes free
Post-Run: 10,885,734,400 bytes free

190



GMER Scan Log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-05 19:00:01
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT F992C1DC ZwCreateThread
SSDT F992C1C8 ZwOpenProcess
SSDT F992C1CD ZwOpenThread
SSDT F992C1D7 ZwTerminateProcess
SSDT F992C1D2 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 4A3 804E3174 1 Byte [D2]
? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\9E8YRL94\9086-2[1].1941782 3743 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AMIXPP0I\quant[1].js 3450 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\MPEG.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\andreas_78er.matrix.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\andreas_doppelte_99er.matrix.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\andreas_einfache_99er.matrix.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\Bulletproof's Heavy Compression Matrix.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\Bulletproof's High Quality Matrix.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\CG-Animation Matrix.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\eqm_autogk_sharp.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\eqm_avc_hr.cfg 910 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\eqm_v1.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\eqm_v3ehr.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\eqm_v3hr.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\eqm_v3lr.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\eqm_v3uhr_rev2.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\eqm_v3ulr_rev3.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\hvs-best-picture.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\hvs-better-picture.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\hvs-good-picture.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\Low Bitrate Matrix.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\pvcd.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\q_matrix.cfg 2697 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\q_matrix2.cfg 1244 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\q_matrix_def.cfg 1244 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\Soulhunters V3.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\Soulhunters V5.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\Standard.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\Ultimate Matrix.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\Ultra Low Bitrate Matrix.xcm 128 bytes
File C:\Program Files\Pivot Stickfigure Animator\ffdshow\custom matrices\Very Low Bitrate Matrix.xcm 128 bytes

---- EOF - GMER 1.0.15 ----

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:53 AM

Posted 05 July 2009 - 08:43 AM

Hello.

That looks better.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5695:TCP"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{26KLN5J0-4OPX-11WE-AAX3-24EF1F387272}]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Update Java to Version 6 Update 14
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Also take a new DDS.txt log from after the updates.

With Regards,
The Panda

#7 tattoi

  • Topic Starter
  • Members
  • 29 posts
  • Local time:12:53 PM

Posted 06 July 2009 - 12:29 AM

Hi Panda or PP for short. Thank you so much for all the help.

I uninstalled every instance of Java and installed Version 6 Update 14.

Here are the logs.

ComboFix Log:

ComboFix 09-07-04.04 - Administrator 07/06/2009 12:48.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.86 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 04:43 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\setup.exe
2009-07-06 04:43 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ar00000\install.exe
2009-07-01 06:16 . 2009-07-01 06:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-01 06:16 . 2009-06-17 03:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 06:16 . 2009-07-01 06:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 06:16 . 2009-07-01 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-01 06:16 . 2009-06-17 03:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-27 15:45 . 2009-06-27 15:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Actual Tools
2009-06-20 12:45 . 2009-06-20 12:45 -------- d-----w- c:\documents and settings\8 Commonly Used Herbs and their Healing Properties on Yahoo! Health_files\CAS5EVOH_files
2009-06-20 12:45 . 2009-06-20 12:45 -------- d-----w- c:\documents and settings\8 Commonly Used Herbs and their Healing Properties on Yahoo! Health_files\CA2PUPC1_files
2009-06-20 12:44 . 2009-06-20 12:45 -------- d-----w- c:\documents and settings\8 Commonly Used Herbs and their Healing Properties on Yahoo! Health_files
2009-06-09 13:26 . 2009-06-09 13:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Publish Providers
2009-06-09 13:25 . 2009-06-09 13:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sony
2009-06-09 13:25 . 2009-06-09 13:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony
2009-06-09 13:19 . 2009-06-09 13:19 -------- d-----w- c:\program files\Vstplugins
2009-06-09 13:19 . 2009-06-09 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-06-09 13:14 . 2009-06-09 13:14 -------- d-----w- c:\program files\MSBuild
2009-06-09 13:14 . 2009-06-09 13:14 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-09 13:08 . 2009-06-09 13:08 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-09 13:06 . 2009-06-09 13:06 -------- d-----w- c:\program files\Reference Assemblies
2009-06-09 13:05 . 2006-06-29 05:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-06-09 12:58 . 2006-10-16 08:10 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2009-06-09 12:23 . 2009-06-09 12:57 52770576 ----a-w- c:\documents and settings\Administrator\Application Data\Sony Setup\64993CD0-67D1-4244-A2BC-FD73F4DA5B62\dotnetfx3.exe
2009-06-09 11:50 . 2009-06-09 11:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Setup
2009-06-09 08:58 . 2009-06-09 15:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-06-08 21:59 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\Upgrade\setup2.exe
2009-06-08 21:58 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Administrator\Application Data\mjusbsp\Upgrade\install2.exe
2009-06-08 20:53 . 2009-06-08 20:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\magicJack
2009-06-06 15:30 . 2009-06-06 04:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-06-06 15:30 . 2009-06-06 04:00 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 04:44 . 2009-05-19 12:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\mjusbsp
2009-07-05 10:00 . 2009-04-06 13:53 -------- d-----w- c:\program files\Norton Security Scan
2009-06-30 10:05 . 2001-01-02 09:46 -------- d-----w- c:\program files\Pivot Stickfigure Animator
2009-06-29 10:16 . 2009-04-06 13:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-21 08:05 . 2008-07-29 22:34 -------- d-----w- c:\program files\Gravity
2009-06-15 09:26 . 2009-05-15 02:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-10 17:40 . 2008-07-24 02:55 66576 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 09:03 . 2009-05-30 14:54 -------- d-----w- c:\program files\Cheat Engine
2009-05-24 17:31 . 2009-05-24 17:30 -------- d-----w- c:\program files\Veoh Networks
2009-05-24 13:53 . 2008-07-23 04:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-24 10:35 . 2008-07-29 23:30 -------- d-----w- c:\program files\Perfect World
2009-05-23 06:35 . 2009-05-22 17:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRightToGo
2009-05-21 08:15 . 2009-05-21 08:13 -------- d-----w- c:\program files\Common Files\Macromedia
2009-05-21 08:14 . 2009-05-21 08:13 -------- d-----w- c:\program files\Macromedia
2009-05-21 08:13 . 2009-05-21 08:13 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{91057632-CA70-413C-B628-2D3CDBBB906B}\ARPPRODUCTICON.exe
2009-05-21 08:13 . 2009-05-21 08:13 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
2009-05-19 00:55 . 2009-05-19 00:55 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-19 00:53 . 2008-08-22 08:02 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-19 00:43 . 2009-05-19 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-19 00:05 . 2009-05-19 00:05 -------- d-----w- c:\program files\NOS
2009-05-18 19:02 . 2009-05-18 19:02 -------- d-----w- c:\program files\TechSmith
2009-05-18 16:59 . 2009-05-18 16:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-05-18 16:56 . 2009-05-18 16:56 -------- d-----w- c:\program files\VideoLAN
2009-05-17 07:43 . 2009-05-17 06:46 -------- d-----w- c:\program files\EasyToon 1.9.8 EN
2009-05-16 05:11 . 2009-05-15 02:09 -------- d-----w- c:\program files\Game Cam V2
2009-05-14 17:54 . 2009-05-14 17:52 -------- d-----w- c:\program files\Game Cam
2009-04-10 13:58 . 2009-04-10 13:58 86360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\magicJack.dll
2009-04-10 13:58 . 2009-04-10 13:58 6327408 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\setup.exe
2009-04-10 13:58 . 2009-04-10 13:58 412784 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJackLoader.exe
2009-04-10 13:58 . 2009-04-10 13:58 480608 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\octvqe1_apiw.dll
2009-04-10 13:58 . 2009-04-10 13:58 214360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\TjVista.dll
2009-04-10 13:58 . 2009-04-10 13:58 325040 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\TjIpSys.dll
2009-04-10 13:57 . 2009-04-10 13:57 398696 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\SJHandsetTigerJet.dll
2009-04-10 13:57 . 2009-04-10 13:57 87384 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\st00000\mjsetup.exe
2009-04-10 13:57 . 2009-04-10 13:57 86360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\st00000\magicJack.dll
2009-04-10 13:57 . 2009-04-10 13:57 86360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJack.dll
2009-04-10 13:56 . 2009-04-10 13:56 11871576 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJack.exe
2009-04-10 13:55 . 2009-04-10 13:55 725296 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\install.exe
2009-04-10 13:55 . 2009-04-10 13:55 87384 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\mjsetup.exe
2009-04-10 13:55 . 2009-04-10 13:55 86360 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\magicJack.dll
2009-04-10 13:53 . 2009-04-10 13:53 456040 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-04-10 13:53 . 2009-04-10 13:53 456040 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-04-10 13:53 . 2009-04-10 13:53 456040 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\magicJackSplash.exe
2009-04-10 13:53 . 2009-04-10 13:53 456040 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-04-10 13:53 . 2009-04-10 13:53 50520 ----a-w- c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe
2008-07-23 08:52 . 2008-07-23 08:53 234842 --sh--w- c:\windows\Resources\Themes\DameK UltraBlue\irunin.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"cdloader"="c:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2009-04-10 50520]
"Actual Transparent Window"="c:\program files\Pivot Stickfigure Animator\Actual Transparent Window\ActualTransparentWindowCenter.exe" [2009-03-31 788992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2009-1-19 327680]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Level Up! Games\\Grand Chase PH\\main.exe"=
"c:\\Program Files\\CS Games\\Quake 3 Arena Coliseum\\quake3.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Pivot Stickfigure Animator\\utorrent.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/19/2009 8:05 AM 33176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-12 11:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
DPF: {F6676623-8BBD-479C-A51B-05868728708C} - hxxp://www.leonardotravelebooks.com/ebooks/DIGITALDM2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 12:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3056)
c:\windows\system32\msi.dll
.
Completion time: 2009-07-06 13:00
ComboFix-quarantined-files.txt 2009-07-06 05:00
ComboFix2.txt 2009-07-05 04:39
ComboFix3.txt 2009-01-10 03:36
ComboFix4.txt 2009-01-10 02:20

Pre-Run: 10,637,201,408 bytes free
Post-Run: 10,735,771,648 bytes free

166



DDS:
DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 13:23:42.03 on Mon 07/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.94 [GMT 8:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Administrator\Desktop\Mic Test\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [cdloader] "c:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Actual Transparent Window] "c:\program files\pivot stickfigure animator\actual transparent window\ActualTransparentWindowCenter.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {F6676623-8BBD-479C-A51B-05868728708C} - hxxp://www.leonardotravelebooks.com/ebooks/DIGITALDM2.cab
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-7-23 11840]
R2 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-7-23 68865]
R2 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-7-23 147201]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-7-23 49472]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-19 33176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-07-06 13:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-06 13:21 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-05 12:37 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-05 12:18 155,136 a------- c:\windows\PEV.exe
2009-07-01 14:16 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-07-01 14:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 14:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-01 14:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 14:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-27 23:45 <DIR> --d----- c:\docume~1\admini~1\applic~1\Actual Tools
2009-06-09 21:19 <DIR> --d----- c:\program files\Vstplugins
2009-06-09 21:08 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-09 21:05 14,048 -------- c:\windows\system32\spmsg2.dll
2009-06-09 20:58 23,856 a------- c:\windows\system32\spupdsvc.exe
2009-06-09 16:58 <DIR> --d----- c:\docume~1\admini~1\applic~1\uTorrent
2009-06-07 04:39 <DIR> --d----- c:\windows\pss
2009-06-06 23:30 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-06-06 23:30 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-06-06 23:30 60,273 a------- c:\windows\system32\pthreadGC2.dll

==================== Find3M ====================

2008-07-23 16:52 234,842 ---sh--- c:\windows\resources\themes\damek ultrablue\irunin.dat

============= FINISH: 13:24:06.14 ===============


#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:53 AM

Posted 06 July 2009 - 08:07 AM

Hello.

It doesn't look like all the available updates were installed. DDS shows your computer is still at Service Pack 2.

With Regards,
The Panda

#9 tattoi
  • Topic Starter
  • Members
  • 29 posts
  • Local time:12:53 PM

Posted 06 July 2009 - 02:25 PM

Hi Panda or PP for short.

I checked the update website and received this error:

[Error number: 0x8DDD0018]
The site cannot continue because one or more of these Windows services is not running:
Automatic Updates (allows the site to find, download and install high-priority updates for your computer)
Background Intelligent Transfer Service (BITS) (helps updates download more quickly and without problems if the download process is interrupted)
Event Log (keeps a record of updating activities to help with troubleshooting, if needed)

To make sure these services are running:
1. Click Start, and then click Run.
2. Type services.msc and then click OK.
3. In the list of services, double-click on Automatic Updates and then click Properties.
4. In the Startup type list, select Automatic and click Apply.
5. Verify that the Service status is started, if the Service Status is Stopped click on the Start Button.
6. In the list of services, double-click on Background Intelligent Transfer Service (BITS) and then click Properties.
7. In the Startup type list, select Manual and click Apply.
8. Verify that the Service status is started, If the Service Status is Stopped click on the Start Button.
9. In the list of services, double-click on Event Log and then click Properties.
10. In the Startup type list, select Automatic and click Apply.
11. Verify that the Service status is started, If the Service Status is Stopped click on the Start Button.


This may seem a bit off-topic but I have a question with regard to removable devices. Is it safe to run Flash_Disinfector (which can be downloaded HERE)? I have removable devices in this computer and MBAM (in my second post in this topic) first detected Conficker in one of the removable devices. I was wondering how can I protect these removable devices as well.

Thanks.
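The eleven-step service check quoted in the error text above, scripted as an added example; it is not part of the thread and not Microsoft's code. It assumes Windows PowerShell is installed (an optional download on XP) and an administrator session; wuauserv, BITS and Eventlog are the short names of the three services the error page lists, which you can confirm with `sc query <name>`. One security point worth keeping in mind while running it: Conficker, which MBAM found on one of the removable drives earlier in this thread, is known to stop and disable Automatic Updates and BITS, so a "not running" or "Disabled" result here is a symptom to record, not a coincidence.

```powershell
# Added example, not from the thread: automate the service check in the
# Windows Update error text. Run from an elevated Windows PowerShell prompt.
# Startup types are the ones the error page prescribes (steps 4, 7 and 10).
$RequiredServices = @(
    @{ Name = 'wuauserv'; Display = 'Automatic Updates';                       StartupType = 'Automatic' },
    @{ Name = 'BITS';     Display = 'Background Intelligent Transfer Service'; StartupType = 'Manual'    },
    @{ Name = 'Eventlog'; Display = 'Event Log';                               StartupType = 'Automatic' }
)

function Get-UpdateServiceState {
    # Report only: status and start mode of each required service, so the
    # "before" picture is preserved in case this turns out to be malware damage.
    foreach ($s in $RequiredServices) {
        $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
        $wmi = Get-WmiObject Win32_Service -Filter "Name='$($s.Name)'"
        $state = 'Missing'; if ($svc) { $state = $svc.Status }
        $mode  = 'Missing'; if ($wmi) { $mode  = $wmi.StartMode }
        "{0,-45} {1,-8} {2}" -f $s.Display, $state, $mode
    }
}

function Repair-UpdateServices {
    # Applies steps 4-11 of the error text: set startup type, then start if stopped.
    foreach ($s in $RequiredServices) {
        $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # A service that is absent (not merely stopped) is beyond this script;
            # note it, because a missing core service is itself a finding.
            Write-Warning "$($s.Display) ($($s.Name)) is not registered on this machine"
            continue
        }
        Set-Service -Name $s.Name -StartupType $s.StartupType
        if ($svc.Status -ne 'Running') {
            Start-Service -Name $s.Name -ErrorAction Stop
        }
        $svc.Refresh()
        "{0,-45} {1,-8} {2}" -f $s.Display, $svc.Status, $s.StartupType
    }
}

"Before:"; Get-UpdateServiceState
"After:";  Repair-UpdateServices
```

If Repair-UpdateServices fails on Start-Service with "access denied" or "the service cannot be started", check the ImagePath and Start values under HKLM\SYSTEM\CurrentControlSet\Services\<name> before retrying; a service whose binary path has been changed is a different problem from one that was simply stopped.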

#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:53 AM

Posted 06 July 2009 - 03:04 PM

Hello.

Had you tried following the directions to check the services?

Flash Disinfector is safe to run.

You can't prevent malicious files from being put on the drive, but you can prevent autorun worms from travelling through them using Flash Disinfector.

With Regards,
The Panda
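An added example of what "prevent autorun worms from travelling through them" amounts to in practice; this is not Flash Disinfector's code, and its internals are not described on this page. The technique is the one such tools are known for: occupy the name autorun.inf on each removable drive with a hidden, read-only folder that holds a subfolder with a reserved device name (con), which ordinary Win32 delete calls cannot remove, so a worm's autorun.inf file cannot be dropped in its place. The second function adds the policy layer the thread does not mention: NoDriveTypeAutoRun = 0xFF, Microsoft's documented way to stop Windows reading autorun.inf at all. Two caveats: on XP SP2 that value is only honoured completely after the Autorun update in Microsoft KB967715, and a worm already running with administrator rights can still remove the folder, so treat the folder as a speed bump and the policy as the real control. Assumes Windows PowerShell and an administrator session; drive enumeration uses WMI DriveType 2 (removable).

```powershell
# Added example, not Flash Disinfector's code: harden removable drives against
# autorun worms. Run from an elevated Windows PowerShell prompt.

function Protect-RemovableDrive {
    # Occupies <drive>:\autorun.inf with a hidden, read-only folder so no file of
    # that name can be dropped there. Returns $true when the folder is in place.
    param([Parameter(Mandatory = $true)][string]$DriveLetter)   # e.g. 'E'
    $root = $DriveLetter + ':\'
    $inf  = Join-Path $root 'autorun.inf'

    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        # An autorun.inf *file* on a flash drive is what the worm drops; keep it
        # under another name for analysis instead of deleting it.
        Write-Warning "autorun.inf file found on $root - renaming to autorun.inf.suspect"
        Rename-Item -LiteralPath $inf -NewName 'autorun.inf.suspect' -Force
    }
    if (-not (Test-Path -LiteralPath $inf -PathType Container)) {
        $null = New-Item -ItemType Directory -Path $inf
        # Reserved device name as a subfolder. The \\?\ prefix bypasses Win32 name
        # parsing, which is what makes the folder hard to delete with normal tools;
        # cmd.exe is used because New-Item normalises the path and refuses 'con'.
        cmd.exe /c "mkdir `"\\?\$inf\con`"" | Out-Null
    }
    $dir = Get-Item -LiteralPath $inf -Force
    $dir.Attributes = 'Directory, ReadOnly, Hidden, System'
    return (Test-Path -LiteralPath $inf -PathType Container)
}

function Disable-Autorun {
    # Policy layer: 0xFF disables Autorun for every drive type (effective after
    # logoff or restart). Returns $true when the value is set.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    return ((Get-ItemProperty -Path $key).NoDriveTypeAutoRun -eq 0xFF)
}

# DriveType 2 = removable disk; the Size check skips empty floppy/card slots.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | Where-Object { $_.Size } | ForEach-Object {
    $letter = $_.DeviceID.TrimEnd(':')
    "{0} autorun.inf folder in place: {1}" -f $_.DeviceID, (Protect-RemovableDrive -DriveLetter $letter)
}
"NoDriveTypeAutoRun=0xFF set: {0}" -f (Disable-Autorun)
```

Run it with the suspect drives plugged in but before double-clicking them; if an autorun.inf file is found and renamed, the file it points to (the `open=` or `shellexecute=` line inside it) is the sample to hand to the malware responders.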

#11 tattoi
  • Topic Starter
  • Members
  • 29 posts
  • Local time:12:53 PM

Posted 06 July 2009 - 03:28 PM

Hi Panda or PP for short. It is amazing to note that you always start with Hello and always end with The Panda. It's pretty cool.

Yup, I tried it once, reloaded the page, and got the same error message (although I am not sure if it's the same error number). Then I tried it again (this time I opened a new window), now I'm in the "Checking for the latest updates for your computer..." part. So far so good.

There, it says that updates are being downloaded and installed. Weeee.

Again, thanks so much for all the help.

#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:53 AM

Posted 06 July 2009 - 04:15 PM

Okay. Tell me how it goes.

The Panda

#13 tattoi
  • Topic Starter
  • Members
  • 29 posts
  • Local time:12:53 PM

Posted 07 July 2009 - 12:16 AM

Hi Panda or PP for Short.

I left the computer on while downloading the updates. I'm not sure what happened but I received this error "The product key found on this computer is a Volume License Key (VLK) that has been blocked." The computer is still in Service Pack 2.

Also, I was defragmenting Volume C at that time and Avira detected TR/Trash.Gen [trojan].

Virus or unwanted program 'TR/Trash.Gen [trojan]'
detected in file 'C:\System Volume Information\_restore{F786C47F-35D4-44C3-83C6-05370AD4E52A}\RP9\A0005116.exe'.
Action performed: Deny access


Hope you can help me on this. Thank you very much.

#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:53 AM

Posted 07 July 2009 - 08:21 AM

Hello.

Avira detected an item in the System Restore Cache. We'll empty those out later.

Check Windows
  • Please download MGADiag and save it to your desktop.
  • Double click the MGADiag icon on your desktop.
  • Click Continue. Then, click Copy.
  • Go to Start -> Run and type in "Notepad"
  • Go to Edit -> Paste in notepad.
  • Remove the line containing Windows Product Key.
  • Copy and paste that log here.

With Regards,
The Panda

#15 tattoi
  • Topic Starter
  • Members
  • 29 posts
  • Local time:12:53 PM

Posted 07 July 2009 - 09:49 AM

Hi Panda or PP for short.

Here is the log. I already removed the line that contains the Windows Product Key:

Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Blocked VLK
Validation Code: 3
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key Hash: EF9FLLW9MoBtuIKI/P5UHESO+Gc=
Windows Product ID: 55274-646-2448872-23314
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {491F6108-2280-4521-AD62-0704AB234170}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.9.1
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
Microsoft Office FrontPage 2003 - 100 Genuine
Microsoft Office Visio Professional 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{491F6108-2280-4521-AD62-0704AB234170}</UGUID><Version>1.9.0006.1</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-H7P6W</PKey><PID>55274-646-2448872-23314</PID><PIDType>1</PIDType><SID>S-1-5-21-839522115-1677128483-682003330</SID><SYSTEM><Manufacturer>IBM</Manufacturer><Model>830313A</Model></SYSTEM><BIOS><Manufacturer>IBM</Manufacturer><Version>24KT28AUS</Version><SMBIOSVersion major="2" minor="31"/><Date>20021009000000.000000+000</Date></BIOS><HWID>28DD3B4F0184204E</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>China Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57373</Pid><PidType>14</PidType></Product><Product GUID="{90170409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office FrontPage 2003</Name><Ver>11</Ver><Val>5EA9C3672EB0500</Val><Hash>GZD+9sfb5ecL3RxyV4F75a86u2M=</Hash><Pid>72079-640-0000106-55464</Pid><PidType>14</PidType></Product><Product GUID="{90510409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Visio Professional 2003</Name><Ver>11</Ver><Val>5EA9C3672EB0500</Val><Hash>GZD+9sfb5ecL3RxyV4F75a86u2M=</Hash><Pid>72085-640-0000106-55248</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="114"/><App Id="16" Version="11" Result="114"/><App Id="17" Version="11" Result="100"/><App Id="18" Version="11" Result="114"/><App Id="19" Version="11" Result="114"/><App Id="1A" Version="11" Result="114"/><App Id="1B" Version="11" Result="114"/><App Id="44" Version="11" Result="114"/><App Id="51" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 102BB:GENUINE C&C INC|12F45:IBM
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

Thanks.



