Infected ..


14 replies to this topic

#1 ballmoney

  • Members
  • 11 posts

Posted 17 July 2009 - 05:26 PM

Hello everyone. I've been infected for a while. I'm not quite sure what it is, but it's used to hack and uses csrss.exe, winlogon.exe and others, as they show up with no user in the task manager. A month ago I was charged a few thousand on my PayPal account; luckily I was able to get that back. I find my computer pauses a lot and it takes a bit longer to logon. All virus programs aren't able to pick it up; I've tried reformatting and Active@ KillDisk. Here are my HijackThis results. Thanks so much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:50 PM, on 11/10/2001
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "c:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\RunOnce: [PCDrProfiler] C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe -r
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [OCA_MRK] c:\hp\bin\cloaker.exe c:\windows\system32\cmd.exe /c c:\hp\bin\OCA\install.cmd
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8671 bytes
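As an added example (not part of the original thread, and not Trend Micro's or BleepingComputer's code): a small Python triage pass over HijackThis O2/O3, O4 and O23 lines like the ones in the log above. It resolves the binary each entry actually loads and flags the entries a helper would verify first. The trusted install trees, the environment-variable expansion, and the one autorun line marked HYPOTHETICAL in the sample are assumptions, not values from the log.

```python
"""Triage helper for HijackThis 2.0.2 log lines (added example, not from the thread)."""
import re

# The three HijackThis line families handled here.
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
BHO_RE = re.compile(
    r"^O[23] - (?:BHO|Toolbar): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)
# HijackThis prints unquoted paths containing spaces, so an unquoted command
# line is cut at the first recognised executable extension.
EXE_RE = re.compile(r"\.(?:exe|dll|scr|cmd|bat|com)\b", re.IGNORECASE)

# Assumed environment expansion and install trees for this Vista-era HP box.
ENV = {"%ProgramFiles%": r"C:\Program Files", "%WINDIR%": r"C:\Windows"}
TRUSTED_TREES = (r"c:\program files", r"c:\progra~", r"c:\windows", r"c:\hp")


def first_token(cmd: str):
    """Split a command line into its first (possibly quoted) token and the rest."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.search(cmd)
    if m:
        return cmd[: m.end()], cmd[m.end():].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def binary_of(cmd: str) -> str:
    """Return the executable or DLL an O4 command line actually loads."""
    for var, value in ENV.items():
        cmd = cmd.replace(var, value)
    tok, rest = first_token(cmd)
    if tok.lower().endswith("rundll32.exe") and rest:
        # rundll32 loads "<dll>,<export>": the DLL is what matters for triage.
        tok, _ = first_token(rest)
        tok = tok.split(",", 1)[0]
    return tok


def is_trusted_location(path: str) -> bool:
    """True when the binary sits under one of the expected install trees."""
    return path.lower().startswith(TRUSTED_TREES)


def triage(lines):
    """Return (reason, line) pairs for entries worth a second look, in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := O4_RE.match(line):
            binary = binary_of(m["cmd"])
            if "\\" not in binary:
                # Bare names are resolved through PATH at logon: confirm where.
                findings.append(("bare name, resolved via PATH", line))
            elif not is_trusted_location(binary):
                findings.append(("binary outside known install trees", line))
        elif m := O23_RE.match(line):
            if m["owner"].lower() == "unknown owner":
                findings.append(("service with unknown owner", line))
            elif not is_trusted_location(m["path"]):
                findings.append(("service binary outside known install trees", line))
        elif m := BHO_RE.match(line):
            if m["name"].lower() == "(no name)":
                # Unnamed BHOs are judged by their path; this one is Norton's.
                findings.append(("unnamed BHO/toolbar, verify by path", line))
    return findings


# Constructed sample: lines copied from the log above plus one HYPOTHETICAL
# autorun living in a user profile, the pattern that usually matters.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKCU\..\Run: [HYPOTHETICAL] "C:\Users\Anthony\AppData\Roaming\updater.exe" /s
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The flags are prompts for verification, not verdicts: DQLWinService and the unnamed Norton BHO are both legitimate here, which is exactly the judgement the helper applies after the mechanical pass.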



#2 ballmoney
  • Topic Starter

  • Members
  • 11 posts

Posted 19 July 2009 - 04:51 PM

DDS (Ver_09-06-26.01) - NTFSx86
Run by Anthony at 18:50:07.39 on 13/10/2001
Internet Explorer: 7.0.6000.16386
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.3070.2099 [GMT -3:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
C:\WINDOWS\System32\rundll32.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Anthony\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [<NO NAME>]
mRun: [SnapfishMediaDetector] c:\program files\snapfish media detector\SnapfishMediaDetector.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] "c:\program files\common files\symantec shared\opc\{31011d49-d90c-4da0-878b-78d28ad507af}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish media detector\SnapfishMediaDetector.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

============= SERVICES / DRIVERS ===============

R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2001-10-11 446976]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-5-24 354432]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-5-24 255488]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20070108.003\IDSvix86.sys [2007-5-24 212280]

=============== Created Last 30 ================

2001-10-13 17:57 <DIR> --d----- c:\programdata\Yahoo! Companion
2001-10-13 17:53 1,854 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_GC674AA-ABA m8120n_YC_0Pavi_QMXF730_E73NAv3PrA1_49_IBasswood3G_SASUSTek Computer INC._V1.05_B5.09_T070608_WUH0_L409_M3070_J320_7Intel_8Core2 Quad_92.4_#011011_N8086104B_Z14F12F20_G10DE01D0.MRK
2001-10-13 17:52 <DIR> --d----- c:\program files\common files\Windows Live
2001-10-11 17:59 <DIR> --d----- c:\program files\Trend Micro
2001-10-11 17:59 1,524,736 a------- c:\windows\system32\wucltux.dll
2001-10-11 17:58 162,064 a------- c:\windows\system32\wuwebv.dll
2001-10-11 17:58 31,232 a------- c:\windows\system32\wuapp.exe
2001-10-11 17:57 446,976 a------- c:\windows\system32\drivers\athrusb.sys
2001-10-11 17:46 <DIR> --d----- c:\users\Anthony
2001-10-11 17:41 <DIR> --dsh--- c:\programdata\Documents
2001-10-11 17:41 <DIR> --dsh--- C:\Documents and Settings

==================== Find3M ====================

2007-05-24 21:15 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 09:50 174 a--sh--- c:\program files\desktop.ini
2006-11-02 09:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 09:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 09:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 06:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 06:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 06:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 06:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2001-10-11 17:57 86,016 a------- c:\windows\inf\infstrng.dat
2001-10-11 17:57 51,200 a------- c:\windows\inf\infpub.dat
2001-10-11 17:57 86,016 a------- c:\windows\inf\infstor.dat

============= FINISH: 18:50:23.88 ===============



Edited by ballmoney, 19 July 2009 - 07:47 PM.
Merged topics. ~ OB


#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 July 2009 - 01:21 PM

Hi ballmoney,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

I will be back soon with the first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 July 2009 - 01:28 PM

Okay, the DDS is clean but your event manager and your description of the problems point to rootkits which don't make themselves helpfully visible.

First please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Next

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all six boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Then

We need to create an OTL Report
  • Please download OTL from the mirror:
    http://oldtimer.geekstogo.com/OTL.exe (This is THE Mirror)
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Let's see what appears from that lot. :thumbup2:
m0le is a proud member of UNITE

#5 ballmoney
  • Topic Starter

  • Members
  • 11 posts

Posted 23 July 2009 - 05:20 PM

Malwarebytes' Anti-Malware 1.39
Database version: 2489
Windows 6.0.6000

17/10/2001 6:42:24 PM
mbam-log-2001-10-17 (18-42-24).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 199696
Time elapsed: 34 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


RootRepeal

I was unable to open RootRepeal as I got these errors. (I tried to run it in administrator mode too.)

Screen Shots (three screenshots, not preserved in this copy)

Notepad
ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x00429430
Attempt to write to address: 0x00d85000

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x77c61f2a
Attempt to read from address: 0x516cd77d

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 July 2009 - 05:22 PM

Crashing rootkit scanners everywhere!!

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
m0le is a proud member of UNITE

#7 ballmoney
  • Topic Starter

  • Members
  • 11 posts

Posted 23 July 2009 - 06:25 PM

Here are my results. I'd also like to put in that I wasn't allowed to start any programs because it said they were not in the registry, so I restarted and everything is back to normal.



ComboFix 09-07-23.02 - Anthony 17/10/2001 19:51.1.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.3070.2129 [GMT -3:00]
Running from: c:\users\Anthony\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3544500132-1891469370-124352283-500
c:\windows\Installer\3d562.msi

.
((((((((((((((((((((((((( Files Created from 2001-09-17 to 2001-10-17 )))))))))))))))))))))))))))))))
.

2007-05-25 00:55 . 2001-10-13 20:53 -------- d--h--w- C:\hp
2007-05-25 00:48 . 2001-10-11 20:56 -------- d-----w- c:\programdata\Hewlett-Packard
2007-05-25 00:40 . 2001-10-17 22:57 -------- d-----w- c:\windows\SMINST
2007-05-25 00:37 . 2001-10-17 22:55 -------- d-----w- c:\program files\Norton Internet Security
2007-05-25 00:37 . 2007-05-25 00:38 115000 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2007-05-25 00:37 . 2007-05-25 00:38 -------- d-----w- c:\program files\Symantec
2007-05-25 00:37 . 2001-10-17 22:54 -------- d-----w- c:\programdata\Symantec
2007-05-25 00:37 . 2001-10-17 22:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2007-05-25 00:36 . 2007-05-25 00:36 -------- d-----w- c:\program files\Yahoo!
2007-05-25 00:34 . 2007-05-25 00:34 -------- d-----w- c:\program files\earthlink totalaccess
2007-05-25 00:32 . 2007-05-25 00:32 -------- d-----w- c:\programdata\PC-Doctor
2007-05-25 00:32 . 2007-05-25 00:43 -------- d-----w- c:\program files\PC-Doctor 5 for Windows
2007-05-25 00:31 . 2006-11-29 20:33 321108 ----a-w- c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\mia.dll
2007-05-25 00:30 . 2007-05-25 00:31 -------- d-----w- c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}
2007-05-25 00:30 . 2006-11-29 20:33 2538535 ----a-w- c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe
2007-05-25 00:30 . 2007-05-25 00:30 -------- d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2007-05-25 00:30 . 2006-10-27 02:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2007-05-25 00:30 . 2007-05-25 00:30 -------- d-----w- c:\windows\PCHEALTH
2007-05-25 00:30 . 2007-05-25 00:30 -------- d-----w- c:\program files\Microsoft.NET
2007-05-25 00:29 . 2007-05-25 00:30 -------- d-----w- c:\programdata\Microsoft Help
2007-05-25 00:29 . 2007-05-25 00:29 -------- d--h--r- C:\MSOCache
2007-05-25 00:29 . 2007-05-25 00:30 -------- d-----w- c:\program files\Microsoft Works
2007-05-25 00:28 . 2007-05-25 00:28 -------- d-----w- c:\program files\Snapfish Media Detector
2007-05-25 00:27 . 2007-05-25 00:27 -------- d-----w- c:\program files\Common Files\Adobe
2007-05-25 00:26 . 2007-05-25 00:26 -------- d-----w- c:\program files\muvee Technologies
2007-05-25 00:26 . 2007-05-25 00:27 -------- d-----w- c:\program files\Common Files\muvee Technologies
2007-05-25 00:26 . 2007-05-25 00:26 -------- d-----w- c:\programdata\muvee Technologies
2007-05-25 00:26 . 2007-05-25 00:26 -------- d-----w- c:\program files\Common Files\xing shared
2007-05-25 00:26 . 2007-05-25 00:26 -------- d-----w- c:\program files\Common Files\Real
2007-05-25 00:26 . 2007-05-25 00:26 -------- d-----w- c:\program files\Real
2007-05-25 00:25 . 2007-05-25 00:26 -------- d-----w- c:\program files\Rhapsody
2007-05-25 00:25 . 2007-05-25 00:25 -------- d---a-w- c:\program files\Common Files\LightScribe
2007-05-25 00:25 . 2007-05-25 00:25 -------- d---a-w- c:\program files\Common Files\LS Getting Started
2007-05-25 00:25 . 2007-05-25 00:25 -------- d-----w- c:\program files\Common Files\SureThing Shared
2007-05-25 00:24 . 2007-05-25 00:24 -------- d-----w- c:\programdata\Sonic
2007-05-25 00:24 . 2007-05-25 00:24 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2007-05-25 00:24 . 2007-05-25 00:25 -------- d-----w- c:\program files\Common Files\Sonic Shared
2007-05-25 00:24 . 2007-05-25 00:24 -------- d-----w- c:\programdata\Roxio
2007-05-25 00:24 . 2007-05-25 00:25 -------- d-----w- c:\program files\Roxio
2007-05-25 00:24 . 2007-05-25 00:24 -------- d-----w- c:\program files\Common Files\Roxio Shared
2007-05-25 00:20 . 2007-05-25 00:28 -------- d-----w- c:\program files\HP
2007-05-25 00:20 . 2007-05-25 00:20 -------- d-----w- c:\program files\Common Files\HP
2007-05-25 00:19 . 2007-05-25 00:20 103521 ----a-w- c:\windows\hpqins13.dat
2007-05-25 00:19 . 2007-05-25 00:20 -------- d-----w- c:\programdata\HP
2007-05-25 00:19 . 2007-01-03 13:31 4779376 ----a-w- c:\programdata\WildTangent\oem-eula.exe
2007-05-25 00:17 . 2007-05-25 00:19 -------- d-----w- c:\program files\HP Games
2007-05-25 00:17 . 2007-05-25 00:19 -------- d-----w- c:\programdata\WildTangent
2007-05-25 00:17 . 2007-05-25 00:17 -------- d-----w- c:\windows\system32\Macromed
2007-05-25 00:12 . 2007-05-25 00:12 -------- d-----w- c:\windows\system32\RTCOM
2007-05-25 00:11 . 2007-03-12 20:37 90191 ----a-w- c:\windows\system32\nvsvc.dll
2007-05-25 00:09 . 2007-05-25 00:09 4153344 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2007-05-25 00:09 . 2007-05-25 00:09 1686016 ----a-w- c:\windows\system32\gameux.dll
2007-05-25 00:09 . 2007-05-25 00:09 414208 ----a-w- c:\windows\system32\msscp.dll
2007-05-25 00:09 . 2007-05-25 00:09 146944 ----a-w- c:\windows\system32\MMDevAPI.dll
2007-05-25 00:09 . 2007-05-25 00:09 84480 ----a-w- c:\windows\system32\dnsrslvr.dll
2007-05-25 00:09 . 2007-05-25 00:09 24576 ----a-w- c:\windows\system32\dnscacheugc.exe
2007-05-25 00:08 . 2007-05-25 00:08 135680 ----a-w- c:\windows\system32\wusa.exe
2007-05-25 00:08 . 2007-05-25 00:08 974336 ----a-w- c:\windows\system32\crypt32.dll
2007-05-25 00:08 . 2007-05-25 00:08 104448 ----a-w- c:\windows\system32\DWWIN.EXE
2007-05-25 00:08 . 2007-05-25 00:08 74752 ----a-w- c:\windows\system32\drivers\rasl2tp.sys
2007-05-25 00:08 . 2007-05-25 00:08 60928 ----a-w- c:\windows\system32\drivers\raspptp.sys
2007-05-25 00:08 . 2007-05-25 00:08 229888 ----a-w- c:\windows\system32\msshsq.dll
2007-05-25 00:07 . 2007-05-25 00:07 292352 ----a-w- c:\windows\system32\psisdecd.dll
2007-05-25 00:07 . 2007-05-25 00:07 8704 ----a-w- c:\windows\system32\hccoin.dll
2007-05-25 00:07 . 2007-05-25 00:07 73216 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2007-05-25 00:07 . 2007-05-25 00:07 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2007-05-25 00:07 . 2007-05-25 00:07 38400 ----a-w- c:\windows\system32\drivers\usbehci.sys
2007-05-25 00:07 . 2007-05-25 00:07 22528 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2007-05-25 00:07 . 2007-05-25 00:07 223744 ----a-w- c:\windows\system32\drivers\usbport.sys
2007-05-25 00:07 . 2007-05-25 00:07 191488 ----a-w- c:\windows\system32\drivers\usbhub.sys
2007-05-25 00:06 . 2007-05-25 00:06 53760 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2007-05-25 00:06 . 2007-02-12 15:01 61440 ----a-w- c:\windows\system32\OsdRemove.exe
2007-05-25 00:06 . 2007-05-25 00:34 -------- d-----w- c:\program files\Hewlett-Packard
2007-05-25 00:06 . 2005-12-12 17:27 19072 ----a-w- c:\windows\system32\drivers\PS2.sys
2007-05-25 00:05 . 2007-02-08 10:40 253952 ----a-w- c:\windows\system32\cPC_DMIRD.dll
2007-05-25 00:04 . 2006-07-16 21:23 327680 ----a-w- c:\windows\system32\pythoncom24.dll
2007-05-25 00:04 . 2006-07-16 21:15 102400 ----a-w- c:\windows\system32\pywintypes24.dll
2007-05-25 00:03 . 2006-09-07 17:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2007-05-25 00:03 . 2006-09-07 17:13 1060864 ----a-w- c:\windows\system32\mfc71.dll
2007-05-25 00:03 . 2001-10-17 22:57 -------- d-sh--w- c:\windows\Installer
2007-05-24 23:57 . 2007-05-24 23:57 -------- d-----w- c:\program files\CONEXANT
2007-05-24 23:57 . 2001-10-11 20:41 -------- d-----w- c:\windows\Debug
2007-02-06 23:04 . 2007-02-06 23:04 158456 ----a-w- c:\windows\system32\pxwma.dll
2007-02-06 23:03 . 2007-02-06 23:03 129784 ----a-w- c:\windows\system32\PxAFS.DLL
2007-02-02 10:00 . 2007-02-02 10:00 9464 ----a-w- c:\windows\system32\drivers\cdralw2k.sys
2007-02-02 10:00 . 2007-02-02 10:00 9336 ----a-w- c:\windows\system32\drivers\cdr4_xp.sys
2007-02-02 10:00 . 2007-02-02 10:00 43528 ----a-w- c:\windows\system32\drivers\pxhelp20.sys
2007-01-26 17:08 . 2007-01-26 17:08 287256 ----a-r- c:\windows\system32\AbaleZip.dll
2007-01-26 17:08 . 2007-01-26 17:08 2560 ----a-r- c:\programdata\HP\Digital Imaging\Data\hpqd_cul_s.dll
2007-01-12 14:07 . 2007-01-12 14:07 90112 ----a-w- c:\windows\system32\CddbWOManagerRoxio.dll
2007-01-12 14:07 . 2007-01-12 14:07 770048 ----a-w- c:\windows\system32\CDDBUIRoxio.dll
2007-01-12 14:07 . 2007-01-12 14:07 643072 ----a-w- c:\windows\system32\CDDBControlRoxio.dll
2007-01-12 14:07 . 2007-01-12 14:07 585728 ----a-w- c:\windows\system32\CddbMusicIDRoxio.dll
2007-01-12 14:07 . 2007-01-12 14:07 520192 ----a-w- c:\windows\system32\CddbPlaylist2Roxio.dll
2007-01-12 14:07 . 2007-01-12 14:07 204800 ----a-w- c:\windows\system32\CddbFileTaggerRoxio.dll
2007-01-12 14:07 . 2007-01-12 14:07 147456 ----a-w- c:\windows\system32\CddbCleanRoxio.dll
2007-01-12 00:26 . 2007-01-12 00:26 106496 ----a-w- c:\windows\system32\cdrtc.dll
2007-01-12 00:26 . 2007-01-12 00:26 81920 ----a-w- c:\windows\system32\cdral.dll
2007-01-09 14:32 . 2007-01-09 14:32 40120 ----a-w- c:\windows\system32\drivers\symids.sys
2007-01-09 14:32 . 2007-01-09 14:32 38200 ----a-w- c:\windows\system32\drivers\symndisv.sys
2007-01-09 14:32 . 2007-01-09 14:32 27576 ----a-w- c:\windows\system32\drivers\symredrv.sys
2007-01-09 14:32 . 2007-01-09 14:32 191544 ----a-w- c:\windows\system32\drivers\symtdi.sys
2007-01-09 14:32 . 2007-01-09 14:32 145976 ----a-w- c:\windows\system32\drivers\symfw.sys
2007-01-09 14:32 . 2007-01-09 14:32 12984 ----a-w- c:\windows\system32\drivers\symdns.sys
2006-11-02 13:05 . 2001-10-17 19:17 -------- d-----w- c:\windows\system32\wbem\Performance
2006-11-02 12:52 . 2006-11-02 13:01 -------- d-----w- c:\windows\system32\wbem\MOF
2006-11-02 12:43 . 2006-11-02 09:52 902248 ----a-w- c:\windows\system32\winresume.exe
2006-11-02 12:43 . 2006-11-02 09:52 940648 ----a-w- c:\windows\system32\winload.exe
2006-11-02 12:37 . 2006-11-02 12:37 -------- d-----w- c:\windows\twain_32
2006-11-02 12:36 . 2006-11-02 12:36 68096 ----a-w- c:\windows\system32\DFDWiz.exe
2006-11-02 12:35 . 2006-11-02 12:35 95232 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2006-11-02 12:34 . 2006-11-02 12:34 7168 ----a-w- c:\windows\system32\getuname.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 16:36 . 2001-10-17 18:37 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 16:36 . 2001-10-17 18:37 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-05-25 00:38 . 2007-05-25 00:37 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2007-05-25 00:38 . 2007-05-25 00:37 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2007-05-25 00:33 . 2007-05-25 00:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2007-05-25 00:20 . 2007-05-25 00:12 -------- d-----w- c:\program files\Common Files\InstallShield
2007-05-25 00:15 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2007-05-25 00:13 . 2007-05-25 00:13 -------- d-----w- c:\programdata\Intel
2007-05-25 00:13 . 2007-05-25 00:13 -------- d-----w- c:\program files\Common Files\Intel
2007-05-25 00:13 . 2007-05-25 00:11 -------- d-----w- c:\program files\Intel
2007-05-25 00:12 . 2007-05-25 00:12 319456 ----a-w- c:\windows\DIFxAPI.dll
2007-05-25 00:12 . 2007-05-25 00:12 315392 ----a-w- c:\windows\HideWin.exe
2007-05-25 00:12 . 2007-05-25 00:12 -------- d-----w- c:\program files\Realtek
2007-05-25 00:09 . 2007-05-25 00:09 356576 ----a-w- c:\windows\Fonts\monbaiti.ttf
2007-05-25 00:08 . 2006-11-02 08:30 134760 ----a-w- c:\windows\system32\halacpi.dll
2007-05-25 00:08 . 2006-11-02 08:30 160872 ----a-w- c:\windows\system32\halmacpi.dll
2007-03-01 16:21 . 2007-05-25 00:12 1744928 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2007-03-01 15:38 . 2007-05-25 00:12 4390912 ----a-w- c:\windows\RtHDVCpl.exe
2007-03-01 14:30 . 2007-05-25 00:12 1840640 ----a-w- c:\windows\system32\RtkAPO.dll
2007-02-06 14:55 . 2007-05-25 00:12 494080 ----a-w- c:\windows\system32\RtkPgExt.dll
2007-01-25 18:22 . 2007-05-25 00:12 17920 ----a-w- c:\windows\system32\RtkCoInst.dll
2007-01-16 10:39 . 2007-05-25 00:12 1191936 ----a-w- c:\windows\RtlUpd.exe
2007-01-15 07:43 . 2007-05-25 00:12 174716 ----a-w- c:\windows\system32\drivers\hcw18enc.rom
2007-01-15 07:43 . 2007-05-25 00:12 16382 ----a-w- c:\windows\system32\drivers\hcw18mlC.rom
2007-01-15 07:43 . 2007-05-25 00:12 14264 ----a-w- c:\windows\system32\drivers\hcw18mlB.rom
2007-01-15 07:43 . 2007-05-25 00:12 141200 ----a-w- c:\windows\system32\drivers\hcw18apu.rom
2007-01-15 07:43 . 2007-05-25 00:12 354432 ----a-w- c:\windows\system32\drivers\hcw18bda.sys
2007-01-15 07:43 . 2007-05-25 00:12 66048 ----a-w- c:\windows\system32\hcwxds.dll
2007-01-12 16:54 . 2007-05-25 00:12 520192 ----a-w- c:\windows\RtlExUpd.dll
2007-01-09 18:47 . 2007-01-09 18:47 13054 ----a-w- c:\windows\system32\drivers\SymRedir.cat
2007-01-09 14:32 . 2007-01-09 14:32 1357 ----a-w- c:\windows\system32\drivers\SymRedir.inf
2007-01-08 21:24 . 2007-05-25 00:33 96368 ----a-w- c:\windows\Fonts\HP PSG.otf
2007-01-04 16:41 . 2007-05-25 00:54 255488 ----a-w- c:\windows\system32\drivers\netr73.sys
2006-12-13 10:30 . 2007-05-25 00:12 339968 ----a-w- c:\windows\system32\SRSTSXT.dll
2006-12-07 15:04 . 2007-05-25 00:54 258048 ----a-w- c:\windows\system32\drivers\HSXHWBS2.sys
2006-12-07 15:04 . 2007-05-25 00:54 659968 ----a-w- c:\windows\system32\drivers\HSX_CNXT.sys
2006-12-07 15:03 . 2007-05-25 00:54 985600 ----a-w- c:\windows\system32\drivers\HSX_DP.sys
2006-12-07 14:29 . 2007-05-25 00:54 144201 ----a-w- c:\windows\system32\drivers\HSFProf.cty
2006-11-30 10:14 . 2001-10-11 20:57 446976 ----a-w- c:\windows\system32\drivers\athrusb.sys
2006-11-29 18:47 . 2007-05-25 00:12 135168 ----a-w- c:\windows\system32\SRSWOW.dll
2006-11-29 10:14 . 2007-05-25 00:54 172032 ----a-w- c:\windows\system32\UCI32m15.dll
2006-11-28 16:44 . 2007-05-25 00:54 386560 ----a-w- c:\windows\system32\drivers\XAudio.exe
2006-11-28 16:44 . 2007-05-25 00:54 8192 ----a-w- c:\windows\system32\drivers\XAudio.sys
2006-11-16 20:35 . 2007-05-25 00:11 126976 ----a-w- c:\windows\system32\Imsmudlg.exe
2006-11-02 12:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2006-11-02 12:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2006-11-02 12:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2006-11-02 12:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2006-11-02 12:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2006-11-02 12:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2006-11-02 12:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2006-11-02 12:42 . 2006-11-02 12:42 30674 ----a-w- c:\windows\inf\PERFLIB\0409\perfd.dat
2006-11-02 12:42 . 2006-11-02 12:42 30674 ----a-w- c:\windows\inf\PERFLIB\0409\perfc.dat
2006-11-02 12:42 . 2006-11-02 12:42 287440 ----a-w- c:\windows\inf\PERFLIB\0409\perfi.dat
2006-11-02 12:42 . 2006-11-02 12:42 287440 ----a-w- c:\windows\inf\PERFLIB\0409\perfh.dat
2006-11-02 12:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Reference Assemblies
2006-11-02 12:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2006-11-02 12:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Microsoft Games
2006-11-02 12:37 . 2001-10-11 20:46 -------- d-----w- c:\users\Anthony\AppData\Roaming\Media Center Programs
2006-11-02 12:37 . 2006-11-02 12:37 30808 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2006-11-02 12:37 . 2006-11-02 12:37 29779 ----a-w- c:\windows\Fonts\GlobalSerif.CompositeFont
2006-11-02 12:37 . 2006-11-02 12:37 26489 ----a-w- c:\windows\Fonts\GlobalSansSerif.CompositeFont
2006-11-02 12:37 . 2006-11-02 12:37 26040 ----a-w- c:\windows\Fonts\GlobalMonospace.CompositeFont
2006-11-02 12:35 . 2006-11-02 12:35 767488 ----a-w- c:\windows\system32\WMVSENCD.DLL
2006-11-02 12:34 . 2006-11-02 12:34 43008 ----a-w- c:\windows\system32\AltTab.dll
2006-11-02 09:51 . 2006-11-02 08:36 3502184 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-11-02 09:50 . 2006-11-02 08:51 140392 ----a-w- c:\windows\system32\drivers\scsiport.sys
2006-11-02 09:49 . 2006-11-02 08:54 32872 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2006-11-02 09:47 . 2006-11-02 08:31 1162656 ----a-w- c:\windows\system32\ntdll.dll
2006-11-02 09:47 . 2006-11-02 08:45 228968 ----a-w- c:\windows\system32\rsaenh.dll
2006-11-02 09:47 . 2006-11-02 08:45 165992 ----a-w- c:\windows\system32\dssenh.dll
2006-11-02 09:47 . 2006-11-02 08:43 121960 ----a-w- c:\windows\system32\basecsp.dll
2006-11-02 09:47 . 2006-11-02 07:12 991232 ----a-w- c:\windows\system32\Narrator.exe
2006-11-02 09:47 . 2006-11-02 08:57 98816 ----a-w- c:\windows\system32\NAPHLPR.DLL
2006-11-02 09:47 . 2006-11-02 08:57 39936 ----a-w- c:\windows\system32\NAPCRYPT.DLL
2006-11-02 09:45 . 2006-11-02 08:44 34304 ----a-w- c:\windows\system32\wlrmdr.exe
2006-11-02 09:44 . 2006-11-02 08:58 83968 ----a-w- c:\windows\system32\cmstp.exe
2006-11-02 09:43 . 2006-11-02 07:01 7680 ----a-w- c:\windows\system32\spwizres.dll
2006-11-02 09:43 . 2006-11-02 07:01 5963264 ----a-w- c:\windows\system32\spwizimg.dll
2006-11-02 09:43 . 2006-11-02 06:59 57344 ----a-w- c:\windows\system32\nlsbres.dll
2006-11-02 09:43 . 2006-11-02 08:43 5120 ----a-w- c:\windows\system32\security.dll
2006-11-02 09:43 . 2006-11-02 08:58 2560 ----a-w- c:\windows\system32\rnr20.dll
2006-11-02 09:42 . 2006-11-02 09:02 107520 ----a-w- c:\windows\system32\RDPENCDD.dll
2006-11-02 09:42 . 2006-11-02 07:03 17408 ----a-w- c:\windows\system32\prflbmsg.dll
2006-11-02 09:42 . 2006-11-02 08:11 229376 ----a-w- c:\windows\system32\odbcint.dll
2006-11-02 09:41 . 2006-11-02 07:21 2048 ----a-w- c:\windows\system32\netmsg.dll
2006-11-02 09:41 . 2006-11-02 07:40 15360 ----a-w- c:\windows\system32\netevent.dll
2006-11-02 09:41 . 2006-11-02 07:21 2048 ----a-w- c:\windows\system32\neth.dll
2006-11-02 09:41 . 2006-11-02 08:26 2048 ----a-w- c:\windows\system32\msxml6r.dll
2006-11-02 09:41 . 2006-11-02 08:26 2048 ----a-w- c:\windows\system32\msxml3r.dll
2006-11-02 09:41 . 2006-11-02 08:29 61440 ----a-w- c:\windows\system32\msvcrt40.dll
2006-11-02 09:41 . 2006-11-02 06:52 58368 ----a-w- c:\windows\system32\msobjs.dll
2006-11-02 09:40 . 2006-11-02 08:58 3072 ----a-w- c:\windows\system32\msafd.dll
2006-11-02 09:40 . 2006-11-02 06:52 145920 ----a-w- c:\windows\system32\msaudite.dll
2006-11-02 09:23 . 2006-11-02 08:56 93184 ----a-w- c:\windows\system32\drivers\bridge.sys
2006-11-02 09:20 . 2006-11-02 10:25 130048 ----a-w- c:\windows\system32\drivers\drmk.sys
2006-11-02 09:20 . 2006-11-02 10:33 287440 ----a-w- c:\windows\system32\perfi009.dat
2006-11-02 09:20 . 2006-11-02 10:22 287440 ----a-w- c:\windows\inf\PERFLIB\0000\perfi.dat
2006-11-02 09:20 . 2006-11-02 10:22 287440 ----a-w- c:\windows\inf\PERFLIB\0000\perfh.dat
2006-11-02 09:20 . 2006-11-02 10:33 30674 ----a-w- c:\windows\system32\perfd009.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-11-02 1196032]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-13 1773568]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-03-12 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-12 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-03-12 81920]
"SnapfishMediaDetector"="c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 1441792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-01 4390912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe [2007-3-2 1441792]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9315856B-AC49-481D-8B11-BD7A3FC47606}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{D1BC2CFC-AD95-411D-B4EE-F70A8C03E83F}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{AD8681B7-393F-4DDE-8903-CAF6912C1283}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{E36F2D4A-CAC8-4821-A339-2A0A80811E2B}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{6C5C9D66-AE43-4A95-9725-30212418B65B}"= UDP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{6DC1F8B1-FE0B-4D05-B30A-0E7B8DACA577}"= TCP:c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{C5E8A1D1-34D4-4F68-81B2-81367C91BC3F}"= TCP:9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{203F0511-B745-40B0-9968-3656029D7703}"= TCP:1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{AFF5A196-A141-42D7-91A6-7AB8F2150335}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{823922DA-714D-4DB6-AFE2-FFCCADF20F3D}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C12245C2-3D5C-4221-A21B-EC8011C0C85A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C1C40625-D3B4-4F14-A7FE-DB3DD22DD330}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{DD9E2B46-3BA2-481E-8A80-D80500ED0FE5}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{809B0D1C-3DDB-4E12-BCF6-0F835F0AF135}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3E72FAE8-9297-4C91-8163-39249BA93F50}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3195E19C-F7F3-4A97-A657-3DCFD0F4F85C}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [03/09/2006 2:32 PM 208896]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\System32\drivers\hcw18bda.sys [24/05/2007 9:12 PM 354432]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\System32\drivers\netr73.sys [24/05/2007 9:54 PM 255488]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [10/05/2006 1:13 PM 29696]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\System32\drivers\athrusb.sys [11/10/2001 5:57 PM 446976]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=desktop
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3772)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\conime.exe
.
**************************************************************************
.
Completion time: 2001-10-17 19:59 - machine was rebooted
ComboFix-quarantined-files.txt 2001-10-17 22:59

Pre-Run: 281,669,435,392 bytes free
Post-Run: 282,173,038,592 bytes free

336

#8 m0le (Malware Response Team, London, UK)

Posted 23 July 2009 - 07:05 PM

Okay, that's removed the main infection, which has been stopping the rootkit scans.

Please run MBAM. I know you have it already so here's the run instructions only.

Double click the .exe file to start.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Then

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Thanks
m0le is a proud member of UNITE

#9 ballmoney (Topic Starter)

Posted 23 July 2009 - 11:34 PM

Malwarebytes' Anti-Malware 1.39
Database version: 2489
Windows 6.0.6000

18/10/2001 1:01:14 AM
mbam-log-2001-10-18 (01-01-14).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 198312
Time elapsed: 33 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Bit Defender
No viruses were found.

#10 m0le (Malware Response Team, London, UK)

Posted 24 July 2009 - 07:03 AM

Nice blank logs

How is the PC now?

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Then post new DDS logs for me to see if we've got everything.

#11 ballmoney (Topic Starter)

Posted 24 July 2009 - 10:48 AM

ATF Cleaner
Run and cleaned.



Csrss.exe and winlogon.exe still run without users, but they take up less memory now. Should I still be worried about this?

#12 m0le (Malware Response Team, London, UK)

Posted 24 July 2009 - 12:16 PM

Csrss.exe and winlogon.exe still run without users, but they take up less memory now. Should I still be worried about this?


csrss.exe has to run on boot. It runs the operating system's graphic instruction sets. In short, without it running you will be looking at the blue screen of death.

The legitimate winlogon.exe file will be running before the user logs in. It needs to be running before the log in as it is the process that controls the function of logging in and out.

Nothing to worry about at all.

Anyway, we have reached that time...

Your PC is clean! Good stuff!

Let's firstly do some housekeeping

Delete ComboFix and Clean Up
Click Start > Run, type combofix /u and click OK (note the space between combofix and /u).
Please advise if this step is missed for any reason as it performs some important actions.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it ballmoney, happy surfing!

Cheers,


m0le
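The two processes ballmoney asked about are normal on any Windows box, but the name alone proves nothing: malware routinely names its dropper csrss.exe or winlogon.exe and runs it from a user-writable folder. The script below is an added example, written for this edit and not part of the thread or of m0le's instructions. It checks each process carrying one of those names against the properties the genuine ones have: an image path in %SystemRoot%\System32, the LocalSystem owner, no surviving parent other than smss.exe, and a Microsoft Authenticode signature. It assumes an elevated PowerShell 2.0 or later prompt on the affected machine; without elevation the owner and path of SYSTEM processes come back empty and are reported as "(not readable)".

```powershell
# Added example, not from the thread. Confirms that every running process named
# csrss.exe or winlogon.exe is the genuine Windows binary rather than malware
# borrowing the name. Assumes an elevated PowerShell 2.0+ prompt; without
# elevation the owner and path of SYSTEM processes may be unreadable.

$System32 = Join-Path $env:SystemRoot 'System32'
$Watched  = @('csrss.exe', 'winlogon.exe')

function Test-CoreSystemProcess {
    param([System.Management.ManagementObject]$Process)

    $name = $Process.Name
    $path = $Process.ExecutablePath

    # 1. Image path: the real binaries live only in %SystemRoot%\System32.
    $expectedPath = Join-Path $System32 $name
    $pathOk = ($path -ne $null) -and ($path -ieq $expectedPath)

    # 2. Owner: both run as LocalSystem, never as an interactive user.
    $owner = $Process.GetOwner()
    if ($owner.ReturnValue -eq 0) {
        $account = '{0}\{1}' -f $owner.Domain, $owner.User
        $ownerOk = ($account -ieq 'NT AUTHORITY\SYSTEM')
    } else {
        $account = '(not readable)'
        $ownerOk = $true   # cannot judge without elevation; see the note above
    }

    # 3. Parent: smss.exe starts both and then exits, so a live parent that is
    #    anything other than smss.exe (for example explorer.exe) is a red flag.
    #    PIDs are reused, so treat this as a hint rather than proof.
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($Process.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '(exited)' }
    $parentOk = (-not $parent) -or ($parent.Name -ieq 'smss.exe')

    # 4. Authenticode: reported for manual review rather than folded into the
    #    verdict. On PowerShell 4+ this also validates catalog signatures; on
    #    older systems (such as the Vista box in this thread) catalog-signed
    #    system files report NotSigned, which then means "verify against the
    #    catalog or with sigcheck", not that the file is malicious.
    $signature = 'n/a'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signature = [string]$sig.Status
        if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
            if ($sig.SignerCertificate.Subject -like '*Microsoft*') {
                $signature = 'Valid (Microsoft)'
            } else {
                $signature = 'Valid (NOT Microsoft: ' + $sig.SignerCertificate.Subject + ')'
            }
        }
    }

    New-Object PSObject -Property @{
        Name       = $name
        PID        = $Process.ProcessId
        Owner      = $account
        Parent     = $parentName
        Signature  = $signature
        Path       = $path
        Suspicious = -not ($pathOk -and $ownerOk -and $parentOk)
    }
}

Get-WmiObject -Class Win32_Process |
    Where-Object { $Watched -contains $_.Name.ToLower() } |
    ForEach-Object { Test-CoreSystemProcess -Process $_ } |
    Format-Table Name, PID, Owner, Parent, Signature, Suspicious, Path -AutoSize
```

A genuine csrss.exe or winlogon.exe shows Suspicious = False, Parent = (exited), Owner = NT AUTHORITY\SYSTEM and a path under System32. A row with a path under a user profile, Program Files or Temp, an owner that is a normal user account, or a parent such as explorer.exe is the case worth sending to a malware-removal helper, whatever the process is called.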

#13 ballmoney (Topic Starter)

Posted 24 July 2009 - 01:03 PM

Thanks a million, man, you're the best.

#14 m0le (Malware Response Team, London, UK)

Posted 24 July 2009 - 02:16 PM

Thanks ballmoney. Appreciate it.

#15 m0le (Malware Response Team, London, UK)

Posted 29 July 2009 - 04:08 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.