
Troj / Rustok-N


  • This topic is locked
37 replies to this topic

#1 Frank7777

Frank7777

  • Members
  • 26 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 23 July 2009 - 03:30 AM

I have Lavasoft Ad-Aware running but I can't get my other two programs to open and run. I ran a SmitFraudFix report. Here it is.

SmitFraudFix v2.423

Scan done at 4:03:08.97, Thu 07/23/2009
Run from C:\Documents and Settings\Frank\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

DNS Before Fix

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 85.255.112.26
DNS Server Search Order: 85.255.112.73

HKLM\SYSTEM\CCS\Services\Tcpip\..\{41676C37-515E-4C02-854E-352A5F28A72F}: DhcpNameServer=85.255.112.26,85.255.112.73
HKLM\SYSTEM\CCS\Services\Tcpip\..\{41676C37-515E-4C02-854E-352A5F28A72F}: NameServer=85.255.112.26,85.255.112.73
HKLM\SYSTEM\CCS\Services\Tcpip\..\{648C4EDC-7A15-48C0-B3F9-F5297B7F2E2F}: NameServer=85.255.112.26,85.255.112.73
HKLM\SYSTEM\CS2\Services\Tcpip\..\{41676C37-515E-4C02-854E-352A5F28A72F}: DhcpNameServer=85.255.112.26,85.255.112.73
HKLM\SYSTEM\CS2\Services\Tcpip\..\{41676C37-515E-4C02-854E-352A5F28A72F}: NameServer=85.255.112.26,85.255.112.73
HKLM\SYSTEM\CS2\Services\Tcpip\..\{648C4EDC-7A15-48C0-B3F9-F5297B7F2E2F}: NameServer=85.255.112.26,85.255.112.73
HKLM\SYSTEM\CS3\Services\Tcpip\..\{648C4EDC-7A15-48C0-B3F9-F5297B7F2E2F}: DhcpNameServer=68.87.74.162 68.87.68.162 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.26,85.255.112.73
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.112.26,85.255.112.73
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.74.162 68.87.68.162 68.87.73.242

DNS After Fix

HKLM\SYSTEM\CCS\Services\Tcpip\..\{41676C37-515E-4C02-854E-352A5F28A72F}: DhcpNameServer=85.255.112.26,85.255.112.73

Any help would be appreciated. Thanks.
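The report above shows the pattern SmitFraudFix is warning about: every interface key and every control set (CCS, CS2, CS3) has its NameServer value pointed at 85.255.112.26 and 85.255.112.73, and the only DHCP-assigned values left alone (68.87.x.x in ControlSet003) are the ones the ISP handed out. The Python below is an added example, not code from this thread or from SmitFraudFix: it parses lines in that format and reports every resolver that is not in an expected set. The expected-resolver set, the treatment of 85.255.0.0/16 as suspicious, and the sample lines are assumptions built from the values shown above.

```python
import ipaddress
import re

# Constructed sample in the shape of the SmitFraudFix "DNS Before Fix" section
# quoted above; the addresses and registry paths are the ones that report shows.
SAMPLE_LOG = r"""
DNS Server Search Order: 85.255.112.26
DNS Server Search Order: 85.255.112.73
HKLM\SYSTEM\CCS\Services\Tcpip\..\{41676C37-515E-4C02-854E-352A5F28A72F}: NameServer=85.255.112.26,85.255.112.73
HKLM\SYSTEM\CS3\Services\Tcpip\..\{648C4EDC-7A15-48C0-B3F9-F5297B7F2E2F}: DhcpNameServer=68.87.74.162 68.87.68.162 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.26,85.255.112.73
"""

# Range SmitFraudFix itself warns about in the report above ("85.255.x.x detected").
# Assumption: treating the whole /16 as suspicious mirrors that warning; a real
# deployment would use a maintained indicator list instead.
SUSPICIOUS_RANGES = [ipaddress.ip_network("85.255.0.0/16")]

# Resolvers the machine is supposed to use. Assumption: the DHCP-assigned servers
# that survived in ControlSet003 of the report are the ISP's own.
EXPECTED_RESOLVERS = {"68.87.74.162", "68.87.68.162", "68.87.73.242"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_dns_entries(text):
    """Return (source, [ip, ...]) for every line that carries resolver addresses.

    'source' is the text before the first address: either the interface line
    ("DNS Server Search Order") or the registry path plus value name.
    """
    entries = []
    for line in text.splitlines():
        ips = IPV4_RE.findall(line)
        if not ips:
            continue
        source = line.split(ips[0], 1)[0].rstrip(" :=")
        entries.append((source, ips))
    return entries


def classify(ip):
    """'suspicious-range', 'expected' or 'unexpected' for one resolver address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SUSPICIOUS_RANGES):
        return "suspicious-range"
    if ip in EXPECTED_RESOLVERS:
        return "expected"
    return "unexpected"


def find_hijacked(text):
    """List (source, ip, verdict) for every resolver that is not an expected one.

    Each control set and each interface is reported separately: the Malwarebytes
    log later in the thread shows the same rogue values had to be removed from
    CurrentControlSet, ControlSet002 and ControlSet004 alike.
    """
    findings = []
    for source, ips in parse_dns_entries(text):
        for ip in ips:
            verdict = classify(ip)
            if verdict != "expected":
                findings.append((source, ip, verdict))
    return findings


if __name__ == "__main__":
    for source, ip, verdict in find_hijacked(SAMPLE_LOG):
        print(f"{verdict:17} {ip:15} {source}")
```

The check is deliberately per control set: a cleanup that only fixes CurrentControlSet leaves the rogue resolvers in the other control sets, which is exactly what the Malwarebytes log later in this thread had to remove.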



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:30 PM

Posted 29 July 2009 - 12:17 PM

Hello Frank7777,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.



If MBAM (Malwarebytes) will not install, please rename the installer mbam-setup.exe. Example: newtool2.exe
Proceed installing the renamed installer of MBAM.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\), then rename mbam.exe to newtool4.exe and double-click newtool4.exe to proceed in running a Quick Scan.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.
* If you don't have HijackThis installed, then do this:
Download HijackThis here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php
Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.
Please post it.



Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 31 July 2009 - 11:11 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Frank7777

Frank7777
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 31 July 2009 - 07:51 AM

Thank you so much for your help. I hope this is where you would like me to post. Here is the info.

Results of screen317's Security Check version 0.98.7
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!


``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
Java™ 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8.1.3
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!


``````````````````````````````
DNS Vulnerability Check:

GREAT! (Very random)

`````````End of Log```````````
Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 3

7/31/2009 8:37:04 AM
mbam-log-2009-07-31 (08-37-04).txt

Scan type: Quick Scan
Objects scanned: 67286
Time elapsed: 13 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{41676c37-515e-4c02-854e-352a5f28a72f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{648c4edc-7a15-48c0-b3f9-f5297b7f2e2f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{41676c37-515e-4c02-854e-352a5f28a72f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{648c4edc-7a15-48c0-b3f9-f5297b7f2e2f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{41676c37-515e-4c02-854e-352a5f28a72f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{648c4edc-7a15-48c0-b3f9-f5297b7f2e2f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.26,85.255.112.73 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:30 PM

Posted 31 July 2009 - 11:16 AM

Hi Frank,

What antivirus are you running on the computer?



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 13
    Java™ 6 Update 3
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.


You forgot to post a HijackThis log. :thumbup2:

If you don't have HijackThis on your computer, then do this:
1. Download HijackThis here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.
Please post it.





#5 Frank7777

Frank7777
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 31 July 2009 - 01:51 PM

Once again many thanks, and I will be contributing once I take care of this. I updated the Java and took an MBAM scan and another Security Check run. HijackThis would not install and run for some reason. I am going into Safe Mode to see if I can open it and run it. Here are the posts.

Results of screen317's Security Check version 0.98.7
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!


``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
Java™ 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8.1.3
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!


``````````````````````````````
DNS Vulnerability Check:

GREAT! (Very random)

`````````End of Log```````````
Malwarebytes' Anti-Malware 1.39
Database version: 2535
Windows 5.1.2600 Service Pack 3

7/31/2009 1:46:11 PM
mbam-log-2009-07-31 (13-46-11).txt

Scan type: Quick Scan
Objects scanned: 141845
Time elapsed: 9 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ESQULzcounter (Trojan.Agent) -> Delete on reboot.

Thanks

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:30 PM

Posted 31 July 2009 - 02:05 PM

Hi Frank,

What antivirus are you running on this computer? I am not seeing any :thumbup2:

If you don't have an antivirus installed then please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus :!:

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense for us to clean this up manually if an antivirus, which should be able to deal with most of this and prevent further reinfection, is not present.





I did not say to post the Security Check log and Malwarebytes log.
Please post only the logs I ask. Thanks. :)

Don't run HijackThis in Safe Mode, as it will not show all the running processes like that.
It must be run in the Normal Mode.


Occasionally malware hides itself from HijackThis.
Navigate to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe using My Computer or Windows Explorer and right-click on the HijackThis.exe file.
Select the Rename option from the right-click menu and rename HijackThis.exe to fluffybunny.exe and press Enter
Scan with HijackThis (fluffybunny.exe) again and post a new HijackThis log.

Edited by SifuMike, 31 July 2009 - 02:12 PM.






#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:30 PM

Posted 31 July 2009 - 02:07 PM

Hi Frank,


Did you install Java 6 Update 14?

You forgot to uninstall Java 6 Update 13. Please do it now. :thumbup2:

Edited by SifuMike, 31 July 2009 - 02:14 PM.






#8 Frank7777

Frank7777
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 02 August 2009 - 12:24 AM

Avira AntiVir Personal
Report file date: Saturday, August 01, 2009 16:28

Scanning for 1584543 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : FRANK-4DE38A9E7

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 14:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 20:12:06
ANTIVIR2.VDF : 7.1.4.253 1779200 Bytes 7/19/2009 20:12:25
ANTIVIR3.VDF : 7.1.5.57 445952 Bytes 7/31/2009 20:12:30
Engineversion : 8.2.0.238
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 16:52:04
AESCRIPT.DLL : 8.1.2.22 450938 Bytes 8/1/2009 20:12:49
AESCN.DLL : 8.1.2.4 127348 Bytes 8/1/2009 20:12:47
AERDL.DLL : 8.1.2.4 430452 Bytes 8/1/2009 20:12:46
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 21:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 8/1/2009 20:12:44
AEHEUR.DLL : 8.1.0.147 1884536 Bytes 8/1/2009 20:12:42
AEHELP.DLL : 8.1.5.3 233846 Bytes 8/1/2009 20:12:34
AEGEN.DLL : 8.1.1.53 356724 Bytes 8/1/2009 20:12:33
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 8/1/2009 20:12:31
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, G:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Saturday, August 01, 2009 16:28

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ESQULserv.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ESQULserv.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ESQULserv.sys\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ESQULserv.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ESQULserv.sys\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{648C4EDC-7A15-48C0-B3F9-F5297B7F2E2F}\ntecontextlist
[INFO] The registry entry is invisible.
'7930' objects were checked, '6' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'hpqgalry.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'QuickDCF2.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'VTTimer.exe' - '1' Module(s) have been scanned
Scan process 'raid_tool.exe' - '1' Module(s) have been scanned
Scan process 'soundman.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'SyncServicesBasics.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'savedump.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\VistaAntivirus.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\Frank Pileggi\Application Data\Sun\Java\Deployment\cache\6.0\36\710cee4-4c34595a
[0] Archive type: ZIP
--> Java2SE.class
[DETECTION] Is the TR/Dldr.Java.OpenConnection.AR Trojan
C:\Downloads\Line Of Sight Vietnam v1.01 RIP [ENG]\Line_of_Sight_Vietnam.part1.rar
[0] Archive type: RAR
--> Line of Sight Vietnam\LOSV.ACE
[1] Archive type: ACE
--> Miles\mssmp3.asi
[WARNING] Out of memory! The virus or unwanted program was not deleted!
--> Miles\mssvoice.asi
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Downloads\Line Of Sight Vietnam v1.01 RIP [ENG]\Line of Sight Vietnam\LOSV.ACE
[0] Archive type: ACE
--> Miles\mssmp3.asi
[WARNING] Out of memory! The virus or unwanted program was not deleted!
--> Miles\mssvoice.asi
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\components\iamfamous.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\ios.dat.vir
[DETECTION] Is the TR/FakeAV.GH.1 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_gaopdxpodvpwmn_.sys.zip
[0] Archive type: ZIP
--> gaopdxpodvpwmn.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\RECYCLER\S-1-5-21-1390067357-573735546-725345543-1004\Dc6474\Internet Security 2005\Quarantine\42.tmp
[0] Archive type: HIDDEN
--> FIL\\\?\C:\RECYCLER\S-1-5-21-1390067357-573735546-725345543-1004\Dc6474\Internet Security 2005\Quarantine\42.tmp
[DETECTION] Contains recognition pattern of the WORM/Rbot.174080 worm
C:\RECYCLER\S-1-5-21-1390067357-573735546-725345543-1004\Dc6474\Internet Security 2005\Quarantine\4ECF.tmp
[0] Archive type: HIDDEN
--> FIL\\\?\C:\RECYCLER\S-1-5-21-1390067357-573735546-725345543-1004\Dc6474\Internet Security 2005\Quarantine\4ECF.tmp
[DETECTION] Contains recognition pattern of the WORM/Rbot.174080 worm
C:\WINDOWS\system32\atmvjz.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\jvsfyphm.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\ohifmhcv.exe
[DETECTION] Is the TR/Obfuscated.GX.1214 Trojan
C:\WINDOWS\Temp\tempo-237136765.tmp
[DETECTION] Is the TR/MyDNS.ND Trojan
Begin scan in 'G:\' <Old HDD>

Beginning disinfection:
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\VistaAntivirus.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4ae80170.qua'!
C:\Documents and Settings\Frank Pileggi\Application Data\Sun\Java\Deployment\cache\6.0\36\710cee4-4c34595a
[NOTE] The file was moved to '4aa50138.qua'!
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\components\iamfamous.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4ae20169.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\ios.dat.vir
[DETECTION] Is the TR/FakeAV.GH.1 Trojan
[NOTE] The file was moved to '4ae80177.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_gaopdxpodvpwmn_.sys.zip
[NOTE] The file was moved to '4ad6016f.qua'!
C:\RECYCLER\S-1-5-21-1390067357-573735546-725345543-1004\Dc6474\Internet Security 2005\Quarantine\42.tmp
[NOTE] The file was moved to '4aa3013a.qua'!
C:\RECYCLER\S-1-5-21-1390067357-573735546-725345543-1004\Dc6474\Internet Security 2005\Quarantine\4ECF.tmp
[NOTE] The file was moved to '4ab8014d.qua'!
C:\WINDOWS\system32\atmvjz.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4ae2017c.qua'!
C:\WINDOWS\system32\jvsfyphm.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4ae8017f.qua'!
C:\WINDOWS\system32\ohifmhcv.exe
[DETECTION] Is the TR/Obfuscated.GX.1214 Trojan
[NOTE] The file was moved to '4ade0171.qua'!
C:\WINDOWS\Temp\tempo-237136765.tmp
[DETECTION] Is the TR/MyDNS.ND Trojan
[NOTE] The file was moved to '4ae2016e.qua'!


End of the scan: Saturday, August 01, 2009 22:59
Used time: 2:38:02 Hour(s)

The scan has been canceled!

10706 Scanned directories
390031 Files were scanned
10 Viruses and/or unwanted programs were found
1 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
11 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
390018 Files not concerned
4155 Archives were scanned
7 Warnings
13 Notes
7930 Objects were scanned with rootkit scan
6 Hidden objects were found

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:19:53, on 8/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {868EEE72-F90B-4CE0-9694-6DC75FA82D8F} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227732780623
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6395 bytes

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:30 PM

Posted 02 August 2009 - 07:46 AM

Hi Frank,

You did not tell me you ran Combofix on your own! :thumbup2:
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.

How is the computer running?
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Frank7777

Frank7777
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 02 August 2009 - 01:37 PM

I have to admit I wasn't thinking correctly when I tried to troubleshoot this myself. DUH.......... There is still something in here. My clock keeps turning to military time. That tells me something is not right. I am scanning for viruses right now. Malware found a threat and froze when it tried to reboot. I had to manually turn it off and restart. Then Avira started to scan. I keep getting a "Browser is under threat of infection. Windows require your permission to install online protection tool." I have not done so for fear it may be a scam. Sorry for "...acting stupidly".

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:30 PM

Posted 02 August 2009 - 01:45 PM

Hi Frank,

Never run ComboFix on your own!
It is NOT for use by untrained users, as the many warnings told you. :thumbup2:

I have seen cases where the user had to reformat and reload because they ran ComboFix incorrectly.

Post the last ComboFix log. It should be at C:\ComboFix.txt

Edited by SifuMike, 02 August 2009 - 01:45 PM.


#12 Frank7777

Frank7777
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 02 August 2009 - 05:14 PM

Can't seem to find it.

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:30 PM

Posted 02 August 2009 - 05:15 PM

It will be there unless you deleted it. Keep looking.

Do a files search.

Edited by SifuMike, 02 August 2009 - 05:16 PM.


#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:30 PM

Posted 02 August 2009 - 05:47 PM

Let's try this:

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box:
    :filefind 
    combofix.txt
    :folderfind
    c:\qoobox
  • Hit the Look button. Let it finish the scan.
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.

Edited by SifuMike, 02 August 2009 - 05:54 PM.


#15 Frank7777

Frank7777
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 03 August 2009 - 01:25 PM

ComboFix 09-02-14.01 - Frank 2009-02-15 7:53:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.762 [GMT -5:00]
Running from: c:\documents and settings\Frank\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\bold.log
c:\documents and settings\Frank\Desktop\Cheap Pharmacy Online.url
c:\documents and settings\Frank\Favorites\Cheap Pharmacy Online.url
c:\documents and settings\Frank\Favorites\Search Online.url
c:\documents and settings\Frank\Favorites\SMS TRAP.url
c:\documents and settings\Frank\Favorites\VIP Casino.url
c:\documents and settings\Frank\Start Menu\Cheap Pharmacy Online.url
c:\documents and settings\Frank\Start Menu\Programs\freshplay
c:\documents and settings\Frank\Start Menu\Search Online.url
c:\documents and settings\Frank\Start Menu\SMS TRAP.url
c:\documents and settings\Frank\Start Menu\VIP Casino.url
c:\program files\Mozilla Firefox\components\iamfamous.dll
c:\program files\outlook
c:\recycler\S-0-4-27-100011487-100001166-100030843-1260.com
c:\windows\ios.dat
c:\windows\system32\c.ico
c:\windows\system32\dbfb.dll
c:\windows\system32\drivers\gaopdxpodvpwmn.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxkjepaqea.dll
c:\windows\system32\m.ico
c:\windows\system32\p.ico
c:\windows\system32\s.ico
F:\Autorun.inf
f:\recycler\S-0-4-27-100011487-100001166-100030843-1260.com
f:\recycler\S-4-0-56-100029898-100006410-100026070-5527.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_BOONTY_GAMES
-------\Service_Boonty Games


((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-14 16:03 . 2009-02-14 16:03 0 --ah----- c:\windows\SwSys2.bmp
2009-02-14 16:03 . 2009-02-14 16:03 0 --ah----- c:\windows\SwSys1.bmp
2009-02-14 14:32 . 2009-02-14 14:32 19,214 --a------ c:\windows\system32\sf.ico
2009-02-14 14:32 . 2009-02-14 14:32 13,942 --a------ c:\windows\system32\m3.ico
2009-02-07 11:00 . 2009-02-07 13:24 <DIR> d-------- c:\program files\Return to Castle Wolfenstein DEMO
2009-02-06 03:40 . 2009-02-06 11:28 <DIR> d-------- c:\program files\Super Internet TV
2009-02-03 05:03 . 2009-02-03 05:03 <DIR> d-------- c:\documents and settings\Frank\Application Data\SpinTop Games
2009-02-03 03:46 . 2009-02-03 03:46 <DIR> d-------- c:\documents and settings\Frank\Application Data\DriverCure
2009-02-03 03:46 . 2009-02-03 03:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\ParetoLogic
2009-02-03 03:46 . 2009-02-03 03:56 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\DriverCure
2009-02-01 13:04 . 2009-02-01 13:04 <DIR> d-------- c:\documents and settings\Frank\Application Data\RobinsonCrusoe
2009-01-26 18:56 . 2009-01-26 19:12 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2009-01-22 12:53 . 2009-01-22 12:53 <DIR> d-------- c:\program files\Seagate
2009-01-22 12:53 . 2009-01-22 12:53 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Seagate
2009-01-21 22:45 . 2009-01-22 12:01 <DIR> d-------- c:\program files\FlashGet
2009-01-21 18:59 . 2009-01-21 19:03 <DIR> d-------- c:\program files\Universal Math Solver
2009-01-20 02:46 . 2009-01-20 02:46 <DIR> d-------- C:\PSFONTS
2009-01-20 02:45 . 2009-01-20 03:28 <DIR> d-------- c:\program files\Finale 2009
2009-01-17 10:35 . 2000-08-21 00:00 1,693,968 --a------ c:\windows\system32\VBA6.DLL
2009-01-17 01:02 . 2009-02-14 13:46 <DIR> d-------- c:\program files\TextAloud
2009-01-16 21:14 . 2009-01-16 21:14 <DIR> d-------- c:\documents and settings\Frank\Application Data\Media Player Classic
2009-01-16 21:05 . 2009-01-16 21:05 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-01-16 21:05 . 2008-01-10 13:15 755,027 --a------ c:\windows\system32\xvidcore.dll
2009-01-16 21:05 . 2006-09-24 16:11 389,120 --a------ c:\windows\system32\lameACM.acm
2009-01-16 21:05 . 2004-01-25 17:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2009-01-16 21:05 . 2007-09-04 17:56 164,352 --a------ c:\windows\system32\unrar.dll
2009-01-16 21:05 . 2008-01-10 13:16 159,839 --a------ c:\windows\system32\xvidvfw.dll
2009-01-16 21:05 . 2007-09-21 01:52 118,784 --a------ c:\windows\system32\ac3acm.acm
2009-01-16 21:05 . 2007-12-24 13:49 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-01-16 21:05 . 2007-07-10 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-01-16 21:05 . 2007-10-03 16:03 414 --a------ c:\windows\system32\lame_acm.xml
2009-01-16 21:01 . 2009-01-16 21:18 <DIR> d-------- c:\program files\Real Alternative
2009-01-15 09:35 . 2009-01-15 09:35 <DIR> d-------- c:\program files\ASIO4ALL v2
2009-01-15 09:31 . 2009-01-15 09:31 <DIR> d-------- c:\documents and settings\Frank\Application Data\eJamming
2009-01-15 09:29 . 2009-01-15 09:29 <DIR> d-------- c:\program files\eJamming

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 06:06 --------- d-----w c:\program files\Apple Software Update
2009-02-06 16:28 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-01-27 22:28 --------- d-----w c:\documents and settings\Frank\Application Data\U3
2009-01-27 00:02 --------- d-----w c:\documents and settings\Frank\Application Data\Apple Computer
2009-01-26 23:57 --------- d-----w c:\program files\QuickTime
2009-01-22 17:53 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-22 13:58 41,352 ----a-w c:\documents and settings\Frank\Application Data\GDIPFONTCACHEV1.DAT
2009-01-20 08:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-19 19:16 --------- d-----w c:\program files\Microsoft Games
2009-01-17 17:00 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-17 02:29 --------- d-----w c:\program files\BurstCopy
2009-01-17 02:04 --------- d-----w c:\program files\DivX
2009-01-16 16:52 --------- d-----w c:\documents and settings\Frank\Application Data\Roxio
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-13 18:28 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\BurstCopy Labs
2009-01-13 05:29 4,012 ----a-w c:\documents and settings\Frank\Application Data\mindhabits.dat
2009-01-13 03:33 --------- d-----w c:\program files\BrainTrainAge
2009-01-12 07:42 --------- d-----w c:\documents and settings\Frank\Application Data\Scooter Software
2008-12-23 06:52 --------- d-----w c:\program files\InterActual
2008-12-23 06:13 --------- d-----w c:\program files\PowerStatus
2008-12-23 05:28 --------- d-----w c:\documents and settings\Frank\Application Data\IGN_DLM
2008-12-23 05:24 --------- d-----w c:\program files\Zards software
2008-12-16 20:13 --------- d-----w c:\program files\VirtualDJ
2007-11-07 00:18 143,368 -c--a-w c:\documents and settings\Frank Pileggi\Application Data\GDIPFONTCACHEV1.DAT
2008-06-07 18:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060720080608\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2004-10-11 589824]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]
"VTTimer"="VTTimer.exe" [2006-09-14 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2007-04-25 c:\windows\system32\VTTrayp.exe]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-12-12 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2008-04-24 14020608]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\AutorunsDisabled
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2006-08-14 00:07 102400 c:\program files\Roxio\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-12 12:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-07-31 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-08-10 11:10 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam-dor.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2006-10-18 17920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-0-4-27-100011487-100001166-100030843-1260.com c:\
\Shell\Open\command - c:\recycler\S-0-4-27-100011487-100001166-100030843-1260.com c:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-0-4-27-100011487-100001166-100030843-1260.com f:\
\Shell\Open\command - f:\recycler\S-0-4-27-100011487-100001166-100030843-1260.com f:\
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\WebReg 20080520134349.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-28 21:47]

2009-02-14 c:\windows\Tasks\WebReg 20080601112329.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-28 21:47]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{868EEE72-F90B-4CE0-9694-6DC75FA82D8F} - (no file)
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
FF - ProfilePath - c:\documents and settings\Frank\Application Data\Mozilla\Firefox\Profiles\4dmfl8p4.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 08:03:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-573735546-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2615C0A3-7425-345A-93ED-D787A29508DF}*]
"lajcpoipdmnhbkdclomeonod"=hex:6a,61,6c,69,6a,61,62,6b,63,68,6e,65,65,64,64,6b,
6d,6e,67,69,00,00
"majcpoipdmlhphiegnhapgggbn"=hex:6a,61,6c,69,6a,61,62,6b,63,68,6e,65,65,64,64,
6b,6d,6e,67,69,00,c4
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-02-15 8:09:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-15 13:09:30
ComboFix2.txt 2007-05-11 05:12:22

Pre-Run: 10,651,549,696 bytes free
Post-Run: 11,582,316,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
226 --- E O F --- 2009-02-12 08:05:16

Also when I run MBAM I find an infection titled C:\Windows\System32\ESQUL z counter. When it tries to delete it and reboot, the system freezes. Again I had to reboot and now I am writing and sending this in Safe Mode. Thanks again for your help.
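The ComboFix log above contains three things a malware-removal helper would flag before anything else: MountPoints2 AutoRun/Open commands that launch a .com file from a RECYCLER folder (the drive-autorun worm pattern behind the C:\autorun.inf and F:\Autorun.inf deletions), Security Center values that silence the antivirus and update warnings, and "locked" hex values under Shell Extensions\Approved with random-letter names. The following Python script is an added example written for this thread; it is not ComboFix's own code and not something posted by either participant. It parses a ComboFix-style log and reports those three indicators. The sample log is constructed for the example: its registry lines are taken from the log above, plus one constructed benign E: AutoRun entry to show that ordinary autorun commands are only reported as informational. The severity labels and heuristics are the editor's own, not ComboFix output.

```python
"""Triage a ComboFix-style log for persistence and tampering indicators.

Added example for this thread (not ComboFix code). Heuristics:
  1. MountPoints2 AutoRun/Open commands referencing a RECYCLER folder -> high
     (any other MountPoints2 command is reported as info only)
  2. Security Center *DisableNotify values that are non-zero        -> high
  3. hex values under Shell Extensions\\Approved in the LOCKED KEYS
     section, decoded to show the embedded string                    -> high
"""
import re
from dataclasses import dataclass

# Constructed sample: registry lines copied from the ComboFix log in this
# thread, plus one made-up benign E: autorun entry for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-0-4-27-100011487-100001166-100030843-1260.com c:\
\Shell\Open\command - c:\recycler\S-0-4-27-100011487-100001166-100030843-1260.com c:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - e:\setup.exe

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-573735546-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2615C0A3-7425-345A-93ED-D787A29508DF}*]
"lajcpoipdmnhbkdclomeonod"=hex:6a,61,6c,69,6a,61,62,6b,63,68,6e,65,65,64,64,6b,
6d,6e,67,69,00,00
"majcpoipdmlhphiegnhapgggbn"=hex:6a,61,6c,69,6a,61,62,6b,63,68,6e,65,65,64,64,
6b,6d,6e,67,69,00,c4
"""


@dataclass
class Finding:
    severity: str  # "high" or "info"
    key: str       # registry key the line belongs to
    detail: str


KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
DWORD_RE = re.compile(r'^dword:([0-9a-f]{8})$', re.I)
HEX_RE = re.compile(r'^hex:(.*)$', re.I)
MOUNT_RE = re.compile(r'^\\Shell\\(\w+)\\command\s+-\s+(.*)$', re.I)


def _logical_lines(text):
    """Yield log lines with REGEDIT-style hex continuations joined
    (a value line ending in ',' continues on the following line)."""
    buf = None
    for raw in text.splitlines():
        line = raw.strip()
        if buf is not None:
            buf += line
            if not line.endswith(','):
                yield buf
                buf = None
            continue
        if VALUE_RE.match(line) and line.endswith(','):
            buf = line
            continue
        yield line
    if buf is not None:
        yield buf


def triage_combofix_log(text):
    """Return a list of Finding objects for the indicators described above."""
    findings = []
    key = ''
    locked = False
    for line in _logical_lines(text):
        if 'LOCKED REGISTRY KEYS' in line:
            locked = True          # everything after this header is "locked"
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = MOUNT_RE.match(line)
        if m and 'mountpoints2' in key.lower():
            verb, cmd = m.group(1), m.group(2)
            if 'recycler' in cmd.lower():
                findings.append(Finding('high', key,
                    f'{verb} launches a file from a RECYCLER folder: {cmd}'))
            else:
                findings.append(Finding('info', key,
                    f'{verb} command registered for drive: {cmd}'))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, val = m.group(1), m.group(2).strip()
        if key.lower().endswith('security center') and name.lower().endswith('disablenotify'):
            d = DWORD_RE.match(val)
            if d and int(d.group(1), 16) != 0:
                findings.append(Finding('high', key,
                    f'{name} = {val}: Security Center warning silenced'))
            continue
        if locked and 'shell extensions\\approved' in key.lower():
            h = HEX_RE.match(val)
            if h:
                data = bytes(int(b, 16) for b in h.group(1).split(',') if b)
                decoded = data.split(b'\x00')[0].decode('latin-1')  # text up to first NUL
                findings.append(Finding('high', key,
                    f'locked hex value {name!r} decodes to {decoded!r}'))
    return findings


if __name__ == '__main__':
    for f in triage_combofix_log(SAMPLE_LOG):
        print(f'[{f.severity}] {f.key}\n    {f.detail}')
```

Run against the sample, the script reports the two RECYCLER launch commands, the two silenced Security Center notifications and the two locked hex values as high, and the plain E: autorun entry as info; the decoded hex shows the same random-letter string under both value names, which is the kind of marker the remaining "gaopdx"-style files and the freeze on MBAM's reboot cleanup would make a helper look at next.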



