
Not sure what is the cause


  • This topic is locked
26 replies to this topic

#1 iops

iops

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:39 AM

Posted 24 July 2009 - 01:46 PM

For information about the problems, please read this topic: http://www.bleepingcomputer.com/forums/t/243557/pc-infected/ ~ OB

Here is the logfile I have from hijackthis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:57 AM, on 7/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: CryptSvc - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wired AutoConfig (Dot3svc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Extensible Authentication Protocol Service (EapHost) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Health Key and Certificate Management Service (hkmsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Access Protection Agent (napagent) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Routing and Remote Access (RemoteAccess) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 10191 bytes

Edited by Orange Blossom, 24 July 2009 - 05:42 PM.



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:39 PM

Posted 04 August 2009 - 02:12 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 iops

iops
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:39 AM

Posted 05 August 2009 - 04:10 PM

Symptoms

1) System Restore not doable.
Seems every way I've tried ends up in one of two messages:
"System Restore will not protect your computer"
1068 error: "The Dependency Service or Group Failed To Start"
I've tried turning off System Restore and that won't work either.
Tried Safe Mode to do System Restore, no good either.
Tried starting it through Services, which won't work, as well as through cmd.


2) I cannot go on the internet; I keep getting a page load error. I know this is because of whatever I downloaded, because before turning off my computer I could use the internet.

Also, I'm using the same internet connection but on my laptop, since the desktop is infected with something.

3) When I go to Control Panel and click on User Accounts, the User Accounts window shows up with only back/forward and home.

4) I try to run Ad-Aware and I get an Ad-Aware 1007 "an error occurred" message:
Event SSL DOWNLOAD FAILED

SUGGESTED ACTION
RUN WEBUPDATE

Can't do that, the internet is not working on the desktop. Seems whatever infected my computer won't let me do any antivirus check, use my Windows Firewall, or go on the internet =/


5) Taskbar stays empty.
Can't change startup items.


6) I can't move or paste desktop items, or anything else really except text.
It seems I can copy desktop items, but when I try to paste, it is grayed out.


I tried to do this
Open Internet Explorer>Tools>Internet Options>Security tab. Highlight the "Internet" Icon, click the Custom Level button and make sure that "Drag and drop or copy and paste files" is enabled, click Apply/OK


That is enabled but no good still



I think something is wrong with the boot.ini, because I cannot change anything really in msconfig before getting the error:
An Access Denied error was returned while attempting to change a service. You may need to log on using an administrator account to make the specified changes.

I am the administrator =/



So basically I can't use the internet, can't copy, paste or move desktop items, the taskbar stays empty, I can't customize startup, and I can't do System Restore.


Please help, I don't want to lose my videos, pictures, and other files.


DDS log:
DDS (Ver_09-07-30.01) - NTFSx86
Run by Tpoyoy at 14:02:44.59 on Wed 08/05/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxsrvc.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tpoyoy\applic~1\mozilla\firefox\profiles\1zq8fss0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mail.com/
FF - plugin: c:\documents and settings\tpoyoy\application data\mozilla\firefox\profiles\1zq8fss0.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-24 11:31 <DIR> --d----- c:\program files\Trend Micro
2009-07-24 11:29 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 11:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-24 11:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 11:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-24 11:26 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-24 11:18 39,424 a------- c:\windows\system32\grpconv.exe
2009-07-24 11:17 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-07-24 11:05 219,648 a------- c:\windows\PEV.exe
2009-07-24 11:05 161,792 a------- c:\windows\SWREG.exe
2009-07-24 11:05 98,816 a------- c:\windows\sed.exe
2009-07-24 11:04 <DIR> --d----- c:\docume~1\tpoyoy\applic~1\AVG8
2009-07-21 11:44 169,472 a------- c:\windows\system32\rxI08Qio.dll
2009-07-21 11:31 196,610 a------- c:\windows\system32\pvG32Ogm.exe
2009-07-21 11:30 80,191 a------- c:\windows\system32\qgclnoj0ej5n .exe
2009-07-21 11:30 29,184 a------- c:\windows\system32\ryojqed.exe
2009-07-21 11:30 29,184 ----h--- c:\documents and settings\tpoyoy\ytjix.exe
2009-07-11 15:45 7,552 ac------ c:\windows\system32\dllcache\sonypvu1.sys
2009-07-11 15:45 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS

==================== Find3M ====================

2009-07-21 20:07 27,660 a------- c:\windows\system32\igfxtray.exe
2009-07-21 20:07 27,660 a------- c:\windows\system32\ctfmon.exe
2009-07-21 19:55 27,660 a------- c:\windows\system32\hkcmd.exe
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 14:03:16.56 ===============


The Attach log:
==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
Ad-Aware 2007
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Agere Systems PCI Soft Modem
AllToAVI v4 r5394
Apple Mobile Device Support
Apple Software Update
BitComet 1.03
Bonjour
Canon MP Navigator 2.0
Canon MP150
Canon Utilities Easy-PhotoPrint EX
Compact Wireless-G USB Adapter
Critical Update for Windows Media Player 11 (KB959772)
DAP Premium
Diablo II
DirectX for Managed Code Update (Summer 2004)
Hero Editor V0.96
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImTOO Download YouTube Video
ImTOO PSP Video Converter
ImTOO Video to Audio Converter
ImTOO YouTube to iPod Converter
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Adapters and Drivers
iTunes
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.11)
MSXML 6.0 Parser (KB925673)
PDF Settings
PowerISO
QuickTime
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb971933)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VeryPDF PDF2Word v3.0
VideoLAN VLC media player 0.8.1
Viewpoint Media Player
WebFldrs XP
WindowBlinds
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.3 final uninstall
XviD4PSP 5.0

==== End Of File ===========================
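As an added example (not part of this thread, of the DDS tool, or of BleepingComputer's own procedures), here is a small Python script that parses the "Created Last 30" section of a DDS log like the one posted above and lists the executables an analyst would typically look at first. The sample input is a subset of the lines from that log, with a few benign entries kept as negatives. The four triage rules (hidden attribute on an executable, a digit followed by a letter or whitespace inside the file name, an executable placed directly in a user-profile root, and two executables of identical byte size) are the editor's own heuristics, not a verdict on any file; reading the `h` in the attribute field as the hidden flag, and every function and constant name, are likewise the editor's assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: a subset of the "Created Last 30" lines from the DDS
# log in the post above, with a few benign lines kept as negatives.
SAMPLE_DDS = r"""
2009-07-24 11:31 <DIR> --d----- c:\program files\Trend Micro
2009-07-24 11:29 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 11:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-24 11:18 39,424 a------- c:\windows\system32\grpconv.exe
2009-07-24 11:17 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-07-21 11:44 169,472 a------- c:\windows\system32\rxI08Qio.dll
2009-07-21 11:31 196,610 a------- c:\windows\system32\pvG32Ogm.exe
2009-07-21 11:30 80,191 a------- c:\windows\system32\qgclnoj0ej5n .exe
2009-07-21 11:30 29,184 a------- c:\windows\system32\ryojqed.exe
2009-07-21 11:30 29,184 ----h--- c:\documents and settings\tpoyoy\ytjix.exe
2009-07-11 15:45 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS
"""

# Extensions treated as executable code for triage purposes (editor's choice).
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx"}

# One entry: date, time, size or <DIR>, 8-character attribute field, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# A digit immediately followed by a letter, or any whitespace, inside the file stem.
ODD_STEM_RE = re.compile(r"\d[A-Za-z]|\s")
# Parent directory is a user profile root (8.3 short form included).
PROFILE_ROOT_RE = re.compile(
    r"^c:\\(documents and settings|docume~1)\\[^\\]+$", re.IGNORECASE
)


def parse_created_section(text):
    """Turn DDS 'Created Last 30' lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        entries.append({
            "when": f"{m['date']} {m['time']}",
            "size": None if is_dir else int(m["size"].replace(",", "")),
            "hidden": "h" in m["attrs"],  # assumption: 'h' in the flag field = hidden
            "is_dir": is_dir or "d" in m["attrs"],
            "path": m["path"],
        })
    return entries


def triage(entries):
    """Return {path: [reasons]} for executables that deserve a closer look."""
    execs = [e for e in entries
             if not e["is_dir"] and PureWindowsPath(e["path"]).suffix.lower() in EXEC_EXT]
    by_size = defaultdict(list)
    for e in execs:
        by_size[e["size"]].append(e["path"])

    findings = defaultdict(list)
    for e in execs:
        p = PureWindowsPath(e["path"])
        if e["hidden"]:
            findings[e["path"]].append("hidden attribute set on an executable")
        if ODD_STEM_RE.search(p.stem):
            findings[e["path"]].append("digits or whitespace mixed into the file name")
        if PROFILE_ROOT_RE.match(str(p.parent)):
            findings[e["path"]].append("executable placed directly in a user profile root")
        twins = [q for q in by_size[e["size"]] if q != e["path"]]
        if twins:
            findings[e["path"]].append("same byte size as " + ", ".join(twins))
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(parse_created_section(SAMPLE_DDS)).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample above the script flags the five 21 July entries and none of the Malwarebytes, grpconv or Sony driver lines. A hit is a prompt to verify the file (digital signature, hash reputation, what loads it), not a determination, and a same-minute-creation rule is deliberately left out because legitimate installers also drop several files in one minute, as the Malwarebytes lines show.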

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:39 PM

Posted 06 August 2009 - 03:31 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your Malware issues, this may or may not solve other issues you may have with your machine.

Sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime Please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:39 PM

Posted 06 August 2009 - 10:19 AM

Hello iops,


P2P WARNING
-------------------
Going over your logs I noticed that you have BitComet installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitComet, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
  • DAP Premium
  • Viewpoint Media Player
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


Before we continue, please note the following. You mention you have internet problems on your infected computer. This means you will have to transfer different files from another computer with working internet connection to your infected computer during the fixing process. I strongly recommend you use Flash Disinfector each time you do this to prevent infecting other computers. Please follow the instructions below each time you have to use a flash drive.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


COMBOFIX
---------------
Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************
Download ComboFix from one of these locations:

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to where you see "Step 1: Download the Setup disk program"

Select the download that's appropriate for your Operating System. Note, if you have Service Pack 3 installed, select the Service Pack 2 download.

Download the file & save it as it's originally named.

---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.


Now please, look if you can find the following file C:\QOOBOX\Combofix2.txt (note, the number may be different) and post that log as well.

In your next reply, please include the following:
  • Combofix.txt
  • C:\QOOBOX\Combofix2.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
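Both autorun precautions above (holding Shift while the drive is inserted, and the protective autorun.inf folder) exist because Explorer on XP will run whatever autorun.inf names unless policy tells it not to. That policy lives in three Explorer values that OTL reports as O6 lines in the log posted later in this thread: HonorAutoRunSetting (written as 1 by the KB 967715 update), NoDriveAutoRun and NoDriveTypeAutoRun. The Python below is an added example, not part of the thread or of any tool named in it; it parses those O6 lines and reports which drive types still honour autorun.inf. The bit table follows Microsoft's documentation of NoDriveTypeAutoRun (KB 967715); treating NoDriveAutoRun as a per-letter bitmap like NoDrives, treating the two masks as independent (either one exempting a drive), and the function names are the example's own assumptions.

```python
"""Decode Explorer AutoRun policy values from OTL 'O6' lines (added example)."""
import re

# Bit meanings of NoDriveTypeAutoRun per Microsoft KB 967715; 0x80 is a second
# "unknown drive type" bit. Anything above 0xFF is undocumented and reported as such.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNKNOWN_ALT",
}
O6_RE = re.compile(r"^O6 - HKLM\\.*\\policies\\Explorer: (\w+) = (\d+)\s*$", re.M)

# The four Explorer-policy O6 lines from the OTL log posted later in this thread.
SAMPLE_OTL = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
"""


def parse_explorer_policies(text):
    """Map policy name -> integer value for every O6 Explorer-policy line."""
    return {m.group(1): int(m.group(2)) for m in O6_RE.finditer(text)}


def decode_drive_types(mask):
    """Split NoDriveTypeAutoRun into (disabled types, still-enabled types, undocumented bits)."""
    disabled = [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]
    enabled = [name for bit, name in DRIVE_TYPE_BITS.items() if not (mask & bit)]
    return disabled, enabled, mask & ~0xFF


def decode_drive_letters(mask):
    """Assumption: NoDriveAutoRun is a per-letter bitmap like NoDrives (bit 0 = A:, bit 25 = Z:)."""
    return [chr(ord("A") + i) for i in range(26) if (mask >> i) & 1]


def autorun_verdict(policies):
    """Summarise what still honours autorun.inf. Assumption of this example: a drive is
    exempt if EITHER its letter bit or its type bit is set; a missing value counts as 0."""
    type_mask = policies.get("NoDriveTypeAutoRun", 0)
    disabled, enabled, undocumented = decode_drive_types(type_mask)
    letters = decode_drive_letters(policies.get("NoDriveAutoRun", 0))
    return {
        "fix_installed": policies.get("HonorAutoRunSetting") == 1,  # KB 967715 marker
        "types_disabled": disabled,
        "types_still_enabled": enabled,
        "letters_disabled": letters,
        "all_letters_disabled": len(letters) == 26,
        "undocumented_bits": undocumented,
        "recommend_0xff": (type_mask & 0xFF) != 0xFF,  # usual hardening: all types off
    }


if __name__ == "__main__":
    for key, value in autorun_verdict(parse_explorer_policies(SAMPLE_OTL)).items():
        print(f"{key:22} {value}")
```

On the values from this thread it reports every letter A to Z exempted through NoDriveAutoRun, but NoDriveTypeAutoRun = 323 (0x143) leaves removable, fixed, network and CD-ROM types enabled and carries an undocumented 0x100 bit. The usual hardening is NoDriveTypeAutoRun = 0xFF regardless of the letter mask, so a freshly mounted stick is refused by type and not only by letter.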


#6 iops (Topic Starter)

Posted 06 August 2009 - 01:49 PM

Tried to transfer the downloaded files (ComboFix and the Windows Recovery Console), but I can't move them to the desktop of the infected computer, nor can I move any item around on my desktop or copy and paste (infected computer). One of my symptoms.


Here's the ComboFix log I got without the Recovery Console.

ComboFix 09-07-23.04 - Tpoyoy 08/06/2009 11:44.2.2 - NTFSx86
Running from: L:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-07-24 18:31 . 2009-07-24 18:31 -------- d-----w- c:\program files\Trend Micro
2009-07-24 18:29 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 18:29 . 2009-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 18:29 . 2009-07-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-24 18:29 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 18:18 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-07-24 18:17 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-07-24 18:04 . 2009-07-24 18:04 -------- d-----w- c:\documents and settings\Tpoyoy\Application Data\AVG8
2009-07-21 18:44 . 2009-07-21 18:44 169472 ----a-w- c:\windows\system32\rxI08Qio.dll
2009-07-21 18:31 . 2009-07-21 18:31 196610 ----a-w- c:\windows\system32\pvG32Ogm.exe
2009-07-21 18:30 . 2009-07-21 18:30 80191 ----a-w- c:\windows\system32\qgclnoj0ej5n .exe
2009-07-21 18:30 . 2009-07-21 18:30 29184 ---h--w- c:\documents and settings\Tpoyoy\ytjix.exe
2009-07-21 18:30 . 2009-07-21 18:30 29184 ----a-w- c:\windows\system32\ryojqed.exe
2009-07-11 22:45 . 2001-08-17 20:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-07-11 22:45 . 2001-08-17 20:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 18:44 . 2008-10-29 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-06 18:42 . 2008-08-21 18:39 -------- d-----w- c:\program files\DAP Premium
2009-07-22 03:07 . 2008-08-09 04:19 27660 ----a-w- c:\windows\system32\igfxtray.exe
2009-07-22 03:07 . 2004-08-04 12:00 27660 ----a-w- c:\windows\system32\ctfmon.exe
2009-07-22 02:55 . 2008-08-09 04:19 27660 ----a-w- c:\windows\system32\hkcmd.exe
2009-07-15 20:42 . 2008-08-08 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-19 01:18 . 2008-12-27 03:21 -------- d-----w- c:\documents and settings\julieee ly\Application Data\Canon
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-18 20:32 . 2008-09-05 16:50 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-07-22 27660]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-10-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-08-20 07:09 229376 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\startupfolder\C:^Documents and Settings^Tpoyoy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Tpoyoy\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\ryojqed.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23070:TCP"= 23070:TCP:BitComet 23070 TCP
"23070:UDP"= 23070:UDP:BitComet 23070 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2008-08-19 3768]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\At1.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At10.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At11.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At12.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At13.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At14.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At15.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At16.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At17.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At18.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At19.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At2.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At20.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At21.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At22.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At23.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At24.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At3.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At4.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At5.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At6.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At7.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At8.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At9.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 05:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Tpoyoy\Application Data\Mozilla\Firefox\Profiles\1zq8fss0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mail.com/
FF - plugin: c:\documents and settings\Tpoyoy\Application Data\Mozilla\Firefox\Profiles\1zq8fss0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 11:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2009-08-06 11:48
ComboFix-quarantined-files.txt 2009-08-06 18:48
ComboFix2.txt 2009-07-24 18:27

Pre-Run: 46,986,743,808 bytes free
Post-Run: 46,973,616,128 bytes free

161 --- E O F --- 2009-07-15 20:42



Thank you Elise for helping

Edited by PropagandaPanda, 06 August 2009 - 05:14 PM.
Remove unneeded quote.
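What this ComboFix run shows can be checked mechanically rather than by eye. As an added example that is not part of the thread or of ComboFix itself, the Python below runs three triage checks over a trimmed excerpt of the log above: distinct executables that share a byte size (igfxtray.exe, ctfmon.exe and hkcmd.exe all at 27,660 bytes, and ytjix.exe / ryojqed.exe both at 29,184), At*.job scheduled tasks that all launch one target (24 jobs above point at pvG32Ogm.exe; the excerpt keeps three), and firewall-authorized applications that also appear in the recently created file list (ryojqed.exe). The line formats assumed are those of the ComboFix 09-07 output quoted above; the function names and thresholds are the example's own. Size collisions still need a human look, since copies of one legitimate file (the seven npqtplugin*.dll copies in the OTL log later in the thread) collide too.

```python
"""Triage checks over a ComboFix log excerpt (added example; not a ComboFix feature)."""
import re
import ntpath
from collections import defaultdict, namedtuple

# Trimmed excerpt of the ComboFix log posted above (file list, firewall
# AuthorizedApplications, Scheduled Tasks). Only three of the 24 At*.job entries are kept.
SAMPLE_LOG = r"""
2009-07-24 18:29 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 18:29 . 2009-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-21 18:44 . 2009-07-21 18:44 169472 ----a-w- c:\windows\system32\rxI08Qio.dll
2009-07-21 18:31 . 2009-07-21 18:31 196610 ----a-w- c:\windows\system32\pvG32Ogm.exe
2009-07-21 18:30 . 2009-07-21 18:30 80191 ----a-w- c:\windows\system32\qgclnoj0ej5n .exe
2009-07-21 18:30 . 2009-07-21 18:30 29184 ---h--w- c:\documents and settings\Tpoyoy\ytjix.exe
2009-07-21 18:30 . 2009-07-21 18:30 29184 ----a-w- c:\windows\system32\ryojqed.exe
2009-07-22 03:07 . 2008-08-09 04:19 27660 ----a-w- c:\windows\system32\igfxtray.exe
2009-07-22 03:07 . 2004-08-04 12:00 27660 ----a-w- c:\windows\system32\ctfmon.exe
2009-07-22 02:55 . 2008-08-09 04:19 27660 ----a-w- c:\windows\system32\hkcmd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\ryojqed.exe"=

Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\At1.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At2.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At3.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 05:18]
"""

# "created . modified size attrs path"; directories carry '--------' as size and do not match.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (\S+) (.+)$", re.M)
# Two-line task entry: job file, then "- target [timestamp]".
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (\S+\.job)\r?\n- (.+?) \[", re.M)
# Registry-export style '"path"=' lines (firewall AuthorizedApplications block).
FW_RE = re.compile(r'^"([^"]+)"=', re.M)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
Entry = namedtuple("Entry", "created modified size path")


def parse_file_entries(text):
    """File rows from 'Files Created' / 'Find3M'; trailing spaces in names are kept on purpose."""
    return [Entry(m.group(1), m.group(2), int(m.group(3)), m.group(5).rstrip("\r"))
            for m in FILE_RE.finditer(text)]


def size_collisions(entries, min_names=2):
    """Executables under different names but identical size: one dropper likely wrote them all."""
    by_size = defaultdict(set)
    for e in entries:
        if e.path.lower().endswith(EXEC_EXT):
            by_size[e.size].add(e.path.lower())
    return {size: sorted(paths) for size, paths in by_size.items()
            if len({ntpath.basename(p) for p in paths}) >= min_names}


def at_job_clusters(text, min_jobs=3):
    """At<n>.job tasks (created with at.exe) that all launch the same target."""
    targets = defaultdict(list)
    for m in TASK_RE.finditer(text):
        job, target = ntpath.basename(m.group(1)), m.group(2).lower()
        if re.fullmatch(r"at\d+\.job", job, re.I):
            targets[target].append(job)
    return {t: jobs for t, jobs in targets.items() if len(jobs) >= min_jobs}


def self_whitelisted(text, entries):
    """Firewall-authorized programs that are also in the recently created file list."""
    created = {e.path.lower() for e in entries}
    found = []
    for m in FW_RE.finditer(text):
        path = m.group(1).replace("\\\\", "\\").lower()  # registry export doubles backslashes
        if path in created:
            found.append(path)
    return found


def triage(text):
    entries = parse_file_entries(text)
    return {
        "size_collisions": size_collisions(entries),
        "at_job_clusters": at_job_clusters(text),
        "self_whitelisted": self_whitelisted(text, entries),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(check)
        items = hits.items() if isinstance(hits, dict) else [(h, "") for h in hits]
        for key, value in items:
            print("   ", key, value)
```

Run on the excerpt it flags the three 27,660-byte system binaries (three different legitimate names with one size is the signature of a file infector or a dropper overwriting them), the two 29,184-byte files in different directories, the At1 to At3 cluster on pvG32Ogm.exe, and ryojqed.exe as a freshly created file that has added itself to the firewall exception list.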


#7 Elise (Bleepin' Blonde, Malware Study Hall Admin, Location: Romania)

Posted 07 August 2009 - 12:16 AM

Hello iops,

First of all, please do NOT quote my previous posts; it's really not necessary and can make things quite messy, since logs can already be long enough.

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double-click the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In your next reply, please include the following
  • OTListIt.txt
  • Please tell me if you have your XP installation CD at hand
  • Please tell me the exact filename of the file I asked you to download from the Microsoft website in my previous post.

regards, Elise




#8 iops (Topic Starter)

Posted 07 August 2009 - 09:47 PM

I couldn't save the things you told me to download to the desktop of the infected PC, nor can I move or copy and paste any items. Here's what you requested.



OTL logfile created on: 8/7/2009 7:32:16 PM - Run 1
OTL by OldTimer - Version 3.0.10.5 Folder = L:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.73 Mb Total Physical Memory | 250.90 Mb Available Physical Memory | 49.91% Memory free
1.20 Gb Paging File | 1.00 Gb Available in Paging File | 83.73% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 43.77 Gb Free Space | 23.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 4.44 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 1.86 Gb Total Space | 1.78 Gb Free Space | 95.78% Space Free | Partition Type: FAT

Computer Name: NKCA
Current User Name: Tpoyoy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2007/06/05 17:23:28 | 00,561,152 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2005/07/04 16:46:04 | 00,053,307 | ---- | M] (GEMTEKS) -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
PRC - [2005/12/14 11:32:24 | 05,247,488 | ---- | M] (Linksys) -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
PRC - [2008/04/13 17:12:19 | 01,036,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/10/21 14:20:10 | 00,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2009/07/21 20:07:40 | 00,027,660 | ---- | M] () -- C:\WINDOWS\System32\ctfmon.exe
PRC - [2008/04/13 17:12:16 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ctfmon .exe
PRC - [2009/08/07 19:12:18 | 00,513,536 | ---- | M] (OldTimer Tools) -- L:\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/06/05 17:23:28 | 00,561,152 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice [Auto | Running])
SRV - [2008/08/31 18:05:59 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/04/13 03:20:52 | 00,033,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/04/13 03:21:18 | 00,068,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/05/01 23:42:37 | 00,651,720 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2006/10/20 21:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Stopped])
SRV - [2006/10/30 03:33:58 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/11/20 14:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2006/11/17 13:37:44 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework [Unknown | Stopped])
SRV - [2007/08/24 06:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
SRV - [2006/10/30 03:34:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/12/02 18:34:30 | 00,074,384 | R--- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2008/10/27 14:58:20 | 00,004,096 | -H-- | M] () -- ._.Trashes -- (wuauserv [Auto | Stopped])
SRV - File not found -- -- (WUSB54GCSVC [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2007/06/04 15:18:48 | 00,009,344 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\NSDriver.sys -- (Ad-Watch Connect Filter [On_Demand | Stopped])
DRV - [2008/08/08 14:42:41 | 00,020,747 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\System32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2004/06/29 09:07:18 | 01,268,204 | ---- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2004/02/10 15:49:14 | 00,154,112 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2008/04/17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/04/13 09:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2004/10/08 07:54:56 | 00,752,093 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2004/10/27 17:24:52 | 02,297,984 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/08/19 15:46:30 | 00,003,768 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\System32\DRIVERS\MovRVDrv32.sys -- (MovRVDrv32 [On_Demand | Stopped])
DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/14 03:00:00 | 00,043,840 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2005/11/24 19:51:38 | 00,245,248 | ---- | M] (Ralink Technology, Corp.) -- C:\WINDOWS\System32\DRIVERS\rt73.sys -- (RT73 [On_Demand | Stopped])
DRV - [2007/04/09 05:27:07 | 00,031,548 | ---- | M] (PowerISO Computing, Inc.) -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu [System | Running])
DRV - [2008/04/13 09:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/08/19 15:46:28 | 00,023,096 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\SndTDriverV32.sys -- (SndTDriverV32 [On_Demand | Stopped])
DRV - [2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
DRV - [2008/08/19 15:41:01 | 00,715,248 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2008/11/07 15:23:30 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2008/04/13 11:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\usb8023x.sys -- (usb_rndisx [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-842925246-1202660629-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-842925246-1202660629-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-842925246-1202660629-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-842925246-1202660629-839522115-1003\S-1-5-21-842925246-1202660629-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-842925246-1202660629-839522115-1003\S-1-5-21-842925246-1202660629-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.mail.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.2
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.3
FF - prefs.js..extensions.enabledItems: {89506680-e3f4-484c-a2c0-ed711d481eda}:0.9.5
FF - prefs.js..extensions.enabledItems: {EF522540-89F5-46b9-B6FE-1829E2B572C6}:3.19
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20090325
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11
FF - prefs.js..extensions.enabledItems: {57407AE0-868F-11DC-AD21-49A755D89593}:3.0.0
FF - prefs.js..extensions.enabledItems: {e213bb8f-8ebd-11db-96b7-005056c00008}:3.0.0.32
FF - prefs.js..extensions.enabledItems: {07b2a769-ed19-4483-87ce-c643914c81bb}:3.0.0.34
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/06/18 13:33:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/06 11:44:50 | 00,000,000 | ---D | M]

[2008/09/05 09:50:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Extensions
[2008/09/05 09:50:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/07/21 19:58:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Firefox\Profiles\1zq8fss0.default\extensions
[2009/05/05 16:19:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Firefox\Profiles\1zq8fss0.default\extensions\{07b2a769-ed19-4483-87ce-c643914c81bb}
[2008/09/05 11:56:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Firefox\Profiles\1zq8fss0.default\extensions\{57407AE0-868F-11DC-AD21-49A755D89593}
[2008/12/14 23:09:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Firefox\Profiles\1zq8fss0.default\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}
[2009/05/05 16:20:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Firefox\Profiles\1zq8fss0.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2009/05/05 16:20:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Firefox\Profiles\1zq8fss0.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/05/05 16:20:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Firefox\Profiles\1zq8fss0.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/05/05 16:20:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Firefox\Profiles\1zq8fss0.default\extensions\{e213bb8f-8ebd-11db-96b7-005056c00008}
[2009/05/05 16:20:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Firefox\Profiles\1zq8fss0.default\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}
[2008/11/24 18:58:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tpoyoy\Application Data\mozilla\Firefox\Profiles\1zq8fss0.default\extensions\moveplayer@movenetworks.com
[2008/09/05 09:50:15 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/18 13:33:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/06/18 13:32:54 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/18 13:32:54 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/06/18 13:32:58 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2008/06/11 22:45:28 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/09/14 16:09:03 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/09/14 16:09:03 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/09/14 16:09:03 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/09/14 16:09:03 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/09/14 16:09:03 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/09/14 16:09:03 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/09/14 16:09:03 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2008/07/02 09:31:38 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/07/02 09:31:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/07/02 09:31:38 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/11/14 10:36:14 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/07/02 09:31:38 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/07/02 09:31:38 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/07/02 09:31:38 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-842925246-1202660629-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-842925246-1202660629-839522115-1003..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe ()
O4 - Startup: C:\Documents and Settings\julieee ly\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-842925246-1202660629-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-842925246-1202660629-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-842925246-1202660629-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-842925246-1202660629-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-842925246-1202660629-839522115-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\WBSrv: DllName - C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll - C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll (Stardock Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/08 14:35:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/06/07 05:12:42 | 00,000,175 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2009/08/06 11:19:16 | 00,000,000 | RHSD | M] - L:\autorun.inf -- [ FAT ]
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- [2006/12/04 09:31:42 | 01,095,224 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\*.tmp files]
[2009/08/06 11:43:44 | 00,219,648 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/08/06 11:43:44 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/08/06 11:43:44 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/08/06 11:43:44 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/08/06 11:43:44 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/08/06 11:43:44 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/08/06 11:43:44 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/08/06 11:43:44 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/08/06 11:43:23 | 00,000,000 | --SD | C] -- C:\ComboFix
[2009/08/06 11:39:01 | 00,000,286 | ---- | C] () -- C:\Documents and Settings\Tpoyoy\Desktop\Shortcut to ComboFix.exe.lnk
[2009/07/25 10:10:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/07/24 11:31:40 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Tpoyoy\Desktop\HijackThis.lnk
[2009/07/24 11:31:40 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/07/24 11:29:55 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/07/24 11:29:53 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/24 11:29:51 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/24 11:29:51 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/07/24 11:29:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/07/24 11:28:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/07/24 11:26:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/07/24 11:18:42 | 00,039,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\grpconv.exe
[2009/07/24 11:17:57 | 00,004,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\beep.sys
[2009/07/24 11:05:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/07/24 11:04:59 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/07/24 11:04:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tpoyoy\Application Data\AVG8
[2009/07/21 11:44:54 | 00,169,472 | ---- | C] (TODO: <Company name>) -- C:\WINDOWS\System32\rxI08Qio.dll
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2009/07/21 11:31:45 | 00,196,610 | ---- | C] () -- C:\WINDOWS\System32\pvG32Ogm.exe
[2009/07/21 11:31:45 | 00,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2009/07/21 11:30:52 | 00,080,191 | ---- | C] () -- C:\WINDOWS\System32\qgclnoj0ej5n .exe
[2009/07/21 11:30:50 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\ryojqed.exe
[2009/07/21 11:08:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Tpoyoy\Desktop\hope
[2009/07/21 11:05:24 | 00,836,464 | ---- | C] (WinRecovery Software ) -- C:\Documents and Settings\Tpoyoy\Desktop\cardrecovery_setup.exe
[2009/07/21 10:52:46 | 01,661,760 | ---- | C] (Pro Data Doctor Pvt. Ltd. ) -- C:\Documents and Settings\Tpoyoy\Desktop\PSPMemoryCardDataRecovery.exe
[2009/07/11 15:45:29 | 00,007,552 | ---- | C] (Sony Corporation) -- C:\WINDOWS\System32\drivers\SONYPVU1.SYS
[2009/07/11 15:45:29 | 00,007,552 | ---- | C] (Sony Corporation) -- C:\WINDOWS\System32\dllcache\sonypvu1.sys
[2009/04/18 22:18:29 | 00,000,203 | ---- | C] () -- C:\WINDOWS\pdf2word.INI
[2008/09/25 13:41:44 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/09/25 13:41:44 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/09/21 21:26:39 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/09/21 20:39:25 | 00,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/08/29 11:35:16 | 00,000,055 | ---- | C] () -- C:\WINDOWS\videotoaudio.ini
[2008/08/23 23:03:28 | 00,003,241 | ---- | C] () -- C:\WINDOWS\jzzr_r64.ini
[2008/08/20 00:04:31 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WB.ini
[2008/08/19 15:41:00 | 00,715,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/08/09 14:58:32 | 00,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2008/08/09 14:46:42 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2008/08/09 14:34:25 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL
[2008/08/08 21:14:42 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2008/08/08 21:14:42 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2008/08/08 21:14:42 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2008/08/08 14:42:40 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2008/08/08 14:42:36 | 00,001,361 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2008/03/21 13:30:08 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/09/04 09:56:10 | 00,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2006/08/16 07:13:34 | 01,382,280 | ---- | C] () -- C:\WINDOWS\System32\fftw3.dll
[2006/05/26 06:29:14 | 00,005,120 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2006/04/03 05:26:36 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2006/03/18 06:16:04 | 00,540,178 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2004/08/04 05:00:00 | 00,000,582 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 05:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 08:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/08/07 19:18:48 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/07 19:17:51 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/06 11:57:50 | 04,313,484 | -H-- | M] () -- C:\Documents and Settings\Tpoyoy\Local Settings\Application Data\IconCache.db
[2009/08/06 11:45:39 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/06 11:39:02 | 00,000,286 | ---- | M] () -- C:\Documents and Settings\Tpoyoy\Desktop\Shortcut to ComboFix.exe.lnk
[2009/07/24 11:37:55 | 00,000,582 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/07/24 11:37:55 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/07/24 11:31:40 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Tpoyoy\Desktop\HijackThis.lnk
[2009/07/24 11:29:55 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/07/24 11:22:18 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/07/21 20:07:43 | 00,027,660 | ---- | M] () -- C:\WINDOWS\System32\igfxtray.exe
[2009/07/21 20:07:40 | 00,027,660 | ---- | M] () -- C:\WINDOWS\System32\ctfmon.exe
[2009/07/21 19:55:00 | 00,027,660 | ---- | M] () -- C:\WINDOWS\System32\hkcmd.exe
[2009/07/21 11:45:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/21 11:44:54 | 00,169,472 | ---- | M] (TODO: <Company name>) -- C:\WINDOWS\System32\rxI08Qio.dll
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2009/07/21 11:31:46 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2009/07/21 11:31:33 | 00,196,610 | ---- | M] () -- C:\WINDOWS\System32\pvG32Ogm.exe
[2009/07/21 11:30:52 | 00,080,191 | ---- | M] () -- C:\WINDOWS\System32\qgclnoj0ej5n .exe
[2009/07/21 11:30:44 | 00,029,184 | ---- | M] () -- C:\WINDOWS\System32\ryojqed.exe
[2009/07/21 11:05:24 | 00,836,464 | ---- | M] (WinRecovery Software ) -- C:\Documents and Settings\Tpoyoy\Desktop\cardrecovery_setup.exe
[2009/07/21 10:52:48 | 01,661,760 | ---- | M] (Pro Data Doctor Pvt. Ltd. ) -- C:\Documents and Settings\Tpoyoy\Desktop\PSPMemoryCardDataRecovery.exe
[2009/07/21 10:50:37 | 00,098,304 | ---- | M] () -- C:\Documents and Settings\Tpoyoy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/21 10:48:58 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/07/15 13:42:35 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/07/13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/13 13:36:12 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/13 05:48:54 | 00,219,648 | ---- | M] () -- C:\WINDOWS\PEV.exe
< End of report >



Extras
OTL Extras logfile created on: 8/7/2009 7:32:16 PM - Run 1
OTL by OldTimer - Version 3.0.10.5 Folder = L:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.73 Mb Total Physical Memory | 250.90 Mb Available Physical Memory | 49.91% Memory free
1.20 Gb Paging File | 1.00 Gb Available in Paging File | 83.73% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 43.77 Gb Free Space | 23.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 4.44 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 1.86 Gb Total Space | 1.78 Gb Free Space | 95.78% Space Free | Partition Type: FAT

Computer Name: NKCA
Current User Name: Tpoyoy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-842925246-1202660629-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"23070:TCP" = 23070:TCP:*:Enabled:BitComet 23070 TCP
"23070:UDP" = 23070:UDP:*:Enabled:BitComet 23070 UDP
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client -- (www.BitComet.com)
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\WINDOWS\system32\ryojqed.exe" = C:\WINDOWS\system32\ryojqed.exe:*:Enabled:ENABLE -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0E6AB9FC-76C2-431B-9C06-6C1CFFFEA8EB}" = Ad-Aware 2007
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}" = Adobe Photoshop CS3
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9DE9E293-5D7B-4312-88C2-BDFAEC5310AE}" = Microsoft .NET Framework 3.0
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{CA9A3609-3ECC-4574-8824-A8161A71A603}" = Canon MP150
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{E9E34215-82EF-4909-BE2F-F581F0DC9062}" = DirectX for Managed Code Update (Summer 2004)
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F855C3AE-992D-4B84-A09D-07103CDCDAC2}" = Compact Wireless-G USB Adapter
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}" = Adobe Setup
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1" = Adobe Photoshop CS3
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"AllToAVI" = AllToAVI v4 r5394
"BitComet" = BitComet 1.03
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Diablo II" = Diablo II
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ImTOO Download YouTube Video" = ImTOO Download YouTube Video
"ImTOO PSP Video Converter" = ImTOO PSP Video Converter
"ImTOO Video to Audio Converter" = ImTOO Video to Audio Converter
"ImTOO YouTube to iPod Converter" = ImTOO YouTube to iPod Converter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"Mozilla Firefox (3.0.11)" = Mozilla Firefox (3.0.11)
"MP Navigator 2.0" = Canon MP Navigator 2.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PowerISO" = PowerISO
"PROSet" = Intel® PRO Network Adapters and Drivers
"ST6UNST #1" = Hero Editor V0.96
"VeryPDF PDF2Word v3.0_is1" = VeryPDF PDF2Word v3.0
"VLC media player" = VideoLAN VLC media player 0.8.1
"WindowBlinds" = WindowBlinds
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Xvid_is1" = Xvid 1.1.3 final uninstall
"XviD4PSP5" = XviD4PSP 5.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/18/2009 12:56:59 AM | Computer Name = NKCA | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft ActiveSync -- You must be a member of the Administrators
group to configure Microsoft ActiveSync.

Error - 1/24/2009 1:35:21 AM | Computer Name = NKCA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3257, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/1/2009 10:10:35 PM | Computer Name = NKCA | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 2/1/2009 10:11:18 PM | Computer Name = NKCA | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 2/11/2009 10:06:35 PM | Computer Name = NKCA | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/18/2009 11:29:56 PM | Computer Name = NKCA | Source = Application Error | ID = 1000
Description = Faulting application itunes.exe, version 8.0.2.20, faulting module
quicktimempeg4.qtx, version 7.55.90.70, fault address 0x00010e23.

Error - 2/20/2009 9:04:20 PM | Computer Name = NKCA | Source = McLogEvent | ID = 5051
Description =

Error - 2/20/2009 9:04:32 PM | Computer Name = NKCA | Source = McLogEvent | ID = 1008
Description =

[ System Events ]
Error - 6/13/2009 6:04:08 PM | Computer Name = NKCA | Source = Print | ID = 6161
Description = The document Microsoft Word - Document1 owned by julieee ly failed
to print on printer Canon MP150 Series Printer. Data type: NT EMF 1.008. Size of
the spool file in bytes: 2359296. Number of bytes printed: 2324800. Total number
of pages in the document: 1. Number of pages printed: 0. Client machine: \\NKCA.
Win32 error code returned by the print processor: 8 (0x8).

Error - 6/13/2009 6:06:55 PM | Computer Name = NKCA | Source = Print | ID = 6161
Description = The document Microsoft Word - Document1 owned by julieee ly failed
to print on printer Canon MP150 Series Printer. Data type: NT EMF 1.008. Size of
the spool file in bytes: 2359296. Number of bytes printed: 2324800. Total number
of pages in the document: 1. Number of pages printed: 0. Client machine: \\NKCA.
Win32 error code returned by the print processor: 8 (0x8).

Error - 6/25/2009 12:38:14 PM | Computer Name = NKCA | Source = Print | ID = 6161
Description = The document Lecture+2.pdf owned by julieee ly failed to print on
printer Canon MP150 Series Printer. Data type: NT EMF 1.008. Size of the spool file
in bytes: 118498124. Number of bytes printed: 35966376. Total number of pages in
the document: 6. Number of pages printed: 0. Client machine: \\NKCA. Win32 error
code returned by the print processor: 0 (0x0).

Error - 6/29/2009 12:42:06 PM | Computer Name = NKCA | Source = Print | ID = 6161
Description = The document Midterm+Key+07+FV.pdf owned by julieee ly failed to print
on printer Canon MP150 Series Printer. Data type: NT EMF 1.008. Size of the spool
file in bytes: 65536. Number of bytes printed: 20944. Total number of pages in
the document: 2. Number of pages printed: 0. Client machine: \\NKCA. Win32 error
code returned by the print processor: 6 (0x6).

Error - 6/29/2009 12:50:48 PM | Computer Name = NKCA | Source = Print | ID = 6161
Description = The document Midterm+Key+07+FV.pdf owned by julieee ly failed to print
on printer Canon MP150 Series Printer. Data type: NT EMF 1.008. Size of the spool
file in bytes: 65536. Number of bytes printed: 35872. Total number of pages in
the document: 3. Number of pages printed: 0. Client machine: \\NKCA. Win32 error
code returned by the print processor: 87 (0x57).

Error - 7/2/2009 12:49:56 AM | Computer Name = NKCA | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer Microsoft XPS Document Writer
share name Printer2.

Error - 7/5/2009 1:46:22 PM | Computer Name = NKCA | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer Canon MP150 Series Printer
share name Printer3.

Error - 7/9/2009 10:43:21 PM | Computer Name = NKCA | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 7/10/2009 10:49:44 PM | Computer Name = NKCA | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer Microsoft XPS Document Writer
share name Printer2.

Error - 7/20/2009 10:14:35 PM | Computer Name = NKCA | Source = Print | ID = 6161
Description = The document Lecture+8.pdf owned by julieee ly failed to print on
printer Canon MP150 Series Printer. Data type: NT EMF 1.008. Size of the spool file
in bytes: 228693832. Number of bytes printed: 67437440. Total number of pages in
the document: 9. Number of pages printed: 0. Client machine: \\NKCA. Win32 error
code returned by the print processor: 0 (0x0).


< End of report >

The file you told me to download from the Microsoft website was

WindowsXP-KB310994-SP2-Home-BootDisk-ENU

and I don't have the XP installation disc.

Edited by iops, 07 August 2009 - 09:50 PM.


#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:39 PM

Posted 08 August 2009 - 09:20 AM

Hi iops,

Please follow the instructions carefully, it's very important to do everything in the given order!
  • Insert a flash drive on a computer with internet access and download a fresh copy of Combofix
    Don't use your old copy of Combofix, this will not work!
    Download ComboFix from one of these locations:
    Link 1
    Link 2
    Save combofix.exe on your flashdrive.
  • Save the WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe file (the one you downloaded from the Microsoft website) on your flashdrive as well.
  • Click start > Run and in the box that opens, type notepad and press enter.
    Copy/paste the following text in Notepad and save it to your flashdrive as fix.bat
    @echo off
    "L:\Combofix.exe" "L:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe"
    Exit Notepad.
  • You should now have a flashdrive with the following 3 files:
    • combofix.exe
    • fix.bat
    • WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
  • Now insert this flashdrive in your infected computer and double-click on fix.bat
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • Posted Image
    • At the next prompt, click 'Yes' to run the full ComboFix scan.
    • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 iops

iops
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:39 AM

Posted 08 August 2009 - 10:25 AM

ComboFix 09-08-07.09 - Tpoyoy 08/08/2009 8:02.3.2 - NTFSx86
Running from: L:\ComboFix.exe
Command switches used :: L:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\qgclnoj0ej5n .exe





.
((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
.

2009-07-24 18:31 . 2009-07-24 18:31 -------- d-----w- c:\program files\Trend Micro
2009-07-24 18:29 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 18:29 . 2009-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 18:29 . 2009-07-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-24 18:29 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 18:18 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-07-24 18:17 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-07-24 18:04 . 2009-07-24 18:04 -------- d-----w- c:\documents and settings\Tpoyoy\Application Data\AVG8
2009-07-21 18:44 . 2009-07-21 18:44 169472 ----a-w- c:\windows\system32\rxI08Qio.dll
2009-07-21 18:31 . 2009-07-21 18:31 196610 ----a-w- c:\windows\system32\pvG32Ogm.exe
2009-07-21 18:30 . 2009-07-21 18:30 29184 ---h--w- c:\documents and settings\Tpoyoy\ytjix.exe
2009-07-21 18:30 . 2009-07-21 18:30 29184 ----a-w- c:\windows\system32\ryojqed.exe
2009-07-11 22:45 . 2001-08-17 20:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-07-11 22:45 . 2001-08-17 20:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 18:44 . 2008-10-29 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-06 18:42 . 2008-08-21 18:39 -------- d-----w- c:\program files\DAP Premium
2009-07-22 03:07 . 2008-08-09 04:19 27660 ----a-w- c:\windows\system32\igfxtray.exe
2009-07-22 03:07 . 2004-08-04 12:00 27660 ----a-w- c:\windows\system32\ctfmon.exe
2009-07-22 02:55 . 2008-08-09 04:19 27660 ----a-w- c:\windows\system32\hkcmd.exe
2009-07-15 20:42 . 2008-08-08 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-19 01:18 . 2008-12-27 03:21 -------- d-----w- c:\documents and settings\julieee ly\Application Data\Canon
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2009-07-24_18.22.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2004-08-04 12:00 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2004-08-04 12:00 . 2009-02-06 11:11 110592 c:\windows\system32\services.exe
+ 2004-08-04 12:00 . 2008-04-14 00:12 1033728 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-10-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-08-20 07:09 229376 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\startupfolder\C:^Documents and Settings^Tpoyoy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Tpoyoy\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\ryojqed.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23070:TCP"= 23070:TCP:BitComet 23070 TCP
"23070:UDP"= 23070:UDP:BitComet 23070 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2008-08-19 3768]

.
Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\At1.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At10.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At11.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At12.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At13.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At14.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At15.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At16.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At17.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At18.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At19.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At2.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At20.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At21.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At22.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At23.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At24.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At3.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At4.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At5.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At6.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At7.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At8.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\At9.job
- c:\windows\system32\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 05:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Tpoyoy\Application Data\Mozilla\Firefox\Profiles\1zq8fss0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mail.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 08:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
.
**************************************************************************
.
Completion time: 2009-08-08 8:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-08 15:20
ComboFix2.txt 2009-08-06 18:48
ComboFix3.txt 2009-07-24 18:27

Pre-Run: 46,974,373,888 bytes free
Post-Run: 46,949,646,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

184 --- E O F --- 2009-07-15 20:42
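The log above shows two persistence patterns worth recognising in any ComboFix-style report: twenty-four At*.job scheduled tasks that all launch the same freshly dropped executable (c:\windows\system32\pvG32Ogm.exe, created and modified at the same minute), and deleted files named like system binaries with a space inserted before the extension ("ctfmon .exe"). The Python script below is an added triage example, not ComboFix output and not code from anyone in this thread. It parses the "Files Created" and "Scheduled Tasks" line formats seen in the log from a constructed sample patterned after it, correlates the task targets with the newly created files, and flags those patterns; the heuristics (hidden executables in a user profile, spaced extensions, repeated At jobs) are the example's own assumptions about what merits a closer look.

```python
"""Triage helpers for ComboFix-style logs: correlate the 'Files Created'
entries with the 'Scheduled Tasks' section and flag the persistence patterns
visible in this thread (At*.job tasks all launching one dropped executable,
hidden executables in a user profile, a space inserted before the extension).
Added example; the sample log below is constructed, not the original log."""
import re
from collections import defaultdict

# Constructed sample patterned after the log in this thread (not the log itself).
SAMPLE_LOG = """\
((((( Other Deletions )))))
.

c:\\windows\\system32\\ctfmon .exe
c:\\windows\\system32\\qgclnoj0ej5n .exe

((((( Files Created from 2009-07-08 to 2009-08-08 )))))
.

2009-07-21 18:44 . 2009-07-21 18:44 169472 ----a-w- c:\\windows\\system32\\rxI08Qio.dll
2009-07-21 18:31 . 2009-07-21 18:31 196610 ----a-w- c:\\windows\\system32\\pvG32Ogm.exe
2009-07-21 18:30 . 2009-07-21 18:30 29184 ---h--w- c:\\documents and settings\\Tpoyoy\\ytjix.exe
2009-07-24 18:18 . 2008-04-14 00:12 39424 ----a-w- c:\\windows\\system32\\grpconv.exe

Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\\windows\\Tasks\\At1.job
- c:\\windows\\system32\\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\\windows\\Tasks\\At2.job
- c:\\windows\\system32\\pvG32Ogm.exe [2009-07-21 18:31]

2009-07-21 c:\\windows\\Tasks\\WGASetup.job
- c:\\windows\\system32\\KB905474\\wgasetup.exe [2009-04-30 05:18]
"""

# '<created> . <modified> <size> <attrs> <path>' rows of the Files Created section.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
# '<date> c:\windows\Tasks\<name>.job' followed by '- <target> [<stamp>]'.
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>c:\\windows\\tasks\\[^\\]+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[")
# A name such as 'ctfmon .exe': whitespace between the base name and extension.
SPACED_EXT_RE = re.compile(r"\S\s+\.[a-z0-9]{1,4}$", re.I)


def parse_file_entries(text):
    """Return the Files Created rows as dicts (created, modified, size, attrs, path)."""
    return [m.groupdict() for m in (FILE_RE.match(l) for l in text.splitlines()) if m]


def parse_jobs(text):
    """Map each .job path (lower-cased) to the executable it launches (lower-cased)."""
    jobs, pending = {}, None
    for line in text.splitlines():
        m = JOB_RE.match(line)
        if m:
            pending = m.group("job").lower()
            continue
        t = TARGET_RE.match(line)
        if t and pending:
            jobs[pending] = t.group("target").lower()
            pending = None
    return jobs


def triage(text):
    """Return a sorted list of human-readable findings for one log text."""
    findings = []
    entries = parse_file_entries(text)
    jobs = parse_jobs(text)

    # 1. Several At*.job tasks launching one executable: the hourly persistence
    #    scheme seen in the log (the assumption is that two or more is enough to flag).
    by_target = defaultdict(list)
    for job, target in jobs.items():
        if re.search(r"\\at\d+\.job$", job):
            by_target[target].append(job)
    for target, joblist in by_target.items():
        if len(joblist) >= 2:
            findings.append(f"at-job persistence: {len(joblist)} At*.job tasks launch {target}")

    # 2. Correlation: a task target that is itself among the newly created files.
    new_paths = {e["path"].lower() for e in entries}
    for target in by_target:
        if target in new_paths:
            findings.append(f"task target is a newly created file: {target}")

    # 3. Hidden ('h' attribute) executables dropped directly in a user profile.
    for e in entries:
        p = e["path"].lower()
        if "h" in e["attrs"] and p.endswith(".exe") and "\\documents and settings\\" in p:
            findings.append(f"hidden executable in user profile: {p}")

    # 4. Space before the extension, in file rows and in bare path lines alike.
    paths = [e["path"] for e in entries]
    paths += [l.strip() for l in text.splitlines() if l.strip().lower().startswith("c:\\")]
    for p in paths:
        if SPACED_EXT_RE.search(p):
            findings.append(f"space before extension: {p.lower()}")

    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)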

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:39 PM

Posted 09 August 2009 - 09:14 AM

Hello iops,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
AtJob::

File::
C:\WINDOWS\System32\rxI08Qio.dll
C:\WINDOWS\System32\pvG32Ogm.exe
C:\WINDOWS\System32\qgclnoj0ej5n .exe
C:\WINDOWS\System32\ryojqed.exe
c:\documents and settings\tpoyoy\ytjix.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ryojqed.exe"=

SRPeek::
c:\windows\system32\svchost.exe

FileLook::
c:\windows\system32\svchost.exe
Save this as CFScript.txt, in the same location as ComboFix.exe (in your case, if you still can't move them to the desktop of your infected computer, keep them both on your flash drive).

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt
  • Please let me know if things are improved, and if yes, what is working better now.

regards, Elise



#12 iops

iops
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:39 AM

Posted 09 August 2009 - 11:33 AM

Have not noticed anything so far: I still can't move items, can't copy or paste items, and the taskbar still stays empty.


ComboFix wanted to submit files for further analysis, but the infected PC has no internet; ComboFix created a submission form at *C:\CF-Submit.htm, please use it to manually upload them later.


Also, since I can't drag items, I made a fix.bat:

@echo off
"L:\Combofix.exe" "L:\CFScript.txt"


Anyway, here's the ComboFix log:

ComboFix 09-08-07.09 - Tpoyoy 08/09/2009 8:41.4.2 - NTFSx86
Running from: L:\ComboFix.exe
Command switches used :: L:\CFScript.txt

FILE ::
"c:\documents and settings\tpoyoy\ytjix.exe"
"c:\windows\System32\pvG32Ogm.exe"
"c:\windows\System32\qgclnoj0ej5n .exe"
"c:\windows\System32\rxI08Qio.dll"
"c:\windows\System32\ryojqed.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tpoyoy\ytjix.exe
c:\windows\System32\pvG32Ogm.exe
c:\windows\System32\rxI08Qio.dll
c:\windows\System32\ryojqed.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.

2009-07-24 18:31 . 2009-07-24 18:31 -------- d-----w- c:\program files\Trend Micro
2009-07-24 18:29 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 18:29 . 2009-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 18:29 . 2009-07-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-24 18:29 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 18:18 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-07-24 18:17 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-07-24 18:04 . 2009-07-24 18:04 -------- d-----w- c:\documents and settings\Tpoyoy\Application Data\AVG8
2009-07-11 22:45 . 2001-08-17 20:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-07-11 22:45 . 2001-08-17 20:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 18:44 . 2008-10-29 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-06 18:42 . 2008-08-21 18:39 -------- d-----w- c:\program files\DAP Premium
2009-07-22 03:07 . 2008-08-09 04:19 27660 ----a-w- c:\windows\system32\igfxtray.exe
2009-07-22 03:07 . 2004-08-04 12:00 27660 ----a-w- c:\windows\system32\ctfmon.exe
2009-07-22 02:55 . 2008-08-09 04:19 27660 ----a-w- c:\windows\system32\hkcmd.exe
2009-07-15 20:42 . 2008-08-08 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-19 01:18 . 2008-12-27 03:21 -------- d-----w- c:\documents and settings\julieee ly\Application Data\Canon
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\system32\svchost.exe [x]
[-] 27C6D03BCDB8CFEB96B716F3D8BE3E18 14336 \RP153\A0023774.exe
.
------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2009-07-24_18.22.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2004-08-04 12:00 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2004-08-04 12:00 . 2009-02-06 11:11 110592 c:\windows\system32\services.exe
+ 2004-08-04 12:00 . 2008-04-14 00:12 1033728 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-10-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-08-20 07:09 229376 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\startupfolder\C:^Documents and Settings^Tpoyoy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Tpoyoy\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23070:TCP"= 23070:TCP:BitComet 23070 TCP
"23070:UDP"= 23070:UDP:BitComet 23070 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2008-08-19 3768]

.
Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 05:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Tpoyoy\Application Data\Mozilla\Firefox\Profiles\1zq8fss0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mail.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 08:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2009-08-09 8:51
ComboFix-quarantined-files.txt 2009-08-09 15:51
ComboFix2.txt 2009-08-08 15:20
ComboFix3.txt 2009-08-06 18:48
ComboFix4.txt 2009-07-24 18:27

Pre-Run: 46,967,480,320 bytes free
Post-Run: 46,944,923,648 bytes free

149 --- E O F --- 2009-07-15 20:42

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:39 PM

Posted 10 August 2009 - 08:03 AM

Hi iops!

We have to execute another CF script. Please make sure you download a fresh copy of Combofix first and that you delete the old Combofix.exe and the old CFScript.txt from your flashdrive before continuing, to avoid problems.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
SCOPY::
\RP153\A0023774.exe|c:\windows\system32\svchost.exe
Save this as CFScript.txt, in the same location as ComboFix.exe (in your case, if you still can't move them to the desktop of your infected computer, keep them both on your flash drive).

You can use the same batch file (fix.bat) to execute the CF script.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 iops

iops
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:39 AM

Posted 10 August 2009 - 06:05 PM

Ok, internet works now, copy and paste works, dragging items works, taskbar no longer stays empty, system restore seems normal. :thumbup2:


Here's the log.



ComboFix 09-08-10.01 - Tpoyoy 08/10/2009 15:38.5.2 - NTFSx86
Running from: L:\ComboFix.exe
Command switches used :: L:\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

?

.
--------------- SCopy ---------------

\RP153\A0023774.exe --> c:\windows\system32\svchost.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 22:38 . 2008-04-14 00:12 14336 -c--a-w- c:\windows\system32\dllcache\svchost.exe
2009-08-10 22:38 . 2008-04-14 00:12 14336 ----a-w- c:\windows\system32\svchost.exe
2009-07-24 18:31 . 2009-07-24 18:31 -------- d-----w- c:\program files\Trend Micro
2009-07-24 18:29 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 18:29 . 2009-07-24 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-24 18:29 . 2009-07-24 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-24 18:29 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 18:18 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-07-24 18:17 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-07-24 18:04 . 2009-07-24 18:04 -------- d-----w- c:\documents and settings\Tpoyoy\Application Data\AVG8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 18:44 . 2008-10-29 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-06 18:42 . 2008-08-21 18:39 -------- d-----w- c:\program files\DAP Premium
2009-07-22 03:07 . 2008-08-09 04:19 27660 ----a-w- c:\windows\system32\igfxtray.exe
2009-07-22 03:07 . 2004-08-04 12:00 27660 ----a-w- c:\windows\system32\ctfmon.exe
2009-07-22 02:55 . 2008-08-09 04:19 27660 ----a-w- c:\windows\system32\hkcmd.exe
2009-07-15 20:42 . 2008-08-08 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-19 01:18 . 2008-12-27 03:21 -------- d-----w- c:\documents and settings\julieee ly\Application Data\Canon
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

------- Sigcheck -------

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-08-08 23:48 361344 33A7A4E915A2DD501A4BDCDB40DE78D3 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-09-04 04:09 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\dllcache\tcpip.sys
[-] 2008-09-04 04:09 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys

[7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 512000 4EF44BCC171BB75ED133849CF5356270 c:\windows\system32\winlogon.exe

[7] 2004-08-04 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2009-07-22 03:07 27660 CC75273339BF892FF4DDD008EAEC6098 c:\windows\system32\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-07-24_18.22.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2004-08-04 12:00 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2004-08-04 12:00 . 2009-02-06 11:11 110592 c:\windows\system32\services.exe
+ 2004-08-04 12:00 . 2008-04-14 00:12 1033728 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-10-21 77824]

c:\documents and settings\julieee ly\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-08-20 07:09 229376 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\startupfolder\C:^Documents and Settings^Tpoyoy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Tpoyoy\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23070:TCP"= 23070:TCP:BitComet 23070 TCP
"23070:UDP"= 23070:UDP:BitComet 23070 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2008-08-19 3768]

.
Contents of the 'Scheduled Tasks' folder

2009-07-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 05:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Tpoyoy\Application Data\Mozilla\Firefox\Profiles\1zq8fss0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mail.com/
FF - plugin: c:\documents and settings\Tpoyoy\Application Data\Mozilla\Firefox\Profiles\1zq8fss0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 15:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2009-08-10 15:48
ComboFix-quarantined-files.txt 2009-08-10 22:48
ComboFix2.txt 2009-08-09 15:51
ComboFix3.txt 2009-08-08 15:20
ComboFix4.txt 2009-08-06 18:48
ComboFix5.txt 2009-08-10 22:37

Pre-Run: 46,961,037,312 bytes free
Post-Run: 46,924,804,096 bytes free

131 --- E O F --- 2009-07-15 20:42



Anything else to do?

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:39 PM

Posted 11 August 2009 - 10:51 AM

Hello iops,


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Very important! Please download a fresh copy of Combofix!
    link
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
FCopy::
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | C:\windows\$NtUninstallKB951748$\tcpip.sys
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\ServicePackFiles\i386\winlogon.exe | C:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\ctfmon.exe | C:\windows\system32\ctfmon.exe

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\DAP Premium
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • Combofix.txt
  • A new DDS log
  • A description of any problems remaining after these steps

Edited by elise025, 11 August 2009 - 12:44 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
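The FCopy:: lines above were derived by reading the Sigcheck block of the previous ComboFix log: every copy marked [-] is replaced from a copy marked [7]. As an added example (not code from the thread or from ComboFix), this Python helper parses that Sigcheck block, takes [7] to mean a copy ComboFix verified as signed and [-] an unverified copy (an assumption drawn from the helper's script), and generates the same pairs by restoring each unverified copy from the newest verified copy of the same file.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: the Sigcheck block of the ComboFix log posted above.
SIGCHECK = r"""
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2008-08-08 23:48 361344 33A7A4E915A2DD501A4BDCDB40DE78D3 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-09-04 04:09 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\dllcache\tcpip.sys
[-] 2008-09-04 04:09 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys
[7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 512000 4EF44BCC171BB75ED133849CF5356270 c:\windows\system32\winlogon.exe
[7] 2004-08-04 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2009-07-22 03:07 27660 CC75273339BF892FF4DDD008EAEC6098 c:\windows\system32\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\ctfmon.exe
"""

# One Sigcheck line: [status] date time size MD5 path.  "[7]" is taken to mean
# a copy ComboFix verified as signed, "[-]" an unverified copy (assumption).
LINE = re.compile(r"^\[(7|-)\]\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9A-F]{32})\s+(.+)$")
Entry = namedtuple("Entry", "verified stamp size md5 path")

def parse_sigcheck(text):
    """Group Sigcheck entries by file name (case-insensitive)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            status, stamp, size, md5, path = m.groups()
            e = Entry(status == "7", stamp, int(size), md5, path)
            groups[path.rsplit("\\", 1)[-1].lower()].append(e)
    return groups

def plan_fcopy(groups):
    """For each unverified copy pick the newest verified copy as its source.
    Returns (source, target) pairs; files with no verified copy are skipped."""
    pairs = []
    for entries in groups.values():
        good = [e for e in entries if e.verified]
        if not good:
            continue
        source = max(good, key=lambda e: e.stamp)   # first listed wins on a tie
        pairs += [(source.path, e.path) for e in entries if not e.verified]
    return pairs

def fcopy_script(groups):
    """Render the pairs in ComboFix's 'FCopy::' script syntax."""
    return "FCopy::\n" + "\n".join(f"{s} | {t}" for s, t in plan_fcopy(groups))
```

Running `print(fcopy_script(parse_sigcheck(SIGCHECK)))` reproduces the five FCopy:: lines of the script above; a file with no [7] copy at all is left out, since it would need a known-good source from elsewhere.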




