Browser Hijack - ToSeekA


  • This topic is locked
11 replies to this topic

#1 Mr. Paul

Mr. Paul

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 08 September 2009 - 05:42 PM

Doing Google searches (in either IE or Firefox) and then clicking on the results gets redirected to bogus search sites, usually ToSeekA. It also seemed to get rid of cookies and block images from being displayed during searches.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Paul at 16:50:36.26 on Tue 09/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2224 [GMT -5:00]

AV: Total Protection Service *On-access scanning enabled* (Outdated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *enabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM13Mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe
C:\WINDOWS\system32\hphmon04.exe
C:\windows\pp12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\sySTEM32\svchost.exe -k ddnsfilter
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\Google Toolbar\gtb166.tmp.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcrobatInfo.exe
J:\Malware\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = file:///C:/Stuff/Web%20Pages/HomePage.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Advertising Cookie Opt-out: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.32.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [MVS Splash] c:\program files\mcafee\managed virusscan\agent\Splash.exe
mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatchTray11.exe"
mRun: [CPMonitor] "c:\program files\roxio creator 2009 ultimate\5.0\CPMonitor.exe"
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [sysldtray] c:\windows\ld14.exe
mRun: [pp] c:\windows\pp12.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\paul\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.32.0\gears.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233170336703
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://woodmansdigitalphoto.lifepics.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt4.7.0.752.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\3n2gfyon.default
FF - prefs.js: browser.startup.homepage - file:///C:/Stuff/Web%20Pages/HomePage.html
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R?2 ddnsfilter;ddnsfilter;c:\windows\system32\svchost.exe -k ddnsfilter [2008-4-25 14336]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-3-22 20464]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-3-22 15856]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2009-5-16 244608]
R1 Filter;Filter;c:\windows\system32\drivers\Filter.sys [2009-9-4 37760]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-22 213768]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-3-22 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2008-8-1 125424]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2009-1-22 14144]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2009-1-22 540776]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2009-1-22 175704]
R3 McShield;McShield;c:\program files\mcafee\managed virusscan\vscan\McShield.exe [2009-1-22 144704]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2009-1-22 79880]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2009-1-22 35272]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-1-22 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-1-22 43608]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2009-1-22 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-1-22 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-1-22 235840]
S2 gupdate1c9a277d130b6b6;Google Update Service (gupdate1c9a277d130b6b6);c:\program files\google\update\GoogleUpdate.exe [2009-3-11 133104]
S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\drivers\RioUsb.sys [2009-3-28 15152]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUpnpService11.exe [2008-8-14 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxLiveShare11.exe [2008-8-14 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatch11.exe [2008-8-14 170480]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-22 30192]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2009-1-22 34216]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUPnPRenderer11.exe [2008-8-14 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxMediaDB11.exe [2009-1-8 1122304]

=============== Created Last 30 ================

2009-09-08 15:56 97,280 a------- c:\windows\vkl_1252443368.exe.exe
2009-09-08 15:56 97,280 a------- c:\windows\vkl_1252443368.exe
2009-09-04 22:58 1 ----h--- c:\windows\e323567.dat
2009-09-04 22:57 73,728 a------- c:\windows\freddy63.exe
2009-09-04 22:57 2 a------- c:\windows\0101120101465154.xe
2009-09-04 01:33 49,152 ----h--- c:\windows\pp12.exe
2009-09-04 01:33 37,760 a------- c:\windows\system32\drivers\Filter.sys
2009-09-04 01:33 <DIR> --d----- c:\program files\DDnsFilter
2009-09-02 22:17 61,440 a------- c:\windows\nl15.exe
2009-09-02 22:17 2 a------- c:\windows\0101120101465349.xe
2009-09-02 22:17 1 ----h--- c:\windows\nlmark2.dat
2009-09-02 22:17 2 a------- c:\windows\0101120101465249.xe
2009-09-01 22:15 1 ----h--- c:\windows\ex23567.dat
2009-09-01 22:15 1 a------- c:\windows\fdgg34353edfgdfdf
2009-09-01 22:15 36,864 ----h--- c:\windows\pp11.exe
2009-09-01 22:15 2 a------- c:\windows\0101120101465149.xe
2009-09-01 22:15 86,016 a------- c:\windows\mstre21.exe
2009-09-01 22:15 2 a------- c:\windows\0101120101464950.xe
2009-09-01 22:15 1 ----h--- c:\windows\mmsmark2.dat
2009-09-01 22:15 2 a------- c:\windows\0101120101465449.xe
2009-09-01 22:15 73,728 a------- c:\windows\freddy62.exe
2009-09-01 22:15 2 a------- c:\windows\0101120101465054.xe
2009-09-01 22:15 2 a------- c:\windows\0535251103110107106.yux
2009-09-01 22:13 2 a------- c:\windows\010112010146101105.te
2009-09-01 22:09 53,248 -------- c:\windows\ld14.exe
2009-08-31 23:51 286,720 -------- c:\windows\Setup1.exe
2009-08-31 23:51 73,216 a------- c:\windows\ST6UNST.EXE
2009-08-17 07:08 40,223,278 a------- C:\BlackHawk - Not By Chance (demo).wav
2009-08-17 07:08 32,297,518 a------- C:\BlackHawk - That's What I'm Talking About (demo).wav
2009-08-17 07:08 44,282,926 a------- C:\BlackHawk - Voices (demo).wav
2009-08-17 07:08 33,970,222 a------- C:\BlackHawk - Who's Gonna Rock Ya (demo).wav
2009-08-17 07:08 34,647,598 a------- C:\BlackHawk - Wide Open Spaces (demo).wav
2009-08-12 19:57 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 19:57 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-03-25 08:45 167 a------- c:\documents and settings\paul\udownload.dat
2009-01-22 18:50 76 ---shr-- c:\windows\CT4CET.bin

============= FINISH: 16:51:13.96 ===============

Since my original post, I'm also getting the following McAfee Total Protection Service file deletions, which of course repeat themselves every time I boot up the computer:
  • Generic.dx!elb
  • W32/koobface.worm.gen.j
  • Artemis!08e758770412
===========

Merged posts. ~ OB



Edited by Orange Blossom, 19 August 2010 - 12:58 AM.
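The helpers in this thread read the DDS log above by eye; as an added example (not part of the thread, of DDS or of ComboFix), here is a small Python triage script that applies three of the tells visible in that log: a svchost service group that is not a standard one (ddnsfilter), random-named or hidden executables dropped straight into c:\windows (ld14.exe, pp12.exe), and the tiny marker files with invented extensions (.xe, .te, .yux). The sample lines are copied from the DDS log with backslashes restored, and the list of standard svchost groups is an assumed Windows XP baseline.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Sample entries copied from the DDS log in the first post (backslashes restored),
# embedded here as a constructed fixture so the script runs offline.
SAMPLE_LOG = r"""
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
mRun: [sysldtray] c:\windows\ld14.exe
mRun: [pp] c:\windows\pp12.exe
R?2 ddnsfilter;ddnsfilter;c:\windows\system32\svchost.exe -k ddnsfilter [2008-4-25 14336]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-22 213768]
2009-09-04 01:33 49,152 ----h--- c:\windows\pp12.exe
2009-09-04 22:57 2 a------- c:\windows\0101120101465154.xe
2009-09-01 22:09 53,248 -------- c:\windows\ld14.exe
2009-08-12 19:57 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
"""

# Line shapes DDS uses for autostart entries, services/drivers and "Created Last 30" files.
RUN_RE = re.compile(r"^[mu]Run: \[[^\]]*\]\s+(?P<rest>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|scr|com|dll|bat))', re.I)
SVC_RE = re.compile(r"^(?P<state>[RS]\??\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
                    r"(?P<cmd>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+"
                     r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\(?P<base>[^\\]+)$")
# Short lowercase stem plus a number (ld14, pp12, freddy63): the naming the dropper used here.
RANDOM_EXE_RE = re.compile(r"^[a-z]{2,8}\d{1,3}\.exe$")

# Assumed baseline of svchost groups a stock Windows XP install is expected to show.
STANDARD_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice",
                           "localservice", "imgsvc", "termsvcs", "httpfilter"}
MARKER_EXTS = {".xe", ".te", ".yux"}  # extensions of the 1-2 byte marker files in the log


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: str


def windir_root_base(path: str) -> Optional[str]:
    """Return the lower-cased file name if `path` sits directly in the Windows directory."""
    m = WINDIR_ROOT_RE.match(path.strip().lower())
    return m.group("base") if m else None


def check_executable(path: str, attrs: str = "") -> Optional[str]:
    """Flag .exe files in the Windows root that look machine-named or carry the hidden bit."""
    base = windir_root_base(path)
    if base is None or not base.endswith(".exe"):
        return None
    if RANDOM_EXE_RE.match(base):
        return "random-named exe in the Windows root"
    if "h" in attrs:
        return "hidden exe in the Windows root"
    return None


def check_marker_file(path: str, size: str) -> Optional[str]:
    """Flag tiny files or made-up extensions in the Windows root (infection markers)."""
    base = windir_root_base(path)
    if base is None:
        return None
    ext = os.path.splitext(base)[1]
    if ext in MARKER_EXTS:
        return f"marker file with unusual extension {ext}"
    if size.isdigit() and int(size) <= 2:
        return f"{size}-byte marker file in the Windows root"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a DDS log and return the entries worth a second look (a list, not a verdict)."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RUN_RE.match(line)):
            exe = EXE_RE.match(m.group("rest"))
            reason = check_executable(exe.group("path")) if exe else None
            if reason:
                findings.append(Finding(reason, exe.group("path"), line))
        elif (m := SVC_RE.match(line)):
            grp = re.search(r"svchost\.exe\s+-k\s+(\S+)", m.group("cmd"), re.I)
            if grp and grp.group(1).lower() not in STANDARD_SVCHOST_GROUPS:
                findings.append(Finding(f"svchost group '{grp.group(1)}' is not a standard group",
                                        m.group("cmd"), line))
        elif (m := FILE_RE.match(line)):
            path, attrs, size = m.group("path"), m.group("attrs"), m.group("size")
            reason = check_executable(path, attrs) or check_marker_file(path, size)
            if reason:
                findings.append(Finding(reason, path, line))
    return findings


def flagged_names(findings: List[Finding]) -> Set[str]:
    """Lower-cased file names of every flagged path, for summaries and tests."""
    return {f.path.rsplit("\\", 1)[-1].lower() for f in findings}
```

The heuristics deliberately stay narrow: they will not flag the generically named Filter.sys driver from the same log, which is why a human still reads the whole report.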



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 10 September 2009 - 12:34 PM

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)



Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

(screenshots of the rename step in the download dialog not reproduced)


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Mr. Paul

Mr. Paul
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 11 September 2009 - 12:27 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

ComboFix 09-09-10.03 - Paul 09/11/2009 11:12.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2294 [GMT -5:00]
Running from: j:\malware\Combo-Fix.exe
AV: Total Protection Service *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *disabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\DDnsFilter
c:\windows\010112010146101105.te
c:\windows\0101120101464950.xe
c:\windows\0101120101465054.xe
c:\windows\0101120101465149.xe
c:\windows\0101120101465154.xe
c:\windows\0101120101465249.xe
c:\windows\0101120101465349.xe
c:\windows\0101120101465449.xe
c:\windows\vkl_1252541157.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SfX


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-10 10:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-10 10:19 . 2009-09-10 10:20 -------- d-----w- c:\program files\webserver
2009-09-08 22:23 . 2009-09-08 22:23 -------- d-----w- c:\program files\CCleaner
2009-09-05 03:58 . 2009-09-05 03:58 1 ---h--w- c:\windows\e323567.dat
2009-09-05 03:53 . 2009-09-05 03:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-09-03 03:17 . 2009-09-03 03:17 1 ---h--w- c:\windows\nlmark2.dat
2009-09-02 03:15 . 2009-09-02 03:15 1 ---h--w- c:\windows\ex23567.dat
2009-09-02 03:15 . 2009-09-02 03:15 1 ---h--w- c:\windows\mmsmark2.dat
2009-09-01 04:51 . 2009-09-01 04:51 286720 ------w- c:\windows\Setup1.exe
2009-09-01 04:51 . 2009-09-01 04:51 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-08-13 00:57 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 14:25 . 2009-02-01 08:25 -------- d-----w- c:\documents and settings\Paul\Application Data\.purple
2009-09-05 15:50 . 2009-01-22 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-09-05 03:55 . 2009-01-22 23:54 -------- d-----w- c:\program files\Google
2009-08-21 15:45 . 2009-01-28 17:33 55016 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 13:29 . 2009-03-29 21:54 794192 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-11 13:02 . 2009-05-12 05:00 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 01:42 . 2009-08-01 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-03 01:42 . 2009-08-01 19:22 -------- d-----w- c:\program files\NOS
2009-07-28 15:43 . 2009-07-28 15:43 -------- d-----w- c:\documents and settings\Paul\Application Data\EPSON
2009-07-24 11:35 . 2009-01-22 23:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-24 11:33 . 2009-07-24 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Amazon
2009-07-24 11:33 . 2009-07-24 11:33 -------- d-----w- c:\program files\Amazon
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 13:44 . 2009-01-28 18:02 -------- d-----w- c:\documents and settings\Paul\Application Data\Winamp
2009-07-17 03:03 . 2009-01-28 18:02 -------- d-----w- c:\program files\Winamp
2009-07-14 04:43 . 2008-04-25 16:16 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-04-25 16:16 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-04-25 16:16 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-25 16:16 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-25 16:16 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-25 16:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-04-25 16:16 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-25 16:16 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-04-25 16:16 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-01-22 23:54 . 2009-01-28 18:43 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-01-22 23:50 . 2009-01-22 23:50 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-22 137752]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-07-16 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-15 148888]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-30 2220032]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-22 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\Agent\Splash.exe" [2009-04-13 468288]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2009-04-13 87360]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-13 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-11-20 128296]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe" [2009-04-20 84464]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-02-21 16855552]

c:\documents and settings\Paul\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8085:TCP"= 8085:TCP:ddnsfilter
"53:TCP"= 53:TCP:webserver

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [3/22/2009 6:45 PM 20464]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [3/22/2009 6:45 PM 15856]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [5/16/2009 8:33 PM 244608]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [3/22/2009 6:45 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [8/1/2008 11:59 AM 125424]
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [1/22/2009 6:54 PM 14144]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [1/22/2009 6:54 PM 175704]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [1/22/2009 8:41 PM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [1/22/2009 8:41 PM 43608]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [1/22/2009 8:41 PM 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [1/22/2009 8:41 PM 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [1/22/2009 8:41 PM 235840]
S2 ddnsfilter;ddnsfilter;c:\windows\sySTEM32\svchost.exe -k ddnsfilter [4/25/2008 11:16 AM 14336]
S2 gupdate1c9a277d130b6b6;Google Update Service (gupdate1c9a277d130b6b6);c:\program files\Google\Update\GoogleUpdate.exe [3/11/2009 1:33 PM 133104]
S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\drivers\RioUsb.sys [3/28/2009 9:01 AM 15152]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 12:25 AM 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 12:24 AM 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 12:24 AM 170480]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/22/2009 6:54 PM 30192]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 12:25 AM 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [1/8/2009 12:52 AM 1122304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ddnsfilter REG_MULTI_SZ ddnsfilter

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 18:33]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 18:33]

2009-09-11 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2009-01-28 19:07]

2009-09-11 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2009-01-28 19:07]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = file:///C:/Stuff/Web%20Pages/HomePage.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://woodmansdigitalphoto.lifepics.com/net/Uploader/LPUploader57.cab
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\3n2gfyon.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Stuff/Web%20Pages/HomePage.html
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 11:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3096)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\drivers\o2flash.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\McAfee\Managed VirusScan\VScan\McShield.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-11 11:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 16:26

Pre-Run: 154,697,814,016 bytes free
Post-Run: 154,954,084,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

291 --- E O F --- 2009-09-10 10:26

#4 fenzodahl512

fenzodahl512


Posted 11 September 2009 - 12:41 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
ddnsfilter

File::
c:\windows\e323567.dat
c:\windows\nlmark2.dat
c:\windows\ex23567.dat
c:\windows\mmsmark2.dat
c:\windows\CT4CET.bin

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"=-
"8085:TCP"=-
"53:TCP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"ddnsfilter"=-

DirLook::
c:\program files\webserver

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
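A defender-side triage script for the kind of ComboFix report posted above, added here as an example that is not part of the thread or of ComboFix: it flags the same indicators the CFScript targets (the Security Center overrides, the disabled firewall profile, the non-default ddnsfilter svchost group, and the service and globally open ports tied to it). The ComboFix line formats it parses and the list of default XP svchost groups are assumptions; the sample excerpt is constructed from entries quoted in the thread.

```python
import re

# Constructed excerpt in ComboFix's report format, mirroring entries quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8085:TCP"= 8085:TCP:ddnsfilter
"53:TCP"= 53:TCP:webserver
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [1/22/2009 6:54 PM 175704]
S2 ddnsfilter;ddnsfilter;c:\windows\sySTEM32\svchost.exe -k ddnsfilter [4/25/2008 11:16 AM 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ddnsfilter REG_MULTI_SZ ddnsfilter
"""

# svchost groups Windows XP defines itself (assumed, conservative list); ComboFix
# already hides default entries, so any group it prints deserves a look anyway.
DEFAULT_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                          "dcomlaunch", "imgsvc", "httpfilter", "termsvcs"}
OVERRIDE_VALUES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s+\[")
PORT_RE = re.compile(r"^(\d+):(TCP|UDP)(?::(.*))?$")


def parse_log(text):
    """Return ({lowercased registry key: [(name, value), ...]}, [service dicts])."""
    values, services, key = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif m := SERVICE_RE.match(line):
            services.append({"start": m.group(1), "name": m.group(2), "image": m.group(3)})
        elif (m := VALUE_RE.match(line)) and key:
            values.setdefault(key, []).append((m.group(1), m.group(2).strip()))
        elif key and key.endswith(r"\svchost"):
            # svchost group lines are unquoted: "<group> REG_MULTI_SZ <members...>"
            parts = line.split()
            if len(parts) >= 3 and parts[1] == "REG_MULTI_SZ":
                values.setdefault(key, []).append((parts[0], " ".join(parts[2:])))
    return values, services


def triage(text):
    """Return human-readable findings; each maps to something the CFScript removed."""
    values, services = parse_log(text)
    findings, bad_groups = [], set()
    for key, pairs in values.items():
        for name, val in pairs:
            # Security Center told to ignore AV/firewall state, or vendor monitoring disabled.
            if "security center" in key and name in OVERRIDE_VALUES and val.endswith("00000001"):
                findings.append(f"security-center: {name}=1 under {key}")
            # Windows Firewall standard profile switched off.
            if key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall" and val.startswith("0"):
                findings.append("firewall: EnableFirewall=0 (standard profile)")
            # A non-default svchost group: something registered itself to run inside svchost.exe.
            if key.endswith(r"\svchost") and name.lower() not in DEFAULT_SVCHOST_GROUPS:
                bad_groups.add(name.lower())
                findings.append(f"svchost-group: '{name}' -> members [{val}]")
    # Cross-reference: which service entries are hosted by one of those groups?
    for svc in services:
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", svc["image"], re.IGNORECASE)
        if m and m.group(1).lower() in bad_groups:
            findings.append(f"service: '{svc['name']}' ({svc['start']}) hosted by svchost group "
                            f"'{m.group(1)}' via {svc['image']}")
    # Globally open inbound ports: well-known ports, rules with no subnet scope,
    # or rules labelled with one of the suspicious svchost groups.
    for key, pairs in values.items():
        if not key.endswith(r"globallyopenports\list"):
            continue
        for _, val in pairs:
            if not (m := PORT_RE.match(val)):
                continue
            port, proto = int(m.group(1)), m.group(2)
            fields = m.group(3).split(":") if m.group(3) else []
            label = fields[-1] if fields else ""
            reasons = []
            if port < 1024:
                reasons.append("well-known port")
            if not any("/" in f for f in fields):
                reasons.append("no subnet scope")
            if label.lower() in bad_groups:
                reasons.append("labelled with suspicious svchost group")
            if reasons:
                findings.append(f"open-port: {port}/{proto} '{label}' ({', '.join(reasons)})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The ActiveSync rule (high port, scoped to a link-local subnet) and the McAfee service produce no findings, which is the negative case a triage rule needs to pass before it is useful on a full log.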


#5 Mr. Paul

Mr. Paul
  • Topic Starter


Posted 11 September 2009 - 02:15 PM

ComboFix 09-09-10.03 - Paul 09/11/2009 14:02.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2432 [GMT -5:00]
Running from: j:\malware\Combo-Fix.exe
Command switches used :: j:\malware\CFScript.txt
FW: Total Protection Service *disabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

FILE ::
"c:\windows\CT4CET.bin"
"c:\windows\e323567.dat"
"c:\windows\ex23567.dat"
"c:\windows\mmsmark2.dat"
"c:\windows\nlmark2.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\CT4CET.bin
c:\windows\e323567.dat
c:\windows\ex23567.dat
c:\windows\mmsmark2.dat
c:\windows\nlmark2.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DDNSFILTER
-------\Service_ddnsfilter


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 18:12 . 2009-09-11 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-09-11 18:04 . 2009-09-11 18:04 -------- d-----w- c:\program files\Citrix
2009-09-11 18:04 . 2009-09-11 18:04 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Citrix
2009-09-11 18:04 . 2009-09-11 18:04 61224 ----a-w- c:\documents and settings\Paul\GoToAssistDownloadHelper.exe
2009-09-11 18:01 . 2009-09-11 18:01 -------- d-----w- c:\documents and settings\Paul\Application Data\McAfee
2009-09-10 10:22 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-10 10:19 . 2009-09-10 10:20 -------- d-----w- c:\program files\webserver
2009-09-08 22:23 . 2009-09-08 22:23 -------- d-----w- c:\program files\CCleaner
2009-09-05 03:53 . 2009-09-05 03:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-09-01 04:51 . 2009-09-01 04:51 286720 ------w- c:\windows\Setup1.exe
2009-09-01 04:51 . 2009-09-01 04:51 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-08-13 00:57 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 18:48 . 2009-01-22 23:54 -------- d-----w- c:\program files\McAfee
2009-09-11 18:00 . 2009-01-22 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-11 17:31 . 2009-01-22 23:50 -------- d-----w- c:\program files\Java
2009-09-08 14:25 . 2009-02-01 08:25 -------- d-----w- c:\documents and settings\Paul\Application Data\.purple
2009-09-05 15:50 . 2009-01-22 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-09-05 03:55 . 2009-01-22 23:54 -------- d-----w- c:\program files\Google
2009-08-21 15:45 . 2009-01-28 17:33 55016 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-19 13:29 . 2009-03-29 21:54 794192 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-11 13:02 . 2009-05-12 05:00 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 01:42 . 2009-08-01 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-03 01:42 . 2009-08-01 19:22 -------- d-----w- c:\program files\NOS
2009-07-28 15:43 . 2009-07-28 15:43 -------- d-----w- c:\documents and settings\Paul\Application Data\EPSON
2009-07-25 10:23 . 2009-04-15 03:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 11:35 . 2009-01-22 23:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-24 11:33 . 2009-07-24 11:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Amazon
2009-07-24 11:33 . 2009-07-24 11:33 -------- d-----w- c:\program files\Amazon
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 13:44 . 2009-01-28 18:02 -------- d-----w- c:\documents and settings\Paul\Application Data\Winamp
2009-07-17 03:03 . 2009-01-28 18:02 -------- d-----w- c:\program files\Winamp
2009-07-14 04:43 . 2008-04-25 16:16 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-04-25 16:16 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-25 16:16 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-25 16:16 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-25 16:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-04-25 16:16 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-25 16:16 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-04-25 16:16 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-01-22 23:54 . 2009-01-28 18:43 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\webserver ----



((((((((((((((((((((((((((((( SnapShot@2009-09-11_16.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 05:02 . 2009-07-12 05:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2009-09-11 17:31 . 2009-07-25 10:23 149280 c:\windows\system32\javaws.exe
+ 2009-09-11 17:31 . 2009-07-25 10:23 145184 c:\windows\system32\javaw.exe
+ 2009-09-11 17:31 . 2009-07-25 10:23 145184 c:\windows\system32\java.exe
+ 2009-01-28 15:33 . 2009-09-11 17:31 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2009-01-28 15:33 . 2009-01-22 23:58 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-09-11 18:47 . 2009-09-11 18:47 219648 c:\windows\Installer\7e997a.msi
+ 2009-07-12 05:02 . 2009-07-12 05:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-22 137752]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-07-16 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-30 2220032]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-22 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\Agent\Splash.exe" [2009-04-13 468288]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2009-04-13 87360]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-13 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-11-20 128296]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009 Ultimate\5.0\CPMonitor.exe" [2009-04-20 84464]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-02-21 16855552]

c:\documents and settings\Paul\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [3/22/2009 6:45 PM 20464]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [3/22/2009 6:45 PM 15856]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [5/16/2009 8:33 PM 244608]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [3/22/2009 6:45 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [8/1/2008 11:59 AM 125424]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [1/22/2009 6:54 PM 175704]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [1/22/2009 8:41 PM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [1/22/2009 8:41 PM 43608]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [1/22/2009 8:41 PM 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [1/22/2009 8:41 PM 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [1/22/2009 8:41 PM 235840]
S2 gupdate1c9a277d130b6b6;Google Update Service (gupdate1c9a277d130b6b6);c:\program files\Google\Update\GoogleUpdate.exe [3/11/2009 1:33 PM 133104]
S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\drivers\RioUsb.sys [3/28/2009 9:01 AM 15152]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 12:25 AM 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 12:24 AM 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 12:24 AM 170480]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/22/2009 6:54 PM 30192]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 12:25 AM 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [1/8/2009 12:52 AM 1122304]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 18:33]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 18:33]

2009-09-11 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2009-01-28 19:07]

2009-09-11 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2009-01-28 19:07]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = file:///C:/Stuff/Web%20Pages/HomePage.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://woodmansdigitalphoto.lifepics.com/net/Uploader/LPUploader57.cab
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\3n2gfyon.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Stuff/Web%20Pages/HomePage.html
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 14:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3488)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\drivers\o2flash.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-11 14:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 19:12
ComboFix2.txt 2009-09-11 16:26

Pre-Run: 154,928,852,992 bytes free
Post-Run: 154,927,267,840 bytes free

292 --- E O F --- 2009-09-10 10:26




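Added example, not from the thread and not ComboFix's own code: a small Python triage script for ComboFix-style logs like the one above. It walks the log once, keyed on ComboFix's section banners and registry key headers, and collects what a helper reads first: the files and the driver/service entries the tool deleted (here the ddnsfilter entries, worth a look because a network filter driver can redirect traffic without touching any browser setting), Run values whose target no longer exists (marked [X] in the log), a Windows Firewall profile turned off, a start page that is not a web URL (MBAM later flagged exactly that entry), a search provider that is not on an allow-list, Trusted Zone entries that are not hostnames, and cached ActiveX controls (the DPF lines). The sample log is an excerpt of the log posted above; the mSearchURL line pointing at search.example.net is constructed to show the search-provider rule firing, and the allow-list and every rule are this example's assumptions, not ComboFix's. Because it keys off the banners rather than fixed positions, it can be pointed at a full log, not just this excerpt.

```python
"""Triage a ComboFix-style log and list the entries worth a second look.

Added example for this thread, not code from the posts above or from the
ComboFix author. Every rule is this example's own heuristic; the allow-list
of search hosts is an assumption to adjust for your environment.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind subject note")

# Excerpt of the ComboFix log posted above, plus one constructed line that is not
# from the thread: the mSearchURL entry pointing at search.example.net.
SAMPLE_LOG = r"""
(((((((((( Other Deletions ))))))))))
.
c:\windows\CT4CET.bin
c:\windows\e323567.dat
.
(((((((((( Drivers/Services ))))))))))
-------\Legacy_DDNSFILTER
-------\Service_ddnsfilter

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

uStart Page = file:///C:/Stuff/Web%20Pages/HomePage.html
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchURL,(Default) = hxxp://search.example.net/?q=%s
Trusted Zone: internet
Trusted Zone: //about.htm/
Trusted Zone: mcafeeasap.com\www
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")        # '((( Section )))' banners
KEY_RE = re.compile(r"^\[(HK.*)\]$")                    # registry key headers
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+-\s+.*?)?\s*\[([^\]]*)\]$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
START_RE = re.compile(r"^[um]Start Page\s*=\s*(\S+)")
SEARCH_RE = re.compile(r"^[um]Search\w*[^=]*=\s*(\S+)")
TZ_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
DPF_RE = re.compile(r"^DPF:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(\S+)")
WEB_RE = re.compile(r"^h(?:tt|xx)ps?://([^/]+)", re.I)  # ComboFix writes http as hxxp
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:\\\S+)?$", re.I)

# Assumed allow-list; a redirect hijack usually shows up as a provider not on it.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}


def triage(log_text):
    """Walk the log once and return Finding tuples in log order."""
    out, section, key = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif m := START_RE.match(line):          # supplementary-scan lines stand alone
            if not WEB_RE.match(m.group(1)):
                out.append(Finding("local_start_page", m.group(1), "not a web URL; confirm it is the user's own file"))
        elif m := SEARCH_RE.match(line):
            host = WEB_RE.match(m.group(1))
            if not host or host.group(1).lower() not in KNOWN_SEARCH_HOSTS:
                out.append(Finding("search_url_review", m.group(1), "provider not on the allow-list; redirects start here"))
        elif m := TZ_RE.match(line):
            if not HOST_RE.match(m.group(1)):
                out.append(Finding("trusted_zone_review", m.group(1), "not a hostname; IE relaxes security for it"))
        elif m := DPF_RE.match(line):
            out.append(Finding("dpf", m.group(1), "ActiveX control fetched from " + m.group(2) + "; confirm the vendor"))
        elif key:                                 # value lines under a registry key header
            run, fw = RUN_RE.match(line), FIREWALL_RE.match(line)
            if key.endswith("\\Run") and run and run.group(3) == "X":
                out.append(Finding("orphan_run", run.group(1), "autorun points at a file the tool could not find"))
            if fw and fw.group(1) == "0":
                out.append(Finding("firewall_off", key.rsplit("\\", 1)[-1], "Windows Firewall off; check what replaced it"))
        elif section == "Other Deletions":
            out.append(Finding("deleted_file", line, "removed by the tool; pull the quarantine copy before it is purged"))
        elif section == "Drivers/Services" and line.startswith("-------\\"):
            out.append(Finding("deleted_service", line.split("\\", 1)[1], "a filter driver here can redirect without touching the browser"))
    return out


def summarize(findings):
    """Group finding subjects by kind, preserving log order."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f.subject)
    return grouped


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<20} {f.subject}\n{'':<20} {f.note}")
```

Run it as a script to print the findings for the excerpt; for a real log, read the file into triage() instead of SAMPLE_LOG. The deleted-file rule is there because ComboFix keeps quarantine copies of what it removed (the log above names ComboFix-quarantined-files.txt); if you want to know what the .dat files actually were, copy them out before a cleanup step deletes the quarantine folder.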

#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 11 September 2009 - 02:47 PM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :(

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Mr. Paul

  • Topic Starter
  • Members
  • 15 posts

Posted 11 September 2009 - 11:52 PM

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

9/11/2009 9:52:24 PM
mbam-log-2009-09-11 (21-52-24).txt

Scan type: Full Scan (C:\|F:\|G:\|H:\|I:\|)
Objects scanned: 401922
Time elapsed: 2 hour(s), 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (file:///C:/Stuff/Web%20Pages/HomePage.html) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP75\A0027467.dll (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP76\A0027576.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP76\A0027577.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP76\A0027578.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP76\A0027579.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\0535251103110107106.yux (KoobFace.Trace) -> Quarantined and deleted successfully.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
# version=6
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=1e121a03b3572c419b7d8785364b7bf4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-12 04:38:58
# local_time=2009-09-11 11:38:58 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=162010
# found=4
# cleaned=4
# scan_time=3540
C:\!! TO TRANSFER\Freeware\gozilla.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\!! TO TRANSFER\Freeware\HTML Heaven 2.0.1 SETUP.exe probably a variant of Win32/TrojanDropper.Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\!! TO TRANSFER\Freeware\rgb.exe probably a variant of Win32/Adware.Agent application (deleted - quarantined) 00000000000000000000000000000000 C
C:\!! TO TRANSFER\Freeware\xplus.exe Win32/Adware.SaveNow application (deleted - quarantined) 00000000000000000000000000000000 C


This seems to have cured the browser hijacking... I have yet to be redirected where I don't want to be.

#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 12 September 2009 - 12:03 AM

Looks good to me.. Lets do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :(



Have a safe and happy computing day!


Regards
fenzodahl512



#9 Mr. Paul

  • Topic Starter
  • Members
  • 15 posts

Posted 12 September 2009 - 09:09 AM

No browser hijacking noted. Thank you for your help! :(

There is one weird thing it's doing, though...

When I open a new tab, then click on the "Home" icon, it opens an additional tab that points to this thread! (http://www.bleepingcomputer.com/forums/index.php?act=post&do=reply_post&f=22&t=256208)

Any ideas?

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 12 September 2009 - 10:55 AM

No browser hijacking noted. Thank you for your help! :(

There is one weird thing it's doing, though...

When I open a new tab, then click on the "Home" icon, it opens an additional tab that points to this thread! (http://www.bleepingcomputer.com/forums/index.php?act=post&do=reply_post&f=22&t=256208)

Any ideas?



Set your "Home Page"?

http://websearch.about.com/od/internetrese...tomhomepage.htm

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 Mr. Paul

Mr. Paul
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 12 September 2009 - 11:09 AM

Set your "Home Page"?

Ah... it was opening my home page AND this thread. I didn't know you could do more than one... just learned something new! It's "fixed" now.

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:08:13 PM

Posted 13 September 2009 - 12:08 AM

:(


I'm glad that we could help.

I will now close this topic. If you need this topic to be reopened, please PM me or the Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive




