
Virus in services/registry?? Anti-programs crash


  • This topic is locked
32 replies to this topic

#1 ScottyK


Posted 02 October 2009 - 10:22 AM

Hello. If I weren't bald, I'd be pulling it out!
I believe the problem started when I downloaded AVG.
Symptoms:

1. Right-clicking some files OR the desktop crashes explorer.exe
2. DDS, Malwarebytes, Spybot, AVG, Ad-Aware, HijackThis usually install but crash upon scanning
3. Once the programs crash and I try to restart, an error window pops up: "....do not have permission..."
4. GMER is a great malware/rootkit program that ALLOWS me to scan: System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries, Registry and Files.
5. SVCSpy is a program that strictly scans services, and it crashes immediately
6. I removed everything associated (that I could) with AVG and UltraMon, as I believe this is the root of the problem.
7. I did a few online scanners that didn't really show much of anything suspicious.
8. win32k.sys:1 and 2 show up as malware with no info
9. All the same symptoms in Safe Mode
10. Tried installing anti-programs with a new name from a clean computer and reinstalling through my thumb drive

I have a Maxtor backup drive, but the restore CD doesn't work for some reason (tried burning the .iso to CD, and still the same).
\file system\fastfat\fat (fltmgr.sys) also shows up
I believe a service is causing the problem.
Here are the Win32kDiag.txt, the log txt and the GMER scan log.
Hope this helps. Thanks!!!


Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB925720\KB925720

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP142.tmp\ZAP142.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP189.tmp\ZAP189.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B3.tmp\ZAP1B3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20E9.tmp\ZAP20E9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21CF.tmp\ZAP21CF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21F4.tmp\ZAP21F4.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Drivers\Intel\Graphics\Graphics

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\inf\IEM\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ASP.NETClientFiles\ASP.NETClientFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\Microsoft .NET Framework 3.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MVUNINST\App1\App1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\01cd5ce76aab2e96c5bc0130d8dde39a\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0eaed8d713d78954a90c813a5e2c5934\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a39d7c907193cb74dabeac9b04866368\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790

Mount point destination : \Device\__max++>\^



Finished!

_____________________________________________________________________________________________
Volume in drive C has no label.
Volume Serial Number is 5417-4880

Directory of C:\WINDOWS\$NtServicePackUninstall$

2004-08-04 08:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

2004-08-04 08:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

2004-08-04 08:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

2008-04-13 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

2008-04-13 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

2008-04-13 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

2008-04-13 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

2008-04-13 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

2008-04-13 08:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 126,152,683,520 bytes free
_________________________________________________________________________________________

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-10-02 11:20:41
Windows 5.1.2600 Service Pack 3
Running: bu5m0ojl.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwwcafow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]

---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1008] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1008] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1008] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Mozilla Firefox\firefox.exe[1008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [436] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [972] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1008] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1064] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1256] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1604] 0x35670000

---- EOF - GMER 1.0.15 ----

Edited by ScottyK, 02 October 2009 - 10:37 AM.



#2 Farbar


Posted 02 October 2009 - 11:56 AM

Hi ScottyK,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on, as it might prolong handling your log and make the job for both of us more difficult.

As you might already have figured out, you have a nasty rootkit which requires special "treatment".
  • Go to Start > Run, copy/paste the following text into the Run box and click OK.

    sc config eventlog start= disabled

    A window will flash; that is normal.

  • Reboot your computer.

  • We need to run the tool with the following command to fix some malware-related changes.
    Click on Start->Run, copy-paste the following command (the bolded text) into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

  • Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop. You may rename it to far.exe. Also make sure you have an internet connection and let it install the Recovery Console.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)

    Double click on Combo-Fix.exe & follow the prompts. If ComboFix needs to reboot, please allow it. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
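The Win32kDiag and GMER logs in post #1 and the eventlog.dll step in the instructions above, worked as an added example (this is editor-supplied code, not code from the thread or from the Win32kDiag, GMER or ComboFix tools): a small Python triage script that reads the two log formats offline and pulls out what a responder acts on. It flags junctions under C:\WINDOWS whose destination is a raw \Device\ object instead of a volume GUID path, flags a system32 DLL whose size or vendor string matches none of the service-pack reference copies and names the newest reference copy to restore it from once the hosting service is disabled, and lists which processes carry the module GMER reports as hidden. The sample lines are constructed in the format of the posted logs (most copied from them; the \??\Volume{...} mount point is invented for contrast), and the rule that a legitimate mount point resolves to a \??\Volume{GUID}\ path is an assumption of the example, not something the logs state.

```python
r"""Offline triage of Win32kDiag and GMER output in the format posted in this thread.

Added example: not code from the thread, Win32kDiag, GMER or ComboFix. The sample
lines below are constructed in the posted format; the \??\Volume{...} entry is invented.
Assumption: a legitimate NTFS mount point resolves to a \??\Volume{GUID}\ path, so a
junction that resolves to a bare \Device\ object was not created by Windows.
"""
import ntpath
import re
from collections import defaultdict

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
LEGIT_DEST = re.compile(r"^\\\?\?\\Volume\{[0-9A-Fa-f-]{36}\}\\?$")
# "[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()"
FILE_RE = re.compile(r"^\[\d+\] (?P<date>\S+) (?P<time>\S+) (?P<size>\d+) "
                     r"(?P<path>.+?) \((?P<vendor>[^)]*)\)$")
HIDDEN_RE = re.compile(r"^Library (?P<module>\S+) \(\*\*\* hidden \*\*\* \) @ "
                       r"(?P<proc>.+?) \[(?P<pid>\d+)\] 0x[0-9A-Fa-f]+$")


def parse_win32kdiag(text):
    """Return (mount_points, file_entries) from Win32kDiag output."""
    mounts, files, pending = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            pending = m["path"]
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m["dest"]))
            pending = None
        elif m := FILE_RE.match(line):
            files.append({"date": m["date"], "time": m["time"], "size": int(m["size"]),
                          "path": m["path"], "vendor": m["vendor"]})
    return mounts, files


def suspicious_mounts(mounts):
    """Junctions whose destination is not a volume GUID path (here, the raw device targets)."""
    return [(path, dest) for path, dest in mounts if not LEGIT_DEST.match(dest)]


def tampered_dlls(files):
    """Flag a live system32 copy whose size or vendor string matches no reference copy."""
    by_name = defaultdict(list)
    for f in files:
        by_name[ntpath.basename(f["path"]).lower()].append(f)
    findings = []
    for name, copies in by_name.items():
        live = [c for c in copies if "\\system32\\" in c["path"].lower()]
        refs = [c for c in copies if c not in live]
        for c in live:
            reasons = []
            if not c["vendor"]:
                reasons.append("no vendor string in version resource")
            if refs and c["size"] not in {r["size"] for r in refs}:
                reasons.append("size %d matches no reference copy" % c["size"])
            if reasons:
                # restore source: newest reference copy that still carries a vendor string
                good = [r for r in refs if r["vendor"]]
                best = max(good, key=lambda r: (r["date"], r["time"])) if good else None
                findings.append({"name": name, "path": c["path"], "reasons": reasons,
                                 "restore_from": best["path"] if best else None})
    return findings


def hidden_modules(text):
    """Map each module GMER marks hidden to the (process, pid) pairs it is loaded in."""
    hosts = defaultdict(list)
    for raw in text.splitlines():
        if m := HIDDEN_RE.match(raw.strip()):
            hosts[m["module"]].append((m["proc"], int(m["pid"])))
    return dict(hosts)


# Constructed sample input in the posted format (the Volume{...} mount point is invented).
SAMPLE_DIAG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\backup\mounted
Mount point destination : \??\Volume{1b2c3d4e-0000-4000-8000-0123456789ab}\
Found mount point : C:\WINDOWS\temp\temp
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
"""
SAMPLE_GMER = r"""
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [436] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [972] 0x35670000
Library \\?\globalroot\Device\__max++>\A8FA7AA4.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1008] 0x35670000
"""

if __name__ == "__main__":
    mounts, files = parse_win32kdiag(SAMPLE_DIAG)
    print(suspicious_mounts(mounts))
    print(tampered_dlls(files))
    print(hidden_modules(SAMPLE_GMER))
```

On the sample, the two \Device\__max++>\^ junctions are reported and the volume mount point is not; eventlog.dll in system32 is flagged on both counts (empty vendor string, 61952 bytes against 55808 and 56320 in the reference copies) with C:\WINDOWS\ServicePackFiles\i386\eventlog.dll as the restore source, which is the copy ComboFix later restored from; and the hidden module is listed against alg.exe, svchost.exe and firefox.exe. Run it over a full Win32kDiag.txt and GMER log by reading the files into the two text arguments.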



#3 ScottyK


Posted 02 October 2009 - 01:42 PM

Hi, thanks for your help.
Now, when I downloaded ComboFix it didn't give an option to "save file as".
It just automatically saves it to the desktop. Is that OK, and then rename it?
Or does it have to be renamed BEFORE it is downloaded?
I tried to run the program and it says the following real-time scanners are active:
Norton AntiVirus 2006
and AVG Free
I don't know where or how to uninstall these scanners (didn't even know they were there).
Could you help me with these two steps and I'll get back to you. Thank you!

I followed the link to disable anti-virus, but there is no trace of the programs except the program files, which I deleted, and I'll try again.

Edited by ScottyK, 02 October 2009 - 02:05 PM.


#4 Farbar


Posted 02 October 2009 - 02:02 PM

Please stick to the instructions and tell me if you face any problem, and avoid improvising. Thanks.

I guess you have Firefox and have not configured it to give you the save options.

Run Firefox:
Under the Tools menu select Options..., and under the Download section check:
Show the Downloads window when downloading a file.
Always ask me where to save files.

Now delete your copy of ComboFix. Download a fresh copy, click Save and follow the rest of the instructions.

Also ignore any warning about AVG and Norton. They are leftovers and will not cause any problem. We will remove them later on, but you have to make sure the current antivirus is disabled and will not run even after reboot.

#5 ScottyK


Posted 02 October 2009 - 02:06 PM

OK, thanks. I'll get started.

#6 Farbar


Posted 02 October 2009 - 02:11 PM

:(

#7 ScottyK


Posted 02 October 2009 - 02:27 PM

OK, I'll be honest with you. I proceeded with the ComboFix scan (because it worked) the first time, when I downloaded it to the desktop THEN changed the file name, installed Microsoft Recover, and it said it detected malware and fixed it.

I think I accidentally overwrote the Win32kDiag.txt the first time, because this is all it says now:

Running from: C:\Documents and Settings\Owner\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

Here is the Combo-Fix report from the first scan (sorry, I didn't know you would get back to me so soon :( ). I will re-download, change the name before saving and try to scan again.

ComboFix 09-10-01.05 - Owner 2009-10-02 14:46.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2070 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\far.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\My Videos\My Video.url
c:\program files\outlook
c:\recycler\S-1-5-21-1306252711-3682585481-824141028-1003
c:\recycler\S-1-5-21-478502443-4112256094-1702388168-1003
c:\recycler\S-1-5-21-583907252-1715567821-1801674531-1003
c:\recycler\S-1-5-21-788107208-2542915062-144897898-1003
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\Installer\13dcd.msp
c:\windows\Installer\14bad2.msi
c:\windows\Installer\14e86a.msi
c:\windows\Installer\1ebb9f63.msp
c:\windows\Installer\1ebb9f66.msp
c:\windows\Installer\1f4177.msp
c:\windows\Installer\2160610.msp
c:\windows\Installer\2160611.msp
c:\windows\Installer\2160612.msp
c:\windows\Installer\2160613.msp
c:\windows\Installer\2160614.msp
c:\windows\Installer\2160615.msp
c:\windows\Installer\2160616.msp
c:\windows\Installer\2160617.msp
c:\windows\Installer\2160618.msp
c:\windows\Installer\21c63f6.msp
c:\windows\Installer\21c63f7.msp
c:\windows\Installer\21c63f8.msp
c:\windows\Installer\21c63f9.msp
c:\windows\Installer\21c63fa.msp
c:\windows\Installer\21c63fb.msp
c:\windows\Installer\21c63fc.msp
c:\windows\Installer\21c63fd.msp
c:\windows\Installer\21c63fe.msp
c:\windows\Installer\21c63ff.msp
c:\windows\Installer\2be676.msp
c:\windows\Installer\3170545.msi
c:\windows\Installer\326415e.msp
c:\windows\Installer\37608e3.msi
c:\windows\Installer\3d0c8a.msp
c:\windows\Installer\442cf1.msp
c:\windows\Installer\4ec9591.msp
c:\windows\Installer\4f0bee7.msi
c:\windows\Installer\6c32ae.msi
c:\windows\Installer\RadLinker.msi
c:\windows\jestertb.dll
c:\windows\system32\Lma.dll
c:\windows\system32\zip32.dll
L:\autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-10-02 14:00 . 2009-10-02 14:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-02 14:00 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 14:00 . 2009-10-02 14:00 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-10-02 14:00 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-02 01:04 . 2009-10-02 01:04 -------- d-----w- c:\windows\LastGood(3)
2009-10-01 23:53 . 2009-10-02 01:04 -------- d-----w- c:\program files\Free Window Registry Repair
2009-10-01 19:06 . 2009-10-01 19:06 -------- d-----w- c:\program files\AVG
2009-10-01 19:06 . 2009-10-01 19:06 -------- d-----w- C:\$AVG8(3).VAULT$
2009-10-01 19:06 . 2009-10-01 19:06 -------- d-----w- C:\$AVG8(2).VAULT$
2009-10-01 19:06 . 2009-10-01 19:06 -------- d-----w- c:\program files\AVG(2)
2009-10-01 10:31 . 2009-10-01 19:05 -------- d-s---w- c:\documents and settings\Administrator
2009-10-01 00:03 . 2009-10-01 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 00:03 . 2009-10-01 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 19:47 . 2009-09-28 19:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Safer Networking
2009-09-28 19:35 . 2009-09-28 19:46 -------- d-----w- c:\program files\Safer Networking
2009-09-28 17:34 . 2009-09-28 17:34 -------- d-----w- C:\delete
2009-09-28 16:23 . 2009-09-28 16:23 -------- d-----w- c:\windows\LastGood(2)
2009-09-28 16:22 . 2009-09-28 16:22 -------- d-----w- c:\program files\Lavasoft
2009-09-28 16:22 . 2009-09-28 16:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-28 16:16 . 2009-09-28 16:16 -------- d-----w- c:\program files\Common Files\Realtime Soft
2009-09-28 16:16 . 2009-09-28 16:16 -------- d-----w- c:\program files\UltraMon
2009-09-28 16:16 . 2009-09-28 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Realtime Soft
2009-09-28 15:29 . 2009-09-28 16:16 -------- d-----w- c:\program files\File Shredder
2009-09-28 15:00 . 2009-09-28 15:00 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-28 14:44 . 2009-09-28 14:44 -------- d-----w- c:\program files\NirSoft
2009-09-28 09:19 . 2009-09-28 16:21 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-09-23 23:17 . 2009-09-28 19:39 -------- d-----w- c:\program files\Unlocker
2009-09-22 20:20 . 2009-09-22 20:20 -------- d-----w- c:\program files\Panda Security
2009-09-22 17:29 . 2009-09-22 17:46 -------- d-----w- c:\program files\Norton Security Scan
2009-09-22 17:29 . 2009-09-22 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-22 17:29 . 2009-09-22 17:29 -------- d-----w- c:\program files\NortonInstaller
2009-09-22 17:29 . 2009-09-22 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-22 17:24 . 2009-09-22 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-22 17:24 . 2009-09-22 17:46 -------- d-----w- c:\program files\STOPzilla!
2009-09-22 17:24 . 2009-09-22 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-22 17:24 . 2009-09-22 17:24 -------- d-----w- c:\program files\Common Files\iS3
2009-09-22 16:10 . 2009-09-22 19:54 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-09-21 22:23 . 2009-09-21 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-09-21 22:23 . 2009-09-22 15:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-09-21 22:22 . 2009-09-22 15:25 -------- d-----w- c:\program files\Vuze(2)
2009-09-21 22:22 . 2009-09-22 15:25 -------- d-----w- c:\program files\AskBarDis
2009-09-21 14:00 . 2009-09-22 15:26 -------- d-----w- c:\program files\UltraMon(2)
2009-09-21 13:39 . 2009-09-28 19:39 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-09-21 13:27 . 2009-10-02 14:14 0 ----a-w- c:\windows\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 15:43 . 2007-11-18 14:58 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-02 14:19 . 2006-08-09 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-10-02 14:15 . 2006-08-09 01:50 -------- d-----w- c:\program files\Security Task Manager
2009-10-02 14:08 . 2009-05-16 15:00 -------- d-----w- c:\program files\Microsoft
2009-10-02 12:39 . 2007-06-10 20:27 -------- d-----w- c:\program files\Bonjour
2009-10-02 11:48 . 2007-02-17 20:39 -------- d-----w- c:\program files\LimeWire
2009-10-01 23:49 . 2007-02-10 02:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2009-10-01 23:49 . 2007-02-10 02:47 -------- d-----w- c:\program files\Uniblue
2009-10-01 20:39 . 2006-07-09 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-01 20:10 . 2004-12-24 18:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-01 19:06 . 2006-07-09 15:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-01 19:06 . 2007-01-27 00:37 -------- d-----w- c:\program files\Uninstall Plus v3.9
2009-10-01 19:05 . 2006-12-12 00:10 -------- d-----w- c:\program files\Grisoft(2)
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7(2)
2009-10-01 19:05 . 2007-06-29 01:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Grisoft
2009-10-01 19:05 . 2006-12-12 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft(2)
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-01 19:05 . 2009-10-01 10:36 -------- d-----w- c:\program files\Spybot2 - Search & Destroy
2009-09-28 19:44 . 2007-06-29 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-09-22 17:31 . 2004-08-20 01:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-21 15:33 . 2009-05-19 23:30 11952 ----a-w- c:\windows\system32\avgrsstx(2).dll
2009-08-15 22:26 . 2008-11-03 15:38 -------- d-----w- c:\program files\Free FTP
2009-08-14 20:46 . 2009-05-19 23:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 20:46 . 2009-05-19 23:30 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 20:46 . 2009-05-19 23:30 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-09 12:49 . 2009-08-09 12:49 -------- d-----w- c:\program files\Opera
2009-08-09 09:35 . 2005-03-19 16:25 64448 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-20 00:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-20 00:48 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-20 00:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2007-01-27 00:41 . 2007-01-27 00:40 291 -c--a-w- c:\program files\Program Files.ini
2006-03-04 23:47 . 2007-01-27 00:40 262144 -c--a-w- c:\program files\unst0_0.exe
2004-10-01 19:00 . 2006-08-06 00:56 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\documents and settings\Owner\Desktop\msconfig.exe" [2009-05-17 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Glassy Recycle Bin App.exe [2005-3-6 557056]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-5-17 3450608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
UltraMon.lnk - c:\windows\Installer\{89291966-CF6B-4DC7-9D72-8C9034A194D9}\IcoUltraMon.ico [2009-7-11 29310]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 20:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UltraMon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UltraMon.lnk
backup=c:\windows\pss\UltraMon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Hyalo-Time and Date gadget by adni18.exe]
backup=c:\windows\pss\Hyalo-Time and Date gadget by adni18.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^weather.ini]
backup=c:\windows\pss\weather.iniStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_RegCleaner
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WinDefend"=2 (0x2)
"QuickBooksDB18"=2 (0x2)
"QBFCService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"ose"=3 (0x3)
"Bonjour Service"=2 (0x2)
"MDM"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Free FTP\\FreeFTP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-05-19 5:54 PM 64160]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2008-11-14 3:11 AM 17184]
S3 PPDrv;Protector Plus Driver (UnRegistered);\??\c:\protector plus\PPDrv.sys --> c:\protector plus\PPDrv.sys [?]
S3 PPEMSCAN;Protector Plus Email Scan Driver;\??\c:\protector plus\PPEMSCAN.sys --> c:\protector plus\PPEMSCAN.sys [?]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2004-12-22 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-20 00:12]

2004-12-22 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-20 00:12]

2009-10-01 c:\windows\Tasks\Rescue Reminder for 2HAA281S.job
- c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2008-07-21 20:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scottkauffman.org/
mStart Page = about:blank
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xh0y4fd5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(2).dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(3).dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(4).dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(5).dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(6).dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(7).dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(8).dll
FF - plugin: c:\program files\Panda Security\ActiveScan 2.0\npwrapper(9).dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
SafeBoot-Lavasoft Ad-Aware Service
AddRemove-File Shredder_is1 - c:\program files\File Shredder\unins000.exe
AddRemove-Free Window Registry Repair - c:\progra~1\FREEWI~1\UNWISE.EXE
AddRemove-Unlocker - c:\program files\Unlocker\uninst.exe
AddRemove-{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1 - c:\program files\Safer Networking\RegAlyzer\unins000.exe
AddRemove-{29D3773E-54F4-23C2-D523-236A4453B844}_is1 - c:\program files\Safer Networking\FileAlyzer\unins000.exe
AddRemove-{A5181519-9F3D-4372-ABC6-C333C2F3A816}_is1 - c:\program files\Safer Networking\RunAlyzer\unins000.exe
AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - c:\program files\Spybot2 - Search & Destroy\unins000.exe
AddRemove-{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1 - c:\program files\Uniblue\RegistryBooster 2010\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 14:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-287224735-1645239246-1093931250-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:cc,a6,b9,a7,54,ee,5c,c5,49,f8,91,18,0c,92,cc,c0,c3,27,a5,1d,dc,dc,4f,
59,5e,e7,30,f4,9c,d2,7f,30,7d,c1,03,86,df,9e,4f,66,4f,b4,a5,63,3f,67,73,2a,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4036)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\UltraMon\UltraMon.exe
c:\docume~1\Owner\LOCALS~1\Temp\{67E4B9EE-C5EE-475F-8280-27A8866E8222}\Glassy Recycle Bin App.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2009-10-02 14:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-02 18:54

Pre-Run: 131,114,274,816 bytes free
Post-Run: 131,081,633,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /noguiboot

312 --- E O F --- 2009-09-28 15:06

#8 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 October 2009 - 02:31 PM

Hi ScottyK,

Let's be friends. Don't do anything else between the posts unless it is asked. You have done a good job and I'll get back to you ASAP. :(

#9 ScottyK
  • Topic Starter
  • Members
  • 45 posts

Posted 02 October 2009 - 02:42 PM

OK, I won't do anything further. Thanks.
I saved a new ComboFix program with a new name and ran another scan (before I read your reply), if it matters (it didn't say anything about malware this time). Here it is:

ComboFix 09-10-01.05 - Owner 2009-10-02 15:30.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2149 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

L:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-10-02 14:00 . 2009-10-02 14:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-02 14:00 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 14:00 . 2009-10-02 14:00 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-10-02 14:00 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-02 01:04 . 2009-10-02 01:04 -------- d-----w- c:\windows\LastGood(3)
2009-10-01 23:53 . 2009-10-02 01:04 -------- d-----w- c:\program files\Free Window Registry Repair
2009-10-01 10:31 . 2009-10-01 19:05 -------- d-s---w- c:\documents and settings\Administrator
2009-10-01 00:03 . 2009-10-01 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 00:03 . 2009-10-01 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 19:47 . 2009-09-28 19:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Safer Networking
2009-09-28 19:35 . 2009-09-28 19:46 -------- d-----w- c:\program files\Safer Networking
2009-09-28 17:34 . 2009-09-28 17:34 -------- d-----w- C:\delete
2009-09-28 16:23 . 2009-09-28 16:23 -------- d-----w- c:\windows\LastGood(2)
2009-09-28 16:22 . 2009-09-28 16:22 -------- d-----w- c:\program files\Lavasoft
2009-09-28 16:22 . 2009-09-28 16:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-28 16:16 . 2009-09-28 16:16 -------- d-----w- c:\program files\Common Files\Realtime Soft
2009-09-28 16:16 . 2009-09-28 16:16 -------- d-----w- c:\program files\UltraMon
2009-09-28 16:16 . 2009-09-28 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Realtime Soft
2009-09-28 15:29 . 2009-09-28 16:16 -------- d-----w- c:\program files\File Shredder
2009-09-28 15:00 . 2009-09-28 15:00 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-28 14:44 . 2009-09-28 14:44 -------- d-----w- c:\program files\NirSoft
2009-09-28 09:19 . 2009-09-28 16:21 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-09-23 23:17 . 2009-09-28 19:39 -------- d-----w- c:\program files\Unlocker
2009-09-22 20:20 . 2009-09-22 20:20 -------- d-----w- c:\program files\Panda Security
2009-09-22 17:29 . 2009-09-22 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-22 17:29 . 2009-09-22 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-22 17:24 . 2009-09-22 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-22 17:24 . 2009-09-22 17:46 -------- d-----w- c:\program files\STOPzilla!
2009-09-22 17:24 . 2009-09-22 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-22 17:24 . 2009-09-22 17:24 -------- d-----w- c:\program files\Common Files\iS3
2009-09-22 16:10 . 2009-09-22 19:54 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-09-21 22:23 . 2009-09-21 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-09-21 22:23 . 2009-09-22 15:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-09-21 22:22 . 2009-09-22 15:25 -------- d-----w- c:\program files\Vuze(2)
2009-09-21 22:22 . 2009-09-22 15:25 -------- d-----w- c:\program files\AskBarDis
2009-09-21 14:00 . 2009-09-22 15:26 -------- d-----w- c:\program files\UltraMon(2)
2009-09-21 13:39 . 2009-09-28 19:39 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-09-21 13:27 . 2009-10-02 14:14 0 ----a-w- c:\windows\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 15:43 . 2007-11-18 14:58 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-02 14:19 . 2006-08-09 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-10-02 14:15 . 2006-08-09 01:50 -------- d-----w- c:\program files\Security Task Manager
2009-10-02 14:08 . 2009-05-16 15:00 -------- d-----w- c:\program files\Microsoft
2009-10-02 12:39 . 2007-06-10 20:27 -------- d-----w- c:\program files\Bonjour
2009-10-02 11:48 . 2007-02-17 20:39 -------- d-----w- c:\program files\LimeWire
2009-10-01 23:49 . 2007-02-10 02:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2009-10-01 23:49 . 2007-02-10 02:47 -------- d-----w- c:\program files\Uniblue
2009-10-01 20:39 . 2006-07-09 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-01 20:10 . 2004-12-24 18:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-01 19:06 . 2006-07-09 15:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-01 19:06 . 2007-01-27 00:37 -------- d-----w- c:\program files\Uninstall Plus v3.9
2009-10-01 19:05 . 2006-12-12 00:10 -------- d-----w- c:\program files\Grisoft(2)
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7(2)
2009-10-01 19:05 . 2007-06-29 01:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Grisoft
2009-10-01 19:05 . 2006-12-12 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft(2)
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-01 19:05 . 2009-10-01 10:36 -------- d-----w- c:\program files\Spybot2 - Search & Destroy
2009-09-28 19:44 . 2007-06-29 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-09-22 17:31 . 2004-08-20 01:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-21 15:33 . 2009-05-19 23:30 11952 ----a-w- c:\windows\system32\avgrsstx(2).dll
2009-08-15 22:26 . 2008-11-03 15:38 -------- d-----w- c:\program files\Free FTP
2009-08-14 20:46 . 2009-05-19 23:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 20:46 . 2009-05-19 23:30 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 20:46 . 2009-05-19 23:30 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-09 12:49 . 2009-08-09 12:49 -------- d-----w- c:\program files\Opera
2009-08-09 09:35 . 2005-03-19 16:25 64448 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-20 00:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-20 00:48 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-20 00:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2007-01-27 00:41 . 2007-01-27 00:40 291 -c--a-w- c:\program files\Program Files.ini
2006-03-04 23:47 . 2007-01-27 00:40 262144 -c--a-w- c:\program files\unst0_0.exe
2004-10-01 19:00 . 2006-08-06 00:56 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\documents and settings\Owner\Desktop\msconfig.exe" [2009-05-17 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Glassy Recycle Bin App.exe [2005-3-6 557056]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-5-17 3450608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
UltraMon.lnk - c:\windows\Installer\{89291966-CF6B-4DC7-9D72-8C9034A194D9}\IcoUltraMon.ico [2009-7-11 29310]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 20:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UltraMon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UltraMon.lnk
backup=c:\windows\pss\UltraMon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Hyalo-Time and Date gadget by adni18.exe]
backup=c:\windows\pss\Hyalo-Time and Date gadget by adni18.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^weather.ini]
backup=c:\windows\pss\weather.iniStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WinDefend"=2 (0x2)
"QuickBooksDB18"=2 (0x2)
"QBFCService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"ose"=3 (0x3)
"Bonjour Service"=2 (0x2)
"MDM"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Free FTP\\FreeFTP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-05-19 5:54 PM 64160]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2008-11-14 3:11 AM 17184]
S3 PPDrv;Protector Plus Driver (UnRegistered);\??\c:\protector plus\PPDrv.sys --> c:\protector plus\PPDrv.sys [?]
S3 PPEMSCAN;Protector Plus Email Scan Driver;\??\c:\protector plus\PPEMSCAN.sys --> c:\protector plus\PPEMSCAN.sys [?]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2004-12-22 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-20 00:12]

2004-12-22 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-20 00:12]

2009-10-01 c:\windows\Tasks\Rescue Reminder for 2HAA281S.job
- c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2008-07-21 20:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scottkauffman.org/
mStart Page = about:blank
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xh0y4fd5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 15:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-287224735-1645239246-1093931250-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:cc,a6,b9,a7,54,ee,5c,c5,49,f8,91,18,0c,92,cc,c0,c3,27,a5,1d,dc,dc,4f,
59,5e,e7,30,f4,9c,d2,7f,30,7d,c1,03,86,df,9e,4f,66,4f,b4,a5,63,3f,67,73,2a,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-02 15:37
ComboFix-quarantined-files.txt 2009-10-02 19:37

Pre-Run: 131,091,542,016 bytes free
Post-Run: 131,054,440,448 bytes free

209 --- E O F --- 2009-09-28 15:06

Edited by ScottyK, 02 October 2009 - 02:43 PM.


#10 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 October 2009 - 02:48 PM

I guess you missed my post and ran ComboFix once more to have followed the instruction, so we are still friends.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow sharing files between users, as the name(s) suggest. In today's world, cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all p2p (Azureus, uTorrent, etc.) download folders. They might contain infected files. Please avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or to infecting other users.

  • Go to Start > Run, copy/paste the following line in the run box and click OK.

    cmd /c dir /a/s "%systemdrive%\win32k.sys" >log.txt&log.txt

    A command window opens. Wait until a log.txt file opens. Please post the content in your reply.

  • Please go to Start => Run => copy and paste the bold line in the run box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up; copy and paste the content in your reply.

  • We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • First unzip it. If it is extracted/unzipped to a folder, open the folder and put the junction.exe inside it on the desktop. Make sure the file itself is on the desktop. It should look like this: [image]
  • Go to Start => Run... => copy and paste the following command in the run box and click OK:

    cmd /c "%userprofile%\desktop\junction.exe" -s c:\ >log.txt&log.txt

    A command window opens, starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.


#11 ScottyK
  • Topic Starter
  • Members
  • 45 posts

Posted 02 October 2009 - 03:20 PM

Here is the first log, as requested:
Volume in drive C has no label.
Volume Serial Number is 5417-4880

Directory of C:\WINDOWS

2009-10-02 10:14 AM 0 win32k.sys
1 File(s) 0 bytes

Directory of C:\WINDOWS\$hf_mig$\KB890859\SP2QFE

2005-03-01 09:11 PM 1,836,160 win32k.sys
1 File(s) 1,836,160 bytes

Directory of C:\WINDOWS\$hf_mig$\KB896424\SP2QFE

2005-10-05 08:10 PM 1,839,360 win32k.sys
1 File(s) 1,839,360 bytes

Directory of C:\WINDOWS\$hf_mig$\KB925902\SP2QFE

2007-03-08 09:49 AM 1,843,968 win32k.sys
1 File(s) 1,843,968 bytes

Directory of C:\WINDOWS\$hf_mig$\KB941693\SP2QFE

2008-03-19 05:40 AM 1,845,888 win32k.sys
1 File(s) 1,845,888 bytes

Directory of C:\WINDOWS\$hf_mig$\KB954211\SP3QFE

2008-09-15 08:25 AM 1,846,912 win32k.sys
1 File(s) 1,846,912 bytes

Directory of C:\WINDOWS\$hf_mig$\KB958690\SP3QFE

2009-02-09 07:08 AM 1,847,552 win32k.sys
1 File(s) 1,847,552 bytes

Directory of C:\WINDOWS\$hf_mig$\KB968537\SP3QFE

2009-04-17 06:50 AM 1,847,808 win32k.sys
1 File(s) 1,847,808 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

2008-03-19 05:47 AM 1,845,248 win32k.sys
1 File(s) 1,845,248 bytes

Directory of C:\WINDOWS\$NtUninstallKB890859$

2004-08-04 08:00 AM 1,835,904 win32k.sys
1 File(s) 1,835,904 bytes

Directory of C:\WINDOWS\$NtUninstallKB896424$

2005-03-01 09:06 PM 1,836,288 win32k.sys
1 File(s) 1,836,288 bytes

Directory of C:\WINDOWS\$NtUninstallKB925902$

2005-10-05 08:05 PM 1,839,488 win32k.sys
1 File(s) 1,839,488 bytes

Directory of C:\WINDOWS\$NtUninstallKB941693$

2007-03-08 09:47 AM 1,843,584 win32k.sys
1 File(s) 1,843,584 bytes

Directory of C:\WINDOWS\$NtUninstallKB954211$

2008-04-13 03:30 PM 1,845,632 win32k.sys
1 File(s) 1,845,632 bytes

Directory of C:\WINDOWS\$NtUninstallKB958690$

2008-09-15 08:12 AM 1,846,400 win32k.sys
1 File(s) 1,846,400 bytes

Directory of C:\WINDOWS\$NtUninstallKB968537$

2009-02-09 07:13 AM 1,846,784 win32k.sys
1 File(s) 1,846,784 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

2008-04-13 03:30 PM 1,845,632 win32k.sys
1 File(s) 1,845,632 bytes

Directory of C:\WINDOWS\system32

2009-04-17 08:26 AM 1,847,168 win32k.sys
1 File(s) 1,847,168 bytes

Directory of C:\WINDOWS\system32\dllcache

2009-04-17 08:26 AM 1,847,168 win32k.sys
1 File(s) 1,847,168 bytes

Total Files Listed:
19 File(s) 33,186,944 bytes
0 Dir(s) 131,080,704,000 bytes free
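
The `dir /a/s` listing above (requested in post #10, posted here) is the kind of output worth triaging mechanically rather than by eye: Windows loads only the copy in system32, and the other legitimate copies live in a small set of update and file-protection folders. What follows is an added example, not part of the thread and not code from ComboFix, Junction or any other tool used here: a small Python parser that reads such a listing and flags copies that are empty, that sit outside the folders where Windows XP normally keeps extra copies (system32, its dllcache, ServicePackFiles\i386, and the $hf_mig$ / $NtUninstallKB*$ / $NtServicePackUninstall$ hotfix backups), or whose dllcache copy no longer matches the live one. The sample listing embedded in the block is a constructed excerpt of the one above, kept in the collapsed spacing shown on the page (the parser tolerates the real column spacing `dir` prints as well); the list of expected folders is this example's own assumption.

```python
"""Triage helper for a `dir /a/s "%systemdrive%\\win32k.sys"` listing.

Added example for this thread; it is not ComboFix, Junction or any tool used
in the thread. The "expected folders" list below is this example's assumption
about where Windows XP keeps legitimate extra copies of a system file.
"""
import re

# Constructed excerpt of the listing posted above (collapsed spacing as shown).
SAMPLE_LOG = r"""
Volume in drive C has no label.
Volume Serial Number is 5417-4880

Directory of C:\WINDOWS

2009-10-02 10:14 AM 0 win32k.sys
1 File(s) 0 bytes

Directory of C:\WINDOWS\$NtUninstallKB968537$

2009-02-09 07:13 AM 1,846,784 win32k.sys
1 File(s) 1,846,784 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

2008-04-13 03:30 PM 1,845,632 win32k.sys
1 File(s) 1,845,632 bytes

Directory of C:\WINDOWS\system32

2009-04-17 08:26 AM 1,847,168 win32k.sys
1 File(s) 1,847,168 bytes

Directory of C:\WINDOWS\system32\dllcache

2009-04-17 08:26 AM 1,847,168 win32k.sys
1 File(s) 1,847,168 bytes

Total Files Listed:
5 File(s) 7,386,752 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$", re.IGNORECASE)
# date  time  size  name  (ISO or MM/DD/YYYY dates; "<DIR>" rows deliberately do not match)
FILE_RE = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}\s*[AP]M)\s+([\d,]+)\s+(\S.*?)\s*$",
    re.IGNORECASE,
)

# Folders where extra copies of a system file are normal on Windows XP (assumption):
# the live copy, the Windows File Protection cache, the service pack staging
# folder and the per-hotfix backup folders. Anything else deserves a look.
EXPECTED_DIRS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"^[a-z]:\\windows\\system32$",
        r"^[a-z]:\\windows\\system32\\dllcache$",
        r"^[a-z]:\\windows\\servicepackfiles\\i386$",
        r"^[a-z]:\\windows\\\$hf_mig\$\\kb\d+\\sp\d(qfe|gdr)$",
        r"^[a-z]:\\windows\\\$ntuninstallkb\d+\$$",
        r"^[a-z]:\\windows\\\$ntservicepackuninstall\$$",
    )
]


def parse_dir_listing(text):
    """Return one dict per file row, carrying the directory it was listed under."""
    entries, current_dir = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current_dir is not None:
            date, time, size, name = m.groups()
            entries.append({
                "dir": current_dir,
                "path": current_dir.rstrip("\\") + "\\" + name,
                "date": date,
                "time": time,
                "size": int(size.replace(",", "")),
            })
    return entries


def find_suspicious(entries, live_dir=r"c:\windows\system32"):
    """Flag copies that are empty, sit in an unexpected folder, or where the
    File Protection cache (dllcache) no longer matches the live copy."""
    by_dir = {e["dir"].lower(): e for e in entries}
    live = by_dir.get(live_dir.lower())
    cache_dir = live_dir.lower() + r"\dllcache"
    findings = []
    for e in entries:
        reasons = []
        if e["size"] == 0:
            reasons.append("zero-byte file")
        if not any(p.match(e["dir"]) for p in EXPECTED_DIRS):
            reasons.append("outside the expected system/update folders")
        if e["dir"].lower() == cache_dir and live and e["size"] != live["size"]:
            reasons.append("dllcache copy differs in size from the live copy")
        if reasons:
            findings.append({"path": e["path"], "size": e["size"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_dir_listing(SAMPLE_LOG)):
        print(f"{f['path']} ({f['size']} bytes): {', '.join(f['reasons'])}")
```

Run against the excerpt, the only row reported is the zero-byte `C:\WINDOWS\win32k.sys`, for both reasons; the hotfix backups have older, smaller sizes by design, which is why the size comparison is restricted to dllcache versus system32 instead of being applied to every copy. Pipe the real `log.txt` into `parse_dir_listing` to use it on a live listing.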

#12 ScottyK
  • Topic Starter
  • Members
  • 45 posts

Posted 02 October 2009 - 03:21 PM

And here is the second:
{62369F2F77534556AEF4C58152E3BDE5}
Acrobat.com
Adobe Acrobat 5.0
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager 2.2 (Remove Only)
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS
Adobe InDesign CS
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.1
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.4
BigFix
Canon MP Navigator 3.0
Canon MP160
Canon My Printer
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CDBurnerXP Pro 3
Connection Manager
Critical Update for Windows Media Player 11 (KB959772)
Easy-WebPrint
Free FTP
FUJIFILM USB Driver
High Definition Audio Driver Package - KB835221
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Intel® PRO Network Adapters and Drivers
Internet Explorer Developer Toolbar
IrfanView (remove only)
Java™ 6 Update 13
LG ODD Auto Firmware Update
Logitech MouseWare 9.79
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8 Video Encoder
Malwarebytes' Anti-Malware
Maxtor Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MicroStaff WINASPI
Mozilla Firefox (3.5)
Mozilla Thunderbird (2.0.0.9)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Multimedia Keyboard Driver
ObjectDock
Opera 9.64
PDF Settings
Plaxo Toolbar for Outlook (with AIM Enhancements)
QuickTime
Security Task Manager 1.7h
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Skins
SoftV92 Data Fax Modem with SmartCP
SupportSoft Assisted Service
UltraMon
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
Winamp
Windows Backup Utility
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
Yahoo! Browser Services
Yahoo! Mail
Yahoo! Toolbar

#13 ScottyK
  • Topic Starter
  • Members
  • 45 posts

Posted 02 October 2009 - 03:25 PM

and the third:

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
Failed to open \\?\c:\\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
.
Failed to open \\?\c:\\Program Files\HijackThis\HijackThis.exe: Access is denied.
..
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
...
...
...
...
...
...
...
...
...
...
...
.

#14 Farbar
    Just Curious
  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 October 2009 - 04:05 PM

Very well done.
  • I don't see any antivirus listed on your list of programs. Please tell me if you have any antivirus protection.

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    Driver::
    PPDrv
    PPEMSCAN
    Fcopy::
    C:\WINDOWS\$NtUninstallKB968537$\win32k.sys | C:\WINDOWS\system32\dllcache\win32k.sys
    C:\WINDOWS\$NtUninstallKB968537$\win32k.sys | C:\WINDOWS\system32\win32k.sys
    
    File::
    c:\windows\win32k.sys
    Folder::
    c:\program files\AskBarDis
    c:\protector plus
    Rootkit::
    c:\protector plus\PPDrv.sys
    c:\protector plus\PPEMSCAN.sys
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig"=-
    SecCenter::
    {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    {E10A9785-9598-4754-B552-92431C1C35F8}
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    Save this as CFScript.txt, in the same location as ComboFix.exe


    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#15 ScottyK
  • Topic Starter
  • Members
  • 45 posts

Posted 02 October 2009 - 04:43 PM

Yes, I uninstalled all antivirus software to try to fix it.
I set my email preferences so I should instantly get an email every time you reply, but it's not working :(
I am actually leaving for the night, but will be back on first thing in the morning. Thanks for your help!
Here is the next log:

ComboFix 09-10-01.05 - Owner 2009-10-02 17:31.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2041 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\windows\win32k.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskBarDis
c:\program files\AskBarDis\bar\Cache\0292FD2C
c:\program files\AskBarDis\bar\Cache\029301EE.bin
c:\program files\AskBarDis\bar\Cache\029306C1.bin
c:\program files\AskBarDis\bar\Cache\02930886.bin
c:\program files\AskBarDis\bar\Cache\02930C20.bin
c:\program files\AskBarDis\bar\Cache\02931075.bin
c:\program files\AskBarDis\bar\Cache\029311FC.bin
c:\program files\AskBarDis\bar\Cache\029312D6.bin
c:\program files\AskBarDis\bar\History\search
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\bar\Settings\prevcfg.htm
c:\program files\AskBarDis\bar\Settings\prevCfg2.htm
c:\program files\AskBarDis\unins000.dat
c:\windows\win32k.sys

.
--------------- FCopy ---------------

c:\windows\$NtUninstallKB968537$\win32k.sys --> c:\windows\system32\dllcache\win32k.sys
c:\windows\$NtUninstallKB968537$\win32k.sys --> c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PPDRV
-------\Legacy_PPEMSCAN
-------\Service_PPDrv
-------\Service_PPEMSCAN


((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-10-02 14:00 . 2009-10-02 14:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-02 14:00 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 14:00 . 2009-10-02 14:00 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-10-02 14:00 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-02 01:04 . 2009-10-02 01:04 -------- d-----w- c:\windows\LastGood(3)
2009-10-01 23:53 . 2009-10-02 01:04 -------- d-----w- c:\program files\Free Window Registry Repair
2009-10-01 10:31 . 2009-10-01 19:05 -------- d-s---w- c:\documents and settings\Administrator
2009-10-01 00:03 . 2009-10-01 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 00:03 . 2009-10-01 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 19:47 . 2009-09-28 19:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Safer Networking
2009-09-28 19:35 . 2009-09-28 19:46 -------- d-----w- c:\program files\Safer Networking
2009-09-28 17:34 . 2009-09-28 17:34 -------- d-----w- C:\delete
2009-09-28 16:23 . 2009-09-28 16:23 -------- d-----w- c:\windows\LastGood(2)
2009-09-28 16:22 . 2009-09-28 16:22 -------- d-----w- c:\program files\Lavasoft
2009-09-28 16:22 . 2009-09-28 16:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-28 16:16 . 2009-09-28 16:16 -------- d-----w- c:\program files\Common Files\Realtime Soft
2009-09-28 16:16 . 2009-09-28 16:16 -------- d-----w- c:\program files\UltraMon
2009-09-28 16:16 . 2009-09-28 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Realtime Soft
2009-09-28 15:29 . 2009-09-28 16:16 -------- d-----w- c:\program files\File Shredder
2009-09-28 15:00 . 2009-09-28 15:00 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-28 14:44 . 2009-09-28 14:44 -------- d-----w- c:\program files\NirSoft
2009-09-28 09:19 . 2009-09-28 16:21 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2009-09-23 23:17 . 2009-09-28 19:39 -------- d-----w- c:\program files\Unlocker
2009-09-22 20:20 . 2009-09-22 20:20 -------- d-----w- c:\program files\Panda Security
2009-09-22 17:29 . 2009-09-22 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-22 17:29 . 2009-09-22 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-22 17:24 . 2009-09-22 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-22 17:24 . 2009-09-22 17:46 -------- d-----w- c:\program files\STOPzilla!
2009-09-22 17:24 . 2009-09-22 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-22 17:24 . 2009-09-22 17:24 -------- d-----w- c:\program files\Common Files\iS3
2009-09-22 16:10 . 2009-09-22 19:54 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-09-21 22:23 . 2009-09-21 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-09-21 22:23 . 2009-09-22 15:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-09-21 22:22 . 2009-09-22 15:25 -------- d-----w- c:\program files\Vuze(2)
2009-09-21 14:00 . 2009-09-22 15:26 -------- d-----w- c:\program files\UltraMon(2)
2009-09-21 13:39 . 2009-09-28 19:39 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 15:43 . 2007-11-18 14:58 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-02 14:19 . 2006-08-09 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-10-02 14:15 . 2006-08-09 01:50 -------- d-----w- c:\program files\Security Task Manager
2009-10-02 14:08 . 2009-05-16 15:00 -------- d-----w- c:\program files\Microsoft
2009-10-02 12:39 . 2007-06-10 20:27 -------- d-----w- c:\program files\Bonjour
2009-10-02 11:48 . 2007-02-17 20:39 -------- d-----w- c:\program files\LimeWire
2009-10-01 23:49 . 2007-02-10 02:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2009-10-01 23:49 . 2007-02-10 02:47 -------- d-----w- c:\program files\Uniblue
2009-10-01 20:39 . 2006-07-09 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-01 20:10 . 2004-12-24 18:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-01 19:06 . 2006-07-09 15:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-01 19:06 . 2007-01-27 00:37 -------- d-----w- c:\program files\Uninstall Plus v3.9
2009-10-01 19:05 . 2006-12-12 00:10 -------- d-----w- c:\program files\Grisoft(2)
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7(2)
2009-10-01 19:05 . 2007-06-29 01:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Grisoft
2009-10-01 19:05 . 2006-12-12 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft(2)
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 19:05 . 2009-10-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-01 19:05 . 2009-10-01 10:36 -------- d-----w- c:\program files\Spybot2 - Search & Destroy
2009-09-28 19:44 . 2007-06-29 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-09-22 17:31 . 2004-08-20 01:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-21 15:33 . 2009-05-19 23:30 11952 ----a-w- c:\windows\system32\avgrsstx(2).dll
2009-08-15 22:26 . 2008-11-03 15:38 -------- d-----w- c:\program files\Free FTP
2009-08-14 20:46 . 2009-05-19 23:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 20:46 . 2009-05-19 23:30 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 20:46 . 2009-05-19 23:30 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-09 12:49 . 2009-08-09 12:49 -------- d-----w- c:\program files\Opera
2009-08-09 09:35 . 2005-03-19 16:25 64448 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-20 00:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-20 00:48 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-20 00:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2007-01-27 00:41 . 2007-01-27 00:40 291 -c--a-w- c:\program files\Program Files.ini
2006-03-04 23:47 . 2007-01-27 00:40 262144 -c--a-w- c:\program files\unst0_0.exe
2004-10-01 19:00 . 2006-08-06 00:56 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-02_18.51.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-19 18:07 . 2009-10-02 21:36 1526088 c:\windows\system32\FNTCACHE.DAT
- 2004-08-19 18:07 . 2009-08-08 07:57 1526088 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Glassy Recycle Bin App.exe [2005-3-6 557056]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-5-17 3450608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
UltraMon.lnk - c:\windows\Installer\{89291966-CF6B-4DC7-9D72-8C9034A194D9}\IcoUltraMon.ico [2009-7-11 29310]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 20:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UltraMon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UltraMon.lnk
backup=c:\windows\pss\UltraMon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Hyalo-Time and Date gadget by adni18.exe]
backup=c:\windows\pss\Hyalo-Time and Date gadget by adni18.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^weather.ini]
backup=c:\windows\pss\weather.iniStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVG Anti-Spyware Guard"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WinDefend"=2 (0x2)
"QuickBooksDB18"=2 (0x2)
"QBFCService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"ose"=3 (0x3)
"Bonjour Service"=2 (0x2)
"MDM"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Free FTP\\FreeFTP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-05-19 5:54 PM 64160]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2008-11-14 3:11 AM 17184]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2004-12-22 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-20 00:12]

2004-12-22 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-20 00:12]

2009-10-01 c:\windows\Tasks\Rescue Reminder for 2HAA281S.job
- c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2008-07-21 20:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scottkauffman.org/
mStart Page = about:blank
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xh0y4fd5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 17:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-287224735-1645239246-1093931250-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:cc,a6,b9,a7,54,ee,5c,c5,49,f8,91,18,0c,92,cc,c0,c3,27,a5,1d,dc,dc,4f,
59,5e,e7,30,f4,9c,d2,7f,30,7d,c1,03,86,df,9e,4f,66,4f,b4,a5,63,3f,67,73,2a,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3112)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\UltraMon\UltraMon.exe
c:\windows\system32\wscntfy.exe
c:\docume~1\Owner\LOCALS~1\Temp\{6229412D-3981-4620-8A8F-B6B2FA59EBBE}\Glassy Recycle Bin App.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2009-10-02 17:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-02 21:39
ComboFix2.txt 2009-10-02 19:37

Pre-Run: 131,066,449,920 bytes free
Post-Run: 131,021,340,672 bytes free

247 --- E O F --- 2009-09-28 15:06
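
The security-relevant detail in Farbar's script and in the log above is that a file named win32k.sys sat in c:\windows rather than in system32 (where the real one lives, with a protected copy in dllcache), and the File:: and Fcopy:: directives deleted it and restored the genuine file from the KB968537 hotfix uninstall backup. As an added example, not code from this thread, from ComboFix or from its author, the following Python script scans ComboFix-style log lines for exactly that kind of finding: a core system binary outside its canonical directory (hotfix uninstall backups, the service pack file cache and the ComboFix quarantine folder are treated as benign copies) and an executable running out of a Temp directory, which is what the Glassy Recycle Bin App.exe entry in the running-processes section is and is worth a look for that reason alone. The canonical-directory table, the backup-folder patterns and the sample log lines (copied and abridged from the log above) are constructed assumptions for this example.

```python
"""Flag suspicious file placements in a ComboFix-style log (added example)."""
import re
from dataclasses import dataclass

# Canonical directories (lower-case, drive letter stripped) for a few core
# Windows XP binaries. Assumption for this example, not an exhaustive list:
# the real win32k.sys lives in system32, with the protected copy in dllcache.
CANONICAL_DIRS = {
    "win32k.sys":   {r"\windows\system32", r"\windows\system32\dllcache"},
    "ntoskrnl.exe": {r"\windows\system32", r"\windows\system32\dllcache"},
    "hal.dll":      {r"\windows\system32", r"\windows\system32\dllcache"},
    "svchost.exe":  {r"\windows\system32", r"\windows\system32\dllcache"},
    "explorer.exe": {r"\windows", r"\windows\system32\dllcache"},
}

# Places where a second copy of a system binary is expected and benign:
# hotfix uninstall backups ($NtUninstallKBnnnnnn$), the service pack uninstall
# folder and ComboFix's quarantine folder (assumed names for this example).
BACKUP_SEGMENT_RE = re.compile(r"^\$ntuninstall.*\$$|^\$ntservicepackuninstall\$$|^qoobox$")
SERVICEPACK_CACHE = r"\windows\servicepackfiles\i386"

# ComboFix section banners look like '((((( Name )))))' or '----- Name -----'.
SECTION_RE = re.compile(r"^(?:\({5,}|-{5,})\s*(.+?)\s*(?:\){5,}|-{5,})$")
# A drive-rooted path runs to the end of the line, or to ' --> ' on FCopy lines.
PATH_RE = re.compile(r"[a-zA-Z]:\\.*?(?= --> |$)")


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    reason: str


def split_path(path):
    """Return (directory without the drive letter, file name), both lower-cased."""
    parts = path.lower().split("\\")          # parts[0] is the drive, e.g. 'c:'
    return "\\" + "\\".join(parts[1:-1]), parts[-1]


def is_backup_location(directory):
    """True for directories where a spare copy of a system binary is expected."""
    if directory == SERVICEPACK_CACHE:
        return True
    return any(BACKUP_SEGMENT_RE.match(seg) for seg in directory.split("\\"))


def check_path(section, path):
    """Apply both placement rules to one path; return the findings (possibly none)."""
    directory, name = split_path(path)
    findings = []
    canonical = CANONICAL_DIRS.get(name)
    if canonical and directory not in canonical and not is_backup_location(directory):
        findings.append(Finding(section, path,
                                f"{name} outside its canonical directory ({', '.join(sorted(canonical))})"))
    if name.endswith(".exe") and "temp" in directory.split("\\"):
        findings.append(Finding(section, path, "executable under a Temp directory"))
    return findings


def scan_log(text):
    """Walk the log, tracking the current section banner, and collect findings."""
    section = "(preamble)"
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        for path in PATH_RE.findall(line):
            findings.extend(check_path(section, path))
    return findings


# Constructed sample: lines copied and abridged from the ComboFix log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))
.
c:\program files\AskBarDis\unins000.dat
c:\windows\win32k.sys
.
--------------- FCopy ---------------
c:\windows\$NtUninstallKB968537$\win32k.sys --> c:\windows\system32\dllcache\win32k.sys
c:\windows\$NtUninstallKB968537$\win32k.sys --> c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.
2009-10-02 14:00 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
------------------------ Other Running Processes ------------------------
.
c:\program files\UltraMon\UltraMon.exe
c:\windows\system32\wscntfy.exe
c:\docume~1\Owner\LOCALS~1\Temp\{6229412D-3981-4620-8A8F-B6B2FA59EBBE}\Glassy Recycle Bin App.exe
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.path}: {f.reason}")
```

Run against the sample it reports two findings: the stray c:\windows\win32k.sys in the Other Deletions section and the executable under the user's Temp folder in Other Running Processes, while the FCopy source in the $NtUninstallKB968537$ folder and the restored copies in system32 and dllcache pass cleanly. A placement check like this is only a triage heuristic; confirming a file is genuine still means comparing its hash or Authenticode signature against the known-good copy.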