I have Trojan Agent r_OT


This topic is locked
12 replies to this topic

#1 Jpsyr


Posted 11 November 2009 - 09:09 PM

Hi, my name is Jack; my problem was escalated to this forum for further action. I have the stupid r_OT trojan and have had it about a week and a half. So far it only redirects or stops my browser from working. AVG finds 80-89 files with it, many of which are in AVG or my firewall (Zone Alarm) or Lavasoft files. Some are in Windows system files as well. I have been able to run all scans that have been required for this forum and have attached them. My RootRepeal log is here in the body if that's OK. I ran MBAM and it removed a few files to the vault; AVG claims that it has done that, but the files reappear each morning after the overnight scan. I haven't noticed anything non-internet-related, but I fear I am being "watched".

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/10 20:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAEBE4000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xBA5CC000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Compaq_Owner\Desktop\stuff\APBAHO~1.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb014c6b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02bafc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02b7c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb014c574

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02bb580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02cf900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02cfb10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02d3b10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02bb670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02b8210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02d29f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb014ca52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02cf280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02d2f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02d2f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02b8070

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb014c64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02d1180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02d0f40

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb014c76e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02d36f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02d3150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02babe0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb014c72e

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02bb190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02b8440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb014c8ae

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02d0200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02d0080

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02b9e70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02b9f20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02b9fe0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02b8d60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02ba250

==EOF==

The others are attached and begin with Jpsyr for ease of remembering who they came from.

Thank you very much. I work as a field product specialist fixing and installing pieces of EQ, so I understand the nature of waiting... Thank you again.

Jack


Edited by Jpsyr, 11 November 2009 - 09:14 PM.
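As an added illustration (not part of the original post, and not RootRepeal's own code), here is a small Python parser for the report format above: it splits the report into its sections, groups the SSDT and Shadow SSDT hooks by the driver that installed them, compares those drivers against an analyst-maintained allowlist of security products, and lists entries that are visible to the Windows API but absent on disk. The excerpt it runs on is a constructed shortening of the log with an extra unknown.sys hook invented to show how an unattributed hook is flagged, and the allowlist mapping of vsdatant.sys to ZoneAlarm and aswSP.sys to avast! is an assumption to verify against file signatures.

```python
"""Summarise a RootRepeal report: which drivers own the SSDT / Shadow SSDT
hooks, and which listed files are phantom (visible to the API but not on disk)."""
import re
from collections import defaultdict

# Constructed excerpt in the layout of the RootRepeal log above; the
# "unknown.sys" hook is invented here to show how an unattributed hook is flagged.
SAMPLE_LOG = r"""
ROOTREPEAL AD, 2007-2009
==================================================
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Desktop\APBAHO~1.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb014c6b8

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02b7c80

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\unknown.sys" at address 0xb0123456

Shadow SSDT
-------------------
#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb02ba250

==EOF==
"""

# Analyst-maintained allowlist of drivers that legitimately hook the SSDT.
# Assumed mapping: vsdatant.sys is ZoneAlarm's TrueVector driver and aswSP.sys
# is avast!'s self-protection driver; verify signatures before trusting it.
KNOWN_HOOKERS = {
    "vsdatant.sys": "ZoneAlarm firewall",
    "aswsp.sys": "avast! antivirus",
    "rootrepeal.sys": "RootRepeal itself",
}

HOOK_RE = re.compile(
    r'^#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<fn>\S+)\s*\n'
    r'Status:\s*Hooked by "(?P<mod>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)',
    re.MULTILINE,
)
FILE_RE = re.compile(
    r'^Path:\s*(?P<path>.+?)\s*\nStatus:\s*(?P<status>.+?)\s*$', re.MULTILINE
)


def split_sections(text):
    """Map each section title (the line above a dashed rule) to its body."""
    lines = text.splitlines()
    sections, current = defaultdict(list), None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("-------"):
            current = line.strip()  # this line is a section title
        elif current is not None and not line.startswith("-------"):
            sections[current].append(line)
    return {title: "\n".join(body) for title, body in sections.items()}


def parse_hooks(section_body, table):
    """Return one record per 'Hooked by' entry in an SSDT-style section."""
    return [
        {"table": table, "index": int(m["idx"]), "function": m["fn"],
         "module": m["mod"], "address": m["addr"]}
        for m in HOOK_RE.finditer(section_body)
    ]


def parse_files(section_body):
    """Return the Path/Status pairs of the Hidden/Locked Files section."""
    return [{"path": m["path"], "status": m["status"]}
            for m in FILE_RE.finditer(section_body)]


def summarize(text, known=KNOWN_HOOKERS):
    """Group hooks by owning driver and separate known products from unknown ones."""
    sections = split_sections(text)
    hooks = parse_hooks(sections.get("SSDT", ""), "SSDT") + \
        parse_hooks(sections.get("Shadow SSDT", ""), "Shadow SSDT")
    by_module = defaultdict(list)
    for hook in hooks:
        # key on the bare file name, case-folded, so path spelling does not matter
        by_module[hook["module"].rsplit("\\", 1)[-1].lower()].append(hook)
    unknown = {name: hs for name, hs in by_module.items() if name not in known}
    phantom = [f for f in parse_files(sections.get("Hidden/Locked Files", ""))
               if "not on disk" in f["status"]]
    return {"hooks_by_module": dict(by_module), "unknown_hookers": unknown,
            "phantom_files": phantom}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name, hooks in result["hooks_by_module"].items():
        owner = KNOWN_HOOKERS.get(name, "UNKNOWN - investigate")
        print(f"{name}: {len(hooks)} hook(s), {owner}: "
              + ", ".join(h["function"] for h in hooks))
    for f in result["phantom_files"]:
        print("phantom entry:", f["path"])
```

Hooks by a driver outside the allowlist, and phantom entries such as the alternate data stream on the desktop executable above, are the items to investigate first; hooks from a known firewall or antivirus are expected on this kind of machine.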



#2 Buckeye_Sam

Malware Expert

Posted 12 November 2009 - 08:21 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!



#3 Jpsyr


Posted 12 November 2009 - 10:34 PM

Hi Sam, thank you very much for your help... I can't seem to turn AVG off. It's running, but it's not in my system tray, and I can't seem to find an off button for it. I don't want to run ComboFix until I can turn AVG off.

Jack

#4 Buckeye_Sam

Malware Expert

Posted 13 November 2009 - 09:05 AM

Check this link for further documentation on disabling your antivirus.
http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

#5 Jpsyr


Posted 13 November 2009 - 05:39 PM

Thank you, I will be doing the ComboFix a few hours from now.

#6 Jpsyr


Posted 13 November 2009 - 11:15 PM

OK, here is the ComboFix log. There was an error that popped up before the log; it said something about not being able to export. I should have written it down, sorry; I will in the future.

ComboFix 09-11-13.04 - Compaq_Owner 11/13/2009 22:42.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1919.1281 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1570880150-1600476138-4193526188-1009
c:\windows\db32.txt
c:\windows\g32.txt
c:\windows\gs32.txt
c:\windows\run.log
c:\windows\system32\ps2.bat
c:\windows\viassary-hp.reg
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-14 03:39 . 2003-12-03 01:23 142336 ----a-w- c:\windows\system32\drivers\fasttx2k.sys
2009-11-12 12:32 . 2009-11-10 05:05 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 12:32 . 2009-11-10 05:05 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 12:32 . 2009-11-10 05:05 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 12:32 . 2009-11-10 05:05 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 12:32 . 2009-10-29 12:10 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-12 12:32 . 2009-10-29 12:10 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-11 02:16 . 2009-06-03 18:35 180224 ----a-w- c:\windows\system32\imsispd.exe
2009-11-11 02:16 . 2009-11-11 02:16 -------- d-----w- c:\windows\system32\aspi
2009-11-11 02:16 . 2009-11-11 02:23 -------- d-----w- c:\program files\intelliScore Polyphonic WAV to MIDI Converter Demo
2009-11-10 05:14 . 2009-11-10 05:14 -------- d-----w- c:\program files\ESET
2009-11-10 05:06 . 2009-10-29 12:10 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 05:05 . 2009-10-29 12:10 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-10 05:05 . 2009-10-29 12:10 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-07 14:16 . 2009-11-07 14:17 -------- d-----w- c:\windows\system32\NtmsData
2009-11-06 03:36 . 2008-06-26 17:00 857528 ----a-w- c:\documents and settings\All Users\Application Data\EmailNotifier\EmailNotifierAPI.dll
2009-11-06 03:36 . 2008-06-26 16:54 850672 ----a-w- c:\documents and settings\All Users\Application Data\EmailNotifier\EmailNotifier.exe
2009-11-06 03:36 . 2009-11-06 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\EmailNotifier
2009-11-06 02:23 . 2009-11-06 02:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-11-06 02:22 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 02:22 . 2009-11-06 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 02:22 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 02:22 . 2009-11-06 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 01:58 . 2009-11-06 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-06 01:58 . 2009-11-06 02:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 22:59 . 2009-11-04 22:59 -------- d-----w- c:\program files\Alwil Software
2009-11-04 00:04 . 2009-11-04 00:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AVG9
2009-11-03 23:20 . 2009-11-03 23:20 2855 ----a-w- c:\windows\sa23sl.PIF
2009-10-31 16:07 . 2009-10-31 16:07 1794456 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-10-29 12:54 . 2009-10-29 12:54 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-29 12:54 . 2009-10-29 12:54 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-10-29 12:54 . 2009-10-29 12:54 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-10-29 12:54 . 2009-10-29 12:54 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-10-29 12:54 . 2009-10-29 12:54 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-10-17 01:04 . 2009-10-17 01:04 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 03:41 . 2009-05-26 00:45 625 --sha-w- c:\windows\system32\mmf.sys
2009-11-13 22:31 . 2009-10-29 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-12 04:35 . 2009-08-10 20:08 13185260 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-12 04:11 . 2006-12-13 13:08 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Audacity
2009-11-12 00:08 . 2007-05-04 00:05 -------- d-----w- c:\program files\PCFriendly
2009-11-11 23:54 . 2007-06-24 04:06 -------- d-----w- c:\program files\WIDI 2.3
2009-11-11 04:52 . 2007-06-25 02:35 -------- d-----w- c:\program files\AmazingMIDI
2009-11-10 05:05 . 2009-01-03 02:10 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-05 21:46 . 2005-09-07 12:00 4038 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-11-02 14:16 . 2005-08-11 20:53 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AdobeUM
2009-11-01 20:50 . 2009-11-01 20:52 1668608 ----a-w- c:\windows\Internet Logs\xDB6B9.tmp
2009-11-01 13:26 . 2008-06-21 21:01 -------- d-----w- c:\program files\VST
2009-11-01 13:26 . 2005-12-12 21:36 -------- d-----w- c:\program files\iZotope
2009-11-01 13:20 . 2006-06-30 21:26 -------- d-----w- c:\program files\Verizon Online
2009-11-01 13:17 . 2009-03-08 12:53 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-11-01 11:57 . 2009-11-01 11:59 1640960 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-10-31 16:10 . 2007-09-22 12:29 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-10-31 16:07 . 2009-07-27 23:49 143976 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks\uninstall.exe
2009-10-31 16:07 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-10-31 14:45 . 2008-06-23 14:08 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-10-30 15:27 . 2007-12-09 21:59 850 -c--a-w- c:\windows\EReg077.dat
2009-10-30 11:41 . 2009-10-30 11:43 1612288 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-10-29 12:53 . 2009-06-24 12:15 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-10-29 12:52 . 2009-10-29 12:52 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-29 12:10 . 2009-01-03 02:10 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-29 12:10 . 2009-01-03 02:10 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-29 12:10 . 2009-01-03 12:11 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 12:10 . 2008-05-23 12:25 -------- d-----w- c:\program files\AVG
2009-10-29 11:29 . 2005-05-28 07:28 -------- d-----w- c:\program files\Google
2009-10-25 19:54 . 2009-10-25 20:01 1539584 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-10-20 21:21 . 2009-10-20 21:21 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-10-20 21:21 . 2009-03-05 22:20 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-10-20 21:21 . 2009-03-05 22:20 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-10-20 21:21 . 2009-06-24 12:15 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-10-17 15:11 . 2005-08-09 03:00 -------- d-----w- c:\program files\Microsoft Home Publishing 2000
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-10 15:23 . 2009-10-10 15:23 -------- d-----w- c:\program files\Disney
2009-10-03 08:15 . 2009-10-29 12:52 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-02 03:47 . 2005-08-13 02:24 631 -c--a-w- c:\windows\eReg.dat
2009-10-01 00:51 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-01 00:51 . 2009-10-01 00:51 1407680 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-09-30 18:04 . 2009-09-30 17:56 -------- d-----w- c:\program files\Computer Requirements
2009-09-30 17:57 . 2005-09-07 11:41 78032 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 12:55 . 2009-02-08 14:33 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-20 23:19 . 2009-05-25 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-14 17:51 . 2009-09-14 17:51 81920 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connecthook.dll
2009-09-14 17:51 . 2009-09-14 17:51 190976 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectsprd.dll
2009-09-08 16:40 . 2009-09-08 16:47 8192 -c--a-w- c:\windows\Internet Logs\xDB1.tmp
2009-09-08 16:39 . 2009-09-08 16:40 8192 -c--a-w- c:\windows\Internet Logs\xDB1037.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB1035.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB1033.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB1031.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB102E.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB102C.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB102A.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB1028.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB1026.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB1024.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB1021.tmp
2009-09-08 16:39 . 2009-09-08 16:39 8192 -c--a-w- c:\windows\Internet Logs\xDB101E.tmp
2009-09-08 16:37 . 2009-09-08 16:37 8192 -c--a-w- c:\windows\Internet Logs\xDBFFE.tmp
2009-09-08 16:37 . 2009-09-08 16:37 8192 -c--a-w- c:\windows\Internet Logs\xDBFFC.tmp
2009-09-08 16:37 . 2009-09-08 16:37 8192 -c--a-w- c:\windows\Internet Logs\xDBFFA.tmp
2009-09-08 16:37 . 2009-09-08 16:37 8192 -c--a-w- c:\windows\Internet Logs\xDBFF8.tmp
2009-09-08 16:37 . 2009-09-08 16:37 8192 -c--a-w- c:\windows\Internet Logs\xDBFF6.tmp
2009-09-08 16:37 . 2009-09-08 16:37 8192 -c--a-w- c:\windows\Internet Logs\xDBFF4.tmp
2009-09-08 16:37 . 2009-09-08 16:37 8192 -c--a-w- c:\windows\Internet Logs\xDBFF2.tmp
2009-09-08 16:37 . 2009-09-08 16:37 8192 -c--a-w- c:\windows\Internet Logs\xDBFF0.tmp
2009-09-08 16:37 . 2009-09-08 16:37 8192 -c--a-w- c:\windows\Internet Logs\xDBFED.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFEB.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFE8.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFE6.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFE4.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFE2.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFE0.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFDE.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFDC.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFDA.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFD8.tmp
2009-09-08 16:36 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFD5.tmp
2009-09-08 16:35 . 2009-09-08 16:36 8192 -c--a-w- c:\windows\Internet Logs\xDBFD3.tmp
2009-09-08 16:35 . 2009-09-08 16:35 8192 -c--a-w- c:\windows\Internet Logs\xDBFD1.tmp
2009-09-08 16:35 . 2009-09-08 16:35 8192 -c--a-w- c:\windows\Internet Logs\xDBFCF.tmp
2009-09-08 16:35 . 2009-09-08 16:35 8192 -c--a-w- c:\windows\Internet Logs\xDBFCD.tmp
2009-09-08 16:35 . 2009-09-08 16:35 8192 -c--a-w- c:\windows\Internet Logs\xDBFCA.tmp
2009-09-08 16:35 . 2009-09-08 16:35 8192 -c--a-w- c:\windows\Internet Logs\xDBFC8.tmp
2009-09-08 16:35 . 2009-09-08 16:35 8192 -c--a-w- c:\windows\Internet Logs\xDBFC6.tmp
2009-09-08 16:35 . 2009-09-08 16:35 8192 -c--a-w- c:\windows\Internet Logs\xDBFC4.tmp
2009-09-08 16:35 . 2009-09-08 16:35 8192 -c--a-w- c:\windows\Internet Logs\xDBFC2.tmp
2009-09-08 16:35 . 2009-09-08 16:35 8192 -c--a-w- c:\windows\Internet Logs\xDBFC0.tmp
2009-09-08 16:35 . 2009-09-08 16:35 8192 -c--a-w- c:\windows\Internet Logs\xDBFBE.tmp
2009-09-08 16:33 . 2009-09-08 16:33 8192 -c--a-w- c:\windows\Internet Logs\xDBFA2.tmp
2009-09-08 16:33 . 2009-09-08 16:33 8192 -c--a-w- c:\windows\Internet Logs\xDBFA0.tmp
2009-09-08 16:33 . 2009-09-08 16:33 8192 -c--a-w- c:\windows\Internet Logs\xDBF9E.tmp
2009-09-08 16:33 . 2009-09-08 16:33 8192 -c--a-w- c:\windows\Internet Logs\xDBF9C.tmp
2009-09-08 16:33 . 2009-09-08 16:33 8192 -c--a-w- c:\windows\Internet Logs\xDBF9A.tmp
2009-09-08 16:33 . 2009-09-08 16:33 8192 -c--a-w- c:\windows\Internet Logs\xDBF98.tmp
2009-09-08 16:33 . 2009-09-08 16:33 8192 -c--a-w- c:\windows\Internet Logs\xDBF96.tmp
2009-09-08 16:33 . 2009-09-08 16:33 8192 -c--a-w- c:\windows\Internet Logs\xDBF94.tmp
2009-09-08 16:33 . 2009-09-08 16:33 8192 -c--a-w- c:\windows\Internet Logs\xDBF92.tmp
2008-02-25 12:59 . 2008-02-25 12:59 34384 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-02-25 12:59 . 2008-02-25 12:59 94872 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2005-11-18 23:28 . 2005-11-18 23:28 331 -csha-r- c:\windows\110x52qx4x.dat
2009-08-07 03:00 . 2009-08-07 03:00 22 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 16:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-29 12:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Microsoft Office Fast Start.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Microsoft Office Fast Start.lnk
backup=c:\windows\pss\Microsoft Office Fast Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Microsoft Office Find Fast Indexer.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Microsoft Office Find Fast Indexer.lnk
backup=c:\windows\pss\Microsoft Office Find Fast Indexer.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"SymWSC"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Application Data\\Juniper Networks\\Setup Client\\JuniperSetupClient.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/8/2009 9:33 AM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/2/2009 9:10 PM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/2/2009 9:10 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/29/2009 7:10 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/29/2009 7:10 AM 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/29/2009 6:27 AM 133104]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [10/3/2006 7:13 PM 2560]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [3/22/2009 8:42 AM 16512]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 12:54]

2009-10-28 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-02-18 16:00]

2009-11-13 c:\windows\Tasks\{328C623C-46BC-40EF-AC8E-7652365E63FC}_UPSTAIRS_Compaq_Owner.job
- c:\windows\system32\mobsync.exe [2004-08-04 12:00]

2009-11-13 c:\windows\Tasks\{3A3AC2AA-FA8D-4D99-A093-AE5AF57FC24C}_UPSTAIRS_Compaq_Owner.job
- c:\windows\system32\mobsync.exe [2004-08-04 12:00]

2009-11-13 c:\windows\Tasks\{C8C3BC90-21D4-4C89-A1DF-6907479F09EB}_UPSTAIRS_Compaq_Owner.job
- c:\windows\system32\mobsync.exe [2004-08-04 12:00]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://my.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\k0dwmmi0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://home.verizon.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Eastside UK pre-game Editor for NHL EHM 2007_is1 - k:\sports interactive\Eastside UK\unins000.exe
AddRemove-Eastside UK saved game Editor for NHL EHM 2007_is1 - k:\sports interactive\Eastside UK\Eastside UK\unins000.exe
AddRemove-{4816702A-0879-4499-0085-ACFC0F65E811} - k:\program files\EA SPORTS\NHL 2004\EAUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 23:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]
"1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,c9,e0,20,43,a1,23,f2,
e3
"2"=hex:d7,7a,ea,31,a0,f7,22,dd,b6,43,6f,32,07,8b,4a,0a,e2,6f,a8,1b,53,71,0d,
78,d5,ad,68,1b,c8,4a,9b,03
"3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,aa,6b,6f,c8,5d,d1,dd,
70,c8,0c,a2,71,14,a4,b5,05,7d,2c,84,8d,ff,2b,de,6d,f8,f2,70,94,19,43,ce,bd,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC]
"1"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,
42,0c,3f,30,d4,d3,b8,cd,35,d5,a9,6f,e0,2c,05,4e,14
"2"=hex:58,92,5a,34,3f,c6,a5,c5
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,
42,0c,3f,30,d4,d3,b8,cd,35,61,5a,c0,6c,22,7e,83,13,6e,44,91,28,69,cc,01,dd
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,73,7e,45,c6,9f,9e,10,
63,a0,2f,06,c2,a3,e9,62,70,d1,3e,e6,57,b7,98,40,c9,e4,cc,88,e6,39,d6,95,f5,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|.|A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
Completion time: 2009-11-13 23:05
ComboFix-quarantined-files.txt 2009-11-14 04:03

Pre-Run: 91,662,016,512 bytes free
Post-Run: 91,701,927,936 bytes free

- - End Of File - - 07BCE22E6011EB88BFB223FAF0C3C7F5


Jack
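The firewall-policy and Security Center lines in the ComboFix log above ("EnableFirewall"= 0, "DisableMonitoring"=dword:00000001, the AuthorizedApplications list) are the part of such a log a helper reads first when deciding what protection is actually running. The following is an added example, not ComboFix's own code and not posted by anyone in this thread: it parses those registry-style lines and states what they mean. SAMPLE_LOG is a constructed copy of a few lines from the log; the function names are ours.

```python
"""Added example for this thread (not ComboFix's own code, not from any poster):
read the firewall-policy and Security Center lines of a ComboFix log and say
plainly what they mean. SAMPLE_LOG is a constructed copy of lines from the log
posted above; the function names are ours."""
import re

# Constructed sample, shaped like the ComboFix registry section above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")            # [HKLM\...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=data


def parse_sections(text):
    """Return {key_path: {value_name: raw_data}} for a registry-style dump."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def _to_int(raw):
    """ComboFix prints DWORDs as 'dword:00000001' or '0 (0x0)'; recover the number."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group(0)) if m else None


def assess_firewall(text):
    """Pull out the three facts a reader wants from this part of the log."""
    result = {"windows_firewall_enabled": None,   # EnableFirewall in the standard profile
              "monitoring_disabled_for": [],      # products that told Security Center to stand down
              "authorized_apps": []}              # programs allowed through Windows Firewall
    for key, values in parse_sections(text).items():
        lower = key.lower()
        if lower.endswith("firewallpolicy\\standardprofile"):
            if "EnableFirewall" in values:
                result["windows_firewall_enabled"] = _to_int(values["EnableFirewall"]) == 1
        elif lower.endswith("authorizedapplications\\list"):
            # The dump doubles backslashes; collapse them back to plain paths.
            result["authorized_apps"] = [name.replace("\\\\", "\\") for name in values]
        elif "security center\\monitoring\\" in lower:
            product = key.rsplit("\\", 1)[-1]
            if _to_int(values.get("DisableMonitoring", "0")) == 1:
                result["monitoring_disabled_for"].append(product)
    return result


def findings(result):
    """Turn the parsed facts into the short notes a helper would write back."""
    notes = []
    if result["windows_firewall_enabled"] is False:
        notes.append("Windows Firewall is off for the standard profile (EnableFirewall=0).")
    for product in result["monitoring_disabled_for"]:
        notes.append(f"Security Center is not monitoring '{product}'; a third-party "
                     "firewall set this, so confirm that product is installed and running.")
    if result["authorized_apps"]:
        notes.append(f"{len(result['authorized_apps'])} program(s) are allowed through "
                     "Windows Firewall; check each against what you knowingly installed.")
    return notes


if __name__ == "__main__":
    for note in findings(assess_firewall(SAMPLE_LOG)):
        print("-", note)
```

On this machine the result is the expected one for a ZoneAlarm install: the built-in firewall is off and Security Center has been told not to monitor the ZoneLabs product, so the question a helper asks is whether ZoneAlarm itself is still running (the vsmon service in the msconfig list above suggests it is). The authorized-applications list is worth a glance on any log because it is where programs that have asked for inbound access accumulate.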

#7 Buckeye_Sam (Malware Expert)

Posted 14 November 2009 - 08:56 AM

Nicely done! :(


Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


====================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Let me know how your computer is behaving now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 Jpsyr (Topic Starter)

Posted 14 November 2009 - 07:23 PM

Thank you for your help Sam, here is the MBAM log from today's scan after updating MBAM and Java.

Malwarebytes' Anti-Malware 1.41
Database version: 3171
Windows 5.1.2600 Service Pack 2

11/14/2009 7:12:02 PM
mbam-log-2009-11-14 (19-12-02).txt

Scan type: Full Scan (C:\|D:\|K:\|)
Objects scanned: 311504
Time elapsed: 1 hour(s), 52 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


This morning though when I checked my overnight scan from AVG, there were four infections

this is a copy of that report

"C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP414\A0071526.exe";"Trojan horse Agent2.SIQ";"Moved to Virus Vault"
"C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP414\A0071525.exe";"Trojan horse Agent2.ZZG";"Moved to Virus Vault"
"C:\hp\recovery\wizard\SWR_Wizard.exe";"Trojan horse Agent2.SIQ";"Moved to Virus Vault"
"C:\hp\bin\ProcessLogger.exe";"Trojan horse Agent2.ZZG";"Moved to Virus Vault"

AVG claims it moved them to the vault, but they aren't there

The computer has done very well today with no redirects, and all pages opened, though some were slower than others. Bleeping was hanging up earlier before the Java update, but I was still able to bring it up; since the update it seems to be fine. I am a bit concerned with AVG's findings though. I also do not want to have Combo on my desktop as I don't want anyone accidentally clicking it, too powerful a thing to toy with. Is it OK to uninstall it once we're done?

Jack

Edit: AVG this am comes up clean of infections, only some warnings regarding some cookies

Edited by Jpsyr, 15 November 2009 - 07:26 AM.


#9 Buckeye_Sam (Malware Expert)

Posted 15 November 2009 - 05:58 PM

Those items that AVG found aren't much to worry about. Two of them I believe are false positives and the others are in your system restore.
Since everything seems to be running smoothly and your logs look good, let's go ahead and remove Combofix and then I'll post some final steps for you.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(
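The AVG report lines Jack posted in #8 and Sam's reading of them in #9 (two hits are copies inside System Restore points, which disabling and re-enabling System Restore clears) are a common triage step when reading antivirus output. The block below is an added example, not AVG's code and not posted by anyone in this thread: it parses AVG's "path";"detection";"action" lines, separates restore-point copies from live files, and pairs each live detection with restore-point entries carrying the same detection name. SAMPLE_REPORT is a constructed copy of the four lines from post #8; the function names are ours.

```python
"""Added example for this thread (not AVG's code, not from any poster): parse the
';'-separated lines AVG writes in its scan report and sort detections found inside
System Restore points from those on the live file system. SAMPLE_REPORT is a
constructed copy of the four lines posted above; function names are ours."""
import csv
import io
import re

# Constructed sample in AVG's "path";"detection";"action" shape.
SAMPLE_REPORT = r'''
"C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP414\A0071526.exe";"Trojan horse Agent2.SIQ";"Moved to Virus Vault"
"C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP414\A0071525.exe";"Trojan horse Agent2.ZZG";"Moved to Virus Vault"
"C:\hp\recovery\wizard\SWR_Wizard.exe";"Trojan horse Agent2.SIQ";"Moved to Virus Vault"
"C:\hp\bin\ProcessLogger.exe";"Trojan horse Agent2.ZZG";"Moved to Virus Vault"
'''

# Restore-point copies live under \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\", re.IGNORECASE)


def parse_avg_report(text):
    """One dict per report line: path, detection name, action, restore-point number."""
    rows = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) != 3:
            continue  # blank or malformed line
        path, detection, action = (field.strip() for field in row)
        m = RESTORE_POINT_RE.search(path)
        rows.append({"path": path, "detection": detection, "action": action,
                     "restore_point": int(m.group(1)) if m else None})
    return rows


def triage(text):
    """Split live-file detections from restore-point copies and group by family."""
    rows = parse_avg_report(text)
    families = {}
    for r in rows:
        families.setdefault(r["detection"], []).append(r["path"])
    return {"live": [r for r in rows if r["restore_point"] is None],
            "restore_point": [r for r in rows if r["restore_point"] is not None],
            "families": families}


def pair_restore_copies(text):
    """Map each live detection to restore-point entries carrying the same name.

    A00nnnnn.exe files in a restore point are snapshots of earlier file versions,
    so an RP hit with the same detection as a live file is usually a copy of it."""
    t = triage(text)
    pairs = {}
    for live in t["live"]:
        pairs[live["path"]] = [rp["path"] for rp in t["restore_point"]
                               if rp["detection"] == live["detection"]]
    return pairs


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{len(t['live'])} live file(s), {len(t['restore_point'])} restore-point cop(ies)")
    for live_path, copies in pair_restore_copies(SAMPLE_REPORT).items():
        print(live_path, "->", copies or "no restore-point copy")
```

Run on the four sample lines it reports two live files under C:\hp (the HP recovery tools Sam judged to be false positives) and two restore-point copies, one paired with each live file by detection name. The pairing is the useful part: a restore-point hit that matches a live detection is a snapshot of that file, not a second infection, which is why the advice on a clean machine is to flush the restore points rather than chase each RP entry.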

#10 Jpsyr (Topic Starter)

Posted 15 November 2009 - 06:40 PM

Ok, I have removed Combo, downloaded the spy program, turned off system restore and turned it back on according to the directions (checking the box off, then on), updated the new spy program and enabled protection on my browsers. As I have thought about it, I think this thing came in through either a bad facebook video that was accidentally clicked on, or through a very rarely and now NEVER used p2p site I used for watching hockey on my computer. A p2p will never be used by me again; I can't prove it came from there, but as I have read through the protection posts here, they are not good sites on the whole and I won't be messing with any again. Anyway... what's left to do?

Jack

#11 Buckeye_Sam (Malware Expert)

Posted 16 November 2009 - 07:55 AM

That's it! :(
You should be good to go!

#12 Jpsyr (Topic Starter)

Posted 16 November 2009 - 08:26 AM

Thank you for your help Sam, AVG came up clean this am, things seem to be normal again. I figured I was in for a total re-install based on some things I had read about that trojan.

Thank you once again, from my whole family

Jack

#13 Buckeye_Sam (Malware Expert)

Posted 17 November 2009 - 08:43 AM

I'm glad I could help you out! :(

Now that your problem appears to be resolved, this topic will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this topic in your request.