
agent_r.ot


  • This topic is locked
2 replies to this topic

#1 mikeyparkster

mikeyparkster

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 19 November 2009 - 02:31 PM

edit: update: OMG... I can actually hear random sound bites... as if someone is browsing on my dad's PC (like clicking sounds followed by video trailer music)... WEIRD AS HELL... DODGY!!! Getting scared that they have access / full control over the PC now...


See here:
http://forums.avg.com/gb-en/avg-free-forum...ge=3&type=0

My dad's machine has been infected with agent_r.ot.

Since I came to this website, I tried running ComboFix... but it didn't fix the problem of webpages redirecting / opening up...

The symptoms of the virus are exactly as described everywhere else... including this forum several times over....
An example replica of my problem is here:

http://www.bleepingcomputer.com/forums/ind...p;hl=agent_r.ot


Here's the log file.... Despite the rules saying don't post it... I anticipate it will be done anyway from reading other related threads... so I'll save us both some time.



ComboFix 09-11-18.06 - Owner 18/11/2009 23:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1633 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Custom Settings\TaskBarCmd v1.1.exe

c:\windows\system32\DRIVERS\atapi.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-18 18:37 . 2009-11-18 18:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-18 18:37 . 2009-11-18 18:37 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-11-18 18:37 . 2009-11-18 23:49 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\AskToolbar
2009-11-14 16:44 . 2009-11-14 16:44 -------- d-----w- c:\program files\PrintKey2000
2009-11-14 14:58 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-14 14:58 . 2009-11-14 14:57 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-14 14:56 . 2009-11-14 14:56 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-14 14:56 . 2009-11-14 14:56 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-14 14:56 . 2009-11-14 14:56 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-14 14:56 . 2009-11-14 14:56 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-14 14:56 . 2009-11-14 14:56 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-14 14:56 . 2009-11-14 14:56 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-14 14:56 . 2009-11-14 14:56 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-14 14:55 . 2009-11-14 14:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-14 14:55 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-14 14:55 . 2009-11-14 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-14 14:55 . 2009-11-14 14:55 -------- d-----w- c:\program files\Lavasoft
2009-11-13 19:41 . 2009-11-18 23:36 650817 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-11-13 19:40 . 2009-11-13 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-11-13 19:40 . 2009-11-13 19:40 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-11-13 19:40 . 2009-11-13 19:40 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-11-13 19:40 . 2009-11-13 19:40 179792 ----a-w- c:\windows\system32\guard32.dll
2009-11-13 19:40 . 2009-11-13 19:40 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-13 19:40 . 2009-11-13 19:40 -------- d-----w- c:\program files\COMODO
2009-11-12 21:40 . 2009-11-09 20:20 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 21:40 . 2009-11-09 20:20 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 21:40 . 2009-11-09 20:20 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 21:40 . 2009-11-09 20:20 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 21:40 . 2009-10-28 20:59 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 21:40 . 2009-10-28 20:59 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-11 12:40 . 2009-11-11 12:40 220 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E3756CFDD4216204FB4A4B339C3DFF12.dll
2009-11-11 12:40 . 2009-11-11 12:40 139 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1FBBCDDC3072CB6439B8CB8CA1E1AEAA.dll
2009-11-11 01:13 . 2009-11-16 17:49 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-11 01:13 . 2009-11-11 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-11 01:13 . 2009-11-11 01:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-11 01:13 . 2009-11-11 01:13 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-11-11 01:13 . 2009-11-11 01:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-10 21:51 . 2009-11-11 00:16 -------- d-----w- C:\divx
2009-11-10 21:39 . 2009-11-10 21:39 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2009-11-10 19:51 . 2009-11-10 19:51 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-10 18:55 . 2009-11-10 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-11-10 18:55 . 2009-11-10 18:55 -------- d-----w- c:\program files\NCH Swift Sound
2009-11-10 18:52 . 2009-11-10 18:52 -------- d-----w- c:\program files\Alex Feinman
2009-11-10 08:14 . 2009-11-10 08:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-10 08:14 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 08:14 . 2009-11-10 08:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 08:14 . 2009-11-10 08:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-10 08:14 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 08:09 . 2009-11-10 22:16 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-11-10 01:16 . 2009-11-10 01:16 -------- d-sh--w- c:\documents and settings\Guest\IECompatCache
2009-11-10 01:16 . 2009-11-10 01:16 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Google
2009-11-10 01:16 . 2009-11-10 01:16 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2009-11-10 01:15 . 2009-11-10 01:16 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\AskToolbar
2009-11-10 00:30 . 2009-11-10 00:30 -------- d-----w- c:\program files\Security Task Manager
2009-11-10 00:08 . 2009-11-10 00:38 265248 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-10 00:08 . 2009-11-10 00:32 21280 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-09 23:57 . 2009-11-10 00:21 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-11-09 23:56 . 2009-11-09 23:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-11-09 23:53 . 2009-11-13 16:19 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
2009-11-09 21:00 . 2009-11-09 21:00 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\AVG Security Toolbar
2009-11-09 20:59 . 2009-11-09 20:59 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
2009-11-09 20:20 . 2009-10-28 20:59 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 20:19 . 2009-10-28 20:59 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 20:19 . 2009-10-28 20:59 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 20:15 . 2009-11-09 20:15 262144 ----a-w- c:\windows\system32\default_user_class.dat
2009-11-01 19:43 . 2009-09-25 16:42 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-11-01 19:40 . 2009-11-18 11:02 -------- d-----w- C:\Downloads
2009-11-01 18:46 . 2009-11-01 18:46 -------- d-----w- c:\windows\Sun
2009-11-01 16:43 . 2008-04-13 22:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-11-01 14:28 . 2009-11-18 23:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AskToolbar
2009-11-01 14:22 . 2009-11-01 14:22 -------- d-----w- c:\program files\Ask.com
2009-11-01 14:22 . 2009-11-01 14:22 -------- d-----w- c:\program files\uTorrent
2009-11-01 14:21 . 2009-11-18 18:11 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-11-01 13:50 . 2009-11-01 19:45 -------- d-----w- c:\program files\Guitar Pro 5
2009-11-01 10:50 . 2009-11-01 10:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-11-01 10:45 . 2009-11-16 22:55 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-11-01 10:45 . 2009-11-01 10:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-11-01 10:44 . 2009-11-12 13:37 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2009-11-01 10:44 . 2009-11-12 13:35 -------- d-----w- c:\program files\Google
2009-11-01 10:32 . 2009-11-17 14:10 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-11-01 10:31 . 2009-11-01 10:31 -------- d-----w- c:\program files\VideoLAN
2009-10-28 22:13 . 2009-10-28 22:13 -------- d-----w- c:\program files\DreamBoxEdit
2009-10-28 22:10 . 2009-10-28 22:10 -------- d-----w- C:\MyS2GApp
2009-10-28 22:09 . 2009-10-28 22:09 -------- d-----w- c:\program files\CCcamInfoPHP v0.9
2009-10-28 22:08 . 2009-11-17 23:52 -------- d-----w- c:\program files\DCC
2009-10-28 22:00 . 2009-10-28 22:01 -------- d-----w- c:\windows\ie8updates
2009-10-28 21:59 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-10-28 21:58 . 2009-11-13 00:18 -------- d--h--w- c:\windows\$hf_mig$
2009-10-28 21:49 . 2009-09-11 14:13 136704 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-10-28 21:49 . 2009-06-25 08:41 56832 ------w- c:\windows\system32\dllcache\secur32.dll
2009-10-28 21:49 . 2009-06-25 08:41 54272 ------w- c:\windows\system32\dllcache\wdigest.dll
2009-10-28 21:49 . 2009-06-25 08:41 147456 ------w- c:\windows\system32\dllcache\schannel.dll
2009-10-28 21:49 . 2009-06-25 08:41 301568 ------w- c:\windows\system32\dllcache\kerberos.dll
2009-10-28 21:49 . 2009-06-24 10:28 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys
2009-10-28 21:48 . 2009-07-17 16:22 1435648 ------w- c:\windows\system32\dllcache\query.dll
2009-10-28 21:46 . 2009-06-22 06:44 726528 ------w- c:\windows\system32\dllcache\jscript.dll
2009-10-28 21:46 . 2009-06-21 21:49 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-10-28 21:45 . 2009-06-10 06:17 134144 ------w- c:\windows\system32\dllcache\wkssvc.dll
2009-10-28 21:45 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-10-28 21:45 . 2009-06-12 12:31 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe
2009-10-28 21:45 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe
2009-10-28 21:45 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll
2009-10-28 21:44 . 2009-06-10 14:13 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-10-28 21:29 . 2009-10-28 16:28 -------- d-----w- C:\Family Files
2009-10-28 21:29 . 2009-10-28 22:07 -------- d-----w- C:\backup
2009-10-28 21:24 . 2009-10-28 21:54 -------- d-----w- c:\program files\Microsoft Works
2009-10-28 21:23 . 2009-10-28 21:23 -------- d-----w- c:\program files\Microsoft.NET
2009-10-28 21:21 . 2009-10-28 21:22 -------- d-----w- c:\windows\SHELLNEW
2009-10-28 21:21 . 2009-10-28 21:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Microsoft Help
2009-10-28 21:21 . 2009-11-17 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-28 21:21 . 2009-10-28 21:21 -------- d-----r- C:\MSOCache
2009-10-28 21:09 . 2009-11-13 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-28 21:09 . 2009-10-28 21:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 19:39 . 2009-10-28 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-11 12:42 . 2009-11-10 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-11-10 19:52 . 2009-10-28 20:28 -------- d-----w- c:\program files\Java
2009-11-10 02:21 . 2009-11-09 20:13 -------- d-sh--w- c:\documents and settings\Guest\Application Data\lowsec
2009-11-10 00:08 . 2009-11-10 00:08 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-10 00:08 . 2009-11-10 00:08 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-01 19:43 . 2009-11-01 19:43 -------- d-----w- c:\program files\DivX
2009-11-01 19:43 . 2009-11-01 19:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-01 13:51 . 2009-10-28 20:40 66048 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 15:26 . 2009-10-28 20:20 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-28 20:59 . 2009-10-28 20:59 -------- d-----w- c:\program files\AVG
2009-10-28 20:48 . 2009-10-28 20:48 0 ----a-w- c:\windows\nsreg.dat
2009-10-28 20:43 . 2009-10-28 20:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-28 20:43 . 2009-10-28 20:43 -------- d-----w- c:\program files\SigmaTel
2009-10-28 20:43 . 2009-10-28 20:43 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-28 20:36 . 2009-10-28 20:36 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-28 20:29 . 2009-10-28 20:28 -------- d-----w- c:\program files\Unlocker
2009-10-28 20:29 . 2009-10-28 20:29 -------- d-----w- c:\program files\MediaLooks
2009-10-28 20:29 . 2009-10-28 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-28 20:29 . 2009-10-28 20:29 -------- d-----w- c:\program files\QuickTime Alternative
2009-10-28 20:29 . 2009-10-28 20:29 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-10-28 20:29 . 2009-10-28 20:29 -------- d-----w- c:\program files\7-Zip
2009-10-28 20:29 . 2009-10-28 20:29 -------- d-----w- c:\program files\Foxit Software
2009-10-28 20:29 . 2009-10-28 20:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit
2009-10-28 20:28 . 2009-10-28 20:28 318 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{A7050037-F0EA-4BAB-BCD5-FC05507D6147}\ARPPRODUCTICON.exe
2009-10-28 20:28 . 2009-10-28 20:28 25214 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}\_294823.exe
2009-10-28 20:28 . 2009-10-28 20:28 -------- d-----w- c:\program files\UPHClean
2009-09-25 16:42 . 2009-11-01 19:43 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-09-25 16:42 . 2009-11-01 19:43 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-25 16:42 . 2009-11-01 19:43 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-25 16:42 . 2009-11-01 19:43 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-09-25 16:42 . 2009-11-01 19:43 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-11 14:13 . 2009-07-19 16:01 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:01 . 2009-07-19 16:02 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:03 . 2009-07-19 16:02 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-07-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys


c:\windows\system32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-09-02 14:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-11-13 1799952]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-20 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-07-19 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-11-14 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14/11/2009 14:58 64288]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [13/11/2009 19:40 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [13/11/2009 19:40 25160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1179232]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/11/2009 10:45 133104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2009-11-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 14:56]

2009-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-01 10:44]

2009-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-01 10:44]

2009-11-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-09-02 14:56]

2009-11-18 c:\windows\Tasks\User_Feed_Synchronization-{62D7739D-82C0-47A6-889F-056B46F2A3F8}.job
- c:\windows\system32\msfeedssync.exe [2009-07-19 16:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {BFABE85C-968E-4C6B-A6FD-D763CCFE8793} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3ori5ciz.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://m.uk.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 00:07
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A78050C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\WININET.dll
.
Completion time: 2009-11-19 00:11
ComboFix-quarantined-files.txt 2009-11-19 00:11

Pre-Run: 125,368,639,488 bytes free
Post-Run: 125,884,010,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Edition" /noexecute=optin /fastdetect

- - End Of File - - 1753C85412A04FF0B7F2D720149632D3


Edited by mikeyparkster, 20 November 2009 - 09:35 AM.



#2 mikeyparkster

mikeyparkster
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 21 November 2009 - 02:37 PM

I had to resort to a format, as the problems were far too extensive to be repaired by now... the virus situation got progressively worse.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:05 AM

Posted 21 November 2009 - 08:54 PM

Thank you for letting us know. Sometimes a reformat and reinstall is the quickest and best solution.

Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



