Last vestiges of c.exe infection


  • This topic is locked
5 replies to this topic

#1 SAlzis

SAlzis

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 10 December 2009 - 11:22 AM

Hello,

I recently was infected by c.exe, and I was able to get most of it removed from the system/registry through a combination of SUPERAntiSpyware and MalwareBytes. This halted the strange pop-up behavior and inability to run new exe files that seemed to be the bulk of the symptoms.

However, it seems that I still have a port-blocking issue of some sort, as I am unable to connect to any site via IE or Google Chrome (as well as update any of my anti-malware programs). Firefox, surprisingly, works well -- which is how I am able to post to the forum today.

I checked C:\windows\system32\drivers\etc\ for the hosts file to see if there was anything strange going on, but it looks comparatively fine (matches what working machines have on my network).

Any advice or pointers are very welcome, as I would love to take care of this without a nuke and pave. DDS and RootRepeal logs follow:



DDS (Ver_09-12-01.01) - NTFSx86
Run by chamje at 10:15:58.31 on Thu 12/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2474 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\PGP\PGP602i\PGPtray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\SHOREL~1\SHOREW~1\STCLogin.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Documents and Settings\chamje\My Documents\Downloads\OTL.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\chamje\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\chamje\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.peopleadmin.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\chamje\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
StartupFolder: c:\docume~1\chamje\startm~1\programs\startup\google~1.lnk - c:\documents and settings\chamje\local settings\application data\google\chrome\application\chrome.exe
StartupFolder: c:\docume~1\chamje\startm~1\programs\startup\shortc~1.lnk - c:\program files\microsoft office\office11\OUTLOOK.EXE
StartupFolder: c:\docume~1\chamje\startm~1\programs\startup\shortc~3.lnk - c:\program files\pidgin\pidgin.exe
StartupFolder: c:\docume~1\chamje\startm~1\programs\startup\shortc~2.lnk - c:\program files\microsoft sql server\80\tools\binn\SQL Server Enterprise Manager.MSC
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pgptray.lnk - c:\program files\pgp\pgp602i\PGPtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chamje\applic~1\mozilla\firefox\profiles\ebu8tg37.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\chamje\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-11-11 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-11-11 108392]
R2 PGPmemlock;PGPmemlock;c:\windows\system32\drivers\PGPmemlock.sys [2009-12-8 8384]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-11-11 2477304]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-17 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091209.041\NAVENG.SYS [2009-12-10 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091209.041\NAVEX15.SYS [2009-12-10 1323568]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-11-11 23888]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-12-3 30192]

=============== Created Last 30 ================


==================== Find3M ====================

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\SET185.tmp
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\SET186.tmp
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\SET138.tmp
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\SET17D.tmp
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\SET17E.tmp

============= FINISH: 10:16:21.27 ===============




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/10 10:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6FA5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE50000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4CD8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\chamje\application data\mozilla\firefox\profiles\ebu8tg37.default\sessionstore.js
Status: Size mismatch (API: 279365, Raw: 279427)

Path: C:\Documents and Settings\chamje\Local Settings\Apps\2.0\LA6GYZNH.Y8E\EEL92JQ5.2JT\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\chamje\Local Settings\Apps\2.0\LA6GYZNH.Y8E\EEL92JQ5.2JT\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8adf7e28

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8adf7f68

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8add5288

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8af56ed8

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8aa5b538

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8af68410

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8add38a8

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8adf55c0

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8adf7b88

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8add0878

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8adf28a8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8ae0bbd8

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8ad780c8

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xb74fb880

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8ae11688

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8ae01b38

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8af98108

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8ae643d8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8add91c0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8adf80e0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb71040b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8ae01a60

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8ae070a8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8add46e0

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8959aaf0

==EOF==

#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:01 PM

Posted 10 December 2009 - 02:02 PM

Hi SAlzis,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • Go to Tools => Internet Options => click on the Connections tab, then click on LAN Settings. The following items should be unchecked:
    • Automatically detect settings
    • Use a proxy server for your LAN
  • Please disable Norton Antivirus. To do that:
    • Please navigate to the system tray on the bottom right hand corner and look for the Norton system tray icon sign.
    • Right-click it -> choose "Disable Auto-Protect."
    • Select a duration of at least 2 hours (this assures no interference with the cleanup of your pc).
    • Click "Ok."
    • A popup will warn that protection will now be disabled. Then you see a red circle with a cross on the system tray icon.
    • You successfully disabled the Norton Antivirus Guard.
  • Please disable Norton AntiVirus Script Blocking so it will not interfere with the fixes we are going to make. To do that:
    • Start Norton AntiVirus.
      If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
    • Click Options.
    • If you see a menu, click Norton AntiVirus.
    • In the left pane, click Script Blocking.
    • On the right pane, uncheck the Enable Script Blocking (recommended) check box. Click OK.
    Note: It is important to enable Norton Antivirus after ComboFix produced its log.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
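The LAN-settings step above targets the line `uInternet Settings,ProxyServer = http=127.0.0.1:5555` in the DDS log: a per-user WinINet proxy entry pointing at a local port is a common leftover of this kind of infection, and it explains why IE and Chrome (which read the WinINet proxy settings) could not connect while Firefox still could. When triaging such logs offline it helps to pull out exactly these two things automatically: proxy entries aimed at the local machine, and RootRepeal SSDT hooks that could not be attributed to a driver on disk. The script below is an added example written for this page, not a tool from the thread or from the DDS/RootRepeal authors; the function names (`find_loopback_proxies`, `parse_ssdt_hooks`, `unattributed_hooks`, `triage`) are my own, and the sample log text is constructed to match the shape of the logs posted above.

```python
import re

# Constructed sample input, shaped like the DDS "Pseudo HJT Report" and
# RootRepeal "SSDT" sections posted in this thread (not copied log data).
SAMPLE_DDS = """\
uStart Page = hxxp://www.example.invalid/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
"""

SAMPLE_ROOTREPEAL = """\
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8add5288

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\wpsdrvnt.sys" at address 0xb74fb880

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xb71040b0
"""

# DDS prefixes the key with u (HKCU) or m (HKLM); the value is the raw
# WinINet ProxyServer string from the Internet Settings registry key.
PROXY_RE = re.compile(r"^([um])Internet Settings,ProxyServer\s*=\s*(.+)$")
HOOK_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\w+)$")
STATUS_RE = re.compile(r'^Status:\s*Hooked by\s*"([^"]*)"\s*at address\s*(0x[0-9a-fA-F]+)$')
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_proxy_server(value):
    """Split a WinINet ProxyServer value into {scheme: "host:port"}.

    WinINet accepts either a single "host:port" applied to every protocol
    (returned here under the key "*") or a ";"-separated list such as
    "http=host:port;https=host:port".
    """
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", scheme
        entries[scheme.strip()] = hostport.strip()
    return entries


def split_hostport(hostport):
    """Return (host, port) for "host:port", "[v6]:port" or a bare host."""
    if hostport.startswith("["):            # bracketed IPv6 literal
        host, _, rest = hostport[1:].partition("]")
        return host, rest.lstrip(":")
    host, sep, port = hostport.rpartition(":")
    if not sep:                              # no port given
        return hostport, ""
    return host, port


def is_loopback(host):
    return host.lower() in LOOPBACK_HOSTS or host.startswith("127.")


def find_loopback_proxies(log_text):
    """Flag ProxyServer entries that point the browser at the local machine."""
    findings = []
    for raw in log_text.splitlines():
        m = PROXY_RE.match(raw.strip())
        if not m:
            continue
        hive = "HKCU" if m.group(1) == "u" else "HKLM"
        for scheme, hostport in parse_proxy_server(m.group(2)).items():
            host, port = split_hostport(hostport)
            if is_loopback(host):
                findings.append({"hive": hive, "scheme": scheme, "host": host, "port": port})
    return findings


def parse_ssdt_hooks(log_text):
    """Pair each '#: NNN Function Name:' line with the 'Status:' line after it."""
    hooks, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "function": m.group(2),
                       "module": None, "address": None}
            hooks.append(current)
            continue
        m = STATUS_RE.match(line)
        if m and current is not None:
            current["module"], current["address"] = m.group(1), m.group(2)
            current = None
    return hooks


def unattributed_hooks(hooks):
    """Hooks RootRepeal could not tie to a driver file; review these first.
    Hooks owned by an installed security product are expected."""
    return [h for h in hooks if h["module"] == "<unknown>"]


def triage(dds_text, rootrepeal_text):
    return {"loopback_proxies": find_loopback_proxies(dds_text),
            "unattributed_hooks": unattributed_hooks(parse_ssdt_hooks(rootrepeal_text))}


if __name__ == "__main__":
    report = triage(SAMPLE_DDS, SAMPLE_ROOTREPEAL)
    for p in report["loopback_proxies"]:
        print(f"[proxy] {p['hive']} ProxyServer sends {p['scheme']} traffic to {p['host']}:{p['port']}")
    for h in report["unattributed_hooks"]:
        print(f"[ssdt ] #{h['index']:03d} {h['function']} hooked at {h['address']} by <unknown>")
```

An unattributed hook is only a lead, not a verdict: in the log above the two hooks RootRepeal could name belong to the Symantec and SUPERAntiSpyware drivers that are visibly installed, and a security product can also own hooks it leaves unnamed. The loopback proxy finding, by contrast, maps directly onto the symptom and onto the LAN-settings fix in the reply.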


#3 SAlzis

SAlzis
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 10 December 2009 - 02:38 PM

Hi Farbar,

Thank you for your help -- I will indeed refrain from running any scanning software or installing any programs while you are assisting me.

I ran ComboFix, and upon restart my port problems seemed to have been fixed -- which is great. I'm not seeing any other aberrant behavior at this time, so I think that just running this utility may have solved my issue entirely. However, I'm still going to attach my information here in case I am being naive. Thanks for your help, again:


ComboFix 09-12-09.04 - chamje 12/10/2009 13:20:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2433 [GMT -6:00]
Running from: c:\documents and settings\chamje\My Documents\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\chamje\LOCALS~1\Temp\install_flash_player.exe
c:\recycler\S-1-5-21-1000158025-4151988550-2647249530-500
c:\recycler\S-1-5-21-1202660629-1960408961-725345543-500
c:\recycler\S-1-5-21-2618458796-1513805834-3707945614-500
c:\recycler\S-1-5-21-2631782484-1814614412-4136514363-500
c:\recycler\S-1-5-21-3105941375-322374977-2911980705-500
c:\recycler\S-1-5-21-331742818-1760405631-1335406624-500
c:\recycler\S-1-5-21-3636857187-4112857629-1383995694-500
c:\recycler\S-1-5-21-3721289902-3635071087-1614288058-500
c:\recycler\S-1-5-21-3937739779-2444093951-1621253173-500
c:\recycler\S-1-5-21-4213961790-1319576102-1439567502-500
c:\recycler\S-1-5-21-767001543-3016269788-355964149-500
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))
.

2009-12-10 15:58 . 2009-12-10 15:58 388096 ----a-r- c:\documents and settings\chamje\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-10 15:58 . 2009-12-10 15:58 -------- d-----w- c:\program files\TrendMicro
2009-12-08 18:30 . 2009-12-08 18:30 -------- d-----w- c:\documents and settings\chamje\Local Settings\Application Data\Help
2009-12-08 17:13 . 1997-04-09 02:08 299520 ----a-w- c:\windows\uninst.exe
2009-12-03 22:55 . 2009-12-03 23:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-03 21:52 . 2009-12-03 21:52 -------- d-----w- c:\documents and settings\chamje\Application Data\Malwarebytes
2009-12-03 21:52 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:52 . 2009-12-03 21:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 21:52 . 2009-12-03 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-03 21:52 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 19:20 . 2009-12-03 19:20 117760 ----a-w- c:\documents and settings\chamje\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-03 19:20 . 2009-12-03 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-03 19:20 . 2009-12-03 19:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-03 19:20 . 2009-12-03 19:20 -------- d-----w- c:\documents and settings\chamje\Application Data\SUPERAntiSpyware.com
2009-12-03 19:01 . 2009-12-03 19:01 2165 ----a-w- c:\documents and settings\chamje\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com
2009-12-03 17:18 . 2009-12-03 22:31 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-03 17:16 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-12-03 17:16 . 2009-12-03 22:31 -------- d-----w- c:\program files\Lavasoft
2009-12-03 17:16 . 2009-12-03 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-03 16:46 . 2009-12-03 22:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-03 16:39 . 2009-12-03 16:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-03 16:33 . 2009-12-03 17:43 -------- d-----w- c:\documents and settings\chamje\Local Settings\Application Data\wivmbr
2009-12-02 14:38 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-12-02 14:38 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-12-02 14:38 . 2001-08-18 04:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-12-02 14:38 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-12-01 14:57 . 2009-12-01 14:57 2145 ----a-w- c:\documents and settings\chamje\Application Data\.purple\certificates\x509\tls_peers\ows.messenger.msn.com
2009-11-24 15:03 . 2009-11-24 15:03 -------- d-----w- c:\program files\Common Files\Apple
2009-11-24 15:02 . 2009-11-24 15:02 -------- d-----w- c:\program files\QuickTime
2009-11-24 15:02 . 2009-11-24 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-24 03:06 . 2009-11-24 03:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-11-20 21:45 . 2009-11-20 21:45 -------- d-----w- C:\VSS_FILES
2009-11-19 22:06 . 2009-11-19 22:06 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-19 22:06 . 2009-11-19 22:06 -------- d-----w- c:\program files\MSBuild
2009-11-19 22:06 . 2009-11-19 22:06 -------- d-----w- c:\program files\Reference Assemblies
2009-11-19 22:06 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-11-19 22:06 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-19 22:06 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-19 22:06 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-19 22:06 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-19 22:06 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-19 22:06 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-19 22:06 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-19 22:06 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-11-19 18:48 . 2009-11-19 18:48 -------- d-----w- c:\documents and settings\chamje\Local Settings\Application Data\Apple
2009-11-19 18:48 . 2009-11-19 18:48 -------- d-----w- c:\program files\Apple Software Update
2009-11-19 18:48 . 2009-11-19 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-19 18:48 . 2009-11-19 18:48 -------- d-----w- c:\documents and settings\chamje\Local Settings\Application Data\Apple Computer
2009-11-18 15:47 . 2009-11-18 17:59 -------- d-----w- c:\documents and settings\chamje\Local Settings\Application Data\Adobe
2009-11-18 15:45 . 2009-11-18 15:45 2141 ----a-w- c:\documents and settings\chamje\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-11-18 15:43 . 2009-11-18 15:43 2095 ----a-w- c:\documents and settings\chamje\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-11-18 15:42 . 2009-11-18 15:42 1065 ----a-w- c:\documents and settings\chamje\Application Data\.purple\certificates\x509\tls_peers\gmail.com
2009-11-18 15:41 . 2009-11-18 15:43 -------- d-----w- c:\documents and settings\chamje\Application Data\gtk-2.0
2009-11-18 15:40 . 2009-12-10 19:18 -------- d-----w- c:\documents and settings\chamje\Application Data\.purple
2009-11-18 15:40 . 2009-11-18 15:40 -------- d-----w- c:\program files\Pidgin
2009-11-18 15:39 . 2009-11-18 15:39 -------- d-----w- c:\program files\Common Files\GTK
2009-11-18 15:36 . 2009-12-03 21:52 -------- d-----w- c:\program files\Google
2009-11-18 15:25 . 2009-11-18 15:25 0 ----a-w- c:\windows\nsreg.dat
2009-11-18 15:25 . 2009-11-18 15:25 -------- d-----w- c:\documents and settings\chamje\Local Settings\Application Data\Mozilla
2009-11-18 15:21 . 2009-12-03 22:22 -------- d-----w- c:\documents and settings\chamje\Local Settings\Application Data\Temp
2009-11-18 15:21 . 2009-12-03 22:22 -------- d-----w- c:\documents and settings\chamje\Local Settings\Application Data\Google
2009-11-18 15:21 . 2009-11-18 15:21 -------- d-----w- c:\documents and settings\chamje\Local Settings\Application Data\Deployment
2009-11-18 15:16 . 2009-11-18 15:16 -------- d-sh--w- c:\documents and settings\chamje\IECompatCache
2009-11-18 15:16 . 2009-11-18 15:16 -------- d-sh--w- c:\documents and settings\chamje\PrivacIE
2009-11-18 15:12 . 2009-11-18 15:12 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-18 15:07 . 2009-11-18 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-11-18 15:03 . 2009-11-18 15:03 -------- d-----w- c:\documents and settings\chamje\Application Data\ShoreWare Client
2009-11-18 15:02 . 2009-11-19 22:18 45928 ----a-w- c:\documents and settings\chamje\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 15:02 . 2009-11-18 15:02 -------- d-----w- c:\documents and settings\chamje\Local Settings\Application Data\Symantec
2009-11-18 15:01 . 2007-05-07 20:01 -------- d-----w- c:\documents and settings\chamje\WINDOWS
2009-11-18 15:01 . 2007-05-07 19:09 -------- d-----w- c:\documents and settings\chamje\Application Data\AdobeUM
2009-11-18 15:01 . 2009-12-08 17:15 -------- d-----w- c:\documents and settings\chamje
2009-11-18 14:58 . 2009-11-18 14:58 -------- d-----w- c:\documents and settings\universe\Application Data\ShoreWare Client
2009-11-18 14:58 . 2009-11-18 14:58 -------- d-----w- c:\program files\Shoreline Communications
2009-11-18 14:57 . 2009-11-18 14:57 -------- d-----w- c:\documents and settings\universe\Application Data\{A4B436EC-9E0A-4989-A405-FBECF80C1666}
2009-11-18 14:52 . 2009-11-18 14:52 -------- d-sh--w- c:\documents and settings\universe\IETldCache
2009-11-17 21:00 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-17 21:00 . 2009-12-10 09:02 -------- d-----w- c:\windows\ie8updates
2009-11-17 21:00 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-17 21:00 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-17 20:58 . 2009-11-17 21:00 -------- dc-h--w- c:\windows\ie8
2009-11-17 20:47 . 2009-11-17 20:47 -------- d-----w- c:\windows\SchCache
2009-11-17 20:06 . 2009-11-17 20:06 -------- d-----w- c:\windows\system32\scripting
2009-11-17 20:06 . 2009-11-17 20:06 -------- d-----w- c:\windows\system32\en
2009-11-17 20:06 . 2009-11-17 20:06 -------- d-----w- c:\windows\l2schemas
2009-11-17 20:06 . 2009-11-17 20:06 -------- d-----w- c:\windows\system32\bits
2009-11-17 20:04 . 2009-11-17 20:07 -------- d-----w- c:\windows\ServicePackFiles
2009-11-17 19:52 . 2004-08-04 04:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-11-17 19:35 . 2009-12-03 21:14 149768 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2009-11-17 19:34 . 2009-11-11 22:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2009-11-17 19:32 . 2009-12-03 21:14 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-17 19:30 . 2009-11-17 20:11 -------- d-----w- C:\TEMP
2009-11-17 19:05 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-11-17 19:04 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-11-17 19:04 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-11-17 19:04 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-11-17 19:04 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-11-17 19:04 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-11-17 19:04 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-11-17 19:04 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-11-17 19:04 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-11-17 19:03 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-11-17 19:02 . 2009-11-03 02:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-17 19:01 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-11-17 19:01 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-17 19:01 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-11-17 19:01 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-11-17 19:01 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-11-17 19:01 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-11-17 19:01 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-17 19:01 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-17 19:01 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-11-17 19:00 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-11-17 19:00 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-11-17 19:00 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-17 19:00 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-11-17 19:00 . 2009-06-22 06:44 726528 -c--a-w- c:\windows\system32\dllcache\jscript.dll
2009-11-11 22:38 . 2009-11-11 22:38 89600 ----a-w- c:\windows\system32\atl71.dll
2009-11-11 22:38 . 2009-11-11 22:38 87368 ----a-w- c:\windows\system32\FwsVpn.dll
2009-11-11 22:38 . 2009-11-11 22:38 625032 ----a-w- c:\windows\system32\SymNeti.dll
2009-11-11 22:38 . 2009-11-11 22:38 42312 ----a-w- c:\windows\system32\drivers\WPSDRVnt.sys
2009-11-11 22:38 . 2009-11-11 22:38 357704 ----a-w- c:\windows\system32\sysfer.dll
2009-11-11 22:38 . 2009-11-11 22:38 242056 ----a-w- c:\windows\system32\SymRedir.dll
2009-11-11 22:38 . 2009-11-11 22:38 107848 ----a-w- c:\windows\system32\SymVPN.dll
2009-11-11 22:38 . 2009-11-11 22:38 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-08 17:14 . 2009-12-08 17:14 -------- d-----w- c:\program files\PGP
2009-11-17 20:39 . 2007-05-07 20:08 45928 ----a-w- c:\documents and settings\universe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-17 20:08 . 2007-05-07 16:57 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-17 19:35 . 2007-05-07 19:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-17 19:35 . 2007-05-07 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-11 22:38 . 2009-11-11 22:38 7442 ----a-w- c:\windows\system32\drivers\srtspx.cat
2009-11-11 22:37 . 2009-11-17 19:33 82288 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\program files\Symantec\SEP\I2ldvp3.dll
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-12-03 21:52 . 2009-12-03 21:52 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"Google Update"="c:\documents and settings\chamje\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-03 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe -hide" [X]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe -atboottime" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
"nwiz"="nwiz.exe" [2005-02-24 1495040]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-11-11 115560]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-03 30192]

c:\documents and settings\chamje\Start Menu\Programs\Startup\
Google Chrome.lnk - c:\documents and settings\chamje\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [2009-12-3 921072]
Shortcut to OUTLOOK.lnk - c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE [2005-7-5 196296]
Shortcut to pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2009-10-17 45603]
Shortcut to SQL Server Enterprise Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\SQL Server Enterprise Manager.MSC [2007-5-7 50688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
PGPtray.lnk - c:\program files\PGP\PGP602i\PGPtray.exe [2009-12-8 37888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 PGPmemlock;PGPmemlock;c:\windows\system32\drivers\PGPmemlock.sys [12/8/2009 11:14 AM 8384]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 5:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/17/2009 1:36 PM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/11/2009 4:37 PM 23888]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/3/2009 3:52 PM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.peopleadmin.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\chamje\Application Data\Mozilla\Firefox\Profiles\ebu8tg37.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\chamje\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus
MSConfigStartUp-Videohost - c:\docume~1\chamje\LOCALS~1\Temp\c.exe
MSConfigStartUp-yednombu - c:\documents and settings\chamje\Local Settings\Application Data\wivmbr\jgiksysguard.exe
AddRemove-WZCLINE - c:\program files\WinZip\winzip32



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 13:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\chamje\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'explorer.exe'(3928)
c:\windows\system32\WININET.dll
c:\windows\system32\PGP60hk.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\program files\Windows Defender\MSASCui.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\mmc.exe
c:\progra~1\SHOREL~1\SHOREW~1\STCLogin.exe
c:\program files\Microsoft Office\OFFICE11\WINWORD.EXE
.
**************************************************************************
.
Completion time: 2009-12-10 13:31:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-10 19:31

Pre-Run: 65,276,739,584 bytes free
Post-Run: 66,208,972,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - ECF8E2770960024205CB67BAC9850D6B
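Two items in the log above deserve a second look: the per-user WinINET proxy under "Supplementary Scan" (ProxyServer = http=127.0.0.1:5555, the setting Internet Explorer and Chrome honour while Firefox keeps its own proxy configuration unless told to use the system's, which is consistent with the symptoms in the first post) and the orphaned MSConfig startup entries living under Temp and Local Settings\Application Data. The following is an added example, not code from the thread: a small checker that flags both patterns in lines constructed from this log.

```python
import re

# Constructed excerpt modelled on the ComboFix log in the post above (not the full log).
SAMPLE_LOG = """\
uStart Page = hxxp://www.peopleadmin.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
MSConfigStartUp-Videohost - c:\\docume~1\\chamje\\LOCALS~1\\Temp\\c.exe
MSConfigStartUp-yednombu - c:\\documents and settings\\chamje\\Local Settings\\Application Data\\wivmbr\\jgiksysguard.exe
AddRemove-WZCLINE - c:\\program files\\WinZip\\winzip32
"""

# "uInternet Settings,ProxyServer = <value>" is the per-user WinINET proxy line.
PROXY_RE = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(.+)$", re.I)
# "MSConfigStartUp-<name> - <path>" lists startup entries ComboFix found orphaned.
START_RE = re.compile(r"^MSConfigStartUp-(\S+)\s+-\s+(.+)$", re.I)
# User-writable directories a legitimate autostart entry rarely lives in.
SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\application data\\")


def loopback_proxies(value):
    """Return the endpoints in a WinINET ProxyServer value that point at the local host.

    The value may be a single "host:port" or a ';'-separated list such as
    "http=127.0.0.1:5555;https=proxy:8080"; the "scheme=" prefix is stripped.
    """
    found = []
    for part in value.split(";"):
        host = part.split("=", 1)[-1].strip()
        if host.lower().startswith(("127.", "localhost")):
            found.append(host)
    return found


def analyse(log_text):
    """Flag loopback proxies and autostart entries in temp/appdata paths.

    Returns a list of (finding_type, detail) tuples.
    """
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            for host in loopback_proxies(m.group(1)):
                findings.append(("loopback-proxy", host))
            continue
        m = START_RE.match(line)
        if m:
            name, path = m.groups()
            if any(d in path.lower() for d in SUSPECT_DIRS):
                findings.append(("temp-autostart", f"{name} -> {path}"))
    return findings
```

A loopback proxy with nothing legitimately listening on that port simply fails every WinINET connection, which is why clearing the ProxyServer value (or resetting it to what the working machines on the network use) is part of cleanup even after the executable itself is gone.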

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 10 December 2009 - 05:32 PM

You are very welcome. :(

It looks good. :(

Go to Start => Run => copy and paste the next command into the field, then hit Enter:

ComboFix /Uninstall

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

*****
Recommendations:
  • I strongly recommend that you update Adobe Acrobat to the latest version, as the oldest versions have security holes that can be exploited by malware.

    To do that, click Start > All Programs > Adobe Reader > Help menu > Check for Updates...

  • I recommend using Site Advisor for safe surfing. It is a free extension for both Internet Explorer and Firefox. When you search for a site, it gives you an indication of how safe that site is.

  • I recommend installing this small application for safe surfing: Javacools SpywareBlaster
    SpywareBlaster adds a large list of programs and sites to your Internet Explorer and Firefox settings, which protects you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
Happy Surfing SAlzis!

Edited by farbar, 10 December 2009 - 05:51 PM.


#5 SAlzis

SAlzis
  • Topic Starter

  • Members
  • 3 posts

Posted 10 December 2009 - 05:46 PM

I really appreciate all your advice, FarBar -- have a good one!

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 10 December 2009 - 05:52 PM

You are most welcome SAlzis. :(

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



