Computer Freezing Soon After Startup


This topic is locked
16 replies to this topic

#1 Noviz (Members, 17 posts)

Posted 03 January 2010 - 08:36 PM

Hi,
Yesterday I got warnings from my anti-virus (avast) about the trojan named in the topic title.
Soon after this my computer stopped working.
Each time I load windows in normal mode it freezes within minutes. It first slows down, so I cannot click anything, then completely freezes.
In safe-mode I can work without this problem for much longer. But eventually the same thing happens.
I have tried running virus/malware scans using a range of programs. None are now detecting anything, however the issue still remains.


DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Owner at 1:16:20.54 on 04/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1012.706 [GMT 0:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! antivirus 4.8.1368 [VPS 100103-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.co.uk
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231348905156
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231353951734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {91C045A0-A2A0-4FBC-9F04-01BD4E090301} - hxxps://slb-ssl-vpn.hull.ac.uk:10443/fortihostcheck.cab
DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://slb-ssl-vpn.hull.ac.uk:10443/sslvpn.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\upi8y2md.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
FF - component: c:\program files\mozilla firefox\components\FFConnectorLauncher.dll
FF - component: c:\program files\mozilla firefox\components\FFSource.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2009-3-9 36384]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-22 114768]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-22 20560]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-22 138680]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-12-21 54752]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-22 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-22 352920]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
S4 FortiSslvpnDaemon;FortiSslvpnDaemon;c:\windows\system32\fortisslvpndaemon.exe --> c:\windows\system32\FortiSslvpnDaemon.exe [?]
S4 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2010-01-03 22:40:25 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-03 18:56:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-03 18:05:03 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-01-03 18:04:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-03 13:34:54 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-25 15:41:13 0 d--h--w- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-12-25 15:40:44 1645320 ----a-w- c:\windows\system32\gdiplus.dll
2009-12-25 15:40:38 245408 ----a-w- c:\windows\system32\unicows.dll
2009-12-25 15:38:08 20992 ----a-w- c:\windows\jestertb.dll
2009-12-25 13:13:09 0 d-----w- c:\program files\DivX
2009-12-25 13:13:09 0 d-----w- c:\program files\common files\DivX Shared
2009-12-24 23:24:31 0 d-----w- c:\windows\system32\Adobe
2009-12-24 21:53:48 0 d-----w- c:\docume~1\owner\applic~1\qs
2009-12-24 21:52:09 0 d-----w- c:\program files\QuickSnooker 7
2009-12-23 19:01:28 0 d-----w- c:\program files\Lame for Audacity
2009-12-23 19:00:55 0 d-----w- c:\program files\Audacity
2009-12-22 17:08:26 0 d-----w- c:\program files\Windows Media Connect 2
2009-12-22 17:06:54 0 d-----w- C:\cf35c9a777d4f0ed9459924ef195546a
2009-12-22 17:06:14 0 d-----w- C:\e80ec319b4b8b5ec8b
2009-12-22 17:04:26 0 d-----w- c:\windows\pss
2009-12-22 16:52:12 0 d-----w- c:\program files\Gomez
2009-12-22 15:42:19 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-22 15:34:19 499712 ----a-r- c:\windows\system32\msvcp71.dll
2009-12-22 15:34:19 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-12-22 15:34:19 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-22 15:09:42 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-22 15:09:42 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-12-22 15:09:23 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-22 14:28:57 654 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-21 23:09:22 0 d-----w- c:\documents and settings\owner\Tracing
2009-12-21 23:08:03 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-12-21 23:02:06 0 d-----w- c:\program files\Microsoft
2009-12-21 23:01:41 0 d-----w- c:\program files\Windows Live SkyDrive
2009-12-21 22:45:38 0 d-----w- c:\program files\common files\Windows Live
2009-12-20 18:06:22 0 d-----w- c:\program files\GRETECH

==================== Find3M ====================

2009-11-14 00:47:32 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 1:17:09.82 ===============



#2 Farbar (Just Curious; Security Developer; 21,711 posts; The Netherlands)

Posted 04 January 2010 - 06:33 AM

Hi Noviz,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

In case normal mode doesn't stand long enough you may perform the fixes in safe mode.
  • If you have Daemon Tools installed please uninstall it as it is an undesirable program and might interfere with our fixes. See for more information: http://www.bleepingcomputer.com/uninstall/...emon-Tools.html

    Also please go to Add/Remove programs and uninstall Daemon Toolbar.

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  • Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    @echo off
    cd\
    mbr.exe -t 
    start mbr.log
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click look.bat on the desktop.
    • A notepad opens, copy and paste the content (mbr.log) to your reply.


#3 Noviz (Topic Starter; Members, 17 posts)

Posted 04 January 2010 - 07:48 AM

Ok. Steps 1 and 2 were completed without errors.
The logfile for step 3 is shown below:
(Thanks for helping me out)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8661FAF0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8661faf0
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> 0x8669c1d0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

#4 Farbar (Just Curious; Security Developer; 21,711 posts; The Netherlands)

Posted 04 January 2010 - 07:59 AM

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

@echo off
cd\
mbr.exe -f
start mbr.log
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: fix.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click fix.bat on the desktop.
  • A notepad opens, copy and paste the content (mbr.log) to your reply.


#5 Noviz (Topic Starter; Members, 17 posts)

Posted 04 January 2010 - 08:02 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8661faf0
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> 0x8669c1d0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

#6 Farbar (Just Curious; Security Developer; 21,711 posts; The Netherlands)

Posted 04 January 2010 - 08:05 AM

It was too fast. Did you perform the step in the previous post and make the fix.bat?

#7 Noviz (Topic Starter; Members, 17 posts)

Posted 04 January 2010 - 08:07 AM

    It was too fast. Did you perform the step in the previous post and make the fix.bat?

Yeah I did what you said. I'll try running it again...

It comes up with something different this time:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8661faf0
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> 0x8669c1d0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
Use "Recovery Console" command "fixmbr" to clear infection !
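Reading mbr.exe output by eye across several runs is where mistakes creep in, so here is an added example (not part of this thread and not GMER's code) that parses an mbr.log into a structured verdict covering the three states seen above: the initial `-t` scan, the `-f` run that restored the MBR, and the rescan where user and kernel MBR agree but the rootkit's copy is still on disk. The two sample logs are copied from posts #3 and #7; the parser, its field names and the state labels are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOOK_RE = re.compile(r"^(.*?) -> (?:.*? -> )?0x([0-9A-Fa-f]+)$")
SECTOR_RE = re.compile(r"sector(?: at)? 0x([0-9A-Fa-f]+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")


@dataclass
class MbrReport:
    hooks: List[Tuple[str, int]] = field(default_factory=list)  # (hooked object, address)
    unknown_module: Optional[int] = None   # unnamed module in the disk driver stack
    mbr_copy_sector: Optional[int] = None  # where the original MBR was stashed
    malicious_code_sector: Optional[int] = None
    user_kernel_ok: bool = False           # MBR as seen from user and kernel mode agree
    infection_detected: bool = False
    restored: bool = False
    recommendation: Optional[str] = None   # the "Use ..." advice printed by the tool


def parse_mbr_log(text: str) -> MbrReport:
    """Pull the facts out of an mbr.exe log, one line at a time."""
    rep = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "detected MBR rootkit hooks:":
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                rep.hooks.append((m.group(1), int(m.group(2), 16)))
                continue
            in_hooks = False  # first non-hook line closes the list
        m = UNKNOWN_RE.search(line)
        if m:
            rep.unknown_module = int(m.group(1), 16)
        m = SECTOR_RE.search(line)
        if m and line.startswith("copy of MBR"):
            rep.mbr_copy_sector = int(m.group(1), 16)
        elif m and line.startswith("malicious code"):
            rep.malicious_code_sector = int(m.group(1), 16)
        if line.startswith("user & kernel MBR OK"):
            rep.user_kernel_ok = True
        if line.startswith("MBR rootkit infection detected"):
            rep.infection_detected = True
        if line.startswith("original MBR restored successfully"):
            rep.restored = True
        if "Use" in line:
            rep.recommendation = line[line.index("Use"):]
    return rep


def classify(rep: MbrReport) -> str:
    """Map a report onto the states that appear in this thread (labels are mine)."""
    if rep.restored:
        return "fixed: original MBR written back, reboot and rescan"
    if rep.infection_detected:
        return "infected: MBR hooked and modified on disk"
    if rep.user_kernel_ok and rep.malicious_code_sector is not None:
        return "residue: MBR clean, rootkit copy still in unallocated sectors"
    if rep.hooks:
        return "suspicious: kernel hooks present without MBR modification"
    return "clean"


# Sample logs copied from the thread above (post #3 and post #7).
LOG_SCAN = r"""
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8661FAF0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8661faf0
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> 0x8669c1d0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

LOG_AFTER_FIX = r"""
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8661faf0
NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> 0x8669c1d0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
Use "Recovery Console" command "fixmbr" to clear infection !
"""
```

The cross-check worth noticing: the unnamed module in the disk stack (`>>UNKNOWN [0x8661FAF0]<<`) sits at the same address as the `\Driver\ACPI` hook, and those in-memory hooks persist in the second log even after the MBR itself reads clean, which is why the tool still points at the on-disk copy.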

#8 Farbar (Just Curious; Security Developer; 21,711 posts; The Netherlands)

Posted 04 January 2010 - 08:13 AM

OK well done. That is what we should see.

We prefer to run ComboFix in normal mode. But first try to see if normal mode stays up long enough. Don't run ComboFix until you are sure. If it freezes then go to Safe Mode with Networking, as we need an internet connection. When ComboFix needs to reboot, reboot to normal mode and tell me if it produces its log.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#9 Noviz (Topic Starter; Members, 17 posts)

Posted 04 January 2010 - 08:51 AM

Here you go:


ComboFix 10-01-03.05 - Owner 04/01/2010 13:33:27.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1012.468 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100103-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log
c:\windows\jestertb.dll
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))
.

2010-01-04 12:45 . 2010-01-04 12:45 77312 ----a-w- C:\mbr.exe
2010-01-04 01:44 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-04 01:44 . 2010-01-04 01:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 01:44 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 22:40 . 2010-01-04 00:30 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-03 21:02 . 2010-01-03 21:02 -------- d-----w- c:\documents and settings\HelpAssistant.ACERASPIRE\WINDOWS
2010-01-03 20:57 . 2010-01-03 21:02 -------- d-----w- c:\documents and settings\HelpAssistant.ACERASPIRE
2010-01-03 18:56 . 2010-01-03 20:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-03 18:05 . 2010-01-03 18:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-03 18:04 . 2010-01-03 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-02 23:35 . 2010-01-03 13:34 -------- d-s---w- c:\documents and settings\HelpAssistant
2009-12-25 15:41 . 2009-12-25 15:41 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ArcSoft
2009-12-25 15:41 . 2009-12-25 15:43 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2009-12-25 15:41 . 2009-12-25 15:43 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-12-25 15:40 . 2004-05-04 11:53 1645320 ----a-w- c:\windows\system32\gdiplus.dll
2009-12-25 15:40 . 2009-12-25 15:40 -------- d-----w- c:\program files\ArcSoft
2009-12-25 15:40 . 2005-04-27 16:36 245408 ----a-w- c:\windows\system32\unicows.dll
2009-12-25 15:40 . 2009-12-25 15:40 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-12-25 15:31 . 2009-12-25 15:31 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-12-25 13:13 . 2009-12-25 18:34 -------- d-----w- c:\program files\DivX
2009-12-25 13:13 . 2009-12-25 13:13 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-24 23:24 . 2009-12-24 23:24 -------- d-----w- c:\windows\system32\Adobe
2009-12-24 21:53 . 2009-12-25 15:28 -------- d-----w- c:\documents and settings\Owner\Application Data\qs
2009-12-24 21:52 . 2009-12-24 21:52 -------- d-----w- c:\program files\QuickSnooker 7
2009-12-23 19:07 . 2009-12-23 19:11 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2009-12-23 19:07 . 2009-12-23 19:07 -------- d-----w- c:\program files\FileZilla FTP Client
2009-12-23 19:01 . 2009-12-23 19:01 -------- d-----w- c:\program files\Lame for Audacity
2009-12-23 19:00 . 2009-12-23 19:00 -------- d-----w- c:\program files\Audacity
2009-12-22 17:08 . 2009-12-22 17:08 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-22 17:06 . 2009-12-22 17:07 -------- d-----w- C:\cf35c9a777d4f0ed9459924ef195546a
2009-12-22 17:06 . 2009-12-22 17:07 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-12-22 17:06 . 2009-12-22 17:06 -------- d-----w- C:\e80ec319b4b8b5ec8b
2009-12-22 16:52 . 2009-12-22 16:52 -------- d-----w- c:\program files\Gomez
2009-12-22 15:42 . 2009-12-22 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-22 15:35 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-22 15:35 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-22 15:35 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-22 15:34 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-22 15:34 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-22 15:34 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-22 15:34 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-22 15:34 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-22 15:34 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-22 15:34 . 2003-03-18 22:14 499712 ----a-r- c:\windows\system32\msvcp71.dll
2009-12-22 15:34 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-22 15:34 . 2003-02-21 04:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-12-22 15:34 . 2009-12-22 15:34 -------- d-----w- c:\program files\Alwil Software
2009-12-22 15:09 . 2010-01-03 18:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-22 15:09 . 2009-12-22 15:09 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-12-22 15:09 . 2009-12-22 15:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-22 14:27 . 2009-12-22 14:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-21 23:09 . 2010-01-02 22:07 -------- d-----w- c:\documents and settings\Owner\Tracing
2009-12-21 23:08 . 2009-12-22 13:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-21 23:08 . 2009-08-05 22:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-12-21 23:07 . 2009-12-21 23:07 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-12-21 23:07 . 2009-12-21 23:07 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-21 23:02 . 2009-12-21 23:02 -------- d-----w- c:\program files\Microsoft
2009-12-21 23:01 . 2009-12-21 23:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-21 22:45 . 2009-12-21 22:45 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-20 20:24 . 2009-12-20 20:24 -------- d-----w- c:\documents and settings\Owner\Application Data\GRETECH
2009-12-20 18:06 . 2009-12-20 18:06 -------- d-----w- c:\program files\GRETECH
2009-12-11 16:55 . 2009-12-11 17:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-04 13:18 . 2009-01-10 20:22 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-01-04 12:41 . 2009-02-16 22:58 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-01-03 19:50 . 2009-01-12 16:05 -------- d-----w- c:\documents and settings\Owner\Application Data\NewsBin
2010-01-03 17:02 . 2009-01-12 04:44 -------- d-----w- c:\program files\uTorrent
2010-01-03 17:01 . 2010-01-03 17:01 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-03 16:58 . 2009-11-13 13:02 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-03 13:34 . 2009-01-07 17:58 -------- d-----w- c:\program files\Steam
2010-01-03 11:59 . 2009-12-22 15:44 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-28 19:28 . 2009-01-07 18:41 57 ----a-w- c:\windows\popcinfot.dat
2009-12-26 23:06 . 2009-01-07 16:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-24 17:23 . 2009-06-10 16:54 -------- d-----w- c:\program files\DOSBox-0.73
2009-12-22 19:44 . 2009-01-11 03:23 -------- d-----w- c:\program files\PeerGuardian2
2009-12-22 16:15 . 2009-04-18 00:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Spotify
2009-12-22 15:43 . 2009-12-22 15:43 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-21 23:09 . 2009-01-07 18:20 35792 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 23:08 . 2009-01-07 18:24 -------- d-----w- c:\program files\Windows Live
2009-12-09 23:50 . 2009-03-17 00:44 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-23 18:57 . 2009-02-16 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-10 21:40 . 2009-11-10 21:39 -------- d-----w- c:\program files\TaoFramework
2009-11-10 21:31 . 2009-02-16 23:27 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-29 07:45 . 2009-01-07 14:35 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-19 20:11 . 2009-02-16 23:20 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2009-10-19 20:11 . 2009-02-16 23:20 1741408 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2009-10-13 10:30 . 2009-01-07 14:08 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2009-01-07 14:14 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2009-01-07 14:14 79872 ----a-w- c:\windows\system32\raschap.dll
2009-06-22 09:48 . 2009-06-22 09:48 115552 ----a-w- c:\program files\mozilla firefox\components\FFConnectorLauncher.dll
2009-06-22 09:48 . 2009-06-22 09:48 239968 ----a-w- c:\program files\mozilla firefox\components\FFSource.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\System32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-12 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bejeweled deluxe\\WinBej.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\everyday shooter\\EverydayShooter.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\freedom force\\fforce.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\ultimate doom\\ultimate.bat"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [22/12/2009 15:34 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22/12/2009 15:34 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [21/12/2009 23:08 54752]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [09/03/2009 14:01 36384]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S4 FortiSslvpnDaemon;FortiSslvpnDaemon;c:\windows\system32\FortiSslvpnDaemon.exe --> c:\windows\system32\FortiSslvpnDaemon.exe [?]
S4 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [02/12/2006 05:17 2805000]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16/02/2009 22:56 717296]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - RDPWD
*NewlyCreated* - TDTCP
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk
DPF: {91C045A0-A2A0-4FBC-9F04-01BD4E090301} - hxxps://slb-ssl-vpn.hull.ac.uk:10443/fortihostcheck.cab
DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://slb-ssl-vpn.hull.ac.uk:10443/sslvpn.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\upi8y2md.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\components\FFConnectorLauncher.dll
FF - component: c:\program files\Mozilla Firefox\components\FFSource.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe
MSConfigStartUp-Malware Defense - c:\program files\Malware Defense\mdefense.exe
AddRemove-Blake Stone Aliens of Gold_is1 - c:\emulators\Blake Stone Aliens of Gold\unins000.exe
AddRemove-Rise of The Triad_is1 - c:\emulators\Rise of The Triad\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-04 13:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\SEP3.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1776)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\docume~1\Owner\LOCALS~1\Temp\RtkBtMnt.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-04 13:48:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-04 13:48

Pre-Run: 73,090,936,832 bytes free
Post-Run: 73,704,226,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[Boot Loader]
timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="USB Repair NOT to Start Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - 2BD0523E3CFE3B6C85D8DD203FAE4053

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:48 PM

Posted 04 January 2010 - 09:30 AM

Well done. :(
  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Open RootRepeal. Select Hidden Services. Then press Scan and, when it has finished, Save Log. Either post the log or let me know if no Hidden Services are found.


#11 Noviz

Noviz
  • Topic Starter

  • Members
  • 17 posts
  • Local time:11:48 AM

Posted 04 January 2010 - 09:47 AM

Nothing was found in either scan.
Also, the symptoms I described in my first post seem to have been cured, as normal mode has not frozen for at least 30 minutes now.

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:48 PM

Posted 04 January 2010 - 10:01 AM

Great. :(

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between one another, as the name(s) suggest. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • You may do the usual things with the computer for a couple of hours and post back to let me know if there is any issue or freezing. Let ComboFix be on the system for now. We will uninstall it later on.


#13 Noviz

Noviz
  • Topic Starter

  • Members
  • 17 posts
  • Local time:11:48 AM

Posted 04 January 2010 - 10:30 AM

Ok, done all the things you said to do in your last post.

Will give it a few hours then report back.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:48 PM

Posted 04 January 2010 - 10:55 AM

:(

#15 Noviz

Noviz
  • Topic Starter

  • Members
  • 17 posts
  • Local time:11:48 AM

Posted 04 January 2010 - 06:50 PM

Just to let you know, the computer is now running perfectly.
