
Virus/Malware NT/Authority System Shutdown and Google Redirect Problem


This topic is locked. 19 replies to this topic.

#1 Jorgieboy82

Posted 10 January 2010 - 01:53 AM

Hello,

I am new to this site and I was hoping you guys can be of assistance to me. I am experiencing a virus that is shutting down my computer, usually around 12:30am every night, with the message "NT/Authority System Shutdown, your computer needs to be shut down in 30 seconds". The last time I received this was back in 2004, when I had the same worm most people had on their computers.

Another issue I am having is that my Firefox and IE are extremely slow, mainly due to this Google Redirect bug/virus, whatever you want to call it. I have searched for days to try to resolve this matter. I downloaded numerous malware programs such as Anti-Virus Plus, Pareto, Trojan Remover, GooredFix, MalwareBytes I believe it's called, but nothing has worked. I scanned my system plenty of times but it never cleaned anything.

I have a Sony Vaio Laptop PCG-V505BX running on XP.

Please let me know what other information you need.


#2 Elise (Malware Study Hall Admin)

Posted 10 January 2010 - 06:43 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Please describe the issues you are experiencing with your computer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 Jorgieboy82 (Topic Starter)

Posted 10 January 2010 - 08:47 PM

Do I need to add more information about the description of my virus?

#4 Elise (Malware Study Hall Admin)

Posted 11 January 2010 - 03:00 AM

Let's see if there might be some rootkit involved here.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise




#5 Jorgieboy82 (Topic Starter)

Posted 11 January 2010 - 05:14 AM

Hi Elise,

Thank you for responding in a timely fashion. My Google redirect problem, along with my NT/Authority system shutdown issue, is really getting to me.

I followed your instructions by downloading GMER. However, there were problems.

Once I double-clicked it, it did the initial scan; this is what came up:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-11 05:09:58
Windows 5.1.2600 Service Pack 3
Running: 2fxztm41.exe; Driver: C:\DOCUME~1\Jorge\LOCALS~1\Temp\pfxoiaoc.sys


---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 82EB5841

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


I then pressed the Scan button. It started to scan, but it kept freezing when it hit:
C:\WINDOWS\system32\drivers\atapi.sys

My computer froze and I had to reboot. I tried it again and it froze on that part for a good 20 minutes, which led to my computer freezing, and I had to reboot again.

I tried doing the same in Safe Mode, but the same thing happened again under Safe Mode.


#6 Elise (Malware Study Hall Admin)

Posted 11 January 2010 - 05:58 AM

No problem, I already see what is hitting you...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


In case you want to go for the cleanup, let me know, and I will move your topic to the HJT/Malware Removal forum, so we can use the tools needed to get rid of this.

regards, Elise




#7 Jorgieboy82 (Topic Starter)

Posted 11 January 2010 - 06:17 AM

Hey,

Sounds pretty serious, but I use logmein.com every day for work-related stuff. Can that be it, possibly? I don't do any banking online, I just play poker, so I doubt they can steal that money. So I would rather do a cleanup to remove the trojan that is causing my PC to shut down and the Google redirect issue I have. I don't want to reinstall my OS from scratch.

Can you let me know what steps I should proceed with? Thank you very much.

#8 Jorgieboy82 (Topic Starter)

Posted 11 January 2010 - 06:23 AM

Also, I am thinking this is probably another virus I have, apart from the Google redirect and the NT system shutdown problem I am having. Or is it all related?

#9 Elise (Malware Study Hall Admin)

Posted 11 January 2010 - 06:31 AM

Hello Jorgieboy82,

I moved the topic. Please follow the steps below.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise




#10 Jorgieboy82 (Topic Starter)

Posted 11 January 2010 - 02:59 PM

Here is the log.


ComboFix 10-01-11.01 - Jorge 01/11/2010 14:29:20.1.1 - x86
Running from: c:\documents and settings\Jorge\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jorge\Application Data\inst.exe
c:\documents and settings\Jorge\Cookies\jorge@188hi[2].txt
c:\program files\Altnet
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab
c:\program files\INSTALL.LOG
c:\recycler\S-1-5-21-1067688118-4221320767-1685243768-1003
c:\recycler\S-1-5-21-1155070956-1628213052-462537324-1003
c:\recycler\S-1-5-21-1421321755-3516220846-2608481734-1003
c:\recycler\S-1-5-21-2068674554-3297406837-3013754823-1003
c:\recycler\S-1-5-21-2637056195-2404664874-4104927818-1003
c:\recycler\S-1-5-21-2719765980-3988803633-379763130-1003
c:\recycler\S-1-5-21-299502267-1202660629-854245398-1003
c:\recycler\S-1-5-21-301776254-3807701885-3072517741-1003
c:\recycler\S-1-5-21-636562729-613478534-3359872679-1003
c:\windows\system32\eecacebdadbff.dll.vir

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-10 08:27 . 2010-01-10 08:48 -------- d--h--w- c:\windows\$hf_mig$
2010-01-10 07:28 . 2010-01-10 07:28 -------- d-----w- c:\program files\Alwil Software
2010-01-09 20:07 . 2010-01-09 20:07 -------- d-----w- c:\documents and settings\Jorge\Local Settings\Application Data\Yahoo
2010-01-09 20:07 . 2010-01-09 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-09 20:07 . 2010-01-09 20:07 -------- d-----w- c:\documents and settings\Jorge\Application Data\Yahoo!
2010-01-09 20:03 . 2010-01-09 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-09 17:38 . 2010-01-09 17:38 -------- d-----w- c:\documents and settings\Jorge\Application Data\Malwarebytes
2010-01-09 17:37 . 2010-01-09 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-09 14:29 . 2010-01-10 07:57 508960 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-09 14:29 . 2010-01-10 07:57 29984 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-09 14:13 . 2010-01-09 14:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-09 13:53 . 2010-01-10 07:50 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-09 13:53 . 2010-01-10 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-09 13:53 . 2010-01-09 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-01-09 13:42 . 2010-01-09 13:42 -------- d--h--w- c:\windows\PIF
2010-01-08 08:22 . 2010-01-08 08:22 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-08 07:19 . 2010-01-08 07:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-08 05:12 . 2010-01-11 15:54 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-12-29 16:56 . 2009-12-29 16:56 201744 ----a-w- c:\windows\system32\lastmon.dll.vir
2009-12-27 13:59 . 2009-12-29 16:39 -------- d-----w- c:\program files\Cake Poker
2009-12-17 06:23 . 2009-12-29 16:40 -------- d-----w- c:\program files\nivioDrive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 19:46 . 2009-07-30 18:26 -------- d-----w- c:\documents and settings\Jorge\Application Data\Skype
2010-01-11 19:45 . 2009-07-30 18:29 -------- d-----w- c:\documents and settings\Jorge\Application Data\skypePM
2010-01-11 19:04 . 2009-05-24 23:40 -------- d-----w- c:\program files\Absolute Poker
2010-01-11 07:14 . 2008-12-23 04:02 -------- d-----w- c:\program files\LogMeIn
2010-01-10 08:00 . 2003-05-01 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-01-10 07:57 . 2010-01-09 14:29 8936 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-10 07:57 . 2010-01-09 14:29 3860 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-10 05:53 . 2009-06-25 21:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-09 20:07 . 2003-05-01 02:35 -------- d-----w- c:\program files\Yahoo!
2010-01-09 14:45 . 2010-01-09 14:45 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-01-08 08:18 . 2009-03-12 19:44 -------- d-----w- c:\documents and settings\Jorge\Application Data\BitTorrent
2010-01-06 22:31 . 2009-09-06 01:18 -------- d-----w- c:\documents and settings\Jorge\Application Data\vlc
2010-01-05 16:56 . 2009-03-12 20:37 -------- d-----w- c:\documents and settings\Jorge\Application Data\Vso
2009-12-29 16:43 . 2009-12-09 06:26 -------- d-----w- c:\documents and settings\Jorge\Application Data\Singlesnet
2009-12-03 10:51 . 2003-07-20 20:40 -------- d-----w- c:\program files\America Online 8.0a
2009-11-28 10:23 . 2009-11-28 10:10 -------- d-----w- c:\program files\Multi File Downloader
2009-11-28 10:18 . 2009-11-28 10:10 -------- d-----w- c:\documents and settings\Jorge\Application Data\Multi File Downloader
2009-11-28 10:15 . 2009-11-28 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2009-11-10 19:39 . 2010-01-09 20:03 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-11-02 04:07 . 2009-08-01 09:42 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-02 04:07 . 2009-08-01 09:42 47360 ----a-w- c:\documents and settings\Jorge\Application Data\pcouffin.sys
2009-11-02 04:07 . 2009-08-01 09:42 47360 ----a-w- c:\documents and settings\Jorge\Application Data\pcouffin.sys
2009-10-29 22:27 . 2003-08-05 19:28 34640 -c--a-w- c:\documents and settings\Jorge\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:46 . 2006-06-23 15:33 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2003-04-30 19:59 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2007-08-06 16:07 . 2009-05-26 05:55 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-07-18 18:54 . 2009-05-26 05:55 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-02-27 114688]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-08 294912]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2003-04-08 11750]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-04-01 81920]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"RemoveElanIcon"="c:\windows\System32\ELAN.exe" [2002-02-21 28672]
"AME_CSA"="amecsa.cpl" [2002-03-27 520192]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk - c:\program files\America Online 8.0a\aoltray.exe [2003-7-20 36939]
PowerPanel.lnk - c:\program files\PowerPanel\Program\PcfMgr.exe [2003-4-30 872448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 8.0a\\waol.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Multi File Downloader\\MultiFileDownloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [12/22/2008 11:02 PM 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/5/2009 6:38 AM 24652]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [4/30/2003 3:00 PM 71961]
S2 aebbafaaeca;a411ac33402ed7835ef219cd8c791232;c:\windows\aebbafaaeca.exe /s --> c:\windows\aebbafaaeca.exe [?]
S3 AmeAtmPc;AmeAtmPc;c:\windows\system32\drivers\ameatmpc.sys [7/28/2003 4:41 PM 109799]
S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [4/30/2003 2:59 PM 55808]
S3 PRISM;IEEE 802.11 Wireless NIC Driver;c:\windows\system32\drivers\EXPRESS.sys [4/30/2003 6:30 PM 631808]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2010-01-11 c:\windows\Tasks\PCHealth Scheduler for Upload Library.job
- c:\windows\PCHealth\UploadLB\Binaries\UploadM.exe [2003-04-30 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.Google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\v04w15qv.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - www.logmein.com
FF - prefs.js: keyword.URL -
FF - plugin: c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\v04w15qv.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE
AddRemove-BugOff - c:\documents and settings\Jorge\Local Settings\Temp\BugOff.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 14:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3664)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Sony\VAIO Media Music Server\SSSvr.exe
c:\program files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
c:\windows\wanmpsvc.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\WScript.exe
c:\program files\Apoint\Apntex.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Sony\HotKey Utility\HKWnd.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-01-11 14:53:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-11 19:53

Pre-Run: 2,123,005,952 bytes free
Post-Run: 2,735,288,320 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - E90D12B18C14C268340252A5D44D9346


#11 Elise (Malware Study Hall Admin)

Posted 12 January 2010 - 05:59 AM

Hello Jorgieboy82,

UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.

    Ask Toolbar
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
File::
c:\windows\aebbafaaeca.exe

Driver::
aebbafaaeca

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


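The CF-script above targets the one service line in the posted ComboFix log that stands out (S2 aebbafaaeca). The following Python helper is an added example, not part of this thread and not ComboFix's own logic: it parses ComboFix's "<start> <name>;<display>;<image> [<meta>]" service/driver lines, applies the kinds of checks a helper applies by eye (unverifiable image "[?]", missing image "[x]", 32-hex display name, random hex-letter name, executable dropped straight into the Windows folder), and emits the matching File::/Driver:: script block. The rules and their wording are my assumptions; the sample lines are copied from the log in this thread.

```python
import re

# Constructed sample: the service/driver lines from the ComboFix log posted above.
SAMPLE_LOG = r"""
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [12/22/2008 11:02 PM 47640]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [4/30/2003 3:00 PM 71961]
S2 aebbafaaeca;a411ac33402ed7835ef219cd8c791232;c:\windows\aebbafaaeca.exe /s --> c:\windows\aebbafaaeca.exe [?]
S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [4/30/2003 2:59 PM 55808]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
"""

# R0-R3 = running, S0-S4 = stopped; fields are separated by ';'
LINE_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Trailing bracket holds "date size", "?" (ComboFix could not verify the file) or "x" (file missing)
META_RE = re.compile(r"\s*\[(?P<meta>[^\]]*)\]$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)


def parse_service_line(line):
    """Parse one ComboFix service/driver line into a dict, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    meta = ""
    mm = META_RE.search(rest)
    if mm:
        meta = mm.group("meta").strip()
        rest = rest[: mm.start()].strip()
    cmdline = rest
    # "cmdline --> path": ComboFix prints the path it resolved after the arrow
    if "-->" in rest:
        rest = rest.split("-->", 1)[1].strip()
    return {
        "start": m.group("start"),
        "name": m.group("name"),
        "display": m.group("display"),
        "cmdline": cmdline,
        "image": rest,
        "meta": meta,
    }


def looks_random(name):
    """Heuristic (assumption): a name of 8+ characters built only from a-f letters."""
    return len(name) >= 8 and all(c in "abcdef" for c in name.lower())


def in_windows_root(image):
    """True when an .exe sits directly in the Windows folder instead of a subfolder."""
    parts = image.lower().replace("/", "\\").split("\\")
    return len(parts) == 3 and parts[1] == "windows" and parts[2].endswith(".exe")


def assess(entry):
    """Return the list of reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if entry["meta"] == "?":
        reasons.append("image could not be verified ([?])")
    if entry["meta"] == "x":
        reasons.append("image file is missing ([x]); orphaned entry")
    if HEX32_RE.match(entry["display"]):
        reasons.append("display name is a 32-char hex string")
    if looks_random(entry["name"]):
        reasons.append("service name is a random hex-letter string")
    if in_windows_root(entry["image"]):
        reasons.append("executable placed directly in the Windows folder")
    return reasons


def triage(log_text):
    """Map service name -> {'entry': parsed line, 'reasons': [...]} for flagged lines."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings[entry["name"]] = {"entry": entry, "reasons": reasons}
    return findings


def cfscript_for(entry):
    """Build the File::/Driver:: CFScript block, in the form used in this thread."""
    lines = []
    if entry["image"]:
        lines += ["File::", entry["image"], ""]
    lines += ["Driver::", entry["name"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, hit in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(hit['reasons'])}")
    print(cfscript_for(triage(SAMPLE_LOG)["aebbafaaeca"]["entry"]))
```

The orphaned LogMeIn entry is reported too, with a single low-weight reason, which is why a helper reads the reasons rather than the count alone.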


#12 Elise (Malware Study Hall Admin)

Posted 16 January 2010 - 12:41 PM

Hello, are you still there?

regards, Elise




#13 Jorgieboy82 (Topic Starter)

Posted 17 January 2010 - 12:12 AM

Yes, I had to get a new modem, so I was without internet for a while. I will run these steps and reply to your directions ASAP.

#14 Elise (Malware Study Hall Admin)

Posted 17 January 2010 - 02:58 AM

No problem :)

regards, Elise




#15 Jorgieboy82 (Topic Starter)

Posted 17 January 2010 - 06:21 PM

Hi Elise,

Just to let you know, I went to Control Panel > Add or Remove Programs to delete Ask Toolbar from my PC and it wouldn't let me. I still continued with your directions.

Here is the report as follows:

ComboFix 10-01-11.01 - Jorge 01/17/2010 8:56.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.218 [GMT -5:00]
Running from: c:\documents and settings\Jorge\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jorge\Desktop\CFScript.txt

FILE ::
"c:\windows\aebbafaaeca.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AEBBAFAAECA
-------\Service_aebbafaaeca


((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-13 20:51 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 08:27 . 2010-01-14 08:13 -------- d--h--w- c:\windows\$hf_mig$
2010-01-10 07:28 . 2010-01-10 07:28 -------- d-----w- c:\program files\Alwil Software
2010-01-09 20:07 . 2010-01-14 04:04 -------- d-----w- c:\documents and settings\Jorge\Local Settings\Application Data\Yahoo
2010-01-09 20:07 . 2010-01-14 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-01-09 20:07 . 2010-01-09 20:07 -------- d-----w- c:\documents and settings\Jorge\Application Data\Yahoo!
2010-01-09 20:03 . 2010-01-09 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-09 17:38 . 2010-01-09 17:38 -------- d-----w- c:\documents and settings\Jorge\Application Data\Malwarebytes
2010-01-09 17:37 . 2010-01-09 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-09 14:29 . 2010-01-10 07:57 508960 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-09 14:29 . 2010-01-10 07:57 29984 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-09 14:13 . 2010-01-09 14:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-09 13:53 . 2010-01-10 07:50 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-09 13:53 . 2010-01-10 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-09 13:53 . 2010-01-09 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-01-09 13:42 . 2010-01-09 13:42 -------- d--h--w- c:\windows\PIF
2010-01-08 08:22 . 2010-01-08 08:22 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-08 07:19 . 2010-01-08 07:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-08 05:12 . 2010-01-11 15:54 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-12-29 16:56 . 2009-12-29 16:56 201744 ----a-w- c:\windows\system32\lastmon.dll.vir
2009-12-27 13:59 . 2009-12-29 16:39 -------- d-----w- c:\program files\Cake Poker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 23:05 . 2009-07-30 18:26 -------- d-----w- c:\documents and settings\Jorge\Application Data\Skype
2010-01-17 23:03 . 2009-07-30 18:29 -------- d-----w- c:\documents and settings\Jorge\Application Data\skypePM
2010-01-17 13:41 . 2009-05-24 23:40 -------- d-----w- c:\program files\Absolute Poker
2010-01-12 06:40 . 2008-12-23 04:02 -------- d-----w- c:\program files\LogMeIn
2010-01-10 08:00 . 2003-05-01 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-01-10 07:57 . 2010-01-09 14:29 8936 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-10 07:57 . 2010-01-09 14:29 3860 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-10 05:53 . 2009-06-25 21:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-09 20:07 . 2003-05-01 02:35 -------- d-----w- c:\program files\Yahoo!
2010-01-09 14:45 . 2010-01-09 14:45 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-01-08 08:18 . 2009-03-12 19:44 -------- d-----w- c:\documents and settings\Jorge\Application Data\BitTorrent
2010-01-06 22:31 . 2009-09-06 01:18 -------- d-----w- c:\documents and settings\Jorge\Application Data\vlc
2010-01-05 16:56 . 2009-03-12 20:37 -------- d-----w- c:\documents and settings\Jorge\Application Data\Vso
2009-12-29 16:43 . 2009-12-09 06:26 -------- d-----w- c:\documents and settings\Jorge\Application Data\Singlesnet
2009-12-29 16:40 . 2009-12-17 06:23 -------- d-----w- c:\program files\nivioDrive
2009-12-03 10:51 . 2003-07-20 20:40 -------- d-----w- c:\program files\America Online 8.0a
2009-11-28 10:23 . 2009-11-28 10:10 -------- d-----w- c:\program files\Multi File Downloader
2009-11-28 10:18 . 2009-11-28 10:10 -------- d-----w- c:\documents and settings\Jorge\Application Data\Multi File Downloader
2009-11-28 10:15 . 2009-11-28 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2009-11-21 15:51 . 2003-04-30 19:59 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-10 19:39 . 2010-01-09 20:03 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-11-02 04:07 . 2009-08-01 09:42 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-02 04:07 . 2009-08-01 09:42 47360 ----a-w- c:\documents and settings\Jorge\Application Data\pcouffin.sys
2009-11-02 04:07 . 2009-08-01 09:42 47360 ----a-w- c:\documents and settings\Jorge\Application Data\pcouffin.sys
2009-10-29 22:27 . 2003-08-05 19:28 34640 -c--a-w- c:\documents and settings\Jorge\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:46 . 2006-06-23 15:33 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2003-04-30 19:59 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2007-08-06 16:07 . 2009-05-26 05:55 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-07-18 18:54 . 2009-05-26 05:55 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-02-27 114688]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-08 294912]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2003-04-08 11750]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-04-01 81920]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"RemoveElanIcon"="c:\windows\System32\ELAN.exe" [2002-02-21 28672]
"AME_CSA"="amecsa.cpl" [2002-03-27 520192]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk - c:\program files\America Online 8.0a\aoltray.exe [2003-7-20 36939]
PowerPanel.lnk - c:\program files\PowerPanel\Program\PcfMgr.exe [2003-4-30 872448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 8.0a\\waol.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Multi File Downloader\\MultiFileDownloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [12/22/2008 11:02 PM 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/5/2009 6:38 AM 24652]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [4/30/2003 3:00 PM 71961]
S3 AmeAtmPc;AmeAtmPc;c:\windows\system32\drivers\ameatmpc.sys [7/28/2003 4:41 PM 109799]
S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [4/30/2003 2:59 PM 55808]
S3 PRISM;IEEE 802.11 Wireless NIC Driver;c:\windows\system32\drivers\EXPRESS.sys [4/30/2003 6:30 PM 631808]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2010-01-17 c:\windows\Tasks\PCHealth Scheduler for Upload Library.job
- c:\windows\PCHealth\UploadLB\Binaries\UploadM.exe [2003-04-30 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.Google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\v04w15qv.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - www.logmein.com
FF - prefs.js: keyword.URL -
FF - plugin: c:\documents and settings\Jorge\Application Data\Mozilla\Firefox\Profiles\v04w15qv.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 18:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3940)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Sony\VAIO Media Music Server\SSSvr.exe
c:\program files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
c:\windows\wanmpsvc.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\WScript.exe
c:\windows\system32\rundll32.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Sony\HotKey Utility\HKWnd.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
.
**************************************************************************
.
Completion time: 2010-01-17 18:11:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 23:11
ComboFix2.txt 2010-01-11 19:53

Pre-Run: 2,576,723,968 bytes free
Post-Run: 2,557,984,768 bytes free

- - End Of File - - 10EF946BED509087E8F0E3EF69D59016