
Unknown Virus: Blocks Programs, Crashes Web Browsing and Pretends to be an Antivirus


  • This topic is locked
25 replies to this topic

#1 zret

zret

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Location:Grand Rapids, MI
  • Local time:05:33 AM

Posted 05 February 2010 - 01:11 AM

Hello. First off let me thank you for just having this site to go to, it's very reassuring to know somebody is out there that is willing to put the time into helping other people with a difficult and frustrating problem.

Alright. I have a PC that up until very recently had very few troubles. It runs with AVG free, which up until now has never failed in warning me or catching anything suspicious. Now the computer has been infected with what appears to be a fake antivirus program that insists nearly everything I try to do offline (except some non-essential programs and moving files) is infected and asks "Do you want to activate your antivirus software now?". Where the internet is concerned, every attempt I've made to try and scan the computer or attempt to troubleshoot the problem has caused downloads to have errors, and Internet Explorer doesn't work at all. In fact, with Internet Explorer the "Anti-virus" attempts to convince me that the site I'm trying to view (Google) is not safe and I should purchase an Anti-virus in order to be able to view it safely. Occasionally Windows Security Center pops up, I don't know if this is the virus again or if my Windows is trying to warn me, belatedly. Also, the virus loads up Internet Explorer and sends me to porno sites. I took a friend's advice and managed to get the PC to reboot into safe mode, and luckily the virus wasn't able to affect it....as much. In safe mode, Internet Explorer can't connect at all (obviously this is safe mode with network capability that I'm referring to) and Firefox crashes after a few moments. I used AVG to scan the entire computer in safe mode, to no avail. It was then I stumbled upon Combofix and this website, and decided to give it a shot. I'm doing this all from my desktop PC (the infected being a laptop) and have transferred the information via USB flash drive that has been routinely scanned before being used.

Here's the DDS file.


DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Timmy at 22:04:49.96 on Thu 02/04/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.2525 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\DllHost.exe
H:\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6]
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [pronto] "c:\program files\wimba\pronto\pronto.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [hdovqnku] c:\users\timmy\appdata\local\lcpcse\urchsftav.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AppMon Utility] "c:\program files\sony\appmonutil\AppMonUtility.exe" @@@Start
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [VAIOSecurity] "c:\program files\sony\vaio security center\VSC.exe" 1
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [UACEnableEntry] regedit.exe /s c:\users\timmy\appdata\local\temp\\UAC_Enable.reg
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\users\timmy\appdata\roaming\micros~1\windows\startm~1\programs\startup\audiof~1.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\timmy\appdata\roaming\mozilla\firefox\profiles\3713tzfs.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-18 24652]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-27 21504]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2007-1-9 72704]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2007-1-9 43904]
S3 slim;Sony Lucid Integrated Mpeg encoder;c:\windows\system32\drivers\slim.sys [2007-1-9 699264]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2007-1-9 30976]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-1-9 227328]
S3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\system32\drivers\USBAVCap.sys [2007-1-9 774528]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2008-4-15 741376]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2008-4-15 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2008-4-15 1089536]

=============== Created Last 30 ================

2010-02-05 01:31:18 0 d-----w- C:\ComboFix
2010-02-05 00:35:34 0 d---a-w- c:\programdata\TEMP
2010-02-04 21:56:04 0 d-----w- c:\windows\pss
2010-02-03 01:41:33 0 d-----w- c:\program files\iPod
2010-01-29 18:30:04 0 d-----w- c:\users\timmy\.rainlendar2
2010-01-29 18:29:46 0 d-----w- c:\program files\Rainlendar2
2010-01-26 23:11:15 0 d-----w- c:\program files\common files\PX Storage Engine
2010-01-26 23:10:58 0 d-----w- c:\program files\DivX
2010-01-26 23:10:58 0 d-----w- c:\program files\common files\DivX Shared
2010-01-20 00:17:02 0 d-----w- c:\windows\system32\Adobe
2010-01-12 21:45:22 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 21:45:22 156672 ----a-w- c:\windows\system32\t2embed.dll

==================== Find3M ====================

2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 19:45:11 86016 ----a-w- c:\windows\inf\infpub.dat
2009-11-17 19:45:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 19:45:11 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-17 19:45:11 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-14 00:47:32 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2008-10-28 11:24:19 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-14 21:25:05 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-14 21:20:47 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-04-15 14:54:46 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-04-15 14:54:46 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-04-15 14:54:46 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:05:31.16 ===============

Unfortunately, as you'll find out when you view the attachments, the only setback I've had was the fact that RootRepeal did not work completely. I'm sending what completed reports I have, along with the crash reports that RootRepeal sent to me during the multiple times I attempted to scan the C drive. They appear to have identical exception codes, and nearly identical Attempt to Write to Addresses. The exception address is always different.

Again, thank you for your time and assistance, it's much needed and much appreciated. Hope this will be enough info for you to help me.

Sincerely,

Zret

Attached Files



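Two lines in the DDS report above are the ones a responder would look at first: the browser proxy forced onto the loopback interface (`uInternet Settings,ProxyServer = http=127.0.0.1:5555`), which is consistent with Internet Explorer being fed warning pages and downloads failing, and the `uRun` entry that launches a random-named executable from under `AppData\Local`. The script below is an added example (Python, not part of this thread and not a feature of the DDS tool) that reads report lines of that shape and flags those two patterns. The sample lines are constructed to mirror the posted log, and the "random-looking name" heuristic is an assumption of this script, not anything DDS itself computes.

```python
"""Triage helper for a DDS "Pseudo HJT Report" (added example; not part of the
thread and not a feature of the DDS tool). It reads the report lines and flags
the two patterns that stand out in the log above: a browser proxy forced onto
the loopback interface, and autostart (Run) entries that launch a randomly
named executable from the user's AppData\\Local tree. The randomness heuristic
is an assumption of this script, not anything DDS itself computes."""
import re
from dataclasses import dataclass

# Constructed sample, mirroring the shape of the log posted above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [hdovqnku] c:\users\timmy\appdata\local\lcpcse\urchsftav.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
"""

PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer\s*=\s*(?P<value>\S.*)$",
                      re.IGNORECASE)
RUN_RE = re.compile(r"^(?P<key>[umd]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Locations a standard user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = ("\\appdata\\local\\", "\\temp\\")
VOWELS = set("aeiouy")


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = look at it
    line: str
    reason: str


def is_loopback_proxy(value: str) -> bool:
    """True if any proxy in a WinINet ProxyServer value ("http=host:port;...") is local."""
    for part in value.split(";"):
        host = part.split("=")[-1].strip().split(":")[0].lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def looks_random(token: str) -> bool:
    """Crude randomness test: lowercase letters only, 6+ chars, a run of 4+ consonants."""
    if len(token) < 6 or not (token.isalpha() and token.islower()):
        return False
    run = 0
    for ch in token:
        run = 0 if ch in VOWELS else run + 1
        if run >= 4:
            return True
    return False


def triage(report: str) -> list:
    """Return Findings for the report lines, in the order they appear."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            if is_loopback_proxy(m["value"]):
                findings.append(Finding("high", line,
                    "browser traffic is forced through a proxy on the loopback interface, "
                    "i.e. a local process sits between the browser and the network"))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        name, cmd = m["name"], m["cmd"].lower()
        if name == "<NO NAME>" and not cmd:
            findings.append(Finding("review", line,
                                    "unnamed autostart entry with an empty command"))
            continue
        if any(marker in cmd for marker in USER_WRITABLE):
            # Test the key name and every path component for random-looking tokens.
            words = [name.lower()] + re.findall(r"[a-z]+", cmd)
            if any(looks_random(w) for w in words):
                findings.append(Finding("high", line,
                    "autostart from a user-writable location with a random-looking name"))
            else:
                findings.append(Finding("review", line,
                    "autostart from a user-writable location; confirm the publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

Run against the sample it reports the proxy line and the `hdovqnku` entry as high and the empty `<NO NAME>` RunOnce as something to review, while the Sidebar, Windows Defender and GrpConv entries pass. The heuristic is deliberately narrow: a clean-looking name under `Program Files` says nothing about the file, and a false "high" here only costs a second look, so err on flagging.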

#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:33 PM

Posted 12 February 2010 - 04:18 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it?It's all around!

Do you remember? If you do, then can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 zret

zret
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Location:Grand Rapids, MI
  • Local time:05:33 AM

Posted 12 February 2010 - 05:53 PM

Thank you for getting back to me. I admit to being slightly worried I had posted something wrong or that my post had been missed, but I'm glad it was taken care of and I didn't make any attempt to contact an administrator. As a volunteer site helping out those in need, it's good to know you guys are available at all to help! Patience truly is a virtue.

The problems I have haven't changed and are in the first post. Here's the new DDS log, and the GMER log is attached.

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Timmy at 17:15:51.89 on Fri 02/12/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.2630 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Users\Timmy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Aim6]
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [pronto] "c:\program files\wimba\pronto\pronto.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [hdovqnku] c:\users\timmy\appdata\local\lcpcse\urchsftav.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AppMon Utility] "c:\program files\sony\appmonutil\AppMonUtility.exe" @@@Start
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [VAIOSecurity] "c:\program files\sony\vaio security center\VSC.exe" 1
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [UACEnableEntry] regedit.exe /s c:\users\timmy\appdata\local\temp\\UAC_Enable.reg
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\users\timmy\appdata\roaming\micros~1\windows\startm~1\programs\startup\audiof~1.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 4.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\timmy\appdata\roaming\mozilla\firefox\profiles\3713tzfs.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-18 24652]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-27 21504]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2007-1-9 72704]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2007-1-9 43904]
S3 slim;Sony Lucid Integrated Mpeg encoder;c:\windows\system32\drivers\slim.sys [2007-1-9 699264]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2007-1-9 30976]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-1-9 227328]
S3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\system32\drivers\USBAVCap.sys [2007-1-9 774528]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2008-4-15 741376]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2008-4-15 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2008-4-15 1089536]

=============== Created Last 30 ================

2010-02-12 22:13:12 32 ----a-w- c:\users\timmy\defogger_reenable
2010-02-05 01:31:18 0 d-----w- C:\ComboFix
2010-02-05 00:35:34 0 d---a-w- c:\programdata\TEMP
2010-02-04 21:56:04 0 d-----w- c:\windows\pss
2010-02-03 01:41:33 0 d-----w- c:\program files\iPod
2010-01-29 18:30:04 0 d-----w- c:\users\timmy\.rainlendar2
2010-01-29 18:29:46 0 d-----w- c:\program files\Rainlendar2
2010-01-26 23:11:15 0 d-----w- c:\program files\common files\PX Storage Engine
2010-01-26 23:10:58 0 d-----w- c:\program files\DivX
2010-01-26 23:10:58 0 d-----w- c:\program files\common files\DivX Shared
2010-01-20 00:17:02 0 d-----w- c:\windows\system32\Adobe

==================== Find3M ====================

2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 19:45:11 86016 ----a-w- c:\windows\inf\infpub.dat
2009-11-17 19:45:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 19:45:11 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-17 19:45:11 143360 ----a-w- c:\windows\inf\infstor.dat
2008-10-28 11:24:19 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-14 21:25:05 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-14 21:20:47 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-04-15 14:54:46 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-04-15 14:54:46 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-04-15 14:54:46 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:18:42.25 ===============

Hope to hear back soon. Thanks again!

Attached Files

  • Attached File: ark.txt (956 bytes, 11 downloads)


#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:33 AM

Posted 13 February 2010 - 11:00 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, we assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

===========

If you plan to continue to use a flash drive it should be immunized so as to avoid infecting your other computer.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

===========

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
  • It shall produce a log located at C:\RKill. Please copy and paste it into your next reply.

==========

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

QUOTE
To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.


==========

Download ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Drag the setup package onto "thcbytes.exe" and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

==========

With your next post please provide:

* RKill log
* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
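
The Flash_Disinfector step above relies on a simple idea: a folder named autorun.inf in the drive root means a worm cannot drop a file of that name there, so nothing runs when the stick is plugged into the next machine. The Python script below is an added example for checking a drive root, not part of this thread and not Flash_Disinfector's code. It reports whether autorun.inf is absent, is the protective placeholder folder, or is a real file, and in the last case lists the programs an [autorun] section would launch through its open=, shellexecute= and shell\<verb>\command= keys. The sample autorun.inf and the hidden\launcher.exe path inside it are constructed for the demonstration.

```python
r"""Triage autorun.inf on a removable-drive root.

Added example, not part of this thread and not Flash_Disinfector's code. It
assumes only the autorun.inf conventions Windows XP/Vista honoured: an
[autorun] section whose open=, shellexecute= or shell\<verb>\command= keys
name the program to run when the drive is inserted.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AutorunReport:
    state: str                        # "absent", "placeholder-dir" or "file"
    launches: List[str] = field(default_factory=list)
    icon: Optional[str] = None


def parse_autorun(text: str) -> AutorunReport:
    """List what an [autorun] section would launch.

    A hand-rolled parser is used because configparser rejects the malformed
    padding lines and mixed-case section names often found in the wild.
    """
    report = AutorunReport("file")
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        is_launch = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if is_launch and value and value not in report.launches:
            report.launches.append(value)
        elif key == "icon":
            report.icon = value
    return report


def inspect_drive_root(root: str) -> AutorunReport:
    """Classify the autorun.inf entry in a drive root."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return AutorunReport("absent")
    if os.path.isdir(path):
        # The folder Flash_Disinfector leaves behind: no file of the same
        # name can be dropped here, so there is no script to execute.
        return AutorunReport("placeholder-dir")
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return parse_autorun(fh.read())


# Constructed sample, not from the thread; hidden\launcher.exe is a placeholder.
SAMPLE_AUTORUN_INF = r"""
; constructed sample
[AutoRun]
open=hidden\launcher.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=hidden\launcher.exe -autorun
shell\explore\command=hidden\launcher.exe -autorun
shell=open
"""


def demo() -> Dict[str, AutorunReport]:
    """Lay out three constructed drive roots in a temp dir and classify each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "immunised", "autorun.inf"))  # placeholder folder
        os.makedirs(os.path.join(tmp, "suspect"))
        with open(os.path.join(tmp, "suspect", "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        os.makedirs(os.path.join(tmp, "clean"))
        for name in ("immunised", "suspect", "clean"):
            results[name] = inspect_drive_root(os.path.join(tmp, name))
    return results


if __name__ == "__main__":
    for name, rep in demo().items():
        print(f"{name:10} {rep.state:16} launches={rep.launches}")
```

Run against a real stick, `inspect_drive_root("E:\\")` is the call to make; the "file" state with a non-empty launch list is what the thread's Shift-key advice guards against, and "placeholder-dir" is what the drive should show after Flash_Disinfector has run.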

#5 zret

zret
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:Grand Rapids, MI
  • Local time:05:33 AM

Posted 13 February 2010 - 12:50 PM

Hello thcbytes,

Both the rkill log and the combofix log are attached. Also both logs are at the bottom of the post.

Concerning Windows Recovery Console....I operate on Windows Vista, and the only thing the Microsoft support website says about Vista's recovery console is a link to another website, Neosmart, and that website wants me to download a file and mount the image to disc. I haven't made any move to do this, especially since my CD emulation is disabled right now.

So in a nutshell, my laptop went through Rkill and Combofix today, and that's the only changes that have been made.

Hope to hear back soon. Thanks again!

Zret

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Timmy on 02/13/2010 at 11:33:28.


Processes terminated by Rkill or while it was running:


C:\Users\Timmy\Desktop\rkill.pif


Rkill completed on 02/13/2010 at 11:33:30.


ComboFix 10-02-12.01 - Timmy 02/13/2010 12:20:51.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.2561 [GMT -5:00]
Running from: c:\users\Timmy\Desktop\thcbytes.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2194084955-3655368498-1041697596-500
c:\$recycle.bin\S-1-5-21-4130631845-871935868-871808829-500
c:\users\Timmy\AppData\Local\lcpcse
c:\users\Timmy\AppData\Local\lcpcse\urchsftav.exe
c:\windows\system32\stacsv.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.

2010-02-13 17:28 . 2010-02-13 17:28 -------- d-----w- c:\users\Timmy\AppData\Local\temp
2010-02-13 17:28 . 2010-02-13 17:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-03 01:41 . 2010-02-03 01:41 -------- d-----w- c:\program files\iPod
2010-02-03 01:39 . 2010-02-03 01:39 -------- d-----w- c:\program files\QuickTime
2010-02-03 01:36 . 2010-02-03 01:36 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-29 18:30 . 2010-02-05 05:43 -------- d-----w- c:\users\Timmy\.rainlendar2
2010-01-29 18:29 . 2010-01-29 18:29 -------- d-----w- c:\program files\Rainlendar2
2010-01-26 23:55 . 2010-01-26 23:55 -------- d-----w- c:\users\Timmy\AppData\Roaming\DivX
2010-01-26 23:11 . 2010-01-26 23:11 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-01-26 23:10 . 2010-01-26 23:11 -------- d-----w- c:\program files\DivX
2010-01-26 23:10 . 2010-01-26 23:11 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-24 18:20 . 2010-01-24 18:20 38784 ----a-w- c:\users\Timmy\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-24 18:20 . 2010-01-24 18:20 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-24 18:20 . 2010-01-24 18:20 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-23 16:08 . 2010-01-23 16:08 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-20 00:17 . 2010-01-22 19:32 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 01:17 . 2008-11-04 21:24 -------- d-----w- c:\programdata\avg8
2010-02-03 16:27 . 2008-11-08 15:53 0 ----a-w- c:\users\Timmy\AppData\Local\prvlcl.dat
2010-02-03 01:42 . 2008-04-15 09:38 -------- d-----w- c:\program files\iTunes
2010-02-03 01:41 . 2008-04-18 13:27 -------- d-----w- c:\program files\Common Files\Apple
2010-01-29 23:00 . 2010-01-03 09:19 -------- d-----w- c:\users\Timmy\AppData\Roaming\vlc
2010-01-26 13:18 . 2008-10-28 13:50 -------- d-----w- c:\users\Timmy\AppData\Roaming\uTorrent
2010-01-24 18:20 . 2009-07-20 20:54 -------- d-----w- c:\programdata\Electronic Arts
2010-01-23 08:20 . 2009-01-28 22:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 16:12 . 2009-10-02 17:57 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 04:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-03 05:10 . 2010-01-03 05:10 -------- d-----w- c:\program files\VideoLAN
2010-01-02 06:38 . 2010-01-22 10:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 10:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 10:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 10:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 19:45 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-24 39408]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-13 118784]
"AppMon Utility"="c:\program files\Sony\AppMonUtil\AppMonUtility.exe" [2006-11-15 415864]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2006-11-11 43128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"VAIOSecurity"="c:\program files\Sony\VAIO Security Center\VSC.exe" [2006-11-28 2150400]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-05-16 430080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-26 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-26 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\Timmy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Audio Filter.lnk - c:\program files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe [2008-4-15 6173752]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-17 960032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-12-14 23:06 73728 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):71,e4,05,ed,e6,3b,ca,01

S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 2:27 AM 29262680]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/18/2008 6:45 AM 24652]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 4:12 PM 102400]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\System32\drivers\NwUsbCdFil.sys [7/7/2008 11:23 AM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\System32\drivers\nwusbser2.sys [5/9/2008 10:08 AM 174336]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [1/9/2007 2:18 PM 72704]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [1/9/2007 2:18 PM 43904]
S3 slim;Sony Lucid Integrated Mpeg encoder;c:\windows\System32\drivers\slim.sys [1/9/2007 2:30 PM 699264]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\System32\drivers\SonyImgF.sys [1/9/2007 3:10 PM 30976]
S3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [1/9/2007 2:29 PM 227328]
S3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\System32\drivers\USBAVCap.sys [1/9/2007 2:17 PM 774528]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [4/15/2008 11:14 AM 741376]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [4/15/2008 11:13 AM 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [4/15/2008 11:13 AM 1089536]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [9/18/2008 11:58 AM 715248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Timmy\AppData\Roaming\Mozilla\Firefox\Profiles\3713tzfs.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-pronto - c:\program files\Wimba\Pronto\pronto.exe
HKCU-Run-hdovqnku - c:\users\Timmy\AppData\Local\lcpcse\urchsftav.exe
HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKLM-RunOnce-<NO NAME> - (no file)
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 12:28
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-13 12:29:45
ComboFix-quarantined-files.txt 2010-02-13 17:29

Pre-Run: 62,784,507,904 bytes free
Post-Run: 63,056,068,608 bytes free

- - End Of File - - 59EA5D76E2B10524BAADCB7B6B6D0281

Attached Files

  • Attached File  rkill.log   352bytes   8 downloads
  • Attached File  log.txt   11.86KB   11 downloads

Edited by zret, 13 February 2010 - 12:52 PM.


#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:06:33 AM

Posted 13 February 2010 - 01:02 PM

In regards to the Recovery Console. Vista has an awesome preinstalled Recovery Environment. You are in good shape from that standpoint.

Are you now able to connect to the internet?

#7 zret

zret
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:Grand Rapids, MI
  • Local time:05:33 AM

Posted 13 February 2010 - 01:09 PM

Yes, my laptop is running in safe mode with network access.

#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:06:33 AM

Posted 13 February 2010 - 01:18 PM

Did you run Combofix in normal or safe mode? Can you boot into normal mode and successfully make an internet connection?

#9 zret

zret
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:Grand Rapids, MI
  • Local time:05:33 AM

Posted 13 February 2010 - 01:34 PM

Actually, I may have a problem getting back into safe mode. Since pressing F8 when I boot the laptop wasn't doing anything, I would go to command prompt and type in msconfig and select the option to boot in safe mode. However, after just trying that, I now get an error message saying C:\Windows\system32\msconfig.exe Illegal operation attempted on a registry key that has been marked for deletion. So I'm not sure how I'm going to get my computer out of safe mode now.

In regards to Combofix, it was run in safe mode.

#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:06:33 AM

Posted 13 February 2010 - 01:47 PM

Let's create a boot CD. With it I will have you boot into a Virtual Environment outside of Windows. We can fix things up from there.

Please do this........

First.........

After you have successfully burned the OTLPE ISO to disc you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    • Copy and Paste the following code into the textbox. Do not include the word "Code"

      Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a wired connection; otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
    • Push
    • When finished, the file will be saved in drive C:\OTL.txt
    • Please post the contents of the C:\OTL.txt file in your next reply.
    • Copy this file to your USB drive if you do not have an internet connection.


    Next........

  • Navigate here to the forum and click this link.
  • Download the program and save it to the REATOGO-X-PE desktop.
  • Once saved, close all other windows then double click the program to run it.
  • When completed, a log will open.
  • Save the log to the desktop using File>Save as, then post the log in a reply.

    Please note: If you are unable to connect to the internet then please download to a flash drive on a clean computer and transfer to the sick computer to run!

==========

With your next post please provide:

* OTL.txt
* DDS.txt
* Are you able to make an internet connection directly from REATOGO-X-PE?

Kind regards,
~t



#11 zret

zret
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:Grand Rapids, MI
  • Local time:05:33 AM

Posted 13 February 2010 - 02:31 PM

After restarting (still in Safe Mode) I attempted to open the disc drive to put the boot CD in, but it's not working. However, I checked command prompt again and msconfig worked and I'm able to restart into normal mode. Do you want me to boot in normal mode and try Combofix again, or is there a way to get the CD drive to open so I can run the boot disk?

#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:06:33 AM

Posted 13 February 2010 - 02:46 PM

Yes. Run it in normal mode.

#13 zret

zret
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Location:Grand Rapids, MI
  • Local time:05:33 AM

Posted 13 February 2010 - 03:13 PM

Ok here's the Combofix log after being run in normal mode.

ComboFix 10-02-12.01 - Timmy 02/13/2010 12:20:51.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.2561 [GMT -5:00]
Running from: c:\users\Timmy\Desktop\thcbytes.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2194084955-3655368498-1041697596-500
c:\$recycle.bin\S-1-5-21-4130631845-871935868-871808829-500
c:\users\Timmy\AppData\Local\lcpcse
c:\users\Timmy\AppData\Local\lcpcse\urchsftav.exe
c:\windows\system32\stacsv.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.

2010-02-13 17:28 . 2010-02-13 17:28 -------- d-----w- c:\users\Timmy\AppData\Local\temp
2010-02-13 17:28 . 2010-02-13 17:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-03 01:41 . 2010-02-03 01:41 -------- d-----w- c:\program files\iPod
2010-02-03 01:39 . 2010-02-03 01:39 -------- d-----w- c:\program files\QuickTime
2010-02-03 01:36 . 2010-02-03 01:36 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-29 18:30 . 2010-02-05 05:43 -------- d-----w- c:\users\Timmy\.rainlendar2
2010-01-29 18:29 . 2010-01-29 18:29 -------- d-----w- c:\program files\Rainlendar2
2010-01-26 23:55 . 2010-01-26 23:55 -------- d-----w- c:\users\Timmy\AppData\Roaming\DivX
2010-01-26 23:11 . 2010-01-26 23:11 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-01-26 23:10 . 2010-01-26 23:11 -------- d-----w- c:\program files\DivX
2010-01-26 23:10 . 2010-01-26 23:11 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-24 18:20 . 2010-01-24 18:20 38784 ----a-w- c:\users\Timmy\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-24 18:20 . 2010-01-24 18:20 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-24 18:20 . 2010-01-24 18:20 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-23 16:08 . 2010-01-23 16:08 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-20 00:17 . 2010-01-22 19:32 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 01:17 . 2008-11-04 21:24 -------- d-----w- c:\programdata\avg8
2010-02-03 16:27 . 2008-11-08 15:53 0 ----a-w- c:\users\Timmy\AppData\Local\prvlcl.dat
2010-02-03 01:42 . 2008-04-15 09:38 -------- d-----w- c:\program files\iTunes
2010-02-03 01:41 . 2008-04-18 13:27 -------- d-----w- c:\program files\Common Files\Apple
2010-01-29 23:00 . 2010-01-03 09:19 -------- d-----w- c:\users\Timmy\AppData\Roaming\vlc
2010-01-26 13:18 . 2008-10-28 13:50 -------- d-----w- c:\users\Timmy\AppData\Roaming\uTorrent
2010-01-24 18:20 . 2009-07-20 20:54 -------- d-----w- c:\programdata\Electronic Arts
2010-01-23 08:20 . 2009-01-28 22:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 16:12 . 2009-10-02 17:57 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 04:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-03 05:10 . 2010-01-03 05:10 -------- d-----w- c:\program files\VideoLAN
2010-01-02 06:38 . 2010-01-22 10:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 10:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 10:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 10:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 19:45 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-24 39408]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-13 118784]
"AppMon Utility"="c:\program files\Sony\AppMonUtil\AppMonUtility.exe" [2006-11-15 415864]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2006-11-11 43128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"VAIOSecurity"="c:\program files\Sony\VAIO Security Center\VSC.exe" [2006-11-28 2150400]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-05-16 430080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-26 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-26 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\Timmy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Audio Filter.lnk - c:\program files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe [2008-4-15 6173752]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-17 960032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-12-14 23:06 73728 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):71,e4,05,ed,e6,3b,ca,01

S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 2:27 AM 29262680]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/18/2008 6:45 AM 24652]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 4:12 PM 102400]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\System32\drivers\NwUsbCdFil.sys [7/7/2008 11:23 AM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\System32\drivers\nwusbser2.sys [5/9/2008 10:08 AM 174336]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [1/9/2007 2:18 PM 72704]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [1/9/2007 2:18 PM 43904]
S3 slim;Sony Lucid Integrated Mpeg encoder;c:\windows\System32\drivers\slim.sys [1/9/2007 2:30 PM 699264]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\System32\drivers\SonyImgF.sys [1/9/2007 3:10 PM 30976]
S3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [1/9/2007 2:29 PM 227328]
S3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\System32\drivers\USBAVCap.sys [1/9/2007 2:17 PM 774528]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [4/15/2008 11:14 AM 741376]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [4/15/2008 11:13 AM 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [4/15/2008 11:13 AM 1089536]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [9/18/2008 11:58 AM 715248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Timmy\AppData\Roaming\Mozilla\Firefox\Profiles\3713tzfs.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-pronto - c:\program files\Wimba\Pronto\pronto.exe
HKCU-Run-hdovqnku - c:\users\Timmy\AppData\Local\lcpcse\urchsftav.exe
HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKLM-RunOnce-<NO NAME> - (no file)
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 12:28
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-13 12:29:45
ComboFix-quarantined-files.txt 2010-02-13 17:29

Pre-Run: 62,784,507,904 bytes free
Post-Run: 63,056,068,608 bytes free

- - End Of File - - 59EA5D76E2B10524BAADCB7B6B6D0281


#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:33 AM

Posted 13 February 2010 - 08:39 PM

Hi,
Unfortunately you reposted your 1st Combofix log. It gets confusing. I understand. Do 2 things for me please...

1st...

Post the most recent C:\Combofix.txt. It might be called C:\Combofix2.txt or something like that.

2nd...

Do this......
  1. Select
  2. Select All Programs
  3. Select Accessories
  4. Right click Command Prompt and choose Run as administrator


  5. If you have the User Account Control (UAC) enabled you will be asked for authorization prior to the command prompt opening.
  6. You may simply need to press the Continue button if you are the administrator or insert the administrator password.


Copy-paste the following command (the bolded text) into the "cmd" box, and click enter.

dir /a /s C:\QooBox >log.txt&start log.txt


A log will be produced.

Please post that log for my review.


Thanks,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#15 zret

zret
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Location:Grand Rapids, MI
  • Local time:05:33 AM

Posted 13 February 2010 - 08:53 PM

Ooops....my bad. Here's the correct Combofix log followed by the Command Prompt Log.

ComboFix 10-02-12.01 - Timmy 02/13/2010 14:54:47.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.2170 [GMT -5:00]
Running from: c:\users\Timmy\Desktop\thcbytes.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.

2010-02-13 20:02 . 2010-02-13 20:02 -------- d-----w- c:\users\Timmy\AppData\Local\temp
2010-02-13 20:02 . 2010-02-13 20:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-13 20:02 . 2010-02-13 20:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-05 01:31 . 2010-02-13 17:19 -------- d-----w- C:\ComboFix
2010-02-03 01:41 . 2010-02-03 01:41 -------- d-----w- c:\program files\iPod
2010-02-03 01:39 . 2010-02-03 01:39 -------- d-----w- c:\program files\QuickTime
2010-02-03 01:36 . 2010-02-03 01:36 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-29 18:30 . 2010-02-13 19:53 -------- d-----w- c:\users\Timmy\.rainlendar2
2010-01-29 18:29 . 2010-01-29 18:29 -------- d-----w- c:\program files\Rainlendar2
2010-01-26 23:55 . 2010-01-26 23:55 -------- d-----w- c:\users\Timmy\AppData\Roaming\DivX
2010-01-26 23:11 . 2010-01-26 23:11 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-01-26 23:10 . 2010-01-26 23:11 -------- d-----w- c:\program files\DivX
2010-01-26 23:10 . 2010-01-26 23:11 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-24 18:20 . 2010-01-24 18:20 38784 ----a-w- c:\users\Timmy\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-24 18:20 . 2010-01-24 18:20 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-24 18:20 . 2010-01-24 18:20 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-23 16:08 . 2010-01-23 16:08 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-20 00:17 . 2010-01-22 19:32 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 01:17 . 2008-11-04 21:24 -------- d-----w- c:\programdata\avg8
2010-02-03 16:27 . 2008-11-08 15:53 0 ----a-w- c:\users\Timmy\AppData\Local\prvlcl.dat
2010-02-03 01:42 . 2008-04-15 09:38 -------- d-----w- c:\program files\iTunes
2010-02-03 01:41 . 2008-04-18 13:27 -------- d-----w- c:\program files\Common Files\Apple
2010-01-29 23:00 . 2010-01-03 09:19 -------- d-----w- c:\users\Timmy\AppData\Roaming\vlc
2010-01-26 13:18 . 2008-10-28 13:50 -------- d-----w- c:\users\Timmy\AppData\Roaming\uTorrent
2010-01-24 18:20 . 2009-07-20 20:54 -------- d-----w- c:\programdata\Electronic Arts
2010-01-23 08:20 . 2009-01-28 22:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 16:12 . 2009-10-02 17:57 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 04:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-03 05:10 . 2010-01-03 05:10 -------- d-----w- c:\program files\VideoLAN
2010-01-02 06:38 . 2010-01-22 10:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 10:37 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 10:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 10:37 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 19:45 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-24 39408]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-13 118784]
"AppMon Utility"="c:\program files\Sony\AppMonUtil\AppMonUtility.exe" [2006-11-15 415864]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2006-11-11 43128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"VAIOSecurity"="c:\program files\Sony\VAIO Security Center\VSC.exe" [2006-11-28 2150400]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-05-16 430080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-26 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-26 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\users\Timmy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Audio Filter.lnk - c:\program files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe [2008-4-15 6173752]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-17 960032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-12-14 23:06 73728 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):71,e4,05,ed,e6,3b,ca,01

R2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 2:27 AM 29262680]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/18/2008 6:45 AM 24652]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 4:12 PM 102400]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [1/9/2007 2:18 PM 72704]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [1/9/2007 2:18 PM 43904]
R3 slim;Sony Lucid Integrated Mpeg encoder;c:\windows\System32\drivers\slim.sys [1/9/2007 2:30 PM 699264]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\System32\drivers\SonyImgF.sys [1/9/2007 3:10 PM 30976]
R3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [1/9/2007 2:29 PM 227328]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\System32\drivers\NwUsbCdFil.sys [7/7/2008 11:23 AM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\System32\drivers\nwusbser2.sys [5/9/2008 10:08 AM 174336]
S3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\System32\drivers\USBAVCap.sys [1/9/2007 2:17 PM 774528]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [4/15/2008 11:14 AM 741376]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [4/15/2008 11:13 AM 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [4/15/2008 11:13 AM 1089536]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [9/18/2008 11:58 AM 715248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Timmy\AppData\Roaming\Mozilla\Firefox\Profiles\3713tzfs.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 15:02
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-13 15:04:27
ComboFix-quarantined-files.txt 2010-02-13 20:04
ComboFix2.txt 2010-02-13 17:29

Pre-Run: 62,989,041,664 bytes free
Post-Run: 62,965,731,328 bytes free

- - End Of File - - C6266DF2937E2AEB881F7F7037239F35


Volume in drive C has no label.
Volume Serial Number is 5EA1-B3F4

Directory of C:\QooBox

02/13/2010 03:04 PM <DIR> .
02/13/2010 03:04 PM <DIR> ..
02/13/2010 03:03 PM 5,107 Add-Remove Programs.txt
02/13/2010 12:19 PM <DIR> BackEnv
02/13/2010 03:04 PM 1,446 ComboFix-quarantined-files.txt
02/13/2010 12:29 PM 12,142 ComboFix2.txt
02/13/2010 12:19 PM <DIR> Quarantine
02/13/2010 12:29 PM 3,178,361 SnapShot@2010-02-13_17.28.23.dat
02/13/2010 03:03 PM 0 SnapShot@2010-02-13_20.02.26.dat
5 File(s) 3,197,056 bytes

Directory of C:\QooBox\BackEnv

02/13/2010 12:19 PM <DIR> .
02/13/2010 12:19 PM <DIR> ..
02/13/2010 12:19 PM 123 appdata.folder.dat
02/13/2010 12:19 PM 228 cache.folder.dat
02/13/2010 12:19 PM 60 Cookies.folder.dat
02/13/2010 12:19 PM 81 desktop.folder.dat
02/13/2010 12:19 PM 114 favorites.folder.dat
02/13/2010 12:19 PM 99 localappdata.folder.dat
02/13/2010 12:19 PM 99 LocalSettings.folder.dat
02/13/2010 12:19 PM 84 mypictures.folder.dat
02/13/2010 12:19 PM 87 personal.folder.dat
02/13/2010 12:19 PM 177 Profiles.Folder.dat
02/13/2010 12:19 PM 201 Profiles.Folder.folder.dat
02/13/2010 12:19 PM 344 programs.folder.dat
02/13/2010 12:19 PM 4,770 SetPath.bat
02/13/2010 12:19 PM 239 startmenu.folder.dat
02/13/2010 12:19 PM 384 startup.folder.dat
02/13/2010 12:19 PM 898 SysPath.dat
02/13/2010 12:19 PM 235 templates.folder.dat
17 File(s) 8,223 bytes

Directory of C:\QooBox\Quarantine

02/13/2010 12:19 PM <DIR> .
02/13/2010 12:19 PM <DIR> ..
02/13/2010 12:27 PM <DIR> C
02/13/2010 02:54 PM 144 catchme.log
02/13/2010 03:03 PM <DIR> Registry_backups
1 File(s) 144 bytes

Directory of C:\QooBox\Quarantine\C

02/13/2010 12:27 PM <DIR> .
02/13/2010 12:27 PM <DIR> ..
02/13/2010 12:27 PM <DIR> Users
02/13/2010 12:27 PM <DIR> Windows
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Users

02/13/2010 12:27 PM <DIR> .
02/13/2010 12:27 PM <DIR> ..
02/13/2010 12:27 PM <DIR> Timmy
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Users\Timmy

02/13/2010 12:27 PM <DIR> .
02/13/2010 12:27 PM <DIR> ..
02/13/2010 12:27 PM <DIR> AppData
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Users\Timmy\AppData

02/13/2010 12:27 PM <DIR> .
02/13/2010 12:27 PM <DIR> ..
02/13/2010 12:27 PM <DIR> Local
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Users\Timmy\AppData\Local

02/13/2010 12:27 PM <DIR> .
02/13/2010 12:27 PM <DIR> ..
02/13/2010 12:27 PM <DIR> lcpcse
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Users\Timmy\AppData\Local\lcpcse

02/13/2010 12:27 PM <DIR> .
02/13/2010 12:27 PM <DIR> ..
02/03/2010 09:33 PM 303,360 urchsftav.exe.vir
1 File(s) 303,360 bytes

Directory of C:\QooBox\Quarantine\C\Windows

02/13/2010 12:27 PM <DIR> .
02/13/2010 12:27 PM <DIR> ..
02/13/2010 12:27 PM <DIR> System32
0 File(s) 0 bytes

Directory of C:\QooBox\Quarantine\C\Windows\System32

02/13/2010 12:27 PM <DIR> .
02/13/2010 12:27 PM <DIR> ..
12/20/2006 11:16 PM 90,112 STACSV.EXE.vir
1 File(s) 90,112 bytes

Directory of C:\QooBox\Quarantine\Registry_backups

02/13/2010 03:03 PM <DIR> .
02/13/2010 03:03 PM <DIR> ..
02/13/2010 12:29 PM 1,370 AddRemove-ShockwaveFlash.reg.dat
02/13/2010 12:29 PM 90 HKCU-Run-Aim6.reg.dat
02/13/2010 12:29 PM 155 HKCU-Run-EA Core.reg.dat
02/13/2010 12:29 PM 149 HKCU-Run-hdovqnku.reg.dat
02/13/2010 12:29 PM 140 HKCU-Run-pronto.reg.dat
02/13/2010 12:29 PM 181 HKLM-Run-ISUSPM.reg.dat
02/13/2010 12:29 PM 160 HKU-Default-Run-Picasa Media Detector.reg.dat
02/13/2010 03:01 PM 7,228 tcpip.reg
8 File(s) 9,473 bytes

Total Files Listed:
33 File(s) 3,608,368 bytes
35 Dir(s) 56,320,299,008 bytes free
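The `dir /a /s C:\QooBox` listing above is what the helper asked for in order to review what ComboFix moved aside. The Python script below is an added example, not ComboFix's code and not something posted in the thread: it parses a constructed, abridged copy of that listing, recovers the original location of every quarantined `.vir` file, lists the autostart entries whose removal was backed up under `Registry_backups`, and flags the quarantined executables that ran from a user profile directory. The path layout it relies on (`Quarantine\<drive letter>\<original path>.vir`) is an assumption inferred from the listing itself; the date/time regexes match the US-locale `dir` format shown in the post and would need adjusting for another locale.

```python
"""Summarise a `dir /a /s C:\\QooBox` listing: what ComboFix quarantined and
which autostart entries it backed up. Added example; not part of ComboFix."""
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the QooBox listing posted in the thread.
SAMPLE_DIR_LOG = r"""
 Directory of C:\QooBox

02/13/2010  03:04 PM    <DIR>          .
02/13/2010  03:04 PM    <DIR>          ..
02/13/2010  03:03 PM             5,107 Add-Remove Programs.txt
02/13/2010  12:19 PM    <DIR>          Quarantine
02/13/2010  12:29 PM            12,142 ComboFix2.txt
               2 File(s)         17,249 bytes

 Directory of C:\QooBox\Quarantine

02/13/2010  12:27 PM    <DIR>          C
02/13/2010  02:54 PM               144 catchme.log
02/13/2010  03:03 PM    <DIR>          Registry_backups
               1 File(s)            144 bytes

 Directory of C:\QooBox\Quarantine\C\Users\Timmy\AppData\Local\lcpcse

02/03/2010  09:33 PM           303,360 urchsftav.exe.vir
               1 File(s)        303,360 bytes

 Directory of C:\QooBox\Quarantine\C\Windows\System32

12/20/2006  11:16 PM            90,112 STACSV.EXE.vir
               1 File(s)         90,112 bytes

 Directory of C:\QooBox\Quarantine\Registry_backups

02/13/2010  12:29 PM             1,370 AddRemove-ShockwaveFlash.reg.dat
02/13/2010  12:29 PM                90 HKCU-Run-Aim6.reg.dat
02/13/2010  12:29 PM               149 HKCU-Run-hdovqnku.reg.dat
02/13/2010  03:01 PM             7,228 tcpip.reg
               4 File(s)          8,837 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# US-locale `dir` row layout, as in the posted log: date, time, size or <DIR>, name.
DIR_ROW = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+<DIR>\s+\S")
FILE_ROW = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+(?P<size>[\d,]+)\s+(?P<name>.+?)\s*$"
)
QUARANTINE_ROOT = r"C:\QooBox\Quarantine"


def parse_dir_listing(text):
    """Map each 'Directory of ...' path to its regular files as (name, bytes)."""
    files = defaultdict(list)
    current = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current = header.group("path")
            files.setdefault(current, [])
            continue
        if current is None or DIR_ROW.match(line):
            continue                      # skip '.', '..' and subdirectory rows
        row = FILE_ROW.match(line)
        if row:
            files[current].append((row.group("name"), int(row.group("size").replace(",", ""))))
    return dict(files)


def quarantined_files(files, root=QUARANTINE_ROOT):
    """Recover (original path, size) for every .vir file under the quarantine tree.
    Assumption inferred from the listing: a file is stored as
    <root>\\<drive letter>\\<original path>.vir, so stripping both ends gives its origin."""
    prefix = root.lower() + "\\"
    found = []
    for directory, entries in files.items():
        if not directory.lower().startswith(prefix):
            continue
        drive, _, rest = directory[len(prefix):].partition("\\")
        base = f"{drive}:\\{rest}" if rest else f"{drive}:"
        for name, size in entries:
            if name.lower().endswith(".vir"):
                found.append((f"{base}\\{name[:-4]}", size))
    return sorted(found)


def registry_backups(files, root=QUARANTINE_ROOT + r"\Registry_backups"):
    """Autostart entries ComboFix removed; each one gets an <entry>.reg.dat backup."""
    names = []
    for directory, entries in files.items():
        if directory.lower() == root.lower():
            names += [n[:-len(".reg.dat")] for n, _ in entries if n.lower().endswith(".reg.dat")]
    return sorted(names)


def user_profile_executables(quarantined):
    """Quarantined executables that ran from a user profile (AppData): the entries
    a reviewer checks first, since any standard user can write there."""
    return [path for path, _ in quarantined
            if "\\appdata\\" in path.lower() and path.lower().endswith((".exe", ".dll", ".scr"))]


if __name__ == "__main__":
    listing = parse_dir_listing(SAMPLE_DIR_LOG)
    quarantined = quarantined_files(listing)
    for path, size in quarantined:
        print(f"quarantined: {path} ({size} bytes)")
    print("removed autostart entries:", ", ".join(registry_backups(listing)))
    print("ran from a user profile:", user_profile_executables(quarantined))
```

Run against the full listing saved by the `dir` command, the script reports the two `.vir` files and the seven `.reg.dat` backups the post shows; the one executable it flags as having run from `AppData\Local` is the file behind the `HKCU-Run-hdovqnku` entry that ComboFix removed.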
