Contracted AntiVirus Plus with Firefox


  • This topic is locked
32 replies to this topic

#1 Plasmatic

  • Members
  • 20 posts

Posted 15 February 2010 - 04:27 PM

Saturday afternoon I was surfing with Firefox, when IE started up on its own and my system started a 'security scan'.

I killed multiple instances of rogue processes in Task Manager - started with cmd, but they were spawning faster than I could kill them. I disconnected my LAN cable and restarted. Ported ComboFix with a flash drive to the machine and tried to run, the virus kept closing it. Restarted in safe mode and was able to run it renamed with cmd. ComboFix reported I had drive emulators running (I do) and needed to disable them just before rebooting. I think the virus was rebooting before ComboFix had a chance to run. This happened a few times. Now the machine will run ComboFix, but I cannot get the recovery console installed - with the automatic download or manually copied from another machine. Windows Update is unavailable, probably blocked, as are most other windows.com pages. arcotray.exe keeps popping up with an error and closing - I think this is my sound driver.

I have 3 log files from ComboFix; I renamed them each time I ran it. When I open them the virus reports an error - unable to find file, but Notepad opens it anyway. I imagine if I wasn't running in safe mode the virus would close the process.

First log
CODE
ComboFix 10-02-12.01 - X 02/14/2010  10:32:18.6.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1715 [GMT -6:00]
Running from: C:\smack.exe
Command switches used :: smack

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\X\alcwzrd .exe
c:\documents and settings\X\Desktop\Advanced Defender.lnk
c:\documents and settings\X\hdaudpropshortcut .exe
c:\documents and settings\X\Local Settings\Application Data\{8C8186BE-D58D-46A9-A973-B939E1080C0A}
c:\documents and settings\X\Local Settings\Application Data\{8C8186BE-D58D-46A9-A973-B939E1080C0A}\chrome.manifest
c:\documents and settings\X\Local Settings\Application Data\{8C8186BE-D58D-46A9-A973-B939E1080C0A}\chrome\content\_cfg.js
c:\documents and settings\X\Local Settings\Application Data\{8C8186BE-D58D-46A9-A973-B939E1080C0A}\chrome\content\overlay.xul
c:\documents and settings\X\Local Settings\Application Data\{8C8186BE-D58D-46A9-A973-B939E1080C0A}\install.rdf
c:\documents and settings\X\nwiz .exe
c:\documents and settings\X\rundll32 .exe
c:\documents and settings\X\rundll32.exe
c:\documents and settings\X\soundman.exe
c:\documents and settings\X\Start Menu\Programs\Advanced Defender
c:\documents and settings\X\Start Menu\Programs\Advanced Defender\Advanced Defender.lnk
c:\program files\Advanced Defender
c:\program files\Advanced Defender\advanceddefender .exe
c:\program files\Advanced Defender\advanceddefender.exe
c:\program files\Advanced Defender\base.wdb
c:\program files\Advanced Defender\baseadd.wdb
c:\program files\Advanced Defender\conf.wcf
c:\program files\Advanced Defender\quarant.wdb
c:\program files\Advanced Defender\queue.wdb
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
C:\prviwvy.exe
C:\sckw.exe
c:\windows\system32\lkmj.bdo
c:\windows\system32\smss32.exe
C:\ytlmlfc.exe

.
(((((((((((((((((((((((((   Files Created from 2010-01-14 to 2010-02-14  )))))))))))))))))))))))))))))))
.

2010-02-14 16:26 . 2010-02-14 00:04    3857112    ----a-r-    C:\smack.exe
2010-02-14 00:43 . 2010-02-14 00:04    3857112    ----a-r-    C:\ComboFix(3).exe
2010-02-13 22:05 . 2010-02-14 17:02    55296    ----a-w-    c:\documents and settings\X\nwiz.exe
2010-02-13 22:05 . 2010-02-14 17:02    55296    ----a-w-    c:\documents and settings\X\alcwzrd.exe
2010-02-13 22:05 . 2010-02-14 17:02    55296    ----a-w-    c:\documents and settings\X\hdaudpropshortcut.exe
2010-02-13 21:11 . 2010-02-06 22:28    3849526    ----a-r-    C:\ComboFix1.exe
2010-02-13 21:10 . 2010-02-13 21:10    55296    ----a-w-    c:\windows\system32\nwiz.exe
2010-02-13 21:10 . 2010-02-13 21:10    55296    ----a-w-    c:\windows\system32\alcwzrd.exe
2010-02-13 21:10 . 2010-02-13 21:10    55296    ----a-w-    c:\windows\system32\soundman.exe
2010-02-13 20:57 . 2010-02-13 20:57    55296    ----a-w-    C:\owhjo.exe
2010-02-13 20:57 . 2010-02-13 20:57    43520    ----a-w-    C:\viqu.exe
2010-02-13 20:57 . 2010-02-13 20:57    52736    ----a-w-    C:\wgtqgxch.exe
2010-02-13 20:57 . 2010-02-13 20:57    43008    ----a-w-    C:\cdgxgtxp.exe
2010-02-13 20:57 . 2010-02-13 20:57    120    ----a-w-    c:\windows\Elajusocac.dat
2010-02-13 20:57 . 2010-02-13 20:57    0    ----a-w-    c:\windows\Cmatetuhes.bin
2010-02-13 20:54 . 2010-02-13 20:54    --------    d-----w-    c:\documents and settings\All Users\Microsoft PData
2010-02-13 20:53 . 2010-02-13 20:53    52736    ----a-w-    C:\kkalf.exe
2010-02-08 14:52 . 2010-02-08 14:53    36630343    ----a-w-    C:\tribessoundtrack.zip
2010-01-21 17:19 . 2010-01-21 17:32    --------    d-----w-    c:\documents and settings\X\Application Data\TS3Client
2010-01-21 17:18 . 2010-01-21 17:18    --------    d-----w-    c:\program files\TeamSpeak 3 Client
2010-01-21 17:15 . 2010-01-21 17:15    --------    d-----w-    c:\documents and settings\All Users\Application Data\boost_interprocess

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 17:02 . 2010-02-14 17:02    55296    ----a-w-    c:\documents and settings\X\rundll32.exe
2010-02-14 17:02 . 2010-02-14 17:02    55296    ----a-w-    c:\documents and settings\X\rundll32 .exe
2010-02-14 17:02 . 2010-02-14 17:02    55296    ----a-w-    c:\documents and settings\X\soundman.exe
2010-02-14 17:02 . 2006-05-05 22:28    --------    d-----w-    c:\program files\QuickTime
2010-02-14 17:02 . 2010-02-14 17:02    55296    ----a-w-    c:\windows\system32\smss32.exe
2010-02-14 17:02 . 2005-01-20 11:44    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-02-14 17:02 . 2008-10-30 09:43    --------    d-----w-    c:\program files\DNA
2010-02-14 17:02 . 2008-10-30 09:43    --------    d-----w-    c:\documents and settings\X\Application Data\DNA
2010-02-14 00:32 . 2010-02-13 22:05    55296    ----a-w-    c:\documents and settings\X\nwiz .exe
2010-02-14 00:32 . 2010-02-13 22:05    55296    ----a-w-    c:\documents and settings\X\alcwzrd .exe
2010-02-14 00:32 . 2010-02-13 22:05    55296    ----a-w-    c:\documents and settings\X\hdaudpropshortcut .exe
2010-02-13 21:10 . 2004-03-17 20:10    55296    ----a-w-    c:\windows\system32\hdaudpropshortcut.exe
2010-02-13 20:53 . 2010-02-13 20:53    55296    ----a-w-    c:\windows\system32\OLD6F4.tmp
2010-02-13 20:53 . 2010-02-13 20:53    55296    ----a-w-    c:\windows\system32\OLD6F1.tmp
2010-01-25 00:48 . 2004-12-06 14:00    --------    d-----w-    c:\program files\Paint Shop Pro 6
2010-01-11 03:42 . 2009-10-30 19:30    --------    d-----w-    c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-04 20:39 . 2010-01-04 20:39    183462    ----a-w-    C:\fr-041_debris.zip
2010-01-04 20:24 . 2010-01-04 20:24    100185    ----a-w-    C:\kkrieger-beta.zip
2010-01-03 20:41 . 2010-01-03 20:40    --------    d-----w-    c:\documents and settings\All Users\Application Data\Symantec
2010-01-03 20:41 . 2010-01-03 20:40    --------    d-----w-    c:\program files\Symantec
2010-01-03 20:41 . 2010-01-03 20:41    --------    d-----w-    c:\documents and settings\X\Application Data\Symantec
2010-01-03 20:41 . 2010-01-03 20:41    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2010-01-03 20:04 . 2006-09-11 11:02    --------    d-----w-    c:\documents and settings\X\Application Data\BitTorrent
2010-01-02 18:58 . 2010-01-02 18:57    --------    d-----w-    c:\program files\NVIDIA Corporation
2010-01-02 18:57 . 2010-01-02 18:57    --------    d-----w-    c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-01-02 03:59 . 2007-06-11 12:59    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2009-12-30 09:49 . 2009-12-30 09:49    --------    d-----w-    c:\program files\SystemRequirementsLab
2009-12-30 09:49 . 2009-12-30 09:49    --------    d-----w-    c:\documents and settings\X\Application Data\SystemRequirementsLab
2009-12-30 09:49 . 2009-12-30 09:49    290816    ----a-w-    c:\documents and settings\X\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-12-30 09:49 . 2009-12-30 09:49    290816    ----a-w-    c:\documents and settings\X\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-12-30 09:49 . 2009-12-30 09:49    290816    ----a-w-    c:\documents and settings\X\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-12-30 09:49 . 2009-12-30 09:49    290816    ----a-w-    c:\documents and settings\X\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-12-28 02:58 . 2009-12-28 02:56    160217136    ----a-w-    C:\DiscWizardSetup.en.exe
2009-12-02 10:11 . 2009-12-02 10:11    1297814    ----a-w-    C:\fwfwdfwbeercanmodelcars.zip
2009-11-30 17:31 . 2009-11-30 17:31    4886870    ----a-w-    C:\HandBrake-0.9.4-Win_GUI.exe
2009-11-24 20:49 . 2009-11-24 20:49    2169915    ----a-w-    C:\SetupImgBurn_2.5.0.0.exe
2009-11-21 02:32 . 2009-11-21 02:32    278120    ----a-w-    c:\windows\system32\nvmccs.dll
2009-11-21 02:32 . 2009-11-21 02:32    154216    ----a-w-    c:\windows\system32\nvsvc32.exe
2009-11-21 02:32 . 2009-11-21 02:32    145000    ----a-w-    c:\windows\system32\nvcolor.exe
2009-11-21 02:32 . 2009-11-21 02:32    12669544    ----a-w-    c:\windows\system32\nvcpl.dll
2009-11-21 02:32 . 2009-11-21 02:32    110184    ----a-w-    c:\windows\system32\nvmctray.dll
2009-11-21 02:32 . 2009-11-21 02:32    81920    ----a-w-    c:\windows\system32\nvwddi.dll
2009-11-20 03:42 . 2006-02-26 12:20    592488    ----a-w-    c:\windows\system32\NVUNINST.EXE
2009-11-18 05:02 . 2009-11-18 05:02    3749896    ----a-w-    C:\rcsetup132.exe
2004-05-06 18:11 . 2005-03-17 16:42    777    ----a-w-    c:\program files\trial_setup.ini
2004-05-06 18:11 . 2005-03-17 16:42    4289024    ----a-w-    c:\program files\trial_setup.msi
2004-05-06 18:11 . 2005-03-17 16:42    40448    ----a-w-    c:\program files\trial_setup.exe
1999-08-13 12:00 . 2004-12-06 14:02    4820    ----a-w-    c:\program files\CAMUNWISE.INI
2007-09-16 06:35 . 2007-10-14 14:24    66408    ----a-w-    c:\program files\mozilla firefox\components\jar50.dll
2007-09-16 06:35 . 2007-10-14 14:24    54112    ----a-w-    c:\program files\mozilla firefox\components\jsd3250.dll
2007-09-16 06:35 . 2007-10-14 14:24    34688    ----a-w-    c:\program files\mozilla firefox\components\myspell.dll
2007-09-16 06:35 . 2007-10-14 14:24    46456    ----a-w-    c:\program files\mozilla firefox\components\spellchk.dll
2007-09-16 06:35 . 2007-10-14 14:24    171880    ----a-w-    c:\program files\mozilla firefox\components\xpinstal.dll
1601-01-01 00:03 . 1601-01-01 00:03    51712    --sha-w-    c:\windows\system32\fahofulu.dll
.
<pre>
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\Common Files\Roxio Shared\System\engutil .exe
c:\program files\DNA\btdna .exe
c:\program files\IGN\Download Manager\dlm .exe
c:\program files\Java\jre1.6.0_07\bin\jusched .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\rxmon .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\Symantec\Norton Ghost 2003\ghoststarttrayapp .exe
c:\program files\VIA\VIAudioi\EnvyADeck\enmixcpl .exe
</pre>


------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2004-08-04 04:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2001-08-17 . A64013E98426E1877CB653685C5C0009 . 86656 . . [5.1.2600.0] . . c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{515af288-a40f-4e8a-bc96-dccf71f97cfd}]
1601-01-01 00:03 51712 --sha-w- c:\windows\system32\fahofulu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2010-02-14 55296]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2010-02-14 55296]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-02-14 55296]
"Google Update"="c:\documents and settings\X\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-14 55296]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2010-02-14 55296]
"smss32.exe"="c:\windows\system32\smss32.exe" [2010-02-14 55296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2010-02-13 55296]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2010-02-14 55296]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2010-02-14 55296]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2010-02-13 55296]
"SoundMan"="SOUNDMAN.EXE" [2010-02-13 55296]
"AlcWzrd"="ALCWZRD.EXE" [2010-02-13 55296]
"EnvyHFCPL"="c:\program files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe" [2010-02-14 55296]
"nwiz"="nwiz.exe" [2010-02-13 55296]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2010-02-14 55296]
"advanceddefender"="c:\program files\Advanced Defender\advanceddefender.exe" [N/A]
"zodehojahi"="lizoraka.dll" [N/A]

c:\documents and settings\X\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2007-7-18 1873280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli usws1da.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-11-21 02:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-02-13 21:10 55296 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"seclogon"=2 (0x2)
"rpcapd"=3 (0x3)
"RemoteRegistry"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"c:\\Mod\\Tribes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire 4.2.6 Pro\\LimeWire.exe"=
"c:\\Battlefield2\\BF2.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Dynamix\\TRIBES\\TribesWithExtras.exe"=
"f:\\BackupNov05\\Trillian\\trillian.exe"=
"c:\\GUI_Tribes\\Tribes.exe"=
"c:\\haxinids_alpha_1\\Haxinids.exe"=
"c:\\Torque\\example\\torqueDemo.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"f:\\Tribes\\Tribes.exe"=
"c:\\HaxTribes\\Tribes.exe"=
"c:\\freshT\\TrOrbs\\Tribes.exe"=
"c:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars Beta\\etqw.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"c:\\Plasconfig\\Tribes.exe"=
"c:\\TRIBES18\\Tribes.exe"=
"c:\\Dynamix\\Tribes\\Tribes.exe"=
"c:\\Documents and Settings\\X\\Application Data\\Aventail\\ewpca\\ewpca.exe"=
"c:\\Program Files\\QWS3270 PLUS\\AutoUpdt.exe"=
"c:\\Program Files\\QWS3270 PLUS\\QWS3287p.exe"=
"c:\\Program Files\\QWS3270 PLUS\\lpd.exe"=
"c:\\Program Files\\QWS3270 PLUS\\QWS3270p.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\ETQW\\etqw.exe"=
"c:\\ETQW\\etqwded.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\orbplasmatic\\team fortress 2\\hl2.exe"=
"c:\\GUI_Tribes_new\\Tribes.exe"=
"\\\\Ivory\\C\\tribes1.4.2\\Tribes.exe"=
"c:\\Documents and Settings\\X\\Application Data\\GarageGames\\IAPlayer\\products\\www_playtribes_mobi\\1337\\install\\Tribes.exe"=
"c:\\mod\\Editor.exe"=
"c:\\mod_old\\Tribes.exe"=
"c:\\mod_old\\Tribes_collision.exe"=
"c:\\Program Files\\Starsiege 2845 Alpha Tech Release\\SS2845\\ss2845.exe"=
"c:\\Documents and Settings\\X\\Application Data\\GarageGames\\IAPlayer\\products\\test_playtribes_com\\1337\\install\\Tribes.exe"=
"c:\\mod_1.40.638\\Tribes.exe"=
"\\\\Ivory\\C\\Server\\tribes.exe"=
"c:\\mod_1.40.638\\Editor.exe"=
"c:\\mod_1.40.655\\Tribes.exe"=
"c:\\mod_1.40.655\\Editor.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Trorbs\\Tribes.exe"=
"c:\\mod_old\\stepupTribes.exe"=
"c:\\reinstall\\teamspeak3-server_win32-3.0.0-beta16\\teamspeak3-server_win32\\ts3server_win32.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\Program Files\\DNA\\btdna .exe"=
"c:\\WINDOWS\\system32\\regsvr32.exe"=
"c:\\Program Files\\QuickTime\\qttask .exe"=
"c:\\Program Files\\QuickTime\\qttask .exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [11/24/2007 9:10 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [11/24/2007 9:10 PM 5248]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [6/3/2008 10:51 PM 46744]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [4/17/2009 12:04 PM 224867]
R2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [3/22/2005 6:14 PM 16288]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [11/1/2008 4:15 AM 627840]
R3 Ma730Pt;MA730 Bluetooth VCOM Driver;c:\windows\system32\drivers\ma730Pt.sys [3/14/2009 2:21 AM 103040]
R3 Ma730Vad;MA730 Bluetooth Audio;c:\windows\system32\drivers\Ma730Vad.sys [3/14/2009 2:21 AM 23376]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [4/17/2009 12:01 PM 25216]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [4/17/2009 12:02 PM 77952]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [4/17/2009 12:03 PM 20608]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [4/17/2009 12:03 PM 23168]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 3:10 PM 32512]
.
Contents of the 'Scheduled Tasks' folder

2010-02-14 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-14 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-14 17:02]

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-287218729-725345543-1003Core.job
- c:\documents and settings\X\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-05 17:02]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-287218729-725345543-1003UA.job
- c:\documents and settings\X\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-05 17:02]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
TCP: {01D9094B-6B79-4F8A-883B-0C05425544D2} = 93.188.164.56,93.188.166.62
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\X\Application Data\Mozilla\Firefox\Profiles\kzhwfqyp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\X\Application Data\Mozilla\Firefox\Profiles\kzhwfqyp.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\X\Application Data\Mozilla\Firefox\Profiles\kzhwfqyp.default\extensions\iaplayerdb@instantaction.com\plugins\npiaplayerd.dll
FF - plugin: c:\documents and settings\X\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\firefox\plugins\npbittorrent.dll
FF - plugin: c:\firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Advanced Defender - c:\program files\Advanced Defender\advanceddefender.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
EnvyHFCPL = c:\program files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1?????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\smss32.exe 55296 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5A0AE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf7586cb8
\Driver\atapi -> 0x8a5a0ae8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b9
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b9
NDIS: Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4) -> SendCompleteHandler -> NDIS.sys @ 0xf7858b0a
PacketIndicateHandler -> NDIS.sys @ 0xf7863a21
SendHandler -> NDIS.sys @ 0xf7858949
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-287218729-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1177238915-287218729-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CF41039D-FA92-7B19-FA87-D3F32A73955D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abpaeigpocolagcafnpnpfpbhjkmgmppab"=hex:6a,61,62,62,68,69,6a,67,70,62,68,61,
6d,6b,65,62,61,6b,61,61,00,fb
"macbpbimnnfpjpaffhfbpllacb"=hex:6f,61,6b,66,67,66,6a,68,70,63,6e,70,6f,63,66,
62,68,69,70,69,67,6d,67,62,61,6d,70,62,70,6e,00,d6
"gacbpbimnnfpjp"=hex:6f,61,64,67,6a,6e,65,64,62,65,6b,63,66,62,6a,6b,6c,68,6a,
6a,68,6d,6f,6e,63,6b,63,67,64,62,00,00
"iabbcimbojlfnaamjo"=hex:68,61,67,6c,66,65,6f,6c,61,62,61,6c,64,63,70,64,00,38

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(768)
c:\windows\usws1da.dll

- - - - - - - > 'explorer.exe'(2500)
c:\program files\TortoiseSVN\bin\tortoisesvn.dll
c:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\windows\usws1da.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\roxio\easy cd creator 6\audiocentral\rxmon .exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\java\jre1.6.0_07\bin\jusched .exe
c:\program files\quicktime\qttask .exe
c:\program files\via\viaudioi\envyadeck\enmixcpl .exe
c:\program files\symantec\norton ghost 2003\ghoststarttrayapp .exe
.
**************************************************************************
.
Completion time: 2010-02-14 11:09:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-14 17:08
ComboFix2.txt 2010-02-14 00:52
ComboFix3.txt 2010-02-14 00:42
ComboFix4.txt 2010-02-13 22:15
ComboFix5.txt 2010-02-14 16:30

Pre-Run: 2,046,771,200 bytes free
Post-Run: 2,007,769,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

- - End Of File - - 16DCC75E90CF9AEA2E5F5AEA178C524A
[/code]

Second log of ComboFix
CODE
ComboFix 10-02-12.01 - X 02/14/2010  14:35:27.8.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1666 [GMT -6:00]
Running from: C:\smack.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\smss32.exe

.
(((((((((((((((((((((((((   Files Created from 2010-01-14 to 2010-02-14  )))))))))))))))))))))))))))))))
.

2010-02-14 19:13 . 2010-02-14 19:16    --------    d-----w-    C:\smack
2010-02-14 16:26 . 2010-02-14 00:04    3857112    ----a-r-    C:\smack.exe
2010-02-14 00:43 . 2010-02-14 00:04    3857112    ----a-r-    C:\ComboFix(3).exe
2010-02-13 22:05 . 2010-02-14 17:02    55296    ----a-w-    c:\documents and settings\X\nwiz.exe
2010-02-13 22:05 . 2010-02-14 17:02    55296    ----a-w-    c:\documents and settings\X\alcwzrd.exe
2010-02-13 22:05 . 2010-02-14 17:02    55296    ----a-w-    c:\documents and settings\X\hdaudpropshortcut.exe
2010-02-13 21:11 . 2010-02-06 22:28    3849526    ----a-r-    C:\ComboFix1.exe
2010-02-13 21:10 . 2010-02-13 21:10    55296    ----a-w-    c:\windows\system32\nwiz.exe
2010-02-13 21:10 . 2010-02-13 21:10    55296    ----a-w-    c:\windows\system32\alcwzrd.exe
2010-02-13 21:10 . 2010-02-13 21:10    55296    ----a-w-    c:\windows\system32\soundman.exe
2010-02-13 20:57 . 2010-02-13 20:57    55296    ----a-w-    C:\owhjo.exe
2010-02-13 20:57 . 2010-02-13 20:57    43520    ----a-w-    C:\viqu.exe
2010-02-13 20:57 . 2010-02-13 20:57    52736    ----a-w-    C:\wgtqgxch.exe
2010-02-13 20:57 . 2010-02-13 20:57    43008    ----a-w-    C:\cdgxgtxp.exe
2010-02-13 20:57 . 2010-02-13 20:57    120    ----a-w-    c:\windows\Elajusocac.dat
2010-02-13 20:57 . 2010-02-13 20:57    0    ----a-w-    c:\windows\Cmatetuhes.bin
2010-02-13 20:54 . 2010-02-13 20:54    --------    d-----w-    c:\documents and settings\All Users\Microsoft PData
2010-02-13 20:53 . 2010-02-13 20:53    52736    ----a-w-    C:\kkalf.exe
2010-02-08 14:52 . 2010-02-08 14:53    36630343    ----a-w-    C:\tribessoundtrack.zip
2010-01-21 17:19 . 2010-01-21 17:32    --------    d-----w-    c:\documents and settings\X\Application Data\TS3Client
2010-01-21 17:18 . 2010-01-21 17:18    --------    d-----w-    c:\program files\TeamSpeak 3 Client
2010-01-21 17:15 . 2010-01-21 17:15    --------    d-----w-    c:\documents and settings\All Users\Application Data\boost_interprocess

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 19:35 . 2005-01-20 11:44    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-02-14 19:35 . 2006-05-05 22:28    --------    d-----w-    c:\program files\QuickTime
2010-02-14 19:35 . 2008-10-30 09:43    --------    d-----w-    c:\program files\DNA
2010-02-14 17:02 . 2008-10-30 09:43    --------    d-----w-    c:\documents and settings\X\Application Data\DNA
2010-02-13 21:10 . 2004-03-17 20:10    55296    ----a-w-    c:\windows\system32\hdaudpropshortcut.exe
2010-02-13 20:53 . 2010-02-13 20:53    55296    ----a-w-    c:\windows\system32\OLD6F4.tmp
2010-02-13 20:53 . 2010-02-13 20:53    55296    ----a-w-    c:\windows\system32\OLD6F1.tmp
2010-01-25 00:48 . 2004-12-06 14:00    --------    d-----w-    c:\program files\Paint Shop Pro 6
2010-01-11 03:42 . 2009-10-30 19:30    --------    d-----w-    c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-04 20:39 . 2010-01-04 20:39    183462    ----a-w-    C:\fr-041_debris.zip
2010-01-04 20:24 . 2010-01-04 20:24    100185    ----a-w-    C:\kkrieger-beta.zip
2010-01-03 20:41 . 2010-01-03 20:40    --------    d-----w-    c:\documents and settings\All Users\Application Data\Symantec
2010-01-03 20:41 . 2010-01-03 20:40    --------    d-----w-    c:\program files\Symantec
2010-01-03 20:41 . 2010-01-03 20:41    --------    d-----w-    c:\documents and settings\X\Application Data\Symantec
2010-01-03 20:41 . 2010-01-03 20:41    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2010-01-03 20:04 . 2006-09-11 11:02    --------    d-----w-    c:\documents and settings\X\Application Data\BitTorrent
2010-01-02 18:58 . 2010-01-02 18:57    --------    d-----w-    c:\program files\NVIDIA Corporation
2010-01-02 18:57 . 2010-01-02 18:57    --------    d-----w-    c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-01-02 03:59 . 2007-06-11 12:59    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2009-12-30 09:49 . 2009-12-30 09:49    --------    d-----w-    c:\program files\SystemRequirementsLab
2009-12-30 09:49 . 2009-12-30 09:49    --------    d-----w-    c:\documents and settings\X\Application Data\SystemRequirementsLab
2009-12-30 09:49 . 2009-12-30 09:49    290816    ----a-w-    c:\documents and settings\X\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-12-30 09:49 . 2009-12-30 09:49    290816    ----a-w-    c:\documents and settings\X\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-12-30 09:49 . 2009-12-30 09:49    290816    ----a-w-    c:\documents and settings\X\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-12-30 09:49 . 2009-12-30 09:49    290816    ----a-w-    c:\documents and settings\X\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-12-28 02:58 . 2009-12-28 02:56    160217136    ----a-w-    C:\DiscWizardSetup.en.exe
2009-12-02 10:11 . 2009-12-02 10:11    1297814    ----a-w-    C:\fwfwdfwbeercanmodelcars.zip
2009-11-30 17:31 . 2009-11-30 17:31    4886870    ----a-w-    C:\HandBrake-0.9.4-Win_GUI.exe
2009-11-24 20:49 . 2009-11-24 20:49    2169915    ----a-w-    C:\SetupImgBurn_2.5.0.0.exe
2009-11-21 02:32 . 2009-11-21 02:32    278120    ----a-w-    c:\windows\system32\nvmccs.dll
2009-11-21 02:32 . 2009-11-21 02:32    154216    ----a-w-    c:\windows\system32\nvsvc32.exe
2009-11-21 02:32 . 2009-11-21 02:32    145000    ----a-w-    c:\windows\system32\nvcolor.exe
2009-11-21 02:32 . 2009-11-21 02:32    12669544    ----a-w-    c:\windows\system32\nvcpl.dll
2009-11-21 02:32 . 2009-11-21 02:32    110184    ----a-w-    c:\windows\system32\nvmctray.dll
2009-11-21 02:32 . 2009-11-21 02:32    81920    ----a-w-    c:\windows\system32\nvwddi.dll
2009-11-20 03:42 . 2006-02-26 12:20    592488    ----a-w-    c:\windows\system32\NVUNINST.EXE
2009-11-18 05:02 . 2009-11-18 05:02    3749896    ----a-w-    C:\rcsetup132.exe
2004-05-06 18:11 . 2005-03-17 16:42    777    ----a-w-    c:\program files\trial_setup.ini
2004-05-06 18:11 . 2005-03-17 16:42    4289024    ----a-w-    c:\program files\trial_setup.msi
2004-05-06 18:11 . 2005-03-17 16:42    40448    ----a-w-    c:\program files\trial_setup.exe
1999-08-13 12:00 . 2004-12-06 14:02    4820    ----a-w-    c:\program files\CAMUNWISE.INI
2007-09-16 06:35 . 2007-10-14 14:24    66408    ----a-w-    c:\program files\mozilla firefox\components\jar50.dll
2007-09-16 06:35 . 2007-10-14 14:24    54112    ----a-w-    c:\program files\mozilla firefox\components\jsd3250.dll
2007-09-16 06:35 . 2007-10-14 14:24    34688    ----a-w-    c:\program files\mozilla firefox\components\myspell.dll
2007-09-16 06:35 . 2007-10-14 14:24    46456    ----a-w-    c:\program files\mozilla firefox\components\spellchk.dll
2007-09-16 06:35 . 2007-10-14 14:24    171880    ----a-w-    c:\program files\mozilla firefox\components\xpinstal.dll
1601-01-01 00:03 . 1601-01-01 00:03    51712    --sha-w-    c:\windows\system32\fahofulu.dll
.
[code]<pre>
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\Common Files\Roxio Shared\System\engutil .exe
c:\program files\DNA\btdna .exe
c:\program files\IGN\Download Manager\dlm .exe
c:\program files\Java\jre1.6.0_07\bin\jusched .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\rxmon .exe
c:\program files\Spybot - Search & Destroy\rundll32 .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\Symantec\Norton Ghost 2003\ghoststarttrayapp .exe
c:\program files\VIA\VIAudioi\EnvyADeck\enmixcpl .exe
</pre>


((((((((((((((((((((((((((((( SnapShot@2010-02-14_00.49.27 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-18 12:00 . 2010-02-14 00:31 63188 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2010-02-14 19:19 63188 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2010-02-14 19:19 403968 c:\windows\system32\perfh009.dat
- 2001-08-18 12:00 . 2010-02-14 00:31 403968 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{515af288-a40f-4e8a-bc96-dccf71f97cfd}]
1601-01-01 00:03 51712 --sha-w- c:\windows\system32\fahofulu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2010-02-14 55296]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2010-02-14 55296]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-02-14 55296]
"Google Update"="c:\documents and settings\X\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-14 55296]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2010-02-14 55296]
"smss32.exe"="c:\windows\system32\smss32.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2010-02-14 55296]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2010-02-14 55296]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2010-02-14 55296]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2010-02-13 55296]
"SoundMan"="SOUNDMAN.EXE" [2010-02-13 55296]
"AlcWzrd"="ALCWZRD.EXE" [2010-02-13 55296]
"EnvyHFCPL"="c:\program files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe" [2010-02-14 55296]
"nwiz"="nwiz.exe" [2010-02-13 55296]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2010-02-14 55296]
"advanceddefender"="c:\program files\Advanced Defender\advanceddefender.exe" [N/A]
"zodehojahi"="lizoraka.dll" [N/A]

c:\documents and settings\X\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2007-7-18 1873280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli usws1da.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-11-21 02:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-02-13 21:10 55296 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"seclogon"=2 (0x2)
"rpcapd"=3 (0x3)
"RemoteRegistry"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"c:\\Mod\\Tribes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire 4.2.6 Pro\\LimeWire.exe"=
"c:\\Battlefield2\\BF2.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Dynamix\\TRIBES\\TribesWithExtras.exe"=
"f:\\BackupNov05\\Trillian\\trillian.exe"=
"c:\\GUI_Tribes\\Tribes.exe"=
"c:\\haxinids_alpha_1\\Haxinids.exe"=
"c:\\Torque\\example\\torqueDemo.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"f:\\Tribes\\Tribes.exe"=
"c:\\HaxTribes\\Tribes.exe"=
"c:\\freshT\\TrOrbs\\Tribes.exe"=
"c:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142 Demo\\BF2142.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars Beta\\etqw.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"c:\\Plasconfig\\Tribes.exe"=
"c:\\TRIBES18\\Tribes.exe"=
"c:\\Dynamix\\Tribes\\Tribes.exe"=
"c:\\Documents and Settings\\X\\Application Data\\Aventail\\ewpca\\ewpca.exe"=
"c:\\Program Files\\QWS3270 PLUS\\AutoUpdt.exe"=
"c:\\Program Files\\QWS3270 PLUS\\QWS3287p.exe"=
"c:\\Program Files\\QWS3270 PLUS\\lpd.exe"=
"c:\\Program Files\\QWS3270 PLUS\\QWS3270p.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\ETQW\\etqw.exe"=
"c:\\ETQW\\etqwded.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\orbplasmatic\\team fortress 2\\hl2.exe"=
"c:\\GUI_Tribes_new\\Tribes.exe"=
"\\\\Ivory\\C\\tribes1.4.2\\Tribes.exe"=
"c:\\Documents and Settings\\X\\Application Data\\GarageGames\\IAPlayer\\products\\www_playtribes_mobi\\1337\\install\\Tribes.exe"=
"c:\\mod\\Editor.exe"=
"c:\\mod_old\\Tribes.exe"=
"c:\\mod_old\\Tribes_collision.exe"=
"c:\\Program Files\\Starsiege 2845 Alpha Tech Release\\SS2845\\ss2845.exe"=
"c:\\Documents and Settings\\X\\Application Data\\GarageGames\\IAPlayer\\products\\test_playtribes_com\\1337\\install\\Tribes.exe"=
"c:\\mod_1.40.638\\Tribes.exe"=
"\\\\Ivory\\C\\Server\\tribes.exe"=
"c:\\mod_1.40.638\\Editor.exe"=
"c:\\mod_1.40.655\\Tribes.exe"=
"c:\\mod_1.40.655\\Editor.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Trorbs\\Tribes.exe"=
"c:\\mod_old\\stepupTribes.exe"=
"c:\\reinstall\\teamspeak3-server_win32-3.0.0-beta16\\teamspeak3-server_win32\\ts3server_win32.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\Program Files\\DNA\\btdna .exe"=
"c:\\WINDOWS\\system32\\regsvr32.exe"=
"c:\\Program Files\\QuickTime\\qttask .exe"=
"c:\\Program Files\\QuickTime\\qttask .exe"=

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [11/24/2007 9:10 PM 5248]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [6/3/2008 10:51 PM 46744]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [4/17/2009 12:02 PM 77952]
S0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [11/24/2007 9:10 PM 160640]
S2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [4/17/2009 12:04 PM 224867]
S2 ScFBPNT;CanoScan FBP Port Driver;c:\windows\system32\drivers\SCFBPNT.SYS [3/22/2005 6:14 PM 16288]
S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [11/1/2008 4:15 AM 627840]
S3 Ma730Pt;MA730 Bluetooth VCOM Driver;c:\windows\system32\drivers\ma730Pt.sys [3/14/2009 2:21 AM 103040]
S3 Ma730Vad;MA730 Bluetooth Audio;c:\windows\system32\drivers\Ma730Vad.sys [3/14/2009 2:21 AM 23376]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [4/17/2009 12:03 PM 20608]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [4/17/2009 12:01 PM 25216]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [4/17/2009 12:03 PM 23168]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 3:10 PM 32512]
.
Contents of the 'Scheduled Tasks' folder

2010-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-287218729-725345543-1003Core.job
- c:\documents and settings\X\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-05 19:35]

2010-02-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-287218729-725345543-1003UA.job
- c:\documents and settings\X\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-05 19:35]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
TCP: {01D9094B-6B79-4F8A-883B-0C05425544D2} = 93.188.164.56,93.188.166.62
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\X\Application Data\Mozilla\Firefox\Profiles\kzhwfqyp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\X\Application Data\Mozilla\Firefox\Profiles\kzhwfqyp.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\X\Application Data\Mozilla\Firefox\Profiles\kzhwfqyp.default\extensions\iaplayerdb@instantaction.com\plugins\npiaplayerd.dll
FF - plugin: c:\documents and settings\X\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\firefox\plugins\npbittorrent.dll
FF - plugin: c:\firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
EnvyHFCPL = c:\program files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1?????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-287218729-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1177238915-287218729-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CF41039D-FA92-7B19-FA87-D3F32A73955D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abpaeigpocolagcafnpnpfpbhjkmgmppab"=hex:6a,61,62,62,68,69,6a,67,70,62,68,61,
6d,6b,65,62,61,6b,61,61,00,fb
"macbpbimnnfpjpaffhfbpllacb"=hex:6f,61,6b,66,67,66,6a,68,70,63,6e,70,6f,63,66,
62,68,69,70,69,67,6d,67,62,61,6d,70,62,70,6e,00,d6
"gacbpbimnnfpjp"=hex:6f,61,64,67,6a,6e,65,64,62,65,6b,63,66,62,6a,6b,6c,68,6a,
6a,68,6d,6f,6e,63,6b,63,67,64,62,00,00
"iabbcimbojlfnaamjo"=hex:68,61,67,6c,66,65,6f,6c,61,62,61,6c,64,63,70,64,00,38

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG04.00.00.01SERVER"="DB1E4CFC3F1FC9697097E394F41F196918EC3C49556945F7ADFAFB5E5FAF1B763B96B861F6890E6049B5ED433307FA882EEF84333B92F81FF6C9F15036A6BD09DBCE61284B550E0C4B81EC8DAC1944457D9667FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E6678EDD5E5BE2F6E667A2D97226D213B555C038D530D6EB34520110E6ED238114A9D1675A99AEE8C2E73DAC9F9255F082AE263721C26817140F6B45A54A9DF4F332318AA8030BD6992109CBF9946CDF0323D912B31A40C391A62964814B2E0CB33C269AAEC9BDECE71E8CB8126ADF2D01D0505EBE20491EC946A7460867981E6C1ED1D2D7CBCFB432ED3CAF517A9EB30F9CF4FBC56674EE7D4BE58BFD75F208AACF6735C34A9DBAF342A5B2528FE74FB593C78B045E888661BA781658B3A7A76FEE3305466AD5901CEFE3076756D0E36EE25A7465611EB71CBD878D41C077E030BC8F49E6B57CC989712B351562C1D4A8DED5DF0CA9A3D7CA1ECF5D9722729DD51C70CFE01BE97F94E5C00A132AF80EC8FD74BCCD56DA417DCDA1B46FBE81C5BC9859A724E8C8CE088D0097CD0985FB24DA853DB3EBD955375E61858D655ECC36DDE3A5545699D69E4E5633E5BACD1085B4ECD67B508973F00A06096D441724083CBC61C87D303D8D3345F4B0E409402DEDA0C316502905962C1E393D7110436AA927B78BD934AA79E964BAB58AC506CD8D2E832A9AC87208C3C755DEE400278BBE76C85ECEA14C7DC2DD26B11962DF8EBEB2D590C24F2B19F3B86069F9F04F8BB79477B3A0C7D126B5EF1B95DD96CD8A50E143D7BFF5A2910737A128F1C0BD7E767F6CB3F74AF076DB6C43060AE85750350415BEEE4B4F2EE7A2A498F0247BEEFEC716B964A16064F2398BDBB5B684E204F358BD0D30AA9E266837ED00A09459FB13A054D5995F585D52A6A1DA316439F82060FD3E5AB308F58F6E8D8A92182FB799044822D12DB32044871A57DC083FF08CC3DB8B54EE01AF2E9F13E1A61954A5A9F58B823D0EC4E632E8B8ED1205D270D15B685EFBDF15CDEF68CD395F30A3D7A4F24C1425CA547D5147A645FDF4C71D97C66B878214457197253D2B96F7688A7FBB67D824B01BD6EDE33F67A1756543A0665CB96D19065D777A1B31F411E317C3D4F1B52A11470964441543D1A865503FE1E98B1880BEFBF94F502EF89FCC818D85B2F47BBE7B4D2831E92A3733F758D9A275F92E624BD519CE7C65F5C94A6D8F59A5C22F934D82BEB6B8534DBF3F126CD69364B2D97C9D6668717F133CF9A28F23F9B0316B46A843A72DD9E7FB535886F10F0D7B831626844F3509CAA5ED90E3F493B5C22865686399273AA819B
FA9CA28E49BB004CE66AEF903F1EA3B28C5FC268929F52E1C0A61E33CD80ACC01A8F0F4C69B53"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(640)
c:\windows\usws1da.dll
.
Completion time: 2010-02-14 14:45:33
ComboFix-quarantined-files.txt 2010-02-14 20:45
ComboFix2.txt 2010-02-14 19:34
ComboFix3.txt 2010-02-14 00:52
ComboFix4.txt 2010-02-14 00:42
ComboFix5.txt 2010-02-14 20:30

Pre-Run: 1,979,961,344 bytes free
Post-Run: 1,965,375,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

- - End Of File - - 8AEF43CB4C0C6AF394C3459645B276DD
[/code]

I'm in safe mode now running a dr.web scan, and have found these as being infected.
app_dll.dll
r_server.exe
cdgxgtxp.exe
sdfix.exe

Edited by Pandy, 15 February 2010 - 05:14 PM.
Moved from Win XP Home and Pro ~Pandy



#2 Plasmatic

Plasmatic
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 16 February 2010 - 11:38 AM

Saturday afternoon I was surfing with Firefox, when IE started up on its own and my system started a 'security scan'. I don't recall clicking on any rogue message dialogs or popups.

I killed multiple instances of rogue processes in taskmanager - started with cmd, but they were spawning faster than I could kill them. I disconnected my lan cable and restarted. Ported combofix with a flash drive to the machine and tried to run, the virus kept closing it. Restarted in safe mode and was able to run it renamed with cmd. Combofix reported I had drive emulators running (I do) and needed to disable them just before rebooting. I think the virus was rebooting before combofix had a chance to run. This happened a few times. Now the machine will run combofix, but I cannot get the recovery console installed - with the automatic download or manually copied from another machine. Windows update is unavailable, probably blocked, as are most other windows.com pages. arcotray.exe keeps popping up with an error and closing - I think this is my sound driver.

Yesterday I ran drweb-cureit and it found some infections, but wasn't able to clean the virus. IEexplore keeps popping up in taskmanager.

Today ieexplore keeps popping up and playing sounds, they sound like advertisements, although the first one was 'congratulations, you've won'. Someone has a sense of humor... They go away when I kill ie in taskmanager. I ran msconfig and unchecked anything suspicious looking in startup and rebooted. ie has been quiet so far, and combofix is running. Still can't get the recovery console installed, even manually.

Edited by Orange Blossom, 20 February 2010 - 03:31 PM.
Merged topics and moved to log forum. ~ OB


#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:30 AM

Posted 20 February 2010 - 07:22 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#4 Plasmatic

Plasmatic
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 21 February 2010 - 10:13 PM

I've just been able to boot the machine again. When I did Windows required me to re-register windows. I am using a legitimate copy, and this was registered some 7 years ago. I'm back online. IE once again started up on its own even though I'm using FF. I keep getting strange popups, and my focus keeps being grabbed so I have to keep clicking back into this window. Aaaargh. I would reinstall XP on this machine but I've got a large collection of programs I use here.

#5 Plasmatic

Plasmatic
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 22 February 2010 - 12:08 PM

I moved my firefox favorites to another machine last night, what a nightmare. I would get about 2 minutes of use out of the machine before it became unresponsive. I can no longer get to this site with it either. HALP!

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:30 AM

Posted 22 February 2010 - 02:32 PM

QUOTE
Now the machine will run combofix, but I cannot get the recovery console installed


Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


However, if Combofix will run but without the recovery console then we will run it.


First though, boot into safe mode and run MBAM. Rename it mblah and change the extension to .bat (i.e., mblah.bat)

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then delete your copy of Combofix and then run Combofix as below but in safe mode.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Post both of the logs in your next reply.

Thanks
m0le is a proud member of UNITE

#7 Plasmatic

Plasmatic
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 23 February 2010 - 02:28 PM

I cannot get mbam.exe onto the computer. The installer runs fine (I used a USB drive to move it to the computer as this site is now blocked), but I cannot find mbam.exe once the installer completes. I can see mbam.exe being removed if I open the folder I'm installing to while the installer is running. I even tried renaming it once it was created.

edit:
ok, this is a fun virus! I installed mbam onto my laptop, renamed mbam.exe to x.exe and ported the directory over. Replacing the install. Now it pops an error code 703 (0,53) when I run it. The virus must also be deleting or changing something outside the directory.

Edited by Plasmatic, 23 February 2010 - 02:34 PM.


#8 Plasmatic

Plasmatic
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 23 February 2010 - 04:22 PM

Laptop was just attacked. Luckily I had mbam installed and updated. I had to run it with a cmd prompt.

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:30 AM

Posted 23 February 2010 - 06:37 PM

So you didn't change the file extension on MBAM... but you ran it from the cmd prompt?

Did you get a log?

Are you now attempting to run Combofix?
m0le is a proud member of UNITE

#10 Plasmatic

Plasmatic
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:11:30 PM

Posted 23 February 2010 - 11:11 PM

On the first infection - my desktop I did run the mbam setup as mblah.bat as you recommended, and the installer ran through the entire install process. I tried the default dir first, but when that failed I set the target dir as mam, same result. I then looked in the dir and the shortcut targets - mbam.exe were missing. I ran the installer again with the dir open and watched the files drop, then be removed.

I used my laptop to install and update mbam, renamed mbam.exe then copied the dir over to the desktop with a flash drive, no go. mbam popped an error. I reinstalled mbam in another dir without updating and tried again. Still no go.

While I was away running errands I left my laptop in the office running on battery. Shortly after I returned, I read a few posts at another forum I frequent, then the laptop went into hibernation. I got the charger and brought it out of hibernation. When I did 'Antivirus XP 2010' came up, and my security center went nuts. 5-10 shield Icons in the tray. I shut down the wireless card and tried to run mbam.exe from the desktop icon, but it wouldn't, I opened the dir and tried double click, nothing. Opened a cmd prompt and ran. First run it rebooted, but as it was I saw adaware was blocking a reg change, so I ran it again. I'm a little hesitant to pull logs with my usb as it may be how the virus transferred.

#11 Plasmatic

Plasmatic
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 23 February 2010 - 11:33 PM

First run mbam on laptop
QUOTE
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/23/2010 3:08:49 PM
mbam-log-2010-02-23 (15-08-49).txt

Scan type: Quick Scan
Objects scanned: 113702
Time elapsed: 8 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\srfgnent.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: srfgnent.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\srfgnent.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aqlb.hjo (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\4.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\D61.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\D63.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.

Second run mbam on laptop
CODE
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/23/2010 4:13:26 PM
mbam-log-2010-02-23 (16-13-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 243050
Time elapsed: 56 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Plasmatic, 24 February 2010 - 12:58 AM.
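Reading the two MBAM logs above by hand is fine for one machine; as an added example (not part of this thread and not Malwarebytes' own tooling), here is a small Python parser for the MBAM 1.x log layout that pulls out what is still pending a reboot and which Security Center and LSA Notification Packages data items were reset, and cross-checks the header counts against the entries listed. The embedded sample log is a constructed, trimmed copy of the first laptop scan above.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log for reboot-pending and tampered items."""
import re
from dataclasses import dataclass

# Constructed sample input: a trimmed copy of the first laptop scan in this thread,
# in the MBAM 1.44 layout (summary counts adjusted to the entries kept here).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Scan type: Quick Scan

Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Data Items Infected: 4
Files Infected: 2

Memory Modules Infected:
C:\WINDOWS\srfgnent.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: srfgnent.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\srfgnent.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aqlb.hjo (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 2"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")

@dataclass
class Detection:
    section: str  # which "... Infected:" block the line came from
    item: str     # file path or registry key/value
    threat: str   # MBAM detection name, e.g. Trojan.Vundo.H
    detail: str   # extra data MBAM printed ("Data: srfgnent.dll"), or ""
    status: str   # remediation result, e.g. "Delete on reboot."

def parse_mbam_log(text):
    """Return (summary counts by section, list of Detection) for an MBAM 1.x log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := ENTRY_RE.match(line)):
            # The tail is "detail -> status" or just "status"; the last arrow wins.
            parts = [p.strip() for p in m.group("rest").split("->")]
            detections.append(Detection(section, m.group("item"), m.group("threat"),
                                        " -> ".join(parts[:-1]), parts[-1]))
    return summary, detections

def pending_reboot(detections):
    """Items MBAM could not remove while running; clean-up is not done until they are gone."""
    return [d for d in detections if d.status.lower().startswith("delete on reboot")]

TAMPER_MARKERS = ("\\security center\\", "\\lsa\\notification packages")

def security_tampering(detections):
    """Registry data a rogue AV changes to silence Security Center or load a DLL via LSA."""
    return [d for d in detections if d.section == "Registry Data Items Infected"
            and any(mk in d.item.lower() for mk in TAMPER_MARKERS)]

def count_mismatches(summary, detections):
    """Sections whose header count disagrees with the entries listed (truncated/edited log)."""
    seen = {}
    for d in detections:
        seen[d.section] = seen.get(d.section, 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in summary.items() if seen.get(s, 0) != n}

if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    print("needs reboot:", [d.item for d in pending_reboot(dets)])
    print("tampered:", [d.item for d in security_tampering(dets)])
    print("count mismatches:", count_mismatches(summary, dets))
```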


#12 Plasmatic

Plasmatic
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 23 February 2010 - 11:35 PM

Sorry for the 2x post.

Edited by Plasmatic, 24 February 2010 - 12:57 AM.


#13 Plasmatic

Plasmatic
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 23 February 2010 - 11:41 PM

The laptop is still infected. MSASCui.exe keeps showing up in taskmgr when the 'Antivirus XP 2010' window pops up.
MSASCUI.EXE-04DA3D71.pf in c:\windows\prefetch is the only file with this name on the machine. I'm running the updated mbam.exe now.

edit: Nothing found by mbam with updates. Running combofix now. The recovery console installed fine manually.

edit 2: Combofix seems to have cleared it. Turned firewall and wifi card back on, getting windows updates now. I'll try this new version of combofix on the desktop.
CODE
ComboFix 10-02-23.03 - Owner 02/23/2010  23:00:20.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.502.260 [GMT -6:00]
Running from: C:\ComFix.exe
Command switches used :: C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\{D4BE0567-17AF-4268-923A-493EDA49CD94}
c:\documents and settings\Owner\Local Settings\Application Data\{D4BE0567-17AF-4268-923A-493EDA49CD94}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{D4BE0567-17AF-4268-923A-493EDA49CD94}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{D4BE0567-17AF-4268-923A-493EDA49CD94}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{D4BE0567-17AF-4268-923A-493EDA49CD94}\install.rdf
c:\documents and settings\Owner\Local Settings\Application Data\av.exe
c:\documents and settings\Owner\Local Settings\Application Data\MSASCui.exe
C:\Thumbs.db
c:\windows\ogafatah.dll
c:\windows\system32\_000110_.tmp.dll
c:\windows\system32\incognito.exe
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2010-01-24 to 2010-02-24  )))))))))))))))))))))))))))))))
.

2010-02-24 04:55 . 2010-02-24 04:49    4614888    ----a-w-    C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2010-02-24 04:55 . 2010-02-24 04:43    3870177    ----a-r-    C:\ComFix.exe
2010-02-24 04:14 . 2010-02-16 05:10    9758152    ----a-w-    C:\maliciousremovaltool.exe
2010-02-23 19:28 . 2010-02-23 19:29    --------    d-----w-    C:\mam
2010-02-23 19:13 . 2010-02-23 19:13    --------    d-----w-    c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-23 19:13 . 2010-01-07 22:07    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 19:13 . 2010-02-23 19:13    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-23 19:13 . 2010-02-23 19:13    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-02-23 19:13 . 2010-01-07 22:07    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-02-20 23:50 . 2010-02-20 23:50    --------    d-----w-    C:\26182-replacing-timing-belt-2-4l-without-lift-detail-instructions_files
2010-02-15 03:32 . 2010-02-15 03:32    4608744    ----a-w-    C:\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2010-02-14 00:31 . 2010-02-14 00:31    --------    d-sh--w-    c:\documents and settings\Owner\IETldCache
2010-02-14 00:31 . 2010-02-14 00:31    --------    d-sh--w-    c:\windows\system32\config\systemprofile\IETldCache
2010-02-14 00:02 . 2009-12-11 08:38    69120    ------w-    c:\windows\system32\dllcache\iecompat.dll
2010-02-14 00:00 . 2010-02-14 00:02    --------    d-----w-    c:\windows\ie8updates
2010-02-13 23:59 . 2009-10-29 07:45    12800    ------w-    c:\windows\system32\dllcache\xpshims.dll
2010-02-13 23:59 . 2009-10-29 07:45    55296    ------w-    c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-13 23:59 . 2009-10-29 07:45    594432    ------w-    c:\windows\system32\dllcache\msfeeds.dll
2010-02-13 23:59 . 2009-10-29 07:45    246272    ------w-    c:\windows\system32\dllcache\ieproxy.dll
2010-02-13 23:59 . 2009-10-29 07:45    1985536    ------w-    c:\windows\system32\dllcache\iertutil.dll
2010-02-13 23:59 . 2009-10-29 07:45    11069952    ------w-    c:\windows\system32\dllcache\ieframe.dll
2010-02-13 23:58 . 2010-02-13 23:59    --------    dc-h--w-    c:\windows\ie8
2010-02-13 21:42 . 2009-12-31 16:50    353792    ------w-    c:\windows\system32\dllcache\srv.sys
2010-02-13 21:41 . 2009-12-04 18:22    455424    ------w-    c:\windows\system32\dllcache\mrxsmb.sys
2010-02-13 21:41 . 2009-10-15 16:28    81920    ------w-    c:\windows\system32\dllcache\fontsub.dll
2010-02-13 21:41 . 2009-10-15 16:28    119808    ------w-    c:\windows\system32\dllcache\t2embed.dll
2010-02-13 21:40 . 2009-11-21 15:51    471552    ------w-    c:\windows\system32\dllcache\aclayers.dll
2010-02-13 21:36 . 2009-06-21 21:44    153088    ------w-    c:\windows\system32\dllcache\triedit.dll
2010-02-13 21:34 . 2009-07-10 13:27    1315328    ------w-    c:\windows\system32\dllcache\msoe.dll
2010-02-13 21:31 . 2009-07-31 04:35    1172480    ------w-    c:\windows\system32\dllcache\msxml3.dll
2010-02-13 21:31 . 2008-10-15 16:34    337408    ------w-    c:\windows\system32\dllcache\netapi32.dll
2010-02-13 21:31 . 2008-05-01 14:33    331776    ------w-    c:\windows\system32\dllcache\msadce.dll
2010-02-13 21:31 . 2008-04-11 19:04    691712    ------w-    c:\windows\system32\dllcache\inetcomm.dll
2010-02-13 21:30 . 2008-06-13 11:05    272128    ------w-    c:\windows\system32\dllcache\bthport.sys
2010-02-13 21:30 . 2008-05-08 14:02    203136    ------w-    c:\windows\system32\dllcache\rmcast.sys
2010-01-31 18:00 . 2010-01-31 18:00    --------    d-----w-    c:\documents and settings\Owner\Application Data\Facebook
2010-01-28 18:40 . 2010-02-23 18:37    0    ----a-w-    c:\windows\Djekocinexilahe.bin
2010-01-28 18:40 . 2010-02-23 18:37    120    ----a-w-    c:\windows\Npuxuxiqi.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 12:47 . 2007-12-29 15:52    --------    d-----w-    c:\documents and settings\Owner\Application Data\U3
2010-02-05 00:08 . 2010-02-05 00:08    50176    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Windows\mspdb22.dll
2010-01-31 18:00 . 2010-01-31 18:00    50354    ----a-w-    c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe
2010-01-27 03:21 . 2010-01-27 03:21    847040    ----a-w-    c:\documents and settings\Owner\Application Data\Facebook\axfbootloader.dll
2010-01-27 03:20 . 2010-01-27 03:20    5578752    ----a-w-    c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
2009-12-31 16:50 . 2004-08-04 08:00    353792    ----a-w-    c:\windows\system32\drivers\srv.sys
2009-12-22 05:20 . 2009-12-22 05:20    81920    ------w-    c:\windows\system32\ieencode.dll
2009-12-16 18:43 . 2004-08-04 08:00    343040    ----a-w-    c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 08:00    33280    ----a-w-    c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-04 08:00    455424    ----a-w-    c:\windows\system32\drivers\mrxsmb.sys
2009-11-28 03:36 . 2007-03-20 02:35    16    ----a-w-    c:\windows\popcinfot.dat
2009-11-27 17:11 . 2004-08-04 08:00    17920    ----a-w-    c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2004-08-04 08:00    1291776    ----a-w-    c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2004-08-04 08:00    8704    ----a-w-    c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-04 08:00    28672    ----a-w-    c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2004-08-04 08:00    84992    ----a-w-    c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 08:00    48128    ----a-w-    c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2004-08-04 08:00    11264    ----a-w-    c:\windows\system32\msrle32.dll
2009-11-27 04:47 . 2009-11-27 04:48    411368    ----a-w-    c:\windows\system32\deploytk.dll
2009-11-27 04:42 . 2009-11-27 04:42    152576    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-27 04:42 . 2009-11-27 04:42    79488    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2006-05-06 16:42 . 2006-11-15 12:56    7260160    ----a-w-    c:\program files\mozilla firefox\plugins\libvlc.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 1415824]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-28 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\SS2845ATR\\SS2845\\ss2845.exe"=
"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"c:\\Tribes\\Tribes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe"=
"c:\\reinstall\\gladiators2\\Gladiators\\gladiators.exe"=
"c:\\reinstall\\gladiators(2)\\Gladiators\\gladiators.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 Odptdi;Odptdi;c:\windows\system32\drivers\odptdi.sys [8/14/2008 4:16 AM 46744]
S3 cisaspi0;Cistone ASPI Driver;\??\c:\windows\system32\Drivers\cisaspi0.sys --> c:\windows\system32\Drivers\cisaspi0.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [11/29/2006 4:12 AM 40960]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ups.com\www.remote
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7d4pgnqe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7d4pgnqe.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7d4pgnqe.default\extensions\iaplayerdb@instantaction.com\plugins\npiaplayerd.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
HKLM-Run-DetectorApp - c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
HKLM-Run-Isameluki - c:\windows\ogafatah.dll
ActiveSetup-{ADEEAF15-7FE8-DEDD-3FFF-4DF56EBB1DFB} - c:\windows\system32\incognito.exe
AddRemove-HP Rhapsody - c:\progra~1\HPRHAP~1\Unwise32.exe
AddRemove-Super Collapse! II - c:\progra~1\GAMEHO~1\COLLAP~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 23:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????hLC? ??????

scanning hidden files ...  


c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP\SmartHook.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-23  23:31:26 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-24 05:31

Pre-Run: 219,791,360 bytes free
Post-Run: 1,437,085,696 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - EC22187FE4890362CBF6735ABCB3828D

Edited by Plasmatic, 24 February 2010 - 12:56 AM.


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:30 AM

Posted 24 February 2010 - 07:49 AM

That's a good job, Plasmatic.

How is the PC running overall? Any problems at all now?


Let's hunt for remnants with ESET
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push



m0le is a proud member of UNITE

#15 Plasmatic

Plasmatic
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 24 February 2010 - 02:26 PM

ESET just finished.
QUOTE
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\mspdb22.dll a variant of Win32/Spy.Agent.NQT trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\My Documents\FrostWire\Saved\bleep you lily allen.mp3 WMA/TrojanDownloader.GetCodec.C trojan cleaned by deleting - quarantined
C:\Program Files\HPQ\Default Settings\CpqsetVer.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\av.exe.vir a variant of Win32/Kryptik.COL trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\MSASCui.exe.vir a variant of Win32/Kryptik.COL trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\incognito.exe.vir Win32/Oficla.CT trojan cleaned by deleting - quarantined
I'm going to have to get after the kid; looks like the second entry was the start of it on this machine. This laptop seems to be working just fine now. Thanks!

The desktop infection is still in there, and I haven't been able to do anything with it. Any suggestions beyond trying the new version of combofix?



