
Infected: Virus TBD


  • This topic is locked
22 replies to this topic

#1 Copperred


Posted 16 February 2010 - 02:07 PM

Hello,
My reports/logs are below/attached.

My computer is experiencing a number of issues, these include:

1. Browser does not seem to access certain sites.
2. Browser redirects
3. MSN Messenger Viruses whereby I get messages that were not sent with links to follow.
4. And most concerning, the computer seems to be locking up and hogging up CPU for no reason, and typing is incredibly slow, making me think I may have a key-logger or something.

All help most appreciated.

Thanks,
R


DDS (Ver_09-12-01.01) - NTFSx86
Run by RRK at 17:47:19.97 on Tue 02/16/2010
Internet Explorer: 7.0.6000.16809 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1023 [GMT 0:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 4.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\sttray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\RRK\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mWindow Title =
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\rrk\appdata\roaming\micros~1\windows\startm~1\programs\startup\wuala.lnk - c:\users\rrk\appdata\roaming\wuala\Wuala.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\rrk\appdata\roaming\mozilla\firefox\profiles\xvl8o19a.default\
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\users\rrk\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-02-16 17:16:14 0 d-sh--w- C:\$RECYCLE.BIN
2010-02-16 16:12:44 0 d-----w- c:\program files\TrendMicro
2010-02-16 12:50:08 0 ----a-w- c:\users\rrk\defogger_reenable
2010-02-16 12:19:08 0 d-----w- c:\users\rrk\appdata\roaming\Malwarebytes
2010-02-16 12:19:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 12:19:01 0 d-----w- c:\programdata\Malwarebytes
2010-02-16 12:19:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-16 12:19:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-16 01:14:45 0 d-----w- C:\MSNCleaner
2010-02-13 18:34:28 0 d-----w- c:\program files\AVG
2010-02-13 18:25:36 42 ----a-w- c:\windows\system32\AK083E209605E394C.lie
2010-02-01 14:18:45 524288 --sha-w- c:\users\rrk\ntuser.dat{7341944d-0f3a-11df-ad72-00e0b8e56ef5}.TMContainer00000000000000000002.regtrans-ms
2010-02-01 14:18:44 65536 --sha-w- c:\users\rrk\ntuser.dat{7341944d-0f3a-11df-ad72-00e0b8e56ef5}.TM.blf
2010-02-01 14:18:44 524288 --sha-w- c:\users\rrk\ntuser.dat{7341944d-0f3a-11df-ad72-00e0b8e56ef5}.TMContainer00000000000000000001.regtrans-ms

==================== Find3M ====================

2010-01-14 11:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-20 14:48:56 196720 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-09 22:54:07 261632 ----a-w- c:\windows\PEV.exe
2009-09-02 22:52:47 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-02 22:52:47 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-09-02 22:52:43 86016 ----a-w- c:\windows\inf\infstor.dat
2008-07-14 20:02:46 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-02-23 18:33:39 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-02-23 18:33:39 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-02-23 18:33:39 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-08-06 14:56:21 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-08-06 14:56:21 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-08-06 14:56:21 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 17:47:38.55 ===============
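The DDS "Pseudo HJT Report" above is read by eye in this thread, but the entries a responder looks at first can be picked out mechanically. What follows is an added example, not code from the original post or from the DDS tool: a Python triage pass over a few lines copied from the log above. It flags BHO/toolbar entries whose DLL is gone ("No File", an orphaned CLSID registration), the `EnableLUA = 0` policy (UAC switched off, so anything the user launches gets full administrator rights with no prompt), the AppInit_DLLs value (a DLL loaded into every process that links user32.dll, a classic injection point, here pointing at a DLL under an AVG name), and autoruns whose target lives in a user-writable path. The `u`/`m` prefixes are DDS notation for HKCU and HKLM; the category names and the list of user-writable path patterns are the example's own assumptions.

```python
import re

# Constructed sample: entries copied from the DDS "Pseudo HJT Report" in the post above.
DDS_SAMPLE = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
StartupFolder: c:\users\rrk\appdata\roaming\micros~1\windows\startm~1\programs\startup\wuala.lnk - c:\users\rrk\appdata\roaming\wuala\Wuala.exe
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
""".strip().splitlines()

# BHO/toolbar entry whose CLSID is still registered but whose DLL no longer exists.
ORPHAN_RE = re.compile(r"^(?:BHO|TB):\s.*\s-\s+No File$")
# mPolicies-system is DDS shorthand for HKLM\...\Policies\System; EnableLUA=0 turns UAC off.
UAC_OFF_RE = re.compile(r"^mPolicies-system:\s*EnableLUA\s*=\s*0\b")
# uRun = HKCU Run, mRun = HKLM Run (DDS notation); StartupFolder lines are "<lnk> - <target>".
AUTORUN_RE = re.compile(
    r"^(?:[um]Run(?:Once)?:\s*\[[^\]]+\]\s*|StartupFolder:\s*.+?\s-\s)(?P<target>.+)$"
)
# Locations an unprivileged user can write to (assumed list; extend as needed).
USER_WRITABLE_RE = re.compile(
    r"\\(?:users|documents and settings)\\|\\appdata\\|%appdata%|%temp%|\\temp\\", re.I
)


def triage(lines):
    """Return (category, line) pairs for the entries a responder looks at first."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if ORPHAN_RE.match(line):
            findings.append(("orphan", line))
        elif UAC_OFF_RE.match(line):
            findings.append(("uac-disabled", line))
        elif line.startswith("AppInit_DLLs:"):
            # Loaded into every process that links user32.dll; verify the DLL.
            findings.append(("appinit-dll", line))
        else:
            m = AUTORUN_RE.match(line)
            if m and USER_WRITABLE_RE.search(m.group("target")):
                findings.append(("user-writable-autorun", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(DDS_SAMPLE):
        print(f"{category:22} {line}")
```

On the sample this reports three orphaned entries, the disabled UAC policy, the AppInit_DLLs value and the Wuala startup shortcut running out of the user profile; the Skype and Eraser entries, which point into Program Files, are not flagged.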



#2 m0le

  • Malware Response Team

Posted 20 February 2010 - 07:24 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Copperred


Posted 21 February 2010 - 10:04 AM

Yes, I am here.

#4 m0le


Posted 21 February 2010 - 11:51 AM

Well, there's nothing showing on the logs but that doesn't mean anything as some rootkits are still not being detected.

Please run Combofix

Please download ComboFix from one of these locations.
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

#5 m0le


Posted 23 February 2010 - 08:49 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like, you can PM me.

Thanks,


m0le

#6 m0le


Posted 26 February 2010 - 07:16 PM

You still there, Copperred?

Edited by m0le, 26 February 2010 - 07:17 PM.


#7 Copperred


Posted 26 February 2010 - 08:51 PM

Mole,
When I ran ComboFix (moments ago), it told me that it detected active real-time scanners, these being:

antivirus: ESET Nod 32 Antivirus 4.0
antispyware: ESET Nod 32 Antivirus 4.0

ESET Nod 32 Antivirus 4.0 is NOT installed on my computer. I did install it once about 2 months ago but removed it immediately. For some reason I cannot get all traces of it to vanish. So with that I continued with the ComboFix process. Below is my log from such.


LOG:

ComboFix 10-02-26.01 - RRK 02/26/2010 17:29:35.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1215 [GMT -8:00]
Running from: c:\users\RRK\Desktop\ComFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 4.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-27 01:35 . 2010-02-27 01:35 -------- d-----w- c:\users\RRK\AppData\Local\temp
2010-02-27 01:35 . 2010-02-27 01:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-27 01:35 . 2010-02-27 01:35 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-02-27 01:35 . 2010-02-27 01:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-27 01:35 . 2010-02-27 01:35 -------- d-----w- c:\users\AppData\AppData\Local\temp
2010-02-21 22:36 . 2010-02-21 22:36 -------- d-----w- c:\program files\Google
2010-02-18 01:50 . 2010-02-18 01:55 -------- d-----w- c:\users\RRK\AppData\Roaming\CasinoOnNet
2010-02-18 01:50 . 2010-02-18 01:55 -------- d-----w- c:\program files\CasinoOnNet
2010-02-17 00:34 . 2010-02-16 03:35 -------- d-----w- C:\Tor Browser
2010-02-17 00:29 . 2010-02-17 00:31 -------- d-----w- c:\users\RRK\AppData\Roaming\tor
2010-02-17 00:28 . 2010-02-17 00:28 -------- d-----w- c:\windows\system32\Data
2010-02-16 21:11 . 2010-02-16 21:15 -------- d-----w- c:\users\RRK\AppData\Roaming\IObit
2010-02-16 21:11 . 2010-02-16 21:11 -------- d-----w- c:\program files\IObit
2010-02-16 20:48 . 2010-02-16 20:48 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-02-16 16:12 . 2010-02-16 16:12 388096 ----a-r- c:\users\RRK\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-16 16:12 . 2010-02-16 16:12 -------- d-----w- c:\program files\TrendMicro
2010-02-16 12:19 . 2010-02-16 12:19 -------- d-----w- c:\users\RRK\AppData\Roaming\Malwarebytes
2010-02-16 12:19 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 12:19 . 2010-02-16 12:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-16 12:19 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-15 23:12 . 2010-02-16 16:54 0 ----a-w- c:\users\RRK\AppData\Local\prvlcl.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 01:24 . 2009-03-08 16:00 -------- d-----w- c:\users\RRK\AppData\Roaming\Skype
2010-02-26 17:53 . 2008-10-16 18:01 256 ----a-w- c:\windows\system32\pool.bin
2010-02-26 07:14 . 2009-03-14 15:21 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-16 16:40 . 2008-07-15 00:57 -------- d-----w- c:\program files\PeerGuardian2
2010-01-25 16:49 . 2009-06-14 07:36 -------- d-----w- c:\users\RRK\AppData\Roaming\Spotify
2010-01-14 11:12 . 2009-10-04 01:29 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-14 02:03 . 2009-04-05 12:53 -------- d-----w- c:\users\RRK\AppData\Roaming\Azureus
2010-01-11 16:45 . 2007-12-05 21:23 -------- d-----w- c:\program files\Microsoft Works
2010-01-10 04:35 . 2008-08-06 16:32 -------- d-----w- c:\program files\Macromedia
2010-01-10 04:34 . 2008-08-06 16:32 -------- d-----w- c:\program files\Common Files\Macromedia
2010-01-06 00:03 . 2008-07-14 18:47 -------- d-----w- c:\users\RRK\AppData\Roaming\skypePM
2010-01-05 20:08 . 2009-12-20 14:40 -------- d-----w- c:\users\RRK\AppData\Roaming\mIRC
2010-01-05 19:02 . 2009-12-20 14:40 -------- d-----w- c:\program files\mIRC
2010-01-02 22:59 . 2009-04-05 12:51 -------- d-----w- c:\program files\Vuze
2010-01-02 00:31 . 2010-01-02 00:07 -------- d-----w- c:\program files\7000 Years Calendar
2009-12-24 21:55 . 2009-12-24 21:55 0 ----a-w- c:\windows\nsreg.dat
2009-12-20 14:48 . 2009-12-20 14:48 196720 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-18 23:15 . 2009-04-05 23:33 10686001 ----a-w- c:\users\RRK\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
2010-02-21 22:36 . 2010-02-21 22:36 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-01-22 200280]
"Google Update"="c:\users\RRK\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-02-07 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-12-05 1006264]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-30 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2009-12-15 976784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-21 30192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

c:\users\RRK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Wuala.lnk - c:\users\RRK\AppData\Roaming\Wuala\Wuala.exe [2009-1-31 253952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1305929248-2196468230-1086222330-1000]
"EnableNotificationsRef"=dword:00000001

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2010 2:36 PM 30192]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 2:25 AM 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-27 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-02-16 11:02]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1305929248-2196468230-1086222330-1000Core.job
- c:\users\RRK\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-07 00:35]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1305929248-2196468230-1086222330-1000UA.job
- c:\users\RRK\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-07 00:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com
mWindow Title =
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\RRK\AppData\Roaming\Mozilla\Firefox\Profiles\xvl8o19a.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\users\RRK\AppData\Local\Google\Update\1.2.183.17\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 17:35
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\C245.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
Completion time: 2010-02-26 17:37:51
ComboFix-quarantined-files.txt 2010-02-27 01:37

Pre-Run: 33,204,887,552 bytes free
Post-Run: 33,178,546,176 bytes free

- - End Of File - - C21D69C04CDF89585E615A94836C4C63
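Two autorun snapshots of the same machine, ten days apart, are on this page: the DDS report in post #1 (16 Feb) and the ComboFix "Reg Loading Points" section above (26 Feb). Comparing them is the quickest way to see what changed between posts, which is the concern m0le raised about the time taken between replies. What follows is an added example, not code from the thread or from either tool: it parses a handful of lines copied from each log into a common (hive, key, value name) form, normalises the image path so that DDS's `%ProgramFiles%` and its quoted paths with arguments compare equal to ComboFix's literal `"path" [date size]` form, and reports entries added, removed or repointed, plus any autorun whose image sits under C:\Users, where every process of that user can overwrite it. The environment-variable table and the normalisation rules are the example's own assumptions. On these samples it reports three new Run entries (SmartRAM, Google Update, Google Desktop Search), the AppInit_DLLs value moved from the AVG DLL to a Google Desktop DLL, and Google Update running from the user profile.

```python
import re

# Constructed sample: autorun lines copied from the DDS report in post #1 (16 Feb).
DDS_BEFORE = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
""".strip().splitlines()

# Constructed sample: the matching "Reg Loading Points" entries from the ComboFix log above (26 Feb).
COMBOFIX_AFTER = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-01-22 200280]
"Google Update"="c:\users\RRK\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-02-07 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-12-05 1006264]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2009-12-15 976784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-21 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
""".strip().splitlines()

# Assumed expansions so DDS's %ProgramFiles% compares equal to ComboFix's literal path.
ENV = {"%programfiles%": "c:\\program files", "%windir%": "c:\\windows"}
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|cmd|bat))"?(?:\s|$)', re.I)
DDS_RE = re.compile(r"^(?P<hive>[um])(?P<key>Run(?:Once)?):\s*\[(?P<name>[^\]]+)\]\s*(?P<value>.+)$")
CF_HEADER_RE = re.compile(r"^\[(?P<hive>HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\(?P<path>.+)\]$", re.I)
CF_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')


def image_path(value):
    """Lower-case, expand known variables, drop quotes, arguments and ComboFix's [date size] suffix."""
    v = value.strip().lower()
    for var, expansion in ENV.items():
        v = v.replace(var, expansion)
    m = IMAGE_RE.match(v)
    return m.group("path") if m else v


def parse_dds(lines):
    """DDS pseudo-HJT lines -> {(hive, key, value name): image path}."""
    entries = {}
    for line in lines:
        m = DDS_RE.match(line.strip())
        if m:
            hive = "hkcu" if m.group("hive") == "u" else "hklm"
            entries[(hive, m.group("key").lower(), m.group("name").lower())] = image_path(m.group("value"))
        elif line.startswith("AppInit_DLLs:"):
            entries[("hklm", "appinit_dlls", "appinit_dlls")] = image_path(line.split(":", 1)[1])
    return entries


def parse_combofix(lines):
    """ComboFix REGEDIT4-style 'Reg Loading Points' -> same shape as parse_dds()."""
    entries = {}
    hive = key = None
    for line in lines:
        h = CF_HEADER_RE.match(line.strip())
        if h:
            hive = "hkcu" if h.group("hive").upper() == "HKEY_CURRENT_USER" else "hklm"
            key = h.group("path").rsplit("\\", 1)[-1].lower()
            continue
        v = CF_VALUE_RE.match(line.strip())
        if not v:
            continue
        if v.group("name").lower() == "appinit_dlls":
            entries[("hklm", "appinit_dlls", "appinit_dlls")] = image_path(v.group("value"))
        elif hive and key in ("run", "runonce"):
            entries[(hive, key, v.group("name").lower())] = image_path(v.group("value"))
    return entries


def diff_autoruns(before, after):
    """Entries added, removed, or pointing at a different image between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def user_profile_autoruns(entries):
    """Autoruns whose image lives under a user profile, writable by any process of that user."""
    return sorted(k for k, path in entries.items() if path.startswith("c:\\users\\"))


if __name__ == "__main__":
    before, after = parse_dds(DDS_BEFORE), parse_combofix(COMBOFIX_AFTER)
    for kind, keys in diff_autoruns(before, after).items():
        for k in keys:
            print(f"{kind:8} {k[0]}\\{k[1]}\\{k[2]} -> {after.get(k, before.get(k))}")
    for k in user_profile_autoruns(after):
        print(f"profile  {k[2]} -> {after[k]}")
```

The same key shape works for a third snapshot taken after a cleanup, so the pre- and post-fix logs that helpers ask for later in a thread can be diffed the same way.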


#8 m0le

  • Local time:11:25 PM

Posted 26 February 2010 - 10:06 PM

No, nothing there either.

The PC is looking very clean but the NOD32 running despite the removal is something we need to address first.

There is only one ESET uninstaller around and it's an unofficial Dutch program.

Click here to download.

Run it by right-clicking the file and selecting Run as administrator. Click Yes and let it do its stuff.


Once that has been run, please rerun ComboFix and post the log as before.

#9 Copperred


Posted 26 February 2010 - 10:47 PM


I ran the Dutch ESET remover already, before this ComboFix... no such luck. Other ideas?



#10 m0le


Posted 26 February 2010 - 10:50 PM

Yes. Let's scan for remnants.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    *NOD32*
    *ESET*
    :Regfind
    *NOD32*
    *ESET*
    :Folderfind
    *NOD32*
    *ESET*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 Copperred


Posted 26 February 2010 - 11:14 PM

I think it found some stuff :)

-----

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:09 on 26/02/2010 by RRK (Administrator - Elevation successful)

========== filefind ==========

Searching for "*NOD32*"
No files found.

Searching for "*ESET*"
C:\Program Files\AC3Filter\ac3filter_reg_presets.reg --a--- 2707 bytes [18:24 13/05/2007] [18:24 13/05/2007] FD4FCC561F33E09FF9EC41F54DDFF012
C:\Program Files\AC3Filter\ac3filter_reg_reset.reg --a--- 4642 bytes [11:26 09/08/2007] [11:26 09/08/2007] FBF67AC50B55841650BA8C1215E14274
C:\Program Files\AC3Filter\Presets.reg --a--- 4304 bytes [12:30 23/12/2009] [08:18 04/08/2009] C021F7844C548583B8441BFDF4EAE470
C:\Program Files\AC3Filter\Reset to defaults.reg --a--- 4642 bytes [12:30 23/12/2009] [08:18 04/08/2009] A4505DCF9C58736A58D2B7C44B2E980E
C:\Program Files\Common Files\Roxio Shared\9.0\Common Resources\Shared\Generic\Images\MarkIn_Reset.PNG -ra--- 4286 bytes [07:13 16/08/2007] [07:13 16/08/2007] F2CBBB3B914588560406F27377A24FDF
C:\Program Files\Common Files\Roxio Shared\9.0\Common Resources\Shared\Generic\Images\MarkOut_Reset.PNG -ra--- 4291 bytes [07:13 16/08/2007] [07:13 16/08/2007] 1C3381E0297705AF8DAC519F5EAA93F9
C:\Program Files\IObit\Advanced SystemCare 3\Language\ChineseTrad.lng --a--- 98386 bytes [21:11 16/02/2010] [13:21 20/04/2009] D9C91AB9BFDDC577DBD26C7411BCD4AF
C:\Program Files\Malwarebytes' Anti-Malware\Languages\chineseTR.lng --a--- 8141 bytes [12:19 16/02/2010] [11:58 04/08/2008] 20A74C0E7B3959EB48D3AEF00807D298
C:\Program Files\MSN\cclitesetupui.exe --a--- 3272760 bytes [12:34 02/11/2006] [12:34 02/11/2006] 9ACEBED0514731EFC211DB0F6240163B
C:\Program Files\PamFax\FaxCoreSetup.exe --a--- 6840096 bytes [23:11 25/05/2009] [23:14 25/05/2009] AAE807B1C2D0E48349EF88934B950282
C:\Program Files\PamFax\xulrunner\components\nsResetPref.js --a--- 7049 bytes [23:14 25/05/2009] [11:28 29/10/2004] 946FC3E721AD299232A4DE8B6338E1FB
C:\Program Files\Roxio\VideoUI 9\Skins\Default\Generic\Images\Reset.PNG -ra--- 1565 bytes [12:57 09/08/2007] [12:57 09/08/2007] E769DCD34879EB14206CD8AB2A637DC7
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AC3Filter\Reset to defaults.lnk --a--- 852 bytes [12:30 23/12/2009] [12:35 23/12/2009] 40F551C319F63C9A9F9872AB0C59C1AD
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AC3Filter\Restore default presets.lnk --a--- 728 bytes [12:30 23/12/2009] [12:30 23/12/2009] E253AF466AD5D96CC4BE9073E399CAE2
C:\Tor Browser\FirefoxPortable\App\DefaultData\settings\FirefoxPortableSettings.ini --a--- 52 bytes [00:34 17/02/2010] [03:35 16/02/2010] 0FF07F4D00D4A3348A107C5DC0E24A2D
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\AC3Filter\Reset to defaults.lnk --a--- 852 bytes [12:30 23/12/2009] [12:35 23/12/2009] 40F551C319F63C9A9F9872AB0C59C1AD
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\AC3Filter\Restore default presets.lnk --a--- 728 bytes [12:30 23/12/2009] [12:30 23/12/2009] E253AF466AD5D96CC4BE9073E399CAE2
C:\Users\RRK\AppData\Local\Google\Chrome\Application\4.0.249.78\Resources\Inspector\Images\paneSettingsButtons.png --a--- 1422 bytes [00:36 07/02/2010] [05:05 21/01/2010] 7430C4CB73295527331FAF15B75E6DC0
C:\Users\RRK\AppData\Local\Google\Chrome\Application\4.0.249.89\Resources\Inspector\Images\paneSettingsButtons.png --a--- 1422 bytes [10:38 12/02/2010] [07:49 04/02/2010] 7430C4CB73295527331FAF15B75E6DC0
C:\Users\RRK\AppData\Local\Macromedia\Flash 8\en\Configuration\HTML\Learning Extensions Srvr Files\frameset.htm --a--- 496 bytes [16:40 06/08/2008] [02:16 06/03/2002] 40B351CF0E88C7B940D8219C068D4E40
C:\Users\RRK\AppData\Roaming\CasinoOnNet\FlashGames\002FG\FlashGameSettings.cxm --a--- 963 bytes [01:55 18/02/2010] [01:55 18/02/2010] 2730EAA492D3F898BC181CCDCF8C519E
C:\Users\RRK\AppData\Roaming\CasinoOnNet\FlashGames\003FG\FlashGameSettings.cxm --a--- 919 bytes [01:54 18/02/2010] [01:54 18/02/2010] 991E0EBBAE80648D3A8D4EBC71922BB4
C:\Users\RRK\AppData\Roaming\CasinoOnNet\FlashGames\005FG\FlashGameSettings.cxm --a--- 914 bytes [01:54 18/02/2010] [01:54 18/02/2010] 5BF76FB3829564A61D82504E31851F13
C:\Users\RRK\AppData\Roaming\CasinoOnNet\FlashGames\006FG\FlashGameSettings.cxm --a--- 972 bytes [01:55 18/02/2010] [01:55 18/02/2010] B664AB519E67D20ADD218688D43664D5
C:\Users\RRK\AppData\Roaming\CasinoOnNet\FlashGames\007FG\FlashGameSettings.cxm --a--- 968 bytes [01:55 18/02/2010] [01:55 18/02/2010] 437F75DD4913FEB9AEBDE561E75ED513
C:\Users\RRK\AppData\Roaming\CasinoOnNet\FlashGames\009FG\FlashGameSettings.cxm --a--- 972 bytes [01:54 18/02/2010] [01:54 18/02/2010] 90A18B35E9E24F94C43B50839210F951
C:\Users\RRK\AppData\Roaming\CasinoOnNet\FlashGames\068FG\FlashGameSettings.cxm --a--- 968 bytes [01:55 18/02/2010] [01:55 18/02/2010] 77F8A41B3E0CAED195863F48B17EBFF1
C:\Users\RRK\AppData\Roaming\CasinoOnNet\FlashGames\069FG\FlashGameSettings.cxm --a--- 969 bytes [01:55 18/02/2010] [01:55 18/02/2010] FDB86B6E966F0643E3A572FE9E4361D1
C:\Users\RRK\Desktop\Action\4NCapital\4NCapital Internal\4NCP B. Cards, Logos & Websites\4N BACKUP OF SITE1\administrator\components\com_extplorer\scripts\editarea\images\reset_highlight.gif --a--- 168 bytes [01:29 04/09/2009] [01:29 04/09/2009] E9C387CC80F33B14447B628DF1906639
C:\Users\RRK\Desktop\Action\4NCapital\4NCapital Internal\4NCP B. Cards, Logos & Websites\4N BACKUP OF SITE1\components\com_user\models\reset.php --a--- 6656 bytes [01:40 04/09/2009] [01:40 04/09/2009] 949A8E16D7272705EEFE69F724D2E559
C:\Windows\OPTIONS\OemReset.exe --a--- 479232 bytes [00:01 12/06/2006] [02:06 02/12/2006] CDD73F7C229012EB65D3D2F3155BCDE7
C:\Windows\OPTIONS\OEMRESET.log --a--- 390 bytes [00:04 12/06/2006] [22:52 05/12/2007] F0A1B4BC7B233B2D7A8729C94CA03780
C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-51CF5640.pf --a--- 44992 bytes [18:41 26/02/2010] [18:41 26/02/2010] 17070083363DC6B6E659CE94C09EE773
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-i..p-support.resources_31bf3856ad364e35_6.0.6001.18000_en-us_9f112b5351ba1c75\iesetup.dll.mui --a--- 61440 bytes [02:06 16/09/2008] [07:38 19/01/2008] 62307A2F0C86A3E3CFF189CD926FE37F
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6001.18000_none_c5d0b5245e79496e\iesetup.dll --a--- 69120 bytes [02:10 16/09/2008] [07:34 19/01/2008] 4546EAA7EBE7C035FED0FD9519C69A11
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18000_none_10e972c4b4d2574c\iisreset.exe --a--- 14848 bytes [02:07 16/09/2008] [07:33 19/01/2008] 33AF28024C19C978456E7693B7146EF7
C:\Windows\System32\en-US\iesetup.dll.mui --a--- 6656 bytes [12:40 02/11/2006] [12:40 02/11/2006] 9F5416DD0F67D11A0C654D68134ACC7B
C:\Windows\System32\iesetup.dll --a--- 56320 bytes [11:48 15/03/2009] [04:16 15/01/2009] 6CF30A597C040FD85C0B35FBBC3ABDF7
C:\Windows\System32\onlinesetup.cmd --a--- 843 bytes [06:25 02/11/2006] [21:43 18/09/2006] 2901049544FDF863362FABA2363EB647
C:\Windows\winsxs\Manifests\x86_microsoft-windows-f..e-arabictypesetting_31bf3856ad364e35_6.0.6000.16386_none_4e0545ddcb402831.manifest --a--- 2514 bytes [10:21 02/11/2006] [10:18 02/11/2006] B7E1966B95DBB68E9335DEBC36603FDF
C:\Windows\winsxs\Manifests\x86_microsoft-windows-w..-chinesetraditional_31bf3856ad364e35_6.0.6000.16386_none_eb758a9f5909fbee.manifest --a--- 8528 bytes [10:21 02/11/2006] [10:13 02/11/2006] 74D0BF496AF12F001CD06011A58CF3D7
C:\Windows\winsxs\Manifests\x86_microsoft-windows-w..-chinesetraditional_31bf3856ad364e35_6.0.6001.18000_none_edac4c9b55f50cc2.manifest ------ 8528 bytes [01:52 16/09/2008] [04:14 19/01/2008] B85B3D10EBE0164919F38A317A3495E6
C:\Windows\winsxs\x86_microsoft-network-internet-access_31bf3856ad364e35_6.0.6000.16386_none_b85711c14117830d\cclitesetupui.exe --a--- 3272760 bytes [12:34 02/11/2006] [12:34 02/11/2006] 9ACEBED0514731EFC211DB0F6240163B
C:\Windows\winsxs\x86_microsoft-windows-i..libraries.resources_31bf3856ad364e35_6.0.6000.16386_en-us_4e037240be512b9d\iisreset.exe.mui --a--- 2560 bytes [12:41 02/11/2006] [12:41 02/11/2006] B514F6C2883FCCC6588AFC0617311F74
C:\Windows\winsxs\x86_microsoft-windows-i..libraries.resources_31bf3856ad364e35_6.0.6001.18000_en-us_503a343cbb3c3c71\iisreset.exe.mui --a--- 2560 bytes [12:41 02/11/2006] [12:41 02/11/2006] B514F6C2883FCCC6588AFC0617311F74
C:\Windows\winsxs\x86_microsoft-windows-i..p-support.resources_31bf3856ad364e35_6.0.6000.16386_en-us_9cda695754cf0ba1\iesetup.dll.mui --a--- 6656 bytes [12:40 02/11/2006] [12:40 02/11/2006] 9F5416DD0F67D11A0C654D68134ACC7B
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16386_none_c399f328618e389a\iesetup.dll --a--- 56320 bytes [08:49 02/11/2006] [09:46 02/11/2006] 721ADD0FD018BD50896A778AC9222BD3
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16448_none_c3c73552616bf8ab\iesetup.dll --a--- 56320 bytes [21:51 05/12/2007] [21:51 05/12/2007] 287739A122CBE640DE45EE1C66113B40
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16473_none_c3a1c41c6188cdcb\iesetup.dll --a--- 56320 bytes [21:55 05/12/2007] [21:55 05/12/2007] 4AB333BBB3C4225451DB1BB44A2A65C4
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16512_none_c3e1a540615909f5\iesetup.dll --a--- 56320 bytes [22:19 05/12/2007] [22:19 05/12/2007] CDD799860AE1F27820C21AAD4D87DBE6
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16546_none_c3c536a4616dc324\iesetup.dll --a--- 56320 bytes [22:39 05/12/2007] [22:39 05/12/2007] 698A56A004DBCD2904E7AA1B18B9D6B4
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16681_none_c394f7686192b15c\iesetup.dll --a--- 56320 bytes [19:47 14/07/2008] [19:47 14/07/2008] 58E873B501C427D87A3CE6C2AEAE1D78
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16711_none_c3e0a8c26159eaec\iesetup.dll --a--- 56320 bytes [14:28 13/08/2008] [03:54 27/06/2008] 9216045EE2356F621F082DB254154BA6
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16809_none_c3f37ce4614a96da\iesetup.dll --a--- 56320 bytes [11:48 15/03/2009] [04:16 15/01/2009] 6CF30A597C040FD85C0B35FBBC3ABDF7
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20547_none_c44fd1d37a8a7f1e\iesetup.dll --a--- 56320 bytes [21:51 05/12/2007] [21:51 05/12/2007] 982B062DFF318ABE41DF081E311E8895
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20583_none_c42090fb7aae8986\iesetup.dll --a--- 56320 bytes [21:55 05/12/2007] [21:55 05/12/2007] E6F758C0B7EB1BBA3DC29CDAB9D4233C
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20627_none_c46573917a7a4463\iesetup.dll --a--- 56320 bytes [22:19 05/12/2007] [22:19 05/12/2007] B7E9A9DF34746030B876B1A2C0969944
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20663_none_c43632b97a9e4ecb\iesetup.dll --a--- 56320 bytes [22:39 05/12/2007] [22:39 05/12/2007] 817073EC7CF19C701D305C5DECFC7DB1
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20823_none_c46176357a7dd955\iesetup.dll --a--- 56320 bytes [19:46 14/07/2008] [19:46 14/07/2008] A67B6F5F7DAA838880BA93CC1D7DA2D2
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20868_none_c43b37f77a99c7cc\iesetup.dll --a--- 56320 bytes [14:28 13/08/2008] [03:46 27/06/2008] 3D7AE489FC688791ECFEA6271FBB5309
C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20996_none_c418c9857ab3e618\iesetup.dll --a--- 56320 bytes [11:48 15/03/2009] [04:15 15/01/2009] E62AFB71A404BB5D7221F12CAB71F554
C:\Windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.16386_none_0eb2b0c8b7e74678\iisreset.exe --a--- 14848 bytes [12:36 02/11/2006] [12:36 02/11/2006] 48F5D26A849ACFFFF5BDE29479539AA2
C:\Windows\winsxs\x86_microsoft.windows.c..ration.online.setup_31bf3856ad364e35_6.0.6000.16386_none_af9327d944243302\onlinesetup.cmd --a--- 843 bytes [06:25 02/11/2006] [21:43 18/09/2006] 2901049544FDF863362FABA2363EB647

========== Regfind ==========

Searching for "*NOD32*"
No data found.

Searching for "*ESET*"
No data found.

========== Folderfind ==========

Searching for "*NOD32*"
C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET NOD32 Antivirus d----- [10:45 01/12/2009]

Searching for "*ESET*"
C:\Users\RRK\Desktop\Action\4NCapital\4NCapital Internal\4NCP B. Cards, Logos & Websites\4N BACKUP OF SITE1\components\com_user\views\reset d----- [01:40 04/09/2009]
C:\Windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_microsoft-windows-w..-chinesetraditional_31bf3856ad364e35_6.0.6001.18000_none_edac4c9b55f50cc2 d----- [02:12 16/09/2008]
C:\Windows\System32\config\systemprofile\AppData\Local\ESET d----- [10:45 01/12/2009]
C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET NOD32 Antivirus d----- [10:45 01/12/2009]
C:\Windows\winsxs\x86_microsoft-windows-f..e-arabictypesetting_31bf3856ad364e35_6.0.6000.16386_none_4e0545ddcb402831 d----- [11:18 02/11/2006]
C:\Windows\winsxs\x86_microsoft-windows-w..-chinesetraditional_31bf3856ad364e35_6.0.6000.16386_none_eb758a9f5909fbee d----- [11:19 02/11/2006]
C:\Windows\winsxs\x86_microsoft-windows-w..-chinesetraditional_31bf3856ad364e35_6.0.6001.18000_none_edac4c9b55f50cc2 d----- [01:55 16/09/2008]

-=End Of File=-

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:25 PM

Posted 27 February 2010 - 05:48 AM

Yes, it did. Let's remove the folder

We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Files
    C:\Windows\System32\config\systemprofile\AppData\Local\ESET
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

Edited by m0le, 27 February 2010 - 05:49 AM.

m0le is a proud member of UNITE

#13 Copperred

Copperred
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:25 PM

Posted 27 February 2010 - 04:14 PM

OTM Log:

========== FILES ==========
C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET NOD32 Antivirus\Quarantine folder moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET NOD32 Antivirus folder moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\ESET folder moved successfully.

OTM by OldTimer - Version 3.1.9.0 log created on 02272010_131252


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:25 PM

Posted 27 February 2010 - 06:37 PM

Hmm, think there may be registry entries still...

Let's rerun Combofix at this stage.
m0le is a proud member of UNITE

#15 Copperred

Copperred
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:25 PM

Posted 28 February 2010 - 12:57 AM

Mole,
I have re-run ComboFix. It continues to detect active real-time scanners, these being:

antivirus: ESET Nod 32 Antivirus 4.0
antispyware: ESET Nod 32 Antivirus 4.0

Below is the log:

ComboFix 10-02-27.04 - RRK 02/27/2010 21:41:57.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1256 [GMT -8:00]
Running from: c:\users\RRK\Desktop\ComFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET NOD32 Antivirus 4.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-28 05:47 . 2010-02-28 05:47 -------- d-----w- c:\users\RRK\AppData\Local\temp
2010-02-28 05:47 . 2010-02-28 05:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-28 05:47 . 2010-02-28 05:47 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-02-28 05:47 . 2010-02-28 05:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-28 05:47 . 2010-02-28 05:47 -------- d-----w- c:\users\AppData\AppData\Local\temp
2010-02-27 21:12 . 2010-02-27 21:12 -------- d-----w- C:\_OTM
2010-02-21 22:36 . 2010-02-21 22:36 -------- d-----w- c:\program files\Google
2010-02-18 01:50 . 2010-02-18 01:55 -------- d-----w- c:\users\RRK\AppData\Roaming\CasinoOnNet
2010-02-18 01:50 . 2010-02-18 01:55 -------- d-----w- c:\program files\CasinoOnNet
2010-02-17 00:34 . 2010-02-16 03:35 -------- d-----w- C:\Tor Browser
2010-02-17 00:29 . 2010-02-17 00:31 -------- d-----w- c:\users\RRK\AppData\Roaming\tor
2010-02-17 00:28 . 2010-02-17 00:28 -------- d-----w- c:\windows\system32\Data
2010-02-16 21:11 . 2010-02-16 21:15 -------- d-----w- c:\users\RRK\AppData\Roaming\IObit
2010-02-16 21:11 . 2010-02-16 21:11 -------- d-----w- c:\program files\IObit
2010-02-16 20:48 . 2010-02-16 20:48 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-02-16 16:12 . 2010-02-16 16:12 388096 ----a-r- c:\users\RRK\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-16 16:12 . 2010-02-16 16:12 -------- d-----w- c:\program files\TrendMicro
2010-02-16 12:19 . 2010-02-16 12:19 -------- d-----w- c:\users\RRK\AppData\Roaming\Malwarebytes
2010-02-16 12:19 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 12:19 . 2010-02-16 12:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-16 12:19 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-15 23:12 . 2010-02-16 16:54 0 ----a-w- c:\users\RRK\AppData\Local\prvlcl.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 05:39 . 2009-03-08 16:00 -------- d-----w- c:\users\RRK\AppData\Roaming\Skype
2010-02-27 23:41 . 2009-03-14 15:21 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-27 22:49 . 2009-06-14 07:36 -------- d-----w- c:\users\RRK\AppData\Roaming\Spotify
2010-02-26 17:53 . 2008-10-16 18:01 256 ----a-w- c:\windows\system32\pool.bin
2010-02-16 16:40 . 2008-07-15 00:57 -------- d-----w- c:\program files\PeerGuardian2
2010-01-14 11:12 . 2009-10-04 01:29 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-14 02:03 . 2009-04-05 12:53 -------- d-----w- c:\users\RRK\AppData\Roaming\Azureus
2010-01-11 16:45 . 2007-12-05 21:23 -------- d-----w- c:\program files\Microsoft Works
2010-01-10 04:35 . 2008-08-06 16:32 -------- d-----w- c:\program files\Macromedia
2010-01-10 04:34 . 2008-08-06 16:32 -------- d-----w- c:\program files\Common Files\Macromedia
2010-01-06 00:03 . 2008-07-14 18:47 -------- d-----w- c:\users\RRK\AppData\Roaming\skypePM
2010-01-05 20:08 . 2009-12-20 14:40 -------- d-----w- c:\users\RRK\AppData\Roaming\mIRC
2010-01-05 19:02 . 2009-12-20 14:40 -------- d-----w- c:\program files\mIRC
2010-01-02 22:59 . 2009-04-05 12:51 -------- d-----w- c:\program files\Vuze
2010-01-02 00:31 . 2010-01-02 00:07 -------- d-----w- c:\program files\7000 Years Calendar
2009-12-24 21:55 . 2009-12-24 21:55 0 ----a-w- c:\windows\nsreg.dat
2009-12-20 14:48 . 2009-12-20 14:48 196720 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-18 23:15 . 2009-04-05 23:33 10686001 ----a-w- c:\users\RRK\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
2010-02-21 22:36 . 2010-02-21 22:36 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-01-22 200280]
"Google Update"="c:\users\RRK\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-02-07 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-12-05 1006264]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-30 303104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2009-12-15 976784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-21 30192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

c:\users\RRK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Wuala.lnk - c:\users\RRK\AppData\Roaming\Wuala\Wuala.exe [2009-1-31 253952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1305929248-2196468230-1086222330-1000]
"EnableNotificationsRef"=dword:00000001

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2010 2:36 PM 30192]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 2:25 AM 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-02-16 11:02]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1305929248-2196468230-1086222330-1000Core.job
- c:\users\RRK\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-07 00:35]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1305929248-2196468230-1086222330-1000UA.job
- c:\users\RRK\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-07 00:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com
mWindow Title =
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\RRK\AppData\Roaming\Mozilla\Firefox\Profiles\xvl8o19a.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\users\RRK\AppData\Local\Google\Update\1.2.183.17\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 21:47
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\C245.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
Completion time: 2010-02-27 21:49:41
ComboFix-quarantined-files.txt 2010-02-28 05:49
ComboFix2.txt 2010-02-27 01:37

Pre-Run: 31,565,135,872 bytes free
Post-Run: 31,535,509,504 bytes free

- - End Of File - - 7D0D4CD63AAEBD3EDE64E5CED4E747F6
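The "Reg Loading Points" section of a ComboFix log is where a responder looks first, and the log above contains several entries worth a second glance: "EnableLUA"= 0 under policies\system means UAC is switched off on this Vista machine, AppInit_DLLs is populated (any DLL listed there is loaded into every process that loads user32.dll, here Google Desktop's network DLL), a Run entry launches from the user's AppData tree, and the MEMSWEEP2 service points its ImagePath at a .tmp file under System32. The following script is an added example written for this page, not a tool from the thread or from ComboFix: it parses a REGEDIT4-style dump into keys and values and applies those four heuristics. The SAMPLE text is constructed to mirror lines from the log above, and the heuristics are prompts to verify, not verdicts; a Google updater in AppData is normal, and a MEMSWEEP2 entry of this shape is the kind ComboFix's own rootkit scan is known to leave behind.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log.

Added example for this page, not code from the thread or from ComboFix.
SAMPLE is constructed to mirror lines from the log above; the heuristics
in triage() are this editor's choices and flag things to verify, not malware.
"""
import re
from typing import Dict, List

# Constructed sample in ComboFix's REGEDIT4-style layout.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Google Update"="c:\users\RRK\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-02-07 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\C245.tmp"
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "Name"=value, where ComboFix may append a "[date size]" tail after the value.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)(?:\s*\[[^\]]*\])?\s*$')


def parse_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {value name: raw value}} for a REGEDIT4-style dump."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Strip the surrounding quotes ComboFix prints around string data.
            result[current][m.group("name")] = m.group("value").strip().strip('"')
    return result


def triage(points: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply four responder heuristics to parsed loading points."""
    findings = []

    def add(issue: str, key: str, name: str, value: str) -> None:
        findings.append({"issue": issue, "key": key, "name": name, "value": value})

    for key, values in points.items():
        lk = key.lower()
        for name, value in values.items():
            lv = value.lower()
            if lk.endswith("\\policies\\system") and name == "EnableLUA" and lv.startswith("0"):
                add("UAC disabled (EnableLUA=0)", key, name, value)
            elif name == "AppInit_DLLs" and lv:
                add("AppInit_DLLs populated: loaded into every user32-linked process", key, name, value)
            elif lk.endswith("\\run") and "\\appdata\\" in lv:
                add("Run entry launches from a user-profile path", key, name, value)
            elif "\\services\\" in lk and name == "ImagePath" and lv.endswith(".tmp"):
                add("Service image is a .tmp file: confirm the publisher", key, name, value)
    return findings


if __name__ == "__main__":
    for f in triage(parse_loading_points(SAMPLE)):
        print(f"{f['issue']}\n    {f['key']}\n    {f['name']} = {f['value']}")
```

Run it against the real log by replacing SAMPLE with the text between the "Reg Loading Points" banner and the "Scheduled Tasks" heading; the parser ignores the ComboFix service lines (S3 ...) that do not follow the "Name"=value shape, so those still need to be read by eye.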
