
Infected with Antivirus Soft (HijackThis Log)


19 replies to this topic

#1 havoc123 (Members, 32 posts)

Posted 12 March 2010 - 01:07 PM

Thanks to everyone in advance for helping me with this problem.



So on Wednesday, March 10, my computer displayed Antivirus Soft which started running a fake scan while I was surfing my computer. The website in question was Arstechnica.org, a site I consider(ed) to be safe and reputable. I am not sure if the infection came from there or was lurking on my computer dormant.

I looked around on general malware guides such as the one on this site on how to get rid of this infection. Since MBAM seems to be the first program of choice, I downloaded that as well as HijackThis.



1. First I rebooted the computer in Safe Mode (some attempts got me stuck on the AGP440.sys driver) and made an initial HijackThis log (below).

2. I then ran rkill to remove any malware processes. None were removed since this was in Safe Mode.
(When I ran it in the normal boot mode, Antivirus Soft would block it along with HijackThis and MBAM).

3. Then I ran a full scan of MBAM (it would not update but the file was 1/9/2010). After 3 hours, it caught 4 items. (log below) Two of the items I did not recognize and I deleted. One of the other two items was a Powerpoint Presentation from one of my college classes and I deleted it since I could always reload it. The other was an MPEG-4 file that I had on my computer for almost a year without trouble. Just to be safe, I deleted that as well but made a backup copy in a blank USB drive. I then scanned that copy again with MBAM but this time, it did not catch anything.




So I have three questions.

The first is: Is my computer cleared of the infection (Antivirus Soft)? I did not reboot the computer in normal mode yet because I don't want the infection to respread everywhere.

My second question is: Even if MBAM did get rid of the infection, are there any registry values or other "objects" that I need to remove?

My second question is: "How good is MBAM in recognizing false positives and was this MPEG-4 file a false positive?"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is the first HijackThis log.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:35 PM, on 3/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\search.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O2 - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [rhifldba] C:\Documents and Settings\Nilesh\Local Settings\Application Data\ckyfhg\euslsftav.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\dlm.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [rhifldba] C:\Documents and Settings\Nilesh\Local Settings\Application Data\ckyfhg\euslsftav.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.angernet.org
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - http://srtest-cdn.systemrequirementslab.co...eqlabdetect.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1228547942609
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1228547930625
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8068 bytes




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is the first MBAM log.



Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

3/12/2010 1:49:08 AM
mbam-log-2010-03-12 (01-48-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 358878
Time elapsed: 3 hour(s), 27 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\End of Evangelion AMV - Rammstein & Tatu.mp4 (Trojan.FakeAlert) -> No action taken.
C:\Endemism in the Southeast.ppt (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Nilesh\Local Settings\Temp\e.exe (Trojan.Dropper) -> No action taken.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



(There is another MBAM log that was created when I successfully deleted the four objects, I will post it if you say so)
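The HijackThis log above already shows the three things a helper looks at first: the R1 ProxyServer pointing at 127.0.0.1:5555 (the rogue's local proxy), the same randomly named [rhifldba] Run value launched from Local Settings\Application Data under both HKLM and HKCU, and the orphaned "(no file)" BHOs. The following triage script is an added example (not HijackThis's or BleepingComputer's code) that flags exactly those patterns; the sample lines are copied from the log in this post, and the finding names are the script's own.

```python
"""Triage a HijackThis log for the indicators seen in this thread.

Added example, not part of HijackThis or of this forum post. It flags:
  * R1 ProxyServer entries that point at the local machine (a rogue
    such as Antivirus Soft installs a loopback proxy to hijack browsing),
  * O4 Run entries launched from a user's Local Settings\\Application Data
    or Temp folder, and Run value names that appear under both HKLM and HKCU,
  * O2/O3/O9 entries whose target is "(no file)" (orphaned, harmless to remove).
"""
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [rhifldba] C:\Documents and Settings\Nilesh\Local Settings\Application Data\ckyfhg\euslsftav.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [rhifldba] C:\Documents and Settings\Nilesh\Local Settings\Application Data\ckyfhg\euslsftav.exe
"""

# "R1 - ...", "O4 - ...", "F2 - ...", "N1 - ..." entry lines.
ENTRY_RE = re.compile(r"^([RFON]\d+) - (.*)$")
# Body of an O4 line: hive, bracketed value name, command line.
O4_RE = re.compile(r"^(HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# A proxy that points back at the machine itself.
LOOPBACK_RE = re.compile(r"(?<![\d.])127\.0\.0\.1(?![\d.])|\blocalhost\b", re.I)
# Autostart binaries living in a per-user scratch location (XP layout).
USER_PROFILE_RE = re.compile(r"\\Local Settings\\(?:Application Data|Temp)\\", re.I)


def parse_entries(text):
    """Yield (section, body) for every HijackThis entry line in the log."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2).strip()


def triage(text):
    """Return a list of (finding_kind, detail) tuples for the log text."""
    findings = []
    hives_by_name = {}  # Run value name -> set of hives it was seen under
    for section, body in parse_entries(text):
        if section == "R1" and "ProxyServer" in body and LOOPBACK_RE.search(body):
            findings.append(("loopback-proxy", body))
        elif section in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append(("orphaned-entry", body))
        elif section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            hive, name, command = m.groups()
            hives_by_name.setdefault(name, set()).add(hive)
            if USER_PROFILE_RE.search(command):
                findings.append(("run-from-user-profile", f"[{name}] {command}"))
    # The same value name planted under both HKLM and HKCU is a persistence
    # pattern, not something a legitimate installer normally does.
    for name, hives in hives_by_name.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(("duplicated-run-entry", name))
    return findings


def finding_counts(text):
    """Summarise triage() as {finding_kind: count}."""
    return dict(Counter(kind for kind, _ in triage(text)))


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```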



#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 12 March 2010 - 04:54 PM

Hello havoc123,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

QUOTE
The first is : Is my computer cleared of the infection (Antivirus Soft)? I did not reboot the computer in normal mode yet because I don't want the infection to respread everywhere.

I have sad news. You are still infected. MBAM is better when run in regular mode. It is designed for that.

QUOTE
My second question is: Even if MBAM did get rid of the infection, are there any registry values or other "objects" that I need to remove?
Yes there are some left.

QUOTE
My second question is: "How good is MBAM in recognizing false positives and was this MPEG-4 file a false positive?"
MBAM usually does not have false positives. Was this file downloaded from a P2P program? If so, it probably is infected.

I can help you with your Malware situation, but you must adhere to the rules above. As in no changes to your machine or running any other tools or scanners without being told to do so. If you want my help please follow the directions below.

1.
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

3.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
Gmer log
Combofix.txt
How is your machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 havoc123 (Topic Starter, Members, 32 posts)

Posted 12 March 2010 - 07:04 PM

I am waiting for a second scan of MBAM to finish in Safe Mode (it was half done) before I start on the procedures. Just to make sure, you want me to run Defogger, rkill, etc. in normal mode instead of Safe Mode, right?

EDIT: No malware found in second Safe Mode MBAM scan, but I will follow your advice about removal of malware.


Also, using System Restore for XP will not get rid of this problem, will it? I don't think it will but I want to make sure that the solution is not this easy with me ignoring it.

Edited by havoc123, 12 March 2010 - 07:35 PM.


#4 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 13 March 2010 - 01:21 AM

Hello,

QUOTE
am waiting for a second scan of MBAM to finish in Safe Mode (it was half done) before I start on the procedures. Just to make sure, you want me to run Defogger, rkill, etc. in normal mode instead of Safe Mode, right?


All the tools are designed for regular mode. However if they fail to run in reg mode then use safe mode.


QUOTE
Also, using System Restore for XP will not get rid of this problem, will it? I don't think it will but I want to make sure that the solution is not this easy with me ignoring it.


Whatever you do, don't use System Restore unless specifically asked to by myself or someone else here at BC.
Doing so can restore the malware you have already rid yourself of. Once we get your machine clean we will reset your restore points so that won't happen.


Note: please do the steps in order given.



#5 havoc123 (Topic Starter, Members, 32 posts)

Posted 13 March 2010 - 01:25 AM

Well I am still scanning with GMER (almost 7 hours straight), so this is a temporary update. I will put up all the logs you requested in my next reply, probably tomorrow in the morning. (Eastern US)

The infection was blocking Defogger, GMER, and almost every other application. I had to use rkill first to try and kill the malware process. At first, Antivirus Soft was blocking rkill as well. Eventually rkill did take out the malware process after a few tries.

I will post the logs for GMER, rkill, and Combofix once I can get the scans done. I am quite sure that the malware process is in the list of 4 processes that rkill did remove. The malware comes back if I restart the computer but if I run rkill, the computer acts completely normally. So my earlier attempts with MBAM did not remove the infection at all.



EDIT: I think rkill will let me use the normal boot mode if I run that first. Let me know if it is ok to use rkill first and then the other programs. My computer will not let me use anything otherwise in normal mode.

EDIT: Thanks for informing me about System Restore.

Edited by havoc123, 13 March 2010 - 01:28 AM.


#6 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 13 March 2010 - 01:43 AM

Hello,

Concerning Rkill, yes you can run it before each tool. Rkill is designed to kill certain malware processes in order for the Tools to run.
The log it creates sometimes gives us insight to what we are dealing with.



#7 havoc123 (Topic Starter, Members, 32 posts)

Posted 13 March 2010 - 09:19 PM

Ok, I have posted the logs for Combofix and GMER below. There were several issues with these scans.



Here is the order of scans so you don't get confused.

Order of Scans
1. Ran rkill to kill the usual bad processes.
2. Installed Windows Recovery Console (I think)
3. Ran ComboFix and saved complete log of scan.
4. Ran GMER second time. (first time was yesterday but failed due to power outage)
- Log was saved but scan itself was incomplete. Shortly after saving the scan log, the computer crashed. Upon rebooting in Safe Mode, I discovered the option to boot from the Recovery Console.





The most important issue is that GMER did not complete its scan. It got to the directory \WildTangent in the \Program Files folder after 8 hours of scanning on the second attempt but then the scan froze (can't remember the specific file). The first attempt ended after 6 hours of useless scanning when the power went out since my laptop battery is only about an hour in length.

I am hoping that getting to the WildTangent folder (one of the last folders in the Program Files folder) will be sufficient. If not, are there any other scanning or diagnostic programs that I could use instead? GMER just takes too long and it tends to freeze at random intervals. Or should I use Safe Mode?






ComboFix did scan successfully but when it was installing the Windows Recovery Console, it froze. I quit the program and restarted the computer. I am not sure if it successfully installed the Recovery Console since it never got to ask me to scan the system. But there was an option to boot from the Recovery Console when I tried to boot later in the day in Safe Mode to make sure the computer was still working after it crashed from the second GMER scan. To be clear, I did run the scan successfully after rebooting to fix the freeze and there were no prompts to install the Recovery Console and I did see an option to boot from it during Safe Mode later in the day. But I did not get a confirmation from ComboFix that it was installed completely or properly.



I am also concerned about these automatic deletions in the Combofix log.

Here is the list:
c:\recycler\NPROTECT
C:\Thumbs.db
c:\windows\command
c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK
c:\windows\system32\drivers\DELL_XPS_MM061 .MRK


The Thumbs.db file has been present on my computer since I first started using it. I know it is a system process or file. I don't know if the deletion will affect the system stability.

The NPROTECT file and the COMMAND file as well as the two Dell XPS drivers seem important. I am not sure if I need them. My model is a Dell Inspiron E1505 (aka 6400) with XP Pro SP3.

Any advice on these deletions?



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix Log (complete)



ComboFix 10-03-12.04 - Nilesh 03/13/2010 9:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1338 [GMT -5:00]
Running from: E:\mechanic.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Nilesh\Local Settings\Application Data\ckyfhg
c:\documents and settings\Nilesh\Local Settings\Application Data\ckyfhg\euslsftav.exe
c:\recycler\NPROTECT
C:\Thumbs.db
c:\windows\command
c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK
c:\windows\system32\drivers\DELL_XPS_MM061 .MRK

.
((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))
.

2010-03-13 14:15 . 2010-03-13 14:17 -------- d-----w- C:\mechanic
2010-03-12 03:18 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-12 03:18 . 2010-03-12 03:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-12 03:18 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 00:22 . 2010-03-12 00:22 -------- d-----w- c:\documents and settings\Nilesh\Application Data\Malwarebytes
2010-03-12 00:22 . 2010-03-12 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-14 03:27 . 2010-02-14 03:27 -------- d-----w- c:\documents and settings\Nilesh\Application Data\ScummVM
2010-02-13 20:16 . 2010-02-13 20:16 88064 ----a-w- c:\documents and settings\Nilesh\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.62.0A.dll
2010-02-13 06:51 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 5 - The High King
2010-02-13 06:51 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 4 - Taran Wanderer
2010-02-13 06:51 . 2010-02-17 06:50 -------- d-----w- C:\Chronicles of Prydain 3 - The Castle of Llyr
2010-02-13 06:51 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 2 - The Black Cauldron
2010-02-13 06:50 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 1 - The Book of Three
2010-02-13 06:48 . 2010-02-13 06:48 -------- d-----w- C:\The Chronicles of Prydain
2010-02-13 03:46 . 2010-02-13 03:47 -------- d-----w- C:\OldGames
2010-02-13 03:39 . 2010-02-13 03:39 -------- d-----w- c:\documents and settings\Nilesh\Local Settings\Application Data\DOSBox
2010-02-13 03:39 . 2010-02-13 04:02 -------- d-----w- c:\program files\DOSBox-0.73
2010-02-13 03:36 . 2010-02-13 03:36 3595301 ----a-w- C:\the-amazon-trail.zip
2010-02-13 03:36 . 2010-02-13 03:36 6539962 ----a-w- C:\monkey-island-2-lechucks-revenge.zip
2010-02-13 03:36 . 2010-02-13 03:36 3275156 ----a-w- C:\the-secret-of-monkey-island.zip
2010-02-13 03:35 . 2010-02-13 03:35 1915930 ----a-w- C:\oregon-trail-deluxe.zip
2010-02-13 03:30 . 2009-12-15 02:57 862208 ----a-w- c:\documents and settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\activegs@freetoolsassociation.com\platform\WINNT_x86-msvc\plugins\npActiveGS.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 00:22 . 2010-01-02 02:16 -------- d-----w- c:\documents and settings\Nilesh\Application Data\U3
2010-03-01 12:43 . 2007-08-29 03:51 -------- d-----w- c:\program files\uTorrent
2010-03-01 01:08 . 2009-02-19 04:38 -------- d-----w- c:\program files\Fox
2010-03-01 00:27 . 2007-08-29 03:51 -------- d-----w- c:\documents and settings\Nilesh\Application Data\uTorrent
2010-02-27 03:18 . 2007-08-15 03:42 -------- d-----w- c:\documents and settings\Nilesh\Application Data\IGN_DLM
2010-02-27 01:13 . 2008-03-04 18:50 -------- d-----w- c:\documents and settings\Nilesh\Application Data\Hamachi
2010-02-25 22:29 . 2008-06-09 21:48 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2010-02-21 04:13 . 2010-02-01 18:12 -------- d-----w- c:\program files\DeusEx
2010-02-14 03:27 . 2007-09-24 21:41 -------- d-----w- c:\program files\ScummVM
2010-02-13 20:16 . 2007-08-23 22:05 -------- d-----w- c:\program files\SystemRequirementsLab
2010-02-13 20:16 . 2008-07-30 20:01 -------- d-----w- c:\documents and settings\Nilesh\Application Data\SystemRequirementsLab
2010-02-12 16:04 . 2007-08-28 03:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 22:27 . 2010-01-19 22:22 -------- d-----w- c:\program files\Project64 1.6
2010-01-19 22:22 . 2010-01-19 22:22 8854 ----a-r- c:\documents and settings\Nilesh\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2010-01-19 22:22 . 2010-01-19 22:22 40960 ----a-r- c:\documents and settings\Nilesh\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-01-19 22:22 . 2010-01-19 22:22 40960 ----a-r- c:\documents and settings\Nilesh\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-12-29 03:48 . 2009-12-29 03:48 138240 ----a-w- c:\documents and settings\Nilesh\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-12-29 03:48 . 2009-12-29 03:48 138240 ----a-w- c:\documents and settings\Nilesh\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-12-29 03:48 . 2009-12-29 03:48 138240 ----a-w- c:\documents and settings\Nilesh\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-12-29 03:48 . 2009-12-29 03:48 138240 ----a-w- c:\documents and settings\Nilesh\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-12-17 04:13 . 2009-12-15 23:57 152576 ----a-w- c:\documents and settings\Nilesh\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-17 04:13 . 2009-12-15 23:56 79488 ----a-w- c:\documents and settings\Nilesh\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RamBooster"="c:\program files\RamBooster\Rambooster.exe" [1999-10-07 469504]
"igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2009-05-15 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2003-05-29 394240]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-17 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-07 13:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 18:51 24638 ------w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
backup=c:\windows\pss\PASPortal.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Registration Prince of Persia T2T.LNK]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Registration Prince of Persia T2T.LNK
backup=c:\windows\pss\Registration Prince of Persia T2T.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Registration The Political Machine.LNK]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Registration The Political Machine.LNK
backup=c:\windows\pss\Registration The Political Machine.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Ubisoft register.lnk]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Ubisoft register.lnk
backup=c:\windows\pss\Ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2003-11-30 15:06 177152 ------w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-11-07 19:16 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-29 16:27 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-08-29 15:09 171464 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2002-08-14 23:21 94208 ------w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-05-15 00:03 1103216 ----a-w- c:\program files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 15:06 11776 ------w- c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-19 15:06 110592 ------w- c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-02-28 20:38 319280 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 14:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
2005-03-29 01:24 28616 ----a-w- c:\program files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"awhost32"=3 (0x3)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"=
"c:\\Complete Junk\\ut\\New Folder\\fd\\Splinter Cell Chaos Theory\\Chaos Theory Rip\\TC[1].SC.CT\\Tom Clancy's Splinter Cell\\System\\SPLINTERCELL3.EXE"=
"c:\\Program Files\\DeusEx\\System\\DeusEx.exe"=
"c:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [8/1/2003 5:47 PM 29239]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/9/2009 1:33 PM 335240]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 6:11 PM 5632]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 1:33 PM 297752]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/24/2008 1:35 PM 210216]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/26/2008 9:08 PM 29183504]
S2 mrtRate;mrtRate; [x]
S3 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [7/27/2004 3:05 PM 15744]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\vnetusbl.sys [7/6/2007 8:18 PM 107648]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/5/2007 10:05 PM 685816]
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-11 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-03-10 21:26]
.
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: angernet.org
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\activegs@freetoolsassociation.com\platform\WINNT_x86-msvc\plugins\npActiveGS.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
HKCU-Run-rhifldba - c:\documents and settings\Nilesh\Local Settings\Application Data\ckyfhg\euslsftav.exe
HKLM-Run-rhifldba - c:\documents and settings\Nilesh\Local Settings\Application Data\ckyfhg\euslsftav.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
MSConfigStartUp-Norton SystemWorks - c:\program files\Norton SystemWorks\cfgwiz.exe
MSConfigStartUp-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
AddRemove-HijackThis - E:\HijackThis.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%*y*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%*y*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:48,c0,9a,70,08,fe,2f,62,d0,8a,a0,c0,fe,36,94,fd,0e,8a,9f,ca,17,a5,e3,
85,3b,0c,c4,56,42,57,89,30,76,fe,37,03,96,f2,25,29,9d,4a,bc,00,b9,b3,0a,a1,\
"??"=hex:f1,a6,b3,fa,10,81,c3,2a,9e,b4,d0,55,6c,a2,40,96
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-03-13 09:37:10
ComboFix-quarantined-files.txt 2010-03-13 14:37

Pre-Run: 3,106,369,536 bytes free
Post-Run: 6,249,213,952 bytes free

- - End Of File - - 77E54FB82319D2F65F9115C19BD88B05


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GMER Log (incomplete)



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-13 19:53:30
Windows 5.1.2600 Service Pack 3
Running: q3yfpm13.exe; Driver: C:\DOCUME~1\Nilesh\LOCALS~1\Temp\fflcrpog.sys


---- System - GMER 1.0.15 ----

INT 0x01 \??\C:\DOCUME~1\Nilesh\LOCALS~1\Temp\mbr.sys BAB512A4

Code \??\C:\DOCUME~1\Nilesh\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x76 0xC1 0x6A 0xBC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7E 0xF8 0x29 0xED ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCD 0xB4 0xCE 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x05 0xB4 0xB4 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x53 0x36 0xA8 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x53 0x36 0xA8 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x58 0x2E 0xD7 0xBF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE4 0x1B 0xDC 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x77 0xD9 0xF0 0x62 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x37 0xF9 0x93 0x13 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x53 0x36 0xA8 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x53 0x36 0xA8 0x85 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x76 0xC1 0x6A 0xBC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x7E 0xF8 0x29 0xED ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCD 0xB4 0xCE 0xEE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x05 0xB4 0xB4 0x4E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x53 0x36 0xA8 0x85 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x53 0x36 0xA8 0x85 ...

Edited by havoc123, 13 March 2010 - 10:24 PM.


#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:42 AM

Posted 13 March 2010 - 10:36 PM

Hello,


QUOTE
I am also concerned about these automatic deletions in the Combofix log.

Here is the list:
c:\recycler\NPROTECT
C:\Thumbs.db
c:\windows\command
c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK
c:\windows\system32\drivers\DELL_XPS_MM061 .MRK


Sometimes malware will infect operating system files. Malware will often name itself the same as system files as well. If you find you need these files, you can call or go to Dell; they should be able to supply you with them.

The good news is your logs look a lot better.

1.
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case Limewire). These programmes allow users to share files between them, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

2.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

3.
Please download Malwarebytes Anti-Malware (v1.43) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

4.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

5.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.

Things to include in your next reply:
MBAM log
Eset log
DDS.txt
Attach.txt

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 havoc123

havoc123
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 14 March 2010 - 12:02 PM

Ok, here we go. I have put all the logs except Attach.txt down below. The Attach log is in the attachment.

Again, we have some problems. I am quite sure that the NPZoneSB.dll file in the ESET log is a valid file belonging to ZoneAlarm.

I am quite sure that Acronis True Image is not a trojan/virus. I can scan it with VirusTotal to make sure but I have used it on 4 different computers, all with updated Symantec Corporate Edition Antivirus Programs and have never had any problems or alerts due to it. Ditto to the first six items in the ESET log that I have had for almost 2 years, and had no problems with them. False positives? I will confirm with VirusTotal to be sure.

I know that I have never seen Qoobox as a folder on the main drive. It is definitely less than a week old because I don't remember seeing it before the infection. The file that it contained also has the same name as the process that appeared during the infection but does not after I used ComboFix.

PowerReg Scheduler seems to be spyware, although sometimes used by legit companies. I am not satisfied with simply deleting a single file. Don't I have to uninstall or get rid of the main files?

Speaking of uninstalling, do I have to remove registry values or folders that the original infection left behind? Do we do that after all the scans show up clean?

Besides all the notes I put above, the MBAM scan was clean. I actually was able to update it this time so it seems MBAM won't catch any infections that are still present. I did a Quick Scan like you asked but wouldn't a Complete Scan have been better?

I can't interpret the DDS logs but it looks good. When I tried to use rkill before running any of these scans, it only stopped two processes instead of the three or four during the first part of the infection. I will put them below:


Legit Processes (as far as I can tell)
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\UAService7.exe


Missing Process (I think this is the infection process or one of them)
C:\Documents and Settings\Nilesh\Local Settings\Application Data\ckyfhg\euslsftav.exe





I have noticed that ESET and rkill seem to consider programs like Acronis to be malicious but my experiences with them have been very good. Other anti-spyware/antivirus programs don't seem to consider them a threat either. Like I asked above, false positives? Would VirusTotal help?




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MBAM Log (Quick Scan)





Malwarebytes' Anti-Malware 1.44
Database version: 3865
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/13/2010 11:04:52 PM
mbam-log-2010-03-13 (23-04-52).txt

Scan type: Quick Scan
Objects scanned: 123331
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DDS Log




DDS (Ver_09-12-01.01) - NTFSx86
Run by Nilesh at 23:08:04.01 on Sat 03/13/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1343 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
E:\Tools\DDS.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File
BHO: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RamBooster] c:\program files\rambooster\Rambooster.exe
uRun: [igndlm.exe] c:\program files\ign\download manager\dlm.exe /windowsstart /startifwork
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: angernet.org
Trusted Zone: musicmatch.com\online
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228547942609
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228547930625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38055.5668981482
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nilesh\applic~1\mozilla\firefox\profiles\obrb4ev5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\nilesh\application data\mozilla\firefox\profiles\obrb4ev5.default\extensions\activegs@freetoolsassociation.com\platform\winnt_x86-msvc\plugins\npActiveGS.dll
FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chem3d\npChem3DPlugin.dll
FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chemdraw\NPCDP32.DLL
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-8-1 29239]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-7-6 27784]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 297752]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-24 210216]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100305.004\NAVENG.sys [2010-3-5 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100305.004\NAVEX15.sys [2010-3-5 1324720]
S2 mrtRate;mrtRate; [x]
S3 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [2004-7-27 15744]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\vnetusbl.sys [2007-7-6 107648]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
S4 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2001-11-2 114749]

=============== Created Last 30 ================

2010-03-14 03:51:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 03:51:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-14 03:51:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 14:23:39 0 d-----w- C:\mechanic6617m
2010-03-13 14:17:26 0 d-sha-r- C:\cmdcons
2010-03-13 14:16:03 98816 ----a-w- c:\windows\sed.exe
2010-03-13 14:16:03 77312 ----a-w- c:\windows\MBR.exe
2010-03-13 14:16:03 261632 ----a-w- c:\windows\PEV.exe
2010-03-13 14:16:03 161792 ----a-w- c:\windows\SWREG.exe
2010-03-13 14:15:55 0 d-----w- C:\mechanic
2010-03-13 01:30:25 20 ----a-w- c:\documents and settings\nilesh\defogger_reenable
2010-03-12 00:22:14 0 d-----w- c:\docume~1\nilesh\applic~1\Malwarebytes
2010-03-12 00:22:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-08 01:06:43 64942 ----a-w- C:\[isoHunt] Bleach Soundtrack Collection.torrent
2010-03-06 04:35:06 422487 ----a-w- C:\hinmori killed again.jpg
2010-03-05 00:07:29 75776 ----a-w- C:\Exam1_Biology565_Spring2010 Patel.doc
2010-03-04 01:38:05 10411788 ----a-w- C:\t_deadap_jp_kasumi.mp4
2010-03-04 01:04:30 33635424 ----a-w- C:\t_haloreach_mpbeta_hd.wmv
2010-03-04 01:04:26 36470934 ----a-w- C:\t_haloreach_mpbeta_hd.mov
2010-03-02 23:24:06 423792 ----a-w- C:\046.jpg
2010-03-02 23:23:59 399043 ----a-w- C:\045.jpg
2010-03-02 03:25:58 40448 ----a-w- C:\Exam1_Biology565_Spring2010.doc
2010-02-27 21:51:57 69120 ----a-w- C:\Exam 2 Study Guide Answers.doc
2010-02-27 21:44:51 68096 ----a-w- C:\Exam 2 Study Guide.doc
2010-02-27 20:48:34 626206 ----a-w- C:\The Faust Table of MTW 2 Stats.pdf
2010-02-26 05:49:12 415744 ----a-w- C:\EC101_PracQ06_K.doc
2010-02-26 05:45:32 104960 ----a-w- C:\EC101_PracQ07_K.doc
2010-02-26 05:13:02 3307761 ----a-w- C:\Nothing Can Be Explained.mp3
2010-02-26 05:07:30 2161906 ----a-w- C:\Battle Ignition.mp3
2010-02-26 05:06:49 2553952 ----a-w- C:\Storm Center.mp3
2010-02-24 03:07:51 324970 ----a-w- C:\Color Map of Southeast Asia.pdf
2010-02-24 03:07:31 375325 ----a-w- C:\Color Map of Southeast Asia with Rivers.pdf
2010-02-24 02:58:09 290430 ----a-w- C:\Blank Map of Southeast Asia.pdf
2010-02-24 02:57:12 28160 ----a-w- C:\Southeast Asia Map Key.doc
2010-02-23 23:03:54 26338 ----a-w- C:\Spanish Daughter Dance.jpg
2010-02-23 23:01:39 160360 ----a-w- C:\English Daughter Dance.jpg
2010-02-23 23:01:14 96304 ----a-w- C:\English Daughter 1.jpg
2010-02-23 23:01:01 153895 ----a-w- C:\French Daughter 1.jpg
2010-02-22 05:08:51 29696 ----a-w- C:\Twilight in Delhi temp.doc
2010-02-21 23:59:24 33792 ----a-w- C:\Twilight in Delhi Book Report.doc
2010-02-17 07:34:44 47634 ----a-w- C:\rice - white.JPG
2010-02-17 07:31:54 57820 ----a-w- C:\rice - brown.JPG
2010-02-17 07:18:25 36587 ----a-w- C:\rice genome.JPG
2010-02-17 07:11:21 36359 ----a-w- C:\rice 2.JPG
2010-02-17 06:50:09 55570 ----a-w- C:\rice.JPG
2010-02-17 06:46:49 3089920 ----a-w- C:\Rice Plant Presentation.ppt
2010-02-17 00:20:38 37888 ----a-w- C:\Plant Project Paper - Rice.doc
2010-02-15 22:48:26 21504 ----a-w- C:\PRESENTATIONS2010.doc
2010-02-14 03:27:44 0 d-----w- c:\docume~1\nilesh\applic~1\ScummVM
2010-02-13 06:51:50 0 d-----w- C:\Chronicles of Prydain 5 - The High King
2010-02-13 06:51:42 0 d-----w- C:\Chronicles of Prydain 4 - Taran Wanderer
2010-02-13 06:51:35 0 d-----w- C:\Chronicles of Prydain 3 - The Castle of Llyr
2010-02-13 06:51:22 0 d-----w- C:\Chronicles of Prydain 2 - The Black Cauldron
2010-02-13 06:50:35 0 d-----w- C:\Chronicles of Prydain 1 - The Book of Three
2010-02-13 06:48:19 0 d-----w- C:\The Chronicles of Prydain
2010-02-13 06:47:54 1197607 ----a-w- C:\The Chronicles of Prydain.rar
2010-02-13 03:46:55 0 d-----w- C:\OldGames
2010-02-13 03:39:39 0 d-----w- c:\program files\DOSBox-0.73
2010-02-13 03:36:42 3595301 ----a-w- C:\the-amazon-trail.zip
2010-02-13 03:36:20 6539962 ----a-w- C:\monkey-island-2-lechucks-revenge.zip
2010-02-13 03:36:07 3275156 ----a-w- C:\the-secret-of-monkey-island.zip
2010-02-13 03:35:21 1915930 ----a-w- C:\oregon-trail-deluxe.zip

==================== Find3M ====================


============= FINISH: 23:09:18.73 ===============



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ESET Scan


C:\Complete Junk\SW Kotor 2\Cracktro.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Complete Junk\Useful Stuff\Acronis True Image 11 Home.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\Complete Junk\ut\New Folder\fd\New Folder\Lemonade Tycoon 2\Lemonade Tycoon 2 Setup.exe multiple threats deleted - quarantined
C:\Program Files\Diner Dash 3-in-1\Diner Dash\Diner Dash.exe a variant of Win32/ReflexiveArcade application cleaned by deleting - quarantined
C:\Program Files\Diner Dash 3-in-1\Diner Dash\Diner Dash.exe.BAK a variant of Win32/ReflexiveArcade application cleaned by deleting - quarantined
C:\Program Files\Lemonade Tycoon 2\Lemonade2.exe a variant of Win32/ReflexiveArcade application cleaned by deleting - quarantined
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Nilesh\Local Settings\Application Data\ckyfhg\euslsftav.exe.vir a variant of Win32/Kryptik.CYQ trojan cleaned by deleting - quarantined
C:\WINDOWS\pss\PowerReg Scheduler.exeStartup Win32/PowerReg application cleaned by deleting - quarantined



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Attach.txt log is in the attachments.


EDIT: Most of the games that ESET captured as viruses or trojans are actually from Reflexive Games who have had many issues with antivirus programs labeling their files as false positives. I am not sure what to do here. I don't mind removing them if they are a real threat but all indications point to the contrary.


Edited by havoc123, 14 March 2010 - 02:35 PM.


#10 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 14 March 2010 - 03:13 PM

Hello havoc123,

QUOTE
Again, we have some problems. I am quite sure that the NPZoneSB.dll file in the ESET log is a valid file belonging to ZoneAlarm.

Once again, as I have told you in my previous post, malware sometimes infects legitimate files or names itself after legitimate file names.
This file you are referring to is also a "MyWebSearch adware" file.
I need you to ask yourself one question: why did I come to Bleeping Computer? If you don't trust my abilities I can get you another Malware Response Team member. Maybe one false positive I can see, but every time? I doubt it. Another question would be: is any program or my machine adversely affected by these files being removed?
Qoobox is Combofix's quarantine folder. We will remove this when the machine is all clean.

QUOTE
Missing Process (I think this is the infection process or one of them)
C:\Documents and Settings\Nilesh\Local Settings\Application Data\ckyfhg\euslsftav.exe

If you will notice, Combofix deleted that file and ESET then found it and deleted it from Combofix's quarantine folder, Qoobox.

Rkill just temporarily stops these processes until the next reboot. The processes it stops may be malware, or may just be services which could interfere with some of the tools we run. So Acronis may not be a bad program, just a program that would interfere with some of our tools.

I also need to know how your machine is running in every reply.

The good news is your logs look a lot better now. We can do some cleaning up and some final preparations to get you finished up here.

1.
Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
DDS::
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File
BHO: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3.
I also notice you are running Internet Explorer 6. This version has many vulnerabilities and exploits. I suggest upgrading to at least IE7. You can do this by following this link.


4.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 18 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

5.
New Adobe Reader Installation:
  • Go here and click on the Download button to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

Things to include in your next reply:
Combofix log
DDS log
Attach.txt
How is your machine running now? Any signs or symptoms of infection?





" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



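The CFScript in step 2 above is built from the DDS lines whose registry entry no longer points at anything: BHO/EB entries reported as "No File" and DPF (ActiveX download) entries with no codebase URL. As an added example that is not ComboFix's, DDS's or the helper's own code, the Python below runs that selection over a constructed copy of the "Pseudo HJT Report" lines from this thread and emits the DDS:: block; the allowlist entry for {761497BB-...} is Java's SSVHelper CLSID, which the helper's script leaves alone (the reason is my assumption; the thread does not say).

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Constructed sample: a subset of the "Pseudo HJT Report" lines from the DDS log
# posted in this thread, kept verbatim (including DDS's "hxxp" defanging).
SAMPLE_DDS_LINES = [
    r"BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll",
    "BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File",
    "BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File",
    "BHO: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No File",
    r"TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll",
    "EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File",
    "DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab",
    "DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}",
    "DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}",
    "DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}",
    "DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}",
    "DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab",
    "Hosts: 127.0.0.1 www.spywareinfo.com",
]

# CLSIDs known to belong to a legitimate component even while the registry
# entry says "No File". {761497BB-...} is Java's SSVHelper class; the helper's
# CFScript in this thread leaves it alone (assumption: that is why).
DEFAULT_ALLOW: FrozenSet[str] = frozenset({"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"})

# Matches "KIND: [Name: ]{CLSID}[ - target]" for the entry kinds DDS lists.
_ENTRY_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|DPF): (?:(?P<name>[^{]*?): )?"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})(?: - (?P<target>.*))?$"
)


@dataclass(frozen=True)
class Entry:
    kind: str
    clsid: str          # normalised to upper case for comparisons
    target: Optional[str]
    raw: str            # the original DDS line, needed verbatim for the script

    @property
    def orphaned(self) -> bool:
        """A browser add-on whose DLL is gone, or a DPF entry with no codebase
        URL: neither serves any legitimate purpose and both are safe to drop."""
        if self.kind in ("BHO", "TB", "EB"):
            return self.target == "No File"
        return self.target is None  # DPF


def parse_entries(lines: Iterable[str]) -> List[Entry]:
    """Parse the BHO/TB/EB/DPF lines of a DDS pseudo-HJT report; other lines
    (Hosts:, uRun:, ...) are ignored here."""
    out: List[Entry] = []
    for line in lines:
        m = _ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m["kind"], m["clsid"].upper(), m["target"], line.strip()))
    return out


def orphan_entries(lines: Iterable[str], allow: FrozenSet[str] = DEFAULT_ALLOW) -> List[Entry]:
    """Orphaned entries in report order, minus any CLSID on the allowlist."""
    allow_up = {c.upper() for c in allow}
    return [e for e in parse_entries(lines) if e.orphaned and e.clsid not in allow_up]


def build_cfscript(lines: Iterable[str], allow: FrozenSet[str] = DEFAULT_ALLOW) -> str:
    """Emit the DDS:: section of a CFScript. The orphaned lines are copied
    verbatim because ComboFix matches them against its own DDS-style output."""
    body = [e.raw for e in orphan_entries(lines, allow)]
    return "DDS::\n" + "\n".join(body) + ("\n" if body else "")


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_DDS_LINES), end="")
```

Entries that still resolve to a DLL path or a codebase URL are never selected, so the output on this sample is exactly the seven lines of the helper's script.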

#11 havoc123 (Topic Starter, Members, 32 posts)

Posted 14 March 2010 - 06:51 PM

Sorry about not posting how my computer was doing in the past replies. I will post all the details here.

Well, when I ran the first MBAM scans, it caught some files but the malware was still there. rkill was getting rid of the process after multiple tries b/c the malware was trying to block rkill from being accessed.

After Combofix was used for the first time, the malware stopped appearing on the computer. rkill seemed to confirm this because the process was not being stopped. There are no visible signs of the malware on my computer in terms of alerts, slowdowns, etc. I also noticed that my effective boot time (time until CPU load decreases due to startup sequences) has decreased by about 1-2 minutes. The pre-Combofix boot time was about 9 minutes but now it is about 7 minutes. The only change besides the faster bootup is that I can see the option to boot from the Recovery Console show up for a few seconds now every time I boot up. Is this normal?

The computer seems a little bit more responsive and I can at least access all the programs on the computer (have not tried any games). My policy towards the laptop after the infection was to keep it off and disconnected from the Internet unless told to update programs or run the ESET scan from you. I figured that keeping it off would limit the damage done. It seems fine now, but I am not sure what remnants are left in the system, if any.


I updated Acrobat Reader and Java first and then ran HostsXpert and then disconnected from the Internet and rebooted. Then I ran the DDS and Combofix Script scans. All logs are below.

Note: The Comodo Firewall is not actually enabled on my computer. What happened was that about a year ago, I was being locked out of every process and application by Comodo Firewall. I could not even log in properly. So I had to use Safe Mode and use System Restore to get rid of the Firewall, which was very messy for the system, but I felt that I had no choice. There is no Comodo Firewall on the computer in terms of files but the computer thinks that it is still there. I can't "uninstall" it but it doesn't interfere with network traffic. The only remnant of the firewall is in the Security Center, which thinks the firewall is still on.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DDS Log



DDS (Ver_09-12-01.01) - NTFSx86
Run by Nilesh at 19:29:54.93 on Sun 03/14/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1254 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Tools\DDS.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File
BHO: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RamBooster] c:\program files\rambooster\Rambooster.exe
uRun: [igndlm.exe] c:\program files\ign\download manager\dlm.exe /windowsstart /startifwork
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: angernet.org
Trusted Zone: musicmatch.com\online
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228547942609
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228547930625
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38055.5668981482
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nilesh\applic~1\mozilla\firefox\profiles\obrb4ev5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-8-1 29239]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-7-6 27784]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 297752]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-24 210216]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-20 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-20 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100305.004\NAVENG.sys [2010-3-5 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100305.004\NAVEX15.sys [2010-3-5 1324720]
S2 mrtRate;mrtRate; [x]
S3 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [2004-7-27 15744]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\vnetusbl.sys [2007-7-6 107648]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
S4 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2001-11-2 114749]

=============== Created Last 30 ================

2010-03-14 23:10:01 0 d-----w- C:\mechanic19780m
2010-03-14 23:08:04 0 d-----w- C:\HostsXpert
2010-03-14 22:42:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-14 04:22:35 0 d-----w- c:\program files\ESET
2010-03-14 03:51:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 03:51:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-14 03:51:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 14:23:39 0 d-----w- C:\mechanic6617m
2010-03-13 14:17:26 0 d-sha-r- C:\cmdcons
2010-03-13 14:16:03 98816 ----a-w- c:\windows\sed.exe
2010-03-13 14:16:03 77312 ----a-w- c:\windows\MBR.exe
2010-03-13 14:16:03 261632 ----a-w- c:\windows\PEV.exe
2010-03-13 14:16:03 161792 ----a-w- c:\windows\SWREG.exe
2010-03-13 14:15:55 0 d-----w- C:\mechanic
2010-03-13 01:30:25 20 ----a-w- c:\documents and settings\nilesh\defogger_reenable
2010-03-12 00:22:14 0 d-----w- c:\docume~1\nilesh\applic~1\Malwarebytes
2010-03-12 00:22:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-08 01:06:43 64942 ----a-w- C:\[isoHunt] Bleach Soundtrack Collection.torrent
2010-03-06 04:35:06 422487 ----a-w- C:\hinmori killed again.jpg
2010-03-05 00:07:29 75776 ----a-w- C:\Exam1_Biology565_Spring2010 Patel.doc
2010-03-04 01:38:05 10411788 ----a-w- C:\t_deadap_jp_kasumi.mp4
2010-03-04 01:04:30 33635424 ----a-w- C:\t_haloreach_mpbeta_hd.wmv
2010-03-04 01:04:26 36470934 ----a-w- C:\t_haloreach_mpbeta_hd.mov
2010-03-02 23:24:06 423792 ----a-w- C:\046.jpg
2010-03-02 23:23:59 399043 ----a-w- C:\045.jpg
2010-03-02 03:25:58 40448 ----a-w- C:\Exam1_Biology565_Spring2010.doc
2010-02-27 21:51:57 69120 ----a-w- C:\Exam 2 Study Guide Answers.doc
2010-02-27 21:44:51 68096 ----a-w- C:\Exam 2 Study Guide.doc
2010-02-27 20:48:34 626206 ----a-w- C:\The Faust Table of MTW 2 Stats.pdf
2010-02-26 05:49:12 415744 ----a-w- C:\EC101_PracQ06_K.doc
2010-02-26 05:45:32 104960 ----a-w- C:\EC101_PracQ07_K.doc
2010-02-26 05:13:02 3307761 ----a-w- C:\Nothing Can Be Explained.mp3
2010-02-26 05:07:30 2161906 ----a-w- C:\Battle Ignition.mp3
2010-02-26 05:06:49 2553952 ----a-w- C:\Storm Center.mp3
2010-02-24 03:07:51 324970 ----a-w- C:\Color Map of Southeast Asia.pdf
2010-02-24 03:07:31 375325 ----a-w- C:\Color Map of Southeast Asia with Rivers.pdf
2010-02-24 02:58:09 290430 ----a-w- C:\Blank Map of Southeast Asia.pdf
2010-02-24 02:57:12 28160 ----a-w- C:\Southeast Asia Map Key.doc
2010-02-23 23:03:54 26338 ----a-w- C:\Spanish Daughter Dance.jpg
2010-02-23 23:01:39 160360 ----a-w- C:\English Daughter Dance.jpg
2010-02-23 23:01:14 96304 ----a-w- C:\English Daughter 1.jpg
2010-02-23 23:01:01 153895 ----a-w- C:\French Daughter 1.jpg
2010-02-22 05:08:51 29696 ----a-w- C:\Twilight in Delhi temp.doc
2010-02-21 23:59:24 33792 ----a-w- C:\Twilight in Delhi Book Report.doc
2010-02-17 07:34:44 47634 ----a-w- C:\rice - white.JPG
2010-02-17 07:31:54 57820 ----a-w- C:\rice - brown.JPG
2010-02-17 07:18:25 36587 ----a-w- C:\rice genome.JPG
2010-02-17 07:11:21 36359 ----a-w- C:\rice 2.JPG
2010-02-17 06:50:09 55570 ----a-w- C:\rice.JPG
2010-02-17 06:46:49 3089920 ----a-w- C:\Rice Plant Presentation.ppt
2010-02-17 00:20:38 37888 ----a-w- C:\Plant Project Paper - Rice.doc
2010-02-15 22:48:26 21504 ----a-w- C:\PRESENTATIONS2010.doc
2010-02-14 03:27:44 0 d-----w- c:\docume~1\nilesh\applic~1\ScummVM
2010-02-13 06:51:50 0 d-----w- C:\Chronicles of Prydain 5 - The High King
2010-02-13 06:51:42 0 d-----w- C:\Chronicles of Prydain 4 - Taran Wanderer
2010-02-13 06:51:35 0 d-----w- C:\Chronicles of Prydain 3 - The Castle of Llyr
2010-02-13 06:51:22 0 d-----w- C:\Chronicles of Prydain 2 - The Black Cauldron
2010-02-13 06:50:35 0 d-----w- C:\Chronicles of Prydain 1 - The Book of Three
2010-02-13 06:48:19 0 d-----w- C:\The Chronicles of Prydain
2010-02-13 06:47:54 1197607 ----a-w- C:\The Chronicles of Prydain.rar
2010-02-13 03:46:55 0 d-----w- C:\OldGames
2010-02-13 03:39:39 0 d-----w- c:\program files\DOSBox-0.73
2010-02-13 03:36:42 3595301 ----a-w- C:\the-amazon-trail.zip
2010-02-13 03:36:20 6539962 ----a-w- C:\monkey-island-2-lechucks-revenge.zip
2010-02-13 03:36:07 3275156 ----a-w- C:\the-secret-of-monkey-island.zip
2010-02-13 03:35:21 1915930 ----a-w- C:\oregon-trail-deluxe.zip

==================== Find3M ====================

2010-03-14 22:42:36 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 19:30:13.84 ===============



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attach Log




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/9/2004 5:59:00 PM
System Uptime: 3/14/2010 6:58:53 PM (1 hours ago)

Motherboard: Dell Inc. | | 0XD720
Processor: Intel® Core™2 CPU T7200 @ 2.00GHz | Microprocessor | 1995/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 5.091 GiB free.
D: is CDROM ()
E: is Removable
F: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1390 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&6C79FC5&0&00E0
Manufacturer: Broadcom
Name: Dell Wireless 1390 WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&6C79FC5&0&00E0
Service: BCM43XX

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\25AF0181434FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\25AF0181434FC000
Service: NIC1394

Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth PAN Network Adapter
Device ID: ROOT\NET\0000
Manufacturer: IVT Corporation
Name: Bluetooth PAN Network Adapter
PNP Device ID: ROOT\NET\0000
Service: BT

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0001
Manufacturer: LogMeIn, Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0001
Service: hamachi

==== System Restore Points ===================

RP780: 2/21/2010 5:00:32 PM - System Checkpoint
RP781: 2/28/2010 8:08:27 PM - Installed No One Lives Forever 2
RP782: 3/5/2010 6:49:49 PM - System Checkpoint
RP783: 3/8/2010 4:48:34 PM - Avg8 Update
RP784: 3/13/2010 9:16:23 AM - ComboFix created restore point
RP785: 3/14/2010 6:26:58 PM - Removed System Requirements Lab
RP786: 3/14/2010 6:27:13 PM - Removed System Requirements Lab
RP787: 3/14/2010 6:37:36 PM - Removed Java™ 6 Update 12
RP788: 3/14/2010 6:42:27 PM - Installed Java™ 6 Update 18
RP789: 3/14/2010 6:50:26 PM - Installed Adobe Reader 9.3.

==== Installed Programs ======================

µTorrent
7-Zip 4.65
Acrobat.com
AcronisTrueImageHome
Ad-Aware
Adobe Acrobat 6.0 Professional
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 9.3
Adobe Shockwave Player 11.5
AES Crypt
AGEIA PhysX v7.11.13
Ahead Nero Burning ROM
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audiosurf
AusLogics Registry Defrag
AutoUpdate
AVG Free 8.5
AVS DVD Player version 2.4
Bandwidth Monitor
Battlefield 2™ Demo
Bluesoleil2.6.0.8 Release 070517
BOINC
Bonjour
Broadcom 440x 10/100 Integrated Controller
Call of Duty - United Offensive
Call of Duty™ Game of the Year Edition
CambridgeSoft Activation Client
CambridgeSoft ChemBioDraw Ultra 11.0
CambridgeSoft ENotebook 11.0
CCI_Printing
CDisplay 1.8
ChaosPro 3.3
Conexant HDA D110 MDC V.92 Modem
DataStudio
Dell Resource CD
Dell Wireless WLAN Card
Deus Ex
Diner Dash 3-in-1
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVDXCopy Xpress 3.0.1
DW6 Demo
DYNASTY WARRIORS 6 Playable Demo
Dyson v1.08
Earthsim
EasyRecovery Professional
Emperor: Rise of the Middle Kingdom 1.0.1.0
ESET Online Scanner v3
Evil Genius
Fable - The Lost Chapters
FATE from WildGames (remove only)
FLV Player 1.3.3
Free Download Manager 2.5
Freedom Fighters
GameSpy Arcade
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)
GDR 3068 for SQL Server Tools and Workstation Components 2005 ENU (KB948109)
Get Files
Hamachi 1.0.3.0
Harry Potter
Harry Potter - Quidditch World Cup
High Definition Audio Driver Package - KB835221
Hitman 2: Silent Assassin
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
|S̃K[thQ
IGN Download Manager 2.3.2
InstantCopy
Intel® PRO Network Adapters and Drivers
iTunes
Java Auto Updater
Java™ 6 Update 18
K-Lite Codec Pack 3.9.0 Full
LEGO Star Wars II
Lemonade Tycoon 2
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
LucasArts' Grim Fandango
LucasArts' Star Wars: Episode I Racer
LucasArts' The Phantom Menace
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Flash MX
Malwarebytes' Anti-Malware
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo Trial
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (CSSQL05)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Miro
MobileMe Control Panel
Modem Helper
Moyea FLV Downloader version 1.15.0.15
Moyea FLV Player version 1.5.2.7
Mozilla Firefox (3.0.18)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Musicmatch Jukebox
MySpaceIM
No One Lives Forever 2
Norton Ghost
OpenAL
Populus
Prince of Persia T2T
Prince of Persia The Sands of Time
Prince of Persia The Two Thrones
Project64 1.6
PunkBuster Services
Quicken 2003 Premier Home & Business
QuickSet
QuickTime
RamBooster
RealPlayer
Rome - Total War™
Rome Total War - patch 1.3
ScummVM 1.0.0
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Pirates!
SigmaTel Audio
SimCity 3000
Sniper Elite Demo
SoundMAX
SpaceTrader
SpeedFan (remove only)
Spybot - Search & Destroy
Star Wars Battlefront
Star Wars Jedi Knight Jedi Academy
Star Wars JK II Jedi Outcast
Star Wars® Knights of the Old Republic® II: The Sith Lords™
Star Wars: Knights of the Old Republic ™
SuperPower
Symantec AntiVirus Client
Symantec pcAnywhere
Synaptics Pointing Device Driver
The Political Machine
Tom Clancy's Rainbow Six 3: Raven Shield Single Player Demo
Ulead DVD PictureShow 2
Unreal Tournament 2004 Demo
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.762
Veoh Web Player Beta
VeohTV BETA
VideoLAN VLC media player 0.8.6f
WebFldrs XP
WildTangent Web Driver
Windows Driver Package - PASCO Scientific (PASCO) USB 01/17/2004 1.9.0.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Presentation Foundation
Windows XP Service Pack 3
WinFF 0.45
WinLauncherXP 2.0.5 beta
WinRAR archiver
World in Conflict - DEMO
XML Paper Specification Shared Components Pack 1.0
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

3/13/2010 9:24:25 AM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
3/13/2010 7:55:41 PM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
3/13/2010 11:48:13 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 0000001c, parameter3 00000001, parameter4 8323e00c.
3/12/2010 8:29:32 PM, error: Service Control Manager [7034] - The SecuROM User Access Service (V7) service terminated unexpectedly. It has done this 1 time(s).
3/12/2010 8:29:32 PM, error: Service Control Manager [7034] - The Acronis Scheduler2 Service service terminated unexpectedly. It has done this 1 time(s).
3/12/2010 8:22:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/12/2010 8:22:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV AvgLdx86 AvgMfx86 awlegacy Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Tcpip6
3/12/2010 8:22:01 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
3/12/2010 8:22:01 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/12/2010 8:22:01 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/12/2010 8:22:01 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/12/2010 8:22:01 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/12/2010 8:22:01 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/12/2010 8:22:01 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/12/2010 11:47:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD agp440 APPDRV AvgLdx86 AvgMfx86 awlegacy BTHidMgr Fips intelppm IPSec MRxSmb NetBIOS NetBT ohci1394 RasAcd Rdbss Tcpip Tcpip6
3/11/2010 7:24:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
3/11/2010 7:17:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV AvgLdx86 AvgMfx86 awlegacy Fips intelppm
3/11/2010 10:12:05 PM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\uxtheme.dll could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
3/11/2010 10:08:14 PM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/11/2010 10:08:14 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix Script Log




ComboFix 10-03-12.04 - Nilesh 03/14/2010 19:11:34.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1365 [GMT -4:00]
Running from: E:\mechanic.exe
Command switches used :: E:\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2010-02-14 to 2010-03-14 )))))))))))))))))))))))))))))))
.

2010-03-14 23:08 . 2010-03-14 23:08 -------- d-----w- C:\HostsXpert
2010-03-14 22:51 . 2010-03-14 22:51 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-03-14 22:46 . 2010-03-14 22:46 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-14 22:46 . 2010-03-14 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-14 22:43 . 2010-03-14 22:43 -------- d-----w- c:\program files\Common Files\Java
2010-03-14 04:22 . 2010-03-14 04:22 -------- d-----w- c:\program files\ESET
2010-03-14 03:51 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 03:51 . 2010-03-14 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 03:51 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 14:23 . 2010-03-13 14:37 -------- d-----w- C:\mechanic6617m
2010-03-13 14:15 . 2010-03-13 14:17 -------- d-----w- C:\mechanic
2010-03-12 00:22 . 2010-03-12 00:22 -------- d-----w- c:\documents and settings\Nilesh\Application Data\Malwarebytes
2010-03-12 00:22 . 2010-03-12 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-14 03:27 . 2010-02-14 03:27 -------- d-----w- c:\documents and settings\Nilesh\Application Data\ScummVM
2010-02-13 06:51 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 5 - The High King
2010-02-13 06:51 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 4 - Taran Wanderer
2010-02-13 06:51 . 2010-02-17 06:50 -------- d-----w- C:\Chronicles of Prydain 3 - The Castle of Llyr
2010-02-13 06:51 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 2 - The Black Cauldron
2010-02-13 06:50 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 1 - The Book of Three
2010-02-13 06:48 . 2010-02-13 06:48 -------- d-----w- C:\The Chronicles of Prydain
2010-02-13 03:46 . 2010-02-13 03:47 -------- d-----w- C:\OldGames
2010-02-13 03:39 . 2010-02-13 03:39 -------- d-----w- c:\documents and settings\Nilesh\Local Settings\Application Data\DOSBox
2010-02-13 03:39 . 2010-02-13 04:02 -------- d-----w- c:\program files\DOSBox-0.73
2010-02-13 03:36 . 2010-02-13 03:36 3595301 ----a-w- C:\the-amazon-trail.zip
2010-02-13 03:36 . 2010-02-13 03:36 6539962 ----a-w- C:\monkey-island-2-lechucks-revenge.zip
2010-02-13 03:36 . 2010-02-13 03:36 3275156 ----a-w- C:\the-secret-of-monkey-island.zip
2010-02-13 03:35 . 2010-02-13 03:35 1915930 ----a-w- C:\oregon-trail-deluxe.zip
2010-02-13 03:30 . 2009-12-15 02:57 862208 ----a-w- c:\documents and settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\activegs@freetoolsassociation.com\platform\WINNT_x86-msvc\plugins\npActiveGS.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 22:50 . 2004-03-10 01:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-14 22:42 . 2009-01-11 05:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-14 05:58 . 2009-06-22 20:43 -------- d-----w- c:\program files\Lemonade Tycoon 2
2010-03-06 00:22 . 2010-01-02 02:16 -------- d-----w- c:\documents and settings\Nilesh\Application Data\U3
2010-03-01 12:43 . 2007-08-29 03:51 -------- d-----w- c:\program files\uTorrent
2010-03-01 01:08 . 2009-02-19 04:38 -------- d-----w- c:\program files\Fox
2010-03-01 00:27 . 2007-08-29 03:51 -------- d-----w- c:\documents and settings\Nilesh\Application Data\uTorrent
2010-02-27 03:18 . 2007-08-15 03:42 -------- d-----w- c:\documents and settings\Nilesh\Application Data\IGN_DLM
2010-02-27 01:13 . 2008-03-04 18:50 -------- d-----w- c:\documents and settings\Nilesh\Application Data\Hamachi
2010-02-25 22:29 . 2008-06-09 21:48 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2010-02-21 04:13 . 2010-02-01 18:12 -------- d-----w- c:\program files\DeusEx
2010-02-14 03:27 . 2007-09-24 21:41 -------- d-----w- c:\program files\ScummVM
2010-02-12 16:04 . 2007-08-28 03:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 22:27 . 2010-01-19 22:22 -------- d-----w- c:\program files\Project64 1.6
2010-01-19 22:22 . 2010-01-19 22:22 8854 ----a-r- c:\documents and settings\Nilesh\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2010-01-19 22:22 . 2010-01-19 22:22 40960 ----a-r- c:\documents and settings\Nilesh\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-01-19 22:22 . 2010-01-19 22:22 40960 ----a-r- c:\documents and settings\Nilesh\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-12-17 04:13 . 2009-12-15 23:57 152576 ----a-w- c:\documents and settings\Nilesh\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-17 04:13 . 2009-12-15 23:56 79488 ----a-w- c:\documents and settings\Nilesh\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-13_14.35.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-14 22:59 . 2010-03-14 22:59 16384 c:\windows\Temp\Perflib_Perfdata_1b0.dat
+ 2001-08-23 12:00 . 2010-03-14 23:04 89768 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2009-11-09 19:00 89768 c:\windows\system32\perfc009.dat
+ 2010-03-14 22:48 . 2010-03-14 22:48 24576 c:\windows\Installer\928cd.msi
+ 2001-08-23 12:00 . 2010-03-14 23:04 491304 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2009-11-09 19:00 491304 c:\windows\system32\perfh009.dat
+ 2010-03-14 22:42 . 2010-03-14 22:42 153376 c:\windows\system32\javaws.exe
+ 2010-03-14 22:42 . 2010-03-14 22:42 145184 c:\windows\system32\javaw.exe
- 2009-12-17 04:14 . 2009-10-11 09:17 145184 c:\windows\system32\javaw.exe
- 2009-12-17 04:14 . 2009-10-11 09:17 145184 c:\windows\system32\java.exe
+ 2010-03-14 22:42 . 2010-03-14 22:42 145184 c:\windows\system32\java.exe
+ 2010-03-14 22:43 . 2010-03-14 22:43 180224 c:\windows\Installer\928c3.msi
+ 2010-03-14 22:42 . 2010-03-14 22:42 576000 c:\windows\Installer\928be.msi
+ 2010-03-14 22:51 . 2010-03-14 22:51 3940352 c:\windows\Installer\928d3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RamBooster"="c:\program files\RamBooster\Rambooster.exe" [1999-10-07 469504]
"igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2009-05-15 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2003-05-29 394240]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-17 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-07 13:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 18:51 24638 ------w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
backup=c:\windows\pss\PASPortal.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Registration Prince of Persia T2T.LNK]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Registration Prince of Persia T2T.LNK
backup=c:\windows\pss\Registration Prince of Persia T2T.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Registration The Political Machine.LNK]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Registration The Political Machine.LNK
backup=c:\windows\pss\Registration The Political Machine.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Ubisoft register.lnk]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Ubisoft register.lnk
backup=c:\windows\pss\Ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2003-11-30 15:06 177152 ------w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-11-07 19:16 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-29 16:27 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-08-29 15:09 171464 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2002-08-14 23:21 94208 ------w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-05-15 00:03 1103216 ----a-w- c:\program files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 15:06 11776 ------w- c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-19 15:06 110592 ------w- c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-02-28 20:38 319280 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 14:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
2005-03-29 01:24 28616 ----a-w- c:\program files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"awhost32"=3 (0x3)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"=
"c:\\Complete Junk\\ut\\New Folder\\fd\\Splinter Cell Chaos Theory\\Chaos Theory Rip\\TC[1].SC.CT\\Tom Clancy's Splinter Cell\\System\\SPLINTERCELL3.EXE"=
"c:\\Program Files\\DeusEx\\System\\DeusEx.exe"=
"c:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [8/1/2003 6:47 PM 29239]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/9/2009 2:33 PM 335240]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 7:11 PM 5632]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 2:33 PM 297752]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/24/2008 2:35 PM 210216]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/26/2008 10:08 PM 29183504]
S2 mrtRate;mrtRate; [x]
S3 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [7/27/2004 4:05 PM 15744]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\vnetusbl.sys [7/6/2007 9:18 PM 107648]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/5/2007 11:05 PM 685816]
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-03-10 21:26]
.
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: angernet.org
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\activegs@freetoolsassociation.com\platform\WINNT_x86-msvc\plugins\npActiveGS.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-AnyDVD - c:\program files\SlySoft\AnyDVD\AnyDVD-uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-14 19:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%*y*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%*y*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:48,c0,9a,70,08,fe,2f,62,d0,8a,a0,c0,fe,36,94,fd,0e,8a,9f,ca,17,a5,e3,
85,3b,0c,c4,56,42,57,89,30,76,fe,37,03,96,f2,25,29,9d,4a,bc,00,b9,b3,0a,a1,\
"??"=hex:f1,a6,b3,fa,10,81,c3,2a,9e,b4,d0,55,6c,a2,40,96
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1048)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(736)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-14 19:26:50
ComboFix-quarantined-files.txt 2010-03-14 23:26

Pre-Run: 5,463,433,216 bytes free
Post-Run: 5,437,812,736 bytes free

- - End Of File - - 73CB0E594D0723DCEBCC4D03B32D3FCE


#12 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 14 March 2010 - 07:13 PM

Hello havoc123,

QUOTE
The only change besides the faster bootup is that I can see the option to boot from the Recovery Console show up for a few seconds now every time I boot up. Is this normal?

Yes, you now have an option to boot to the Recovery Console, which will allow you to boot and recover your machine in case of a more serious malware infection. Also, with some malware we must boot into the Recovery Console just to be able to kill the malware.

As for Comodo, I will get rid of the fact that your Security Center thinks it's still there.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
SecCenter::
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Hello, havoc123.
Congratulations! You now appear clean!

Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore".

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install and maintain an outbound firewall
  2. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  3. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  4. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  5. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  6. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  7. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 havoc123

  • Topic Starter
  • Members
  • 32 posts

Posted 14 March 2010 - 08:46 PM

Unfortunately I renamed Combofix when I used it to "mechanic" and it was mounted on my flash drive (E:) every time I used it. The command Combofix /Uninstall is not working. It says:

"Windows cannot find 'Combofix'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."


How should I rename or move Combofix so it does uninstall? To be clear, I did try moving it on the desktop but it still did not work.

EDIT: Never mind, renaming the file when I put it on the Desktop did work. What went wrong the first time, I am not sure about. The Qoobox folder is also gone.



I also ran OTC successfully. There seem to be no signs of either the malware or any program used to clean it up except for MBAM. However, there are also 4 folders created with the fake name "mechanic" that I renamed Combofix with. They are full of items. The first folder is "mechanic" and the others are the same name with numbers behind them. What do I do for these folders?

Hopefully this last log will pass without any problems.


Here is the CFScript Log you wanted.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 10-03-12.04 - Nilesh 03/14/2010 21:20:30.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1368 [GMT -4:00]
Running from: E:\mechanic.exe
Command switches used :: E:\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-02-15 to 2010-03-15 )))))))))))))))))))))))))))))))
.

2010-03-14 23:10 . 2010-03-14 23:26 -------- d-----w- C:\mechanic19780m
2010-03-14 23:08 . 2010-03-14 23:08 -------- d-----w- C:\HostsXpert
2010-03-14 22:51 . 2010-03-14 22:51 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-03-14 22:46 . 2010-03-14 22:46 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-14 22:46 . 2010-03-14 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-14 22:43 . 2010-03-14 22:43 -------- d-----w- c:\program files\Common Files\Java
2010-03-14 04:22 . 2010-03-14 04:22 -------- d-----w- c:\program files\ESET
2010-03-14 03:51 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 03:51 . 2010-03-14 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 03:51 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 14:23 . 2010-03-13 14:37 -------- d-----w- C:\mechanic6617m
2010-03-13 14:15 . 2010-03-13 14:17 -------- d-----w- C:\mechanic
2010-03-12 00:22 . 2010-03-12 00:22 -------- d-----w- c:\documents and settings\Nilesh\Application Data\Malwarebytes
2010-03-12 00:22 . 2010-03-12 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-14 03:27 . 2010-02-14 03:27 -------- d-----w- c:\documents and settings\Nilesh\Application Data\ScummVM
2010-02-13 06:51 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 5 - The High King
2010-02-13 06:51 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 4 - Taran Wanderer
2010-02-13 06:51 . 2010-02-17 06:50 -------- d-----w- C:\Chronicles of Prydain 3 - The Castle of Llyr
2010-02-13 06:51 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 2 - The Black Cauldron
2010-02-13 06:50 . 2010-02-17 07:11 -------- d-----w- C:\Chronicles of Prydain 1 - The Book of Three
2010-02-13 06:48 . 2010-02-13 06:48 -------- d-----w- C:\The Chronicles of Prydain
2010-02-13 03:46 . 2010-02-13 03:47 -------- d-----w- C:\OldGames
2010-02-13 03:39 . 2010-02-13 03:39 -------- d-----w- c:\documents and settings\Nilesh\Local Settings\Application Data\DOSBox
2010-02-13 03:39 . 2010-02-13 04:02 -------- d-----w- c:\program files\DOSBox-0.73
2010-02-13 03:36 . 2010-02-13 03:36 3595301 ----a-w- C:\the-amazon-trail.zip
2010-02-13 03:36 . 2010-02-13 03:36 6539962 ----a-w- C:\monkey-island-2-lechucks-revenge.zip
2010-02-13 03:36 . 2010-02-13 03:36 3275156 ----a-w- C:\the-secret-of-monkey-island.zip
2010-02-13 03:35 . 2010-02-13 03:35 1915930 ----a-w- C:\oregon-trail-deluxe.zip
2010-02-13 03:30 . 2009-12-15 02:57 862208 ----a-w- c:\documents and settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\extensions\activegs@freetoolsassociation.com\platform\WINNT_x86-msvc\plugins\npActiveGS.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 22:50 . 2004-03-10 01:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-14 22:42 . 2009-01-11 05:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-14 05:58 . 2009-06-22 20:43 -------- d-----w- c:\program files\Lemonade Tycoon 2
2010-03-06 00:22 . 2010-01-02 02:16 -------- d-----w- c:\documents and settings\Nilesh\Application Data\U3
2010-03-01 12:43 . 2007-08-29 03:51 -------- d-----w- c:\program files\uTorrent
2010-03-01 01:08 . 2009-02-19 04:38 -------- d-----w- c:\program files\Fox
2010-03-01 00:27 . 2007-08-29 03:51 -------- d-----w- c:\documents and settings\Nilesh\Application Data\uTorrent
2010-02-27 03:18 . 2007-08-15 03:42 -------- d-----w- c:\documents and settings\Nilesh\Application Data\IGN_DLM
2010-02-27 01:13 . 2008-03-04 18:50 -------- d-----w- c:\documents and settings\Nilesh\Application Data\Hamachi
2010-02-25 22:29 . 2008-06-09 21:48 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2010-02-21 04:13 . 2010-02-01 18:12 -------- d-----w- c:\program files\DeusEx
2010-02-14 03:27 . 2007-09-24 21:41 -------- d-----w- c:\program files\ScummVM
2010-02-12 16:04 . 2007-08-28 03:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 22:27 . 2010-01-19 22:22 -------- d-----w- c:\program files\Project64 1.6
2010-01-19 22:22 . 2010-01-19 22:22 8854 ----a-r- c:\documents and settings\Nilesh\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2010-01-19 22:22 . 2010-01-19 22:22 40960 ----a-r- c:\documents and settings\Nilesh\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-01-19 22:22 . 2010-01-19 22:22 40960 ----a-r- c:\documents and settings\Nilesh\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-12-17 04:13 . 2009-12-15 23:57 152576 ----a-w- c:\documents and settings\Nilesh\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-17 04:13 . 2009-12-15 23:56 79488 ----a-w- c:\documents and settings\Nilesh\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-13_14.35.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-15 01:06 . 2010-03-15 01:06 16384 c:\windows\Temp\Perflib_Perfdata_11c.dat
+ 2001-08-23 12:00 . 2010-03-15 01:11 89768 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2009-11-09 19:00 89768 c:\windows\system32\perfc009.dat
+ 2010-03-14 22:48 . 2010-03-14 22:48 24576 c:\windows\Installer\928cd.msi
+ 2001-08-23 12:00 . 2008-04-14 00:12 5120 c:\windows\system32\dllcache\sfc.dll
+ 2001-08-23 12:00 . 2010-03-15 01:11 491304 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2009-11-09 19:00 491304 c:\windows\system32\perfh009.dat
+ 2010-03-14 22:42 . 2010-03-14 22:42 153376 c:\windows\system32\javaws.exe
+ 2010-03-14 22:42 . 2010-03-14 22:42 145184 c:\windows\system32\javaw.exe
- 2009-12-17 04:14 . 2009-10-11 09:17 145184 c:\windows\system32\javaw.exe
+ 2010-03-14 22:42 . 2010-03-14 22:42 145184 c:\windows\system32\java.exe
- 2009-12-17 04:14 . 2009-10-11 09:17 145184 c:\windows\system32\java.exe
+ 2010-03-14 22:43 . 2010-03-14 22:43 180224 c:\windows\Installer\928c3.msi
+ 2010-03-14 22:42 . 2010-03-14 22:42 576000 c:\windows\Installer\928be.msi
+ 2010-03-14 22:51 . 2010-03-14 22:51 3940352 c:\windows\Installer\928d3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RamBooster"="c:\program files\RamBooster\Rambooster.exe" [1999-10-07 469504]
"igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2009-05-15 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2003-05-29 394240]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-17 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-07 13:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 18:51 24638 ------w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
backup=c:\windows\pss\PASPortal.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Registration Prince of Persia T2T.LNK]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Registration Prince of Persia T2T.LNK
backup=c:\windows\pss\Registration Prince of Persia T2T.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Registration The Political Machine.LNK]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Registration The Political Machine.LNK
backup=c:\windows\pss\Registration The Political Machine.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nilesh^Start Menu^Programs^Startup^Ubisoft register.lnk]
path=c:\documents and settings\Nilesh\Start Menu\Programs\Startup\Ubisoft register.lnk
backup=c:\windows\pss\Ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2003-11-30 15:06 177152 ------w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-11-07 19:16 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2009-12-29 16:27 2043160 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-08-29 15:09 171464 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2002-08-14 23:21 94208 ------w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-05-15 00:03 1103216 ----a-w- c:\program files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 15:06 11776 ------w- c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-19 15:06 110592 ------w- c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-02-28 20:38 319280 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 14:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
2005-03-29 01:24 28616 ----a-w- c:\program files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"awhost32"=3 (0x3)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"=
"c:\\Complete Junk\\ut\\New Folder\\fd\\Splinter Cell Chaos Theory\\Chaos Theory Rip\\TC[1].SC.CT\\Tom Clancy's Splinter Cell\\System\\SPLINTERCELL3.EXE"=
"c:\\Program Files\\DeusEx\\System\\DeusEx.exe"=
"c:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [8/1/2003 6:47 PM 29239]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/9/2009 2:33 PM 335240]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 7:11 PM 5632]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 2:33 PM 297752]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/24/2008 2:35 PM 210216]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/26/2008 10:08 PM 29183504]
S2 mrtRate;mrtRate; [x]
S3 PASCO;PASCO PASPORT USB Driver (PSSensor.sys);c:\windows\system32\drivers\PSSensor.sys [7/27/2004 4:05 PM 15744]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\vnetusbl.sys [7/6/2007 9:18 PM 107648]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/5/2007 11:05 PM 685816]
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-03-10 21:26]
.
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: angernet.org
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Nilesh\Application Data\Mozilla\Firefox\Profiles\obrb4ev5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%*y*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**%*y*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-515967899-854245398-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:48,c0,9a,70,08,fe,2f,62,d0,8a,a0,c0,fe,36,94,fd,0e,8a,9f,ca,17,a5,e3,
85,3b,0c,c4,56,42,57,89,30,76,fe,37,03,96,f2,25,29,9d,4a,bc,00,b9,b3,0a,a1,\
"??"=hex:f1,a6,b3,fa,10,81,c3,2a,9e,b4,d0,55,6c,a2,40,96
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1056)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2680)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-14 21:35:26
ComboFix-quarantined-files.txt 2010-03-15 01:35
ComboFix2.txt 2010-03-14 23:26

Pre-Run: 5,439,078,400 bytes free
Post-Run: 5,403,000,832 bytes free

- - End Of File - - B0AD1FFEE9B7A4934AE5ED37CC88776B

Edited by havoc123, 14 March 2010 - 09:06 PM.
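The log above lists the places ComboFix checks for autostarts (the Run keys, Winlogon\Notify, the msconfig startupreg backups) and the Windows Firewall AuthorizedApplications list. When reading one of these, the first pass is mechanical: anything launched from a user-writable directory, from outside the Windows and Program Files trees, or by a bare filename gets looked at before anything else. Rogue antivirus of the Antivirus Soft type typically ran from the user's Local Settings\Application Data folder with a Run key pointing at it, which is exactly what that first pass catches. The script below is an added example, not code from this thread, from ComboFix or from BleepingComputer; it parses the "Reg Loading Points" layout shown in the log and reports the entries worth a second look. The sample input is constructed: the layout and most paths are taken from the posted log, while the "abcsysguard" Run entry is hypothetical, added to show what a rogue-AV autostart looks like, and is not from the user's machine.

```python
"""Triage of autostart and firewall-exception entries from a ComboFix log.

Added example; not code from this thread, from ComboFix or from BleepingComputer.
It reads the "Reg Loading Points" layout of the log and reports the entries a
responder would look at first. A finding is a reason to check the file, not a
verdict: a game launcher in a junk folder is not malware, but it is worth confirming.
"""
import re
from typing import Dict, List, Optional, Tuple

# A bracketed registry key opens a section; later entries belong to it.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Run-key form:  "name"="path" [yyyy-mm-dd size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"'
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?$"
)
# Firewall AuthorizedApplications form:  "path"=   (backslashes doubled, as in a .reg export)
FW_RE = re.compile(r'^"(?P<path>[^"]*)"=$')
# Winlogon\Notify and msconfig\startupreg form:  date time size attrs path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+[-a-z]+\s+(?P<path>.+)$")

# Where code is expected to live on an XP box; everything else is worth a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Directories an ordinary user (and therefore drive-by malware) can write to.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\temp\\", "\\users\\")


def normalize(path: str) -> str:
    """Collapse .reg-style doubled backslashes, expand %windir%, lower-case for comparison."""
    p = path.replace("\\\\", "\\").strip().lower()
    return p.replace("%windir%", "c:\\windows")


def classify(path: str) -> str:
    """Return an empty string for an unremarkable path, else the reason to review it."""
    p = normalize(path)
    if "\\" not in p:
        return "unqualified filename (resolved by PATH search, so easy to shadow)"
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "runs from a user-writable location"
    if not p.startswith(TRUSTED_ROOTS):
        return "outside the Windows and Program Files trees"
    return ""


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (name, path) for a recognised entry line, or None for anything else."""
    m = RUN_RE.match(line)
    if m:
        return m.group("name"), m.group("path")
    m = FW_RE.match(line)
    if m:
        return "(firewall exception)", m.group("path")
    m = FILE_RE.match(line)
    if m:
        path = m.group("path")
        return normalize(path).rsplit("\\", 1)[-1], path
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the log, track the current registry key, and collect the flagged entries."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        entry = parse_entry(line)
        if entry is None:
            continue
        name, path = entry
        reason = classify(path)
        if reason:
            findings.append({"key": current_key, "name": name, "path": normalize(path), "reason": reason})
    return findings


# Constructed sample input. Layout and most paths follow the posted log; the
# "abcsysguard" Run entry is hypothetical and NOT from the user's machine.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RamBooster"="c:\program files\RamBooster\Rambooster.exe" [1999-10-07 469504]
"abcsysguard"="c:\documents and settings\user\Local Settings\Application Data\abc\abcsysguard.exe" [2010-03-10 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-07 13:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Complete Junk\\ut\\New Folder\\fd\\Splinter Cell Chaos Theory\\Chaos Theory Rip\\TC[1].SC.CT\\Tom Clancy's Splinter Cell\\System\\SPLINTERCELL3.EXE"=
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['key']}\n    {f['name']} -> {f['path']}")
```

On the sample this reports four entries: the hypothetical sysguard Run key and the NexonUS firewall exception (both under Documents and Settings), the bare `stsystra.exe` (a legitimate Sigmatel tray app, but loaded by PATH search rather than full path), and the Splinter Cell rip under `c:\Complete Junk` (not malware in itself, but an unknown binary with a firewall exception is exactly what you verify by hand). Everything under `c:\windows`, `c:\program files` or `c:\progra~1` is left alone, which is the same judgement the helper applied when reading the log.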


#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:42 AM

Posted 14 March 2010 - 09:05 PM

Hello havoc123,

Yes, everything looks good, you are all clean!
Notice Comodo no longer showed up in the ComboFix log. I took care of that for you.
If you have no further questions I will consider this topic all done and closed.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 havoc123

havoc123
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 14 March 2010 - 09:14 PM

I am sorry to bother you with this last problem but I think my edits didn't show up as replies (?) in the forums.

There are 4 folders created also with the fake name "mechanic" that I renamed Combofix with. They are full of items. The first folder is "mechanic" and the others are the same name with numbers behind them. What do I do for these folders? The main folder "mechanic" has several applications (some are NirSoft files), application extensions, BAD file, C file, CF file, CFXXE file, Configuration Settings, DAT files, generic files with no file types, folders, MD5 file, MS-DOS applications, MS-DOS batch files, registration entries, and SED files.

Quite a list of important-looking files, and all this is in the first folder. The other folders are much smaller. One doesn't have anything in it but another has 3 CFXXE files, one has a NirSoft file, and the last one has 3 CFXXE files also but different names.

Important files, more malware, or remnants of the cleanup process by Combofix?


HostsXpert folder can also be removed, right?


On a happier note, thank you very much for fixing my malware problem and for removing the Comodo file remnant. I will definitely take a look at those suggestions you posted earlier, especially the Hosts File, which I didn't know about at all.

Edited by havoc123, 15 March 2010 - 10:59 AM.




