multiple malwares


  • This topic is locked
21 replies to this topic

#1 lanuk

  • Members
  • 21 posts

Posted 13 March 2010 - 04:01 AM

Hello,
Firstly, kudos to the kind souls at Bleeping Computer for doing what you all are doing.

I am running a Windows XP Professional Service Pack 2 machine. I have an updated Kaspersky Internet Security antivirus running.
However, multiple pieces of malware managed to sneak in somehow, seekDNS being one of them.

I followed the instructions on another forum on Bleeping Comp and ran:
Malwarebytes' Anti-Malware
Ad-Aware
Spybot - Search & Destroy
These threw up some culprits, which the respective programs tried to fix. However, I feel that the system is still infected, and hence am posting here.


DDS (Ver_09-12-01.01) - FAT32x86
Run by Administrator at 13:53:35.79 on Sat 03/13/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1360 [GMT 5.5:30]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Galileo\SSL\SSLClientService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.windowsupdate.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\d6vvjtd6.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-13 64288]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-7-17 226832]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 208616]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-6-19 68136]
R2 Galileo SSL Tunnel;Galileo SSL Tunnel;c:\program files\galileo\ssl\SSLClientService.exe [2008-12-9 24576]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-10-2 38400]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]

=============== Created Last 30 ================

2010-03-13 08:02:36 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-03-13 07:24:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-13 07:21:40 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-03-13 07:17:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-13 07:17:42 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-13 07:04:43 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-13 07:04:35 0 d-----w- c:\program files\Lavasoft
2010-03-13 05:50:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-13 05:50:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-13 03:41:37 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-03-13 03:41:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 03:41:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 03:41:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 03:41:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-04 17:33:17 104 ----a-w- c:\windows\system32\NvApps.xml
2010-03-04 17:33:12 16608 ----a-w- c:\windows\gdrv.sys
2010-03-04 17:32:58 0 d-sh--w- C:\FOUND.013
2010-03-04 15:04:42 0 d-sh--w- C:\FOUND.012
2010-02-17 03:47:46 1064 ----a-w- c:\windows\system32\%LocalXml%
2010-02-15 08:32:46 0 d-sh--w- C:\FOUND.011

==================== Find3M ====================

2010-03-13 07:56:46 655904 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-13 07:56:46 6204 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-13 07:56:46 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-03-13 07:56:46 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 13:54:02.60 ===============


#2 m0le

  • Malware Response Team
  • Location: London, UK

Posted 14 March 2010 - 04:15 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 lanuk

  • Topic Starter
  • Members

Posted 15 March 2010 - 01:32 PM

Hello m0le,
I'm here and tracking this topic.
Waiting for your first instruction.

Also, XP ran an update and installed SP3 today. Should I re-run the DDS or GMER scan?

Thanks,
Kunal

#4 m0le

  • Malware Response Team
  • Location: London, UK

Posted 15 March 2010 - 06:22 PM

No, no need to rerun the scans.

We need to execute an OTM script:
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Files
    C:\FOUND.*
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.


Now please run MBAM on a full scan. Your copy will be fine.


Finally, run ESET's online scanner.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks
m0le is a proud member of UNITE

#5 lanuk

  • Topic Starter
  • Members

Posted 16 March 2010 - 03:38 AM

OTM Log

========== FILES ==========
C:\FOUND.000 folder moved successfully.
C:\FOUND.001 folder moved successfully.
C:\FOUND.002 folder moved successfully.
C:\FOUND.003 folder moved successfully.
C:\FOUND.004 folder moved successfully.
C:\FOUND.005 folder moved successfully.
C:\FOUND.006 folder moved successfully.
C:\FOUND.013 folder moved successfully.
C:\FOUND.007 folder moved successfully.
C:\FOUND.008 folder moved successfully.
C:\FOUND.009 folder moved successfully.
C:\FOUND.010 folder moved successfully.
C:\FOUND.011 folder moved successfully.
C:\FOUND.012 folder moved successfully.

OTM by OldTimer - Version 3.1.10.0 log created on 03162010_105608



MBAM Log

Malwarebytes' Anti-Malware 1.44
Database version: 3872
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/16/2010 11:48:09 AM
mbam-log-2010-03-16 (11-48-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 371618
Time elapsed: 47 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





ESET Scan Log

C:\WINDOWS\Temp\SEE24.tmp\upgrade.exe a variant of Win32/Adware.OneStep.E application deleted - quarantined
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G7C9G9WV\upgrade[4].cab a variant of Win32/Adware.OneStep.E application deleted - quarantined
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNQLEF25\upgrade[1].cab a variant of Win32/Adware.OneStep application deleted - quarantined
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNQLEF25\upgrade[4].cab a variant of Win32/Adware.OneStep.E application deleted - quarantined
C:\Documents and Settings\Tarun\Local Settings\Temporary Internet Files\Content.IE5\ENCLODW9\gifimg[1].htm HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\Kunal\Desktop\SOFTWARES\0_installed\softwares - frequently used\Windows BitDefender\Keygen_bitdefender_antivirus_2008_32b_USE THIS.rar probably a variant of Win32/Agent trojan deleted - quarantined
C:\System Volume Information\_restore{026936D5-DBCF-40A4-A6F6-0E14C1575AAE}\RP177\A0114679.dll a variant of Win32/Adware.OneStep.E application cleaned by deleting - quarantined
C:\System Volume Information\_restore{026936D5-DBCF-40A4-A6F6-0E14C1575AAE}\RP184\A0122020.DLL a variant of Win32/Adware.OneStep.E application cleaned by deleting - quarantined
D:\DATA_FAMILY\back up copy\INSTALL\Nero7\Nero-7.11.10.0_all_update.exe Win32/Toolbar.AskSBar application deleted - quarantined



#6 lanuk

  • Topic Starter
  • Members

Posted 16 March 2010 - 03:12 PM

Hello,

I wanted to mention that I have another machine which was giving me some problems. So I posted about it here: http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/ (I created a separate login on Bleeping Computer for that problem.)

The reason I am writing to you again is that I transferred some files from the above computer to the computer being discussed in this topic, and hence was doubting whether I have got re-infected with anything.

So I updated Malwarebytes and re-ran a scan just now. Now, I happen to be in a different user account than the one I was in when I followed your above instructions and ran OTM, MBAM and ESET. As mentioned in the previous post, at that time MBAM did not detect anything. But right now it detects the following:

Malwarebytes' Anti-Malware 1.44
Database version: 3874
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/17/2010 1:39:25 AM
mbam-log-2010-03-17 (01-39-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 371864
Time elapsed: 46 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




I am not so sure if this is because of the file transfer between the 2 machines. Or is it that I need to run the scans in each of the user accounts? Currently there are 3 administrative accounts on this machine (other than the one default Administrator account that came with XP, which I can't delete and from where I had run the scans of the previous post).

Thanks once again, and I hope I haven't confused the issues with this posting.

Regards,
Kunal
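Added example, not part of the thread: a small Python parser for the MBAM 1.44 log format shown in this post. It flags the two things this post turns on, entries still marked "No action taken" and entries under HKEY_CURRENT_USER, which is the hive of the logged-on user only, so a clean scan from the Administrator account says nothing about the other accounts' copies of these keys. It also cross-checks the header counts against the listed entries. The sample log is constructed from the registry lines above (trimmed); all function and field names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: header counts and the two registry sections of the MBAM 1.44
# log posted above, trimmed to the lines the parser needs.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44

Scan type: Full Scan (C:\|D:\|)

Memory Processes Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected: 4" is a header count; "Registry Keys Infected:" opens a section.
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)\s*$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):\s*$")
# HKCU is the hive of the logged-on user; another account's copy is not loaded,
# so a scan run from the Administrator account cannot see (or clean) these entries.
PER_USER_HIVES = ("HKEY_CURRENT_USER\\", "HKCU\\")

@dataclass
class Item:
    section: str
    path: str    # registry key/value or file path
    name: str    # detection name, e.g. Adware.ShopperReports
    action: str  # e.g. "No action taken" or "Quarantined and deleted successfully"

    @property
    def per_user(self) -> bool:
        return self.path.upper().startswith(PER_USER_HIVES)

@dataclass
class MbamLog:
    summary: dict = field(default_factory=dict)  # section -> count from the header
    items: list = field(default_factory=list)    # parsed Item entries

def _parse_item(section: str, line: str):
    """Split '<path> (<detection>) -> <action>.' from the right, so that
    parentheses inside the path do not confuse the split."""
    head, sep, action = line.rpartition(" -> ")
    if not sep:
        return None
    path, sep, name = head.rpartition(" (")
    if not sep or not name.endswith(")"):
        return None
    return Item(section, path, name[:-1], action.rstrip("."))

def parse_mbam_log(text: str) -> MbamLog:
    log, section = MbamLog(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if m := SUMMARY_RE.match(line):
            log.summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (item := _parse_item(section, line)):
            log.items.append(item)
    return log

def assess(log: MbamLog) -> dict:
    """Flag entries not yet removed, entries only visible from the scanned
    account, and header counts that disagree with the listed entries."""
    per_section = Counter(i.section for i in log.items)
    return {
        "pending": sum(i.action == "No action taken" for i in log.items),
        "per_user_hive": sum(i.per_user for i in log.items),
        "detections": sorted({i.name for i in log.items}),
        "count_mismatch": {s: (n, per_section[s])
                           for s, n in log.summary.items() if per_section[s] != n},
    }

if __name__ == "__main__":
    for key, value in assess(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```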

#7 m0le

  • Malware Response Team
  • Location: London, UK

Posted 16 March 2010 - 05:26 PM

Run MBAM and ESET on all three user accounts, name them WORKING PC, PC2 and PC3, and post the logs for each.

Once done, log into WORKING PC and post me a new DDS log.

If there are issues on either of the other two accounts then we'll deal with them next.
m0le is a proud member of UNITE

#8 lanuk

  • Topic Starter
  • Members

Posted 17 March 2010 - 04:05 PM

WORKING PC

MBAM - ran for post #5
ESET LOG - ran for post #5



WORKING PC 2

MBAM:

Malwarebytes' Anti-Malware 1.44
Database version: 3875
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/17/2010 10:28:25 AM
mbam-log-2010-03-17 (10-28-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 372001
Time elapsed: 45 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ESET
D:\System Volume Information\_restore{026936D5-DBCF-40A4-A6F6-0E14C1575AAE}\RP194\A0130334.exe Win32/Toolbar.AskSBar application deleted - quarantined




WORKING PC 3

MBAM
Malwarebytes' Anti-Malware 1.44
Database version: 3875
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/17/2010 1:44:52 PM
mbam-log-2010-03-17 (13-44-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 372222
Time elapsed: 44 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET
No threats were found after the scan. Hence no log could be generated.



WORKING PC 4


MBAM
Malwarebytes' Anti-Malware 1.44
Database version: 3876
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/17/2010 10:47:36 PM
mbam-log-2010-03-17 (22-47-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 372155
Time elapsed: 45 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET
No threats were found after the scan, hence no log could be generated.





WORKING PC - NEW DDS FILE

DDS (Ver_09-12-01.01) - FAT32x86
Run by Administrator at 2:22:38.46 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1294 [GMT 5.5:30]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
SVCHOST.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Galileo\SSL\SSLClientService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\bleeping comp log process\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.windowsupdate.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\d6vvjtd6.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-13 64288]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-7-17 226832]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 208616]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-6-19 68136]
R2 Galileo SSL Tunnel;Galileo SSL Tunnel;c:\program files\galileo\ssl\SSLClientService.exe [2008-12-9 24576]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-10-2 38400]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

=============== Created Last 30 ================

2010-03-16 06:29:49 0 d-----w- c:\program files\ESET
2010-03-16 05:26:08 0 d-----w- C:\_OTM
2010-03-15 14:52:00 0 d-----w- c:\windows\system32\scripting
2010-03-15 14:52:00 0 d-----w- c:\windows\l2schemas
2010-03-15 14:51:59 0 d-----w- c:\windows\system32\en
2010-03-15 14:51:59 0 d-----w- c:\windows\system32\bits
2010-03-15 14:47:45 0 d-----w- c:\windows\network diagnostic
2010-03-15 14:27:09 0 d-sh--w- c:\documents and settings\administrator\IECompatCache
2010-03-15 14:26:04 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-03-14 19:39:50 0 d-----w- c:\windows\system32\KB905474
2010-03-14 18:17:12 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-03-14 18:07:01 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-14 18:06:51 0 d-----w- c:\windows\ie8updates
2010-03-14 18:06:47 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-14 18:06:47 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-14 18:06:46 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-14 18:06:46 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-03-14 18:06:46 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-14 18:06:45 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-03-14 18:05:27 0 d--h--w- c:\windows\ie8
2010-03-14 13:27:13 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat
2010-03-14 03:33:53 56623 ------w- c:\windows\system32\drivers\ati1btxx.sys
2010-03-14 03:31:52 0 d-----w- c:\windows\system32\XPSViewer
2010-03-14 03:31:12 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-14 03:31:12 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-14 03:31:11 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-14 03:31:11 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-14 03:31:11 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-14 03:31:11 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-14 03:31:11 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-13 17:12:30 0 d-----w- c:\program files\MSXML 4.0
2010-03-13 11:06:48 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-03-13 11:06:47 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-03-13 11:04:00 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-03-13 10:58:33 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-03-13 10:58:33 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-03-13 10:58:20 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-03-13 10:58:20 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2010-03-13 10:58:20 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-03-13 10:58:19 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2010-03-13 10:58:19 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-03-13 10:58:19 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-03-13 10:58:19 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-03-13 10:58:19 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-03-13 10:52:29 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-13 10:40:21 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-03-13 10:40:21 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-03-13 10:39:06 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-03-13 10:28:16 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-03-13 10:25:16 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2010-03-13 10:22:51 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-03-13 09:47:47 0 d-----w- c:\windows\system32\PreInstall
2010-03-13 09:47:27 0 d-----w- c:\windows\ServicePackFiles
2010-03-13 09:47:10 0 d--h--w- c:\windows\$hf_mig$
2010-03-13 09:24:47 0 d-----w- c:\program files\SpywareBlaster
2010-03-13 08:56:14 361600 ------w- c:\windows\system32\dllcache\tcpip.sys
2010-03-13 08:56:14 245248 ------w- c:\windows\system32\dllcache\mswsock.dll
2010-03-13 08:56:14 225856 ------w- c:\windows\system32\dllcache\tcpip6.sys
2010-03-13 08:56:14 147968 ------w- c:\windows\system32\dllcache\dnsapi.dll
2010-03-13 08:56:14 138496 ------w- c:\windows\system32\dllcache\afd.sys
2010-03-13 08:56:01 74240 ------w- c:\windows\system32\dllcache\mscms.dll
2010-03-13 08:55:36 253952 ------w- c:\windows\system32\dllcache\es.dll
2010-03-13 08:48:01 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-03-13 08:23:17 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-13 08:23:17 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-13 08:23:16 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-03-13 08:23:16 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-13 08:02:36 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-03-13 07:24:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-13 07:21:40 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-03-13 07:17:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-13 07:17:42 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-13 07:04:43 0 d--h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-13 07:04:35 0 d-----w- c:\program files\Lavasoft
2010-03-13 05:50:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-13 05:50:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-13 03:41:37 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-03-13 03:41:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 03:41:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 03:41:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 03:41:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-04 17:33:17 104 ----a-w- c:\windows\system32\NvApps.xml
2010-03-04 17:33:12 16608 ----a-w- c:\windows\gdrv.sys
2010-02-17 03:47:46 446 ----a-w- c:\windows\system32\%LocalXml%

==================== Find3M ====================

2010-03-17 20:49:24 655904 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-17 20:49:24 6204 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-17 20:49:24 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-03-17 20:49:24 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-21 19:14:06 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:14:06 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:06 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:04 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:04 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:02 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 2:23:19.35 ===============



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:52 AM

Posted 18 March 2010 - 05:04 PM

Sorry, I didn't make it clearer. I need MBAM run again on WORKING PC. The scan you posted showed that you took no action and I need to check that it has gone.

I think it has but I like to check. A quick scan on MBAM should confirm it.

Let me know if any symptoms remain.

I would also like you to let me know what removable devices (flash drives, external hard drives, etc.) you are using. We should make sure that they aren't infected and transferring malware between your PCs next.
m0le is a proud member of UNITE

#10 lanuk

lanuk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:22 PM

Posted 19 March 2010 - 12:39 PM

Hello,

I ran MBAM on the working PC; it did not show anything. Here's the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3884
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/19/2010 10:01:36 AM
mbam-log-2010-03-19 (10-01-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 373453
Time elapsed: 46 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



External Devices:
I use 2 flash drives and 2 external HDDs. The flash drives don't have any data on them that I need, so if formatting can remove any potential infections, then I could format them on this clean machine now. The external HDDs (one 80 GB and another 250 GB) have a whole lot of data on them. What should they be scanned with?

Oh, also I have an iPod and some SD cards that have moved between the two machines in the past.

Thanks again,
Kunal

Edited by lanuk, 19 March 2010 - 01:12 PM.


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:52 AM

Posted 19 March 2010 - 04:00 PM

To make sure that there isn't anything lurking, please run Flash Disinfector.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Let me know when you are done so we can run the final instructions.
m0le is a proud member of UNITE
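Added here as an illustration, not Flash_Disinfector's own code: a PowerShell script that audits each removable drive for an autorun.inf entry, lists the launch lines if it is a real file (so it can be reviewed rather than run), and otherwise puts in place the hidden protective folder the post above describes. It assumes PowerShell 2.0 or later and only covers removable drives, not fixed partitions; the Hidden/System attribute choice is mine.

```powershell
# Added example, not Flash_Disinfector's code. Audits removable drives for
# autorun.inf and applies the protective-folder trick described in the post.

function Get-AutorunStatus {
    param([string]$Root)   # drive root, e.g. "E:\"
    $path = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $path)) {
        return New-Object PSObject -Property @{ Root = $Root; State = 'absent'; Launches = @() }
    }
    # -Force so hidden/system items (the usual hiding place) are returned
    $item = Get-Item -LiteralPath $path -Force
    if ($item.PSIsContainer) {
        # A folder named autorun.inf blocks a malicious autorun.inf file from being
        # written to the root; this is what Flash_Disinfector leaves behind.
        return New-Object PSObject -Property @{ Root = $Root; State = 'protected-folder'; Launches = @() }
    }
    # A real file: pull out only the lines that tell Windows what to execute.
    $launches = Get-Content -LiteralPath $path |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
    return New-Object PSObject -Property @{ Root = $Root; State = 'file'; Launches = @($launches) }
}

function Protect-Drive {
    param([string]$Root)
    $path = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $path) { return $false }   # leave existing items for review
    $dir = New-Item -ItemType Directory -Path $path
    # Hidden + System so the placeholder is not casually deleted (my choice of attributes)
    $dir.Attributes = 'Hidden, System'
    return $true
}

# DriveType 2 = removable media (flash drives, SD readers, iPod in disk mode);
# Size filters out empty card-reader slots.
$removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | Where-Object { $_.Size }
foreach ($d in $removable) {
    $status = Get-AutorunStatus -Root ($d.DeviceID + '\')
    switch ($status.State) {
        'file' {
            Write-Warning "$($status.Root) has an autorun.inf FILE - review before use:"
            $status.Launches | ForEach-Object { Write-Warning "    $_" }
        }
        'protected-folder' { Write-Host "$($status.Root): protective autorun.inf folder present" }
        'absent' {
            if (Protect-Drive -Root $status.Root) { Write-Host "$($status.Root): protective folder created" }
        }
    }
}
```

Hold Shift while inserting each drive, as the post advises, so nothing autoruns before the script has looked at it.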

#12 lanuk

lanuk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:22 PM

Posted 21 March 2010 - 03:23 AM

Hello,
I am not so sure if Flash Disinfector is able to do its job.

The first time I ran it, Kaspersky Anti-Virus detected some trojan and autorun. The program does do a scan, the screen goes blank and then it says scan completed. But, upon rebooting the computer, I don't see any autorun.inf hidden folder created - neither on the computer's HDD nor on the iPod nor on the USB drive.

The second time, I disconnected from the Internet and disabled Kaspersky before running Flash Disinfector. However, I still don't see any hidden folder created.

(I'm running Windows XP, and View Hidden Files is enabled.)

Edited by lanuk, 21 March 2010 - 03:24 AM.


#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:52 AM

Posted 21 March 2010 - 07:03 AM

Plug in the USB device (if you have a hub you can plug in the ones that you want) and then run Combofix. This program will also be able to clean the devices - it does a better job than the Disinfector program but is a heavier program.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#14 lanuk

lanuk
  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:22 PM

Posted 21 March 2010 - 08:04 AM

I plugged in 3 of my USB devices and ran ComboFix. The log is below.
I have 2 more portable devices (external HDDs) that I haven't plugged in yet.

Regards,
Kunal


ComboFix 10-03-20.04 - Kunal 03/21/2010 18:19:53.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1525 [GMT 5.5:30]
Running from: c:\documents and settings\Kunal\Desktop\comfix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Seekdns
c:\documents and settings\All Users\Application Data\Seekdns\seekdns137.exe
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SEEKDNS_SERVICE


((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-21 07:53 . 2010-03-21 07:53 -------- d-----w- C:\FOUND.000
2010-03-18 03:30 . 2010-03-18 03:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-03-17 08:48 . 2010-03-17 08:48 -------- d-----w- c:\documents and settings\Naresh Bhatia\Application Data\AdobeUM
2010-03-17 06:59 . 2010-03-17 07:00 -------- d-----w- c:\documents and settings\Naresh Bhatia\Application Data\Malwarebytes
2010-03-17 04:06 . 2010-03-17 04:06 -------- d-----w- c:\documents and settings\Tarun\Application Data\Malwarebytes
2010-03-17 04:05 . 2010-03-17 04:05 -------- d-sh--w- c:\documents and settings\Tarun\IETldCache
2010-03-16 19:12 . 2010-03-16 19:12 -------- d-----w- c:\documents and settings\Kunal\Application Data\Malwarebytes
2010-03-16 06:29 . 2010-03-16 06:29 -------- d-----w- c:\program files\ESET
2010-03-16 05:26 . 2010-03-16 05:26 -------- d-----w- C:\_OTM
2010-03-15 17:26 . 2010-03-15 17:26 -------- d-----w- c:\documents and settings\Kunal\Application Data\Ahead
2010-03-15 14:52 . 2010-03-15 14:52 -------- d-----w- c:\windows\system32\scripting
2010-03-15 14:52 . 2010-03-15 14:52 -------- d-----w- c:\windows\l2schemas
2010-03-15 14:51 . 2010-03-15 14:52 -------- d-----w- c:\windows\system32\en
2010-03-15 14:51 . 2010-03-15 14:52 -------- d-----w- c:\windows\system32\bits
2010-03-15 14:27 . 2010-03-15 14:27 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-03-15 14:26 . 2010-03-15 14:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-15 10:32 . 2010-03-15 10:33 -------- d-sh--w- c:\documents and settings\Naresh Bhatia\PrivacIE
2010-03-15 09:26 . 2010-03-15 09:26 -------- d-sh--w- c:\documents and settings\Naresh Bhatia\IETldCache
2010-03-14 19:39 . 2010-03-14 19:39 -------- d-----w- c:\windows\system32\KB905474
2010-03-14 19:39 . 2009-03-10 16:56 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-03-14 19:39 . 2009-03-10 16:48 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-03-14 18:48 . 2010-03-14 18:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-14 18:23 . 2010-03-14 18:23 -------- d-----w- c:\documents and settings\Kunal\Local Settings\Application Data\Yahoo
2010-03-14 18:18 . 2010-03-14 18:18 -------- d-sh--w- c:\documents and settings\Kunal\IETldCache
2010-03-14 18:17 . 2010-03-14 18:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-14 18:07 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-14 18:06 . 2010-03-14 18:06 -------- d-----w- c:\windows\ie8updates
2010-03-14 18:06 . 2009-12-21 19:14 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-14 18:06 . 2009-12-21 19:14 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-14 18:06 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-14 18:06 . 2009-12-21 19:14 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-14 18:06 . 2009-12-21 19:14 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-03-14 18:06 . 2009-12-21 19:14 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-03-14 18:05 . 2010-03-14 18:05 -------- d--h--w- c:\windows\ie8
2010-03-14 03:33 . 2004-08-03 16:59 56623 ------w- c:\windows\system32\drivers\ati1btxx.sys
2010-03-14 03:31 . 2010-03-14 03:31 -------- d-----w- c:\windows\system32\XPSViewer
2010-03-14 03:31 . 2010-03-14 03:31 -------- d-----w- c:\program files\MSBuild
2010-03-14 03:31 . 2010-03-14 03:31 -------- d-----w- c:\program files\Reference Assemblies
2010-03-14 03:31 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-14 03:31 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-14 03:31 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-14 03:31 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-14 03:31 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-14 03:31 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-14 03:31 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-14 03:31 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-14 03:31 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-13 17:12 . 2010-03-13 17:12 -------- d-----w- c:\program files\MSXML 4.0
2010-03-13 11:06 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-03-13 11:06 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-03-13 11:04 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-03-13 10:58 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-03-13 10:58 . 2009-10-15 16:28 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-03-13 10:58 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2010-03-13 10:58 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-03-13 10:58 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-03-13 10:58 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2010-03-13 10:58 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-03-13 10:58 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-03-13 10:58 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-03-13 10:58 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-03-13 10:52 . 2009-12-04 18:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-13 10:40 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-03-13 10:40 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-03-13 10:39 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-03-13 10:28 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-03-13 10:25 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2010-03-13 10:22 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-03-13 09:47 . 2010-03-13 09:47 -------- d-----w- c:\windows\ServicePackFiles
2010-03-13 09:47 . 2010-03-13 09:47 -------- d--h--w- c:\windows\$hf_mig$
2010-03-13 09:24 . 2010-03-13 09:24 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-13 09:24 . 2010-03-13 09:24 -------- d-----w- c:\program files\SpywareBlaster
2010-03-13 08:56 . 2008-08-14 10:04 138496 ------w- c:\windows\system32\dllcache\afd.sys
2010-03-13 08:56 . 2008-06-20 17:46 245248 ------w- c:\windows\system32\dllcache\mswsock.dll
2010-03-13 08:56 . 2008-06-20 17:46 147968 ------w- c:\windows\system32\dllcache\dnsapi.dll
2010-03-13 08:56 . 2008-06-20 11:51 361600 ------w- c:\windows\system32\dllcache\tcpip.sys
2010-03-13 08:56 . 2008-06-20 11:08 225856 ------w- c:\windows\system32\dllcache\tcpip6.sys
2010-03-13 08:56 . 2008-06-24 16:43 74240 ------w- c:\windows\system32\dllcache\mscms.dll
2010-03-13 08:55 . 2008-07-07 20:26 253952 ------w- c:\windows\system32\dllcache\es.dll
2010-03-13 08:48 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-03-13 08:23 . 2009-12-08 19:27 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-13 08:23 . 2009-12-08 19:26 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-13 08:23 . 2009-12-08 18:43 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-13 08:23 . 2009-12-08 18:43 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-03-13 07:24 . 2010-03-13 07:17 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-13 07:17 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-13 07:17 . 2010-03-13 07:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-13 07:17 . 2010-03-13 07:17 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-13 07:17 . 2010-03-13 07:17 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-03-13 07:17 . 2010-03-20 07:20 885736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-03-13 07:17 . 2010-03-13 07:17 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-13 07:17 . 2010-03-13 07:17 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-13 07:17 . 2010-03-20 07:19 210552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-03-13 07:17 . 2010-03-20 07:19 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-03-13 07:17 . 2010-03-20 07:19 565392 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-03-13 07:17 . 2010-03-20 07:19 221920 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2010-03-13 07:16 . 2010-03-20 07:19 430496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-03-13 07:16 . 2010-03-20 07:19 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-03-13 07:16 . 2010-03-13 07:16 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-13 07:16 . 2010-03-13 07:16 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-13 07:16 . 2010-03-13 07:16 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-13 07:16 . 2010-03-20 07:19 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-03-13 07:16 . 2010-03-20 07:19 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-03-13 07:16 . 2010-03-13 07:16 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-13 07:14 . 2010-03-20 07:19 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-03-13 07:14 . 2010-03-20 07:19 848160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-03-13 07:14 . 2010-03-20 07:19 855352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-03-13 07:14 . 2010-03-20 07:18 1597440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-03-13 07:14 . 2010-03-20 07:18 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-03-13 07:14 . 2010-03-20 07:18 1263728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-03-13 07:04 . 2010-03-13 07:04 -------- d--h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-13 07:04 . 2010-02-04 15:53 2954656 ----a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-13 07:04 . 2010-03-13 07:04 -------- d-----w- c:\program files\Lavasoft
2010-03-13 07:04 . 2010-03-13 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-13 05:50 . 2010-03-13 05:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-13 05:50 . 2010-03-13 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-13 04:10 . 2010-03-13 04:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2010-03-13 03:41 . 2010-03-13 03:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-13 03:41 . 2010-01-07 10:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 03:41 . 2010-03-13 03:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 03:41 . 2010-03-13 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-13 03:41 . 2010-01-07 10:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 13:07 . 2010-03-07 13:07 -------- d-----w- c:\documents and settings\Tarun\Application Data\AdobeUM
2010-03-04 17:33 . 2010-03-21 12:54 16608 ----a-w- c:\windows\gdrv.sys
2010-02-25 16:09 . 2010-02-25 16:09 -------- d-----w- c:\documents and settings\Naresh Bhatia\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-21 12:53 . 2009-07-17 11:53 655904 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-21 12:53 . 2009-07-17 11:53 6204 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-21 12:53 . 2009-07-17 11:53 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-03-21 12:53 . 2009-07-17 11:53 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-03-20 06:25 . 2009-07-01 04:14 80584 ----a-w- c:\documents and settings\Naresh Bhatia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-16 16:02 . 2010-01-15 15:16 80584 ----a-w- c:\documents and settings\Kunal\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-05 16:18 . 2010-02-05 16:18 -------- d-----w- c:\documents and settings\Naresh Bhatia\Application Data\Winamp
2010-02-05 05:09 . 2010-02-05 05:09 251376 ----a-w- c:\documents and settings\Naresh Bhatia\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-03 02:23 . 2010-02-03 02:23 128 ----a-w- c:\documents and settings\Kunal\Local Settings\Application Data\fusioncache.dat
2010-02-03 02:14 . 2010-02-03 02:14 -------- d-----w- c:\documents and settings\Kunal\Application Data\HP
2010-01-24 16:25 . 2010-01-24 16:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-01-24 09:44 . 2010-01-24 09:44 -------- d-----w- c:\documents and settings\Naresh Bhatia\Application Data\Ahead
2010-01-22 07:08 . 2010-01-22 07:07 -------- d-----w- c:\documents and settings\Tarun\Application Data\Winamp
2010-01-21 07:03 . 2009-06-20 07:00 80584 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-21 07:02 . 2010-01-21 07:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-01-21 06:16 . 2010-01-21 06:16 -------- d-----w- c:\documents and settings\Kunal\Application Data\Apple Computer
2010-01-21 05:22 . 2010-01-21 05:22 -------- d-----w- c:\program files\Winamp
2010-01-21 05:22 . 2010-01-21 05:22 -------- d-----w- c:\documents and settings\Kunal\Application Data\Winamp
2010-01-01 07:15 . 2010-01-01 07:15 20 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\bases\apu\ForDiff\apu0001.dat.drv
2009-12-31 16:50 . 2004-08-03 12:14 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-03 13:56 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-24 141336]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-24 141336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"nwiz"="nwiz.exe" [2009-02-09 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-13 483328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-21 208616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kunal^Start Menu^Programs^Startup^PowerMenu.lnk]
path=c:\documents and settings\Kunal\Start Menu\Programs\Startup\PowerMenu.lnk
backup=c:\windows\pss\PowerMenu.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 10:27 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 20:27 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 02:28 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-11-24 22:30 173592 ----a-r- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 17:42 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 11:03 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 07:56 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-26 15:36 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-05-04 05:29 161328 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 17:38 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-01-13 06:37 18084864 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-24 19:41 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-06-19 14:21 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Documents and Settings\\Administrator\\temp\\TeamViewer3\\TeamViewer.exe"=
"c:\\Tally\\tally72.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Riya\\Riya.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Naresh Bhatia\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Naresh Bhatia\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/13/2010 12:47 PM 64288]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [6/19/2009 7:28 PM 68136]
R2 Galileo SSL Tunnel;Galileo SSL Tunnel;c:\program files\Galileo\SSL\SSLClientService.exe [12/9/2008 12:33 PM 24576]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 6:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [10/2/2009 3:35 PM 38400]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 9:51 PM 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:22 PM 1263728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d82aa6c-5d8e-11de-871e-806d6172696f}]
\Shell\AutoRun\command - E:\AUTORUN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 07:53 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 16:20]

2010-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 16:20]

2010-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1532298954-839522115-1011Core1cab7acdddb346b.job
- c:\documents and settings\Naresh Bhatia\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-16 12:13]

2010-03-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 07:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.windowsupdate.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Banner Ad Blocker
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d6vvjtd6.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 18:24
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-1532298954-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,03,cb,c4,ac,62,25,09,4b,8d,f6,68,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,03,cb,c4,ac,62,25,09,4b,8d,f6,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1628)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\program files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-21 18:27:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-21 12:57

Pre-Run: 23,219,044,352 bytes free
Post-Run: 23,160,160,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\ = "Microsoft Windows"

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 17FB50C399201C6E6E4B19C095644A68

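Added example (an editor's addition, not code from any post in this thread and not part of ComboFix, DDS or any other tool named above): a small Python triage script for the "Reg Loading Points" part of a ComboFix log like the one above. It parses the `[KEY]` / `"name"="value"` blocks the log uses and flags the items a log reader checks first: a Run entry that gives a bare file name instead of a full path (the log's `"nwiz"="nwiz.exe"`), an autostart binary or firewall exception under a user profile or temp directory (the TeamViewer.exe exception under Administrator\temp), Security Center monitoring switched off for a product (normal for a suite such as Kaspersky, but worth confirming), and an AutoRun command on a mounted volume (the mountpoints2 entry for E:\AUTORUN.EXE). The excerpt embedded in the script is constructed to match the log's layout, the heuristics and severity labels are the editor's own, and every flag means "confirm this is expected", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout ComboFix uses for its "Reg Loading Points"
# section. The keys mirror entries in the log above; it is not the full log and
# is embedded only so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-24 141336]
"nwiz"="nwiz.exe" [2009-02-09 1657376]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-21 208616]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\temp\\TeamViewer3\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d82aa6c-5d8e-11de-871e-806d6172696f}]
\Shell\AutoRun\command - E:\AUTORUN.EXE
"""

# "name"="value" [date size]  -- the Run-key line shape in the log
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
# \Shell\AutoRun\command - <command>  -- the mountpoints2 line shape
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.I)
# Places where a machine-wide autostart or firewall exception is unusual:
# user profiles, temp directories and per-user application-data folders.
PROFILE_DIRS = re.compile(
    r"documents and settings|\\temp\\|local settings|application data|appdata", re.I)


@dataclass
class Finding:
    severity: str  # "high" = look at this first, "review" = confirm it is expected
    key: str       # registry key the entry came from
    entry: str     # value name, path or command
    reason: str


def parse_blocks(text):
    """Yield (key, lines) for every [KEY] block; a blank line closes a block."""
    key, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, lines
            key, lines = line[1:-1], []
        elif not line:
            if key is not None:
                yield key, lines
            key, lines = None, []
        elif key is not None:
            lines.append(line)
    if key is not None:
        yield key, lines


def triage(text):
    """Return Findings for the autostart patterns a log reviewer checks first."""
    findings = []
    for key, lines in parse_blocks(text):
        k = key.lower()
        if k.endswith("\\run") or k.endswith("\\runonce"):
            for line in lines:
                m = RUN_RE.match(line)
                if not m:
                    continue
                name, path = m.group(1), m.group(2)
                if not re.match(r"[a-z]:\\|%", path, re.I):
                    # A bare file name is resolved through the search path at
                    # logon, so a same-named file in an earlier directory wins.
                    findings.append(Finding("review", key, name,
                                            f"unqualified path {path!r} is resolved via the search path"))
                elif PROFILE_DIRS.search(path):
                    findings.append(Finding("review", key, name,
                                            "autostart binary lives under a user profile or temp directory"))
        elif "security center\\monitoring" in k:
            for line in lines:
                if line.lower().startswith('"disablemonitoring"=dword:00000001'):
                    findings.append(Finding("review", key, "DisableMonitoring",
                                            "Security Center monitoring suppressed for this product "
                                            "(AV suites set this themselves; confirm it is expected)"))
        elif "authorizedapplications" in k:
            for line in lines:
                # the log doubles backslashes in this section; undo that
                path = line.strip('"=').replace("\\\\", "\\")
                if PROFILE_DIRS.search(path):
                    findings.append(Finding("review", key, path,
                                            "firewall exception for an executable under a user profile or temp path"))
        elif "mountpoints2" in k:
            for line in lines:
                m = AUTORUN_RE.match(line)
                if m:
                    findings.append(Finding("high", key, m.group(1),
                                            "AutoRun command registered for a mounted volume; verify the media and the file"))
    return findings


def by_severity(findings):
    """Count findings per severity so the reader sees at a glance what needs attention."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity != "high"):
        print(f"[{f.severity}] {f.entry}\n    key: {f.key}\n    why: {f.reason}")
```

To run it against a real log, pass the file's contents to `triage()` instead of `SAMPLE_LOG`. The script only looks at the registry-key blocks; the service list (the `R0`/`R2`/`S3` lines), the scheduled tasks and the Find3M file listing are ignored, and a CD's own autorun.inf will be flagged just like a malicious one, which is why the output is a checklist for the person reading the log rather than a verdict.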

#15 lanuk (Topic Starter)

Posted 25 March 2010 - 11:21 AM

Hi,
I was wondering what should be the next step now.
Regards,
Kunal



