
Alureon-FR found in atapi.sys


  • This topic is locked
14 replies to this topic

#1 CLStan

  • Members
  • 45 posts

Posted 18 March 2010 - 11:04 AM

- Last night after I got home from work I connected up to my home network and tried to access my Network Attached Storage (NAS). I got an error on my laptop that stated "The network location cannot be found." I tested access to the NAS from other computers on my network and all were successful...so I know that my problem is isolated to my laptop.
- Because of this strange behavior I decided on running a MalwareBytes scan. When it reached the ATAPI.SYS file in the System32/Drivers directory, my AVAST sounded an alert showing an infection of "Win32:Alureon-FR". MalwareBytes was frozen while waiting on my response to the AVAST dialog...I told AVAST to skip the file (for now).
- I noticed that MalwareBytes did NOT show the file as infected (maybe because AVAST intercepted its scan first?)...I terminated the MalwareBytes scan.
---
- This morning I started my scans building my report files (as instructed in the response to my first post).
- Out of curiosity...I tried to map the NAS back to my laptop...SUCCESS!
- Could my problem be gone? I opened up the Drivers directory and just CLICKED on the atapi.sys file...BSOD.
* STOP: 0x0000008E (0xC0000005, 0xF80A1BC7, 0xED6F60EC, 0x00000000)
* smwdm.sys - Address F80A1BC7 base at F8066000, DateStamp 406c49ee
- REBOOT
- Ran the utilities as instructed...this time no random clicking around.
- Everything went ok except for GMER. After it looked like GMER was no longer scanning...I clicked SAVE and got the following errors.
  * C:\Documents and Settings\Chris\My Documents is not accessible.
    Insufficient system resources exist to complete the requested service.
  * C:\Documents and Settings\Chris\Desktop is not accessible.
    Insufficient system resources exist to complete the requested service.

----- LOGS ATTACHED -----


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 6:36:44.15 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.152 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100318-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Brother\BRAdminPro3\bratimer.exe
svchost.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\MNSFramework.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MozyHome\mozystat.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\BattStat.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/support/ipod
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [BattStat] c:\program files\BattStatLauncher.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [MNS] c:\program files\mobile net switch\MNS.exe
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CMCService] "c:\program files\ati\catalyst media center\CMCService.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\chris\startm~1\programs\startup\batter~1.lnk - c:\program files\BattStat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
IE: Download All Files by HiDownload - c:\program files\hidownload\HDGetAll.htm
IE: Download by HiDownload - c:\program files\hidownload\HDGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {16BC6A51-9F62-49E3-9F96-C842EF2FFE3E} - hxxp://202.133.244.128/CAB/WebPlayer.cab
DPF: {54CFC975-F9FB-45EB-8D18-D2D04FBC4299} - hxxp://202.133.244.128/CAB/RemoteWeb2.cab
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: {321BCE7A-07F5-4A90-B435-1440D604E3A2} = 208.67.222.222,208.67.220.220
TCP: {F394D33D-17AC-4D7F-88AF-B7107AD5EB43} = 208.67.222.222,208.67.220.220
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: Neat ADF Scanner 2008 - reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\of73fcm3.default\
FF - component: c:\documents and settings\chris\application data\mozilla\firefox\profiles\of73fcm3.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\chris\application data\mozilla\firefox\profiles\of73fcm3.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\chris\application data\mozilla\firefox\profiles\of73fcm3.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\chris\application data\mozilla\firefox\profiles\of73fcm3.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\chris\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\gametap web player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-6-23 5632]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-31 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-31 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2009-3-31 138680]
R2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\brother\bradminpro3\bratimer.exe [2008-9-18 65536]
R2 devdpl;devdpl;c:\windows\system32\drivers\devdpl.sys [2009-2-21 7168]
R2 litdpl;litdpl;c:\windows\system32\drivers\litdpl.sys [2009-2-21 4736]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-3-15 34064]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-3-31 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-3-31 352920]
R3 BattStatSys;BattStatSys;c:\docume~1\chris\locals~1\temp\BSS3.tmp [2010-3-17 5120]
S2 gupdate1c8e143f8bbfe6c;Google Update Service (gupdate1c8e143f8bbfe6c);c:\program files\google\update\GoogleUpdate.exe [2008-7-8 133104]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-12 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-12 7680]
S3 NGPSSER;NGPSSER;c:\windows\system32\drivers\ngpsser.sys [2009-6-23 91520]
S3 NGPSUSB;NGPSUSB;c:\windows\system32\drivers\ngpsusb.sys [2009-6-23 76928]
S3 PhDebug32;PhDebug32;\??\c:\bios\hr60\debug32.sys --> c:\bios\hr60\debug32.sys [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-6-24 91472]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]

=============== Created Last 30 ================

2010-03-18 11:18:00 176 ----a-w- c:\documents and settings\chris\defogger_reenable
2010-03-17 17:33:48 2552 ----a-w- c:\windows\system32\oodbs.lor
2010-03-14 19:42:34 525 ----a-w- c:\windows\RemoteWebInfo.INF
2010-03-12 03:08:55 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-03-12 03:08:55 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-03-12 03:04:30 45056 ----a-w- c:\windows\system32\midrv74P.dll
2010-03-12 03:01:37 0 d-----w- c:\program files\common files\NeatReceipts
2010-03-12 03:00:27 0 d-----w- c:\docume~1\alluse~1\applic~1\The Neat Company
2010-03-12 02:59:45 0 d-----w- c:\program files\NeatWorks
2010-03-12 02:59:45 0 d-----w- c:\program files\common files\The Neat Company
2010-03-10 13:04:42 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-02-18 21:58:16 0 d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-02-27 23:29:21 2464 ----a-w- c:\program files\Configuration.xml
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-01 19:27:12 472560 ----a-w- c:\program files\KPTLanMon.exe
2009-09-09 23:43:16 2279 ----a-w- c:\program files\KPTLanMon.txt
2009-08-15 14:00:22 640 ----a-w- c:\program files\BlueScreenView.cfg
2009-08-08 22:22:40 15148 ----a-w- c:\program files\BlueScreenView.chm
2009-08-02 03:28:04 46592 ----a-w- c:\program files\BlueScreenView.exe
2009-07-18 04:24:03 167941 ----a-w- c:\program files\!Everio SDCopy 1.9994 beta.rar
2009-07-02 15:39:40 54 ----a-w- c:\program files\udpixel.xml
2009-06-24 20:34:43 333493 ----a-w- c:\program files\!USB 2 Serial Drivers.rar
2009-06-23 14:20:02 880233 ----a-w- c:\program files\TrueCrypt User Guide.pdf
2009-06-23 14:20:02 217664 ----a-w- c:\program files\truecrypt.sys
2009-06-23 14:20:02 1525952 ----a-w- c:\program files\TrueCrypt Format.exe
2009-06-23 14:20:02 1369792 ----a-w- c:\program files\TrueCrypt.exe
2009-06-23 14:19:38 3189144 ----a-w- c:\program files\TrueCrypt Setup 6.2a.exe
2009-06-17 20:35:46 2271 ----a-w- c:\program files\WLPGQTEnable.cmd
2009-06-17 20:35:26 2401 ----a-w- c:\program files\WLPGQTDisable.cmd
2009-06-08 15:37:16 752128 ----a-w- c:\program files\OLKF.exe
2009-05-29 15:10:19 147768 ----a-w- c:\program files\GRC-DNSBenchmark.exe
2009-03-22 18:10:18 29248 ----a-w- c:\program files\GRC-MouseTrap.exe
2008-12-19 17:10:10 1533440 ----a-w- c:\program files\Easy Duplicate Finder XP 2.2.1.exe
2008-07-04 23:39:33 1520 ----a-w- c:\program files\CDmage.ini
2008-07-01 13:54:10 29209739 ----a-w- c:\program files\!Kensington BT Plug (ToshibaBTStack 5.10.08).rar
2008-04-24 22:50:30 10919936 ----a-w- c:\program files\DLink DNS-323 EasySearch 4.2.0.0.exe
2008-03-24 21:55:19 40960 ----a-w- c:\program files\wizmo.exe
2008-02-19 14:46:37 8628 ---ha-w- c:\program files\pagedfrg.GID
2008-02-18 01:18:20 287744 ----a-w- c:\program files\BattStat.exe
2008-02-13 03:44:46 30401112 ----a-w- c:\program files\!Logitech QuickCam v11.50.exe
2007-12-19 22:23:22 401720 ----a-w- c:\program files\HiJackThis 2.0.2.exe
2007-11-26 20:31:45 40898512 ----a-w- c:\program files\!SP30791 - ATI M9100 IGP VGA Driver for XP.exe
2007-11-05 13:54:22 3564584 ----a-w- c:\program files\procexp.exe
2007-10-22 19:47:19 19772748 ----a-w- c:\program files\!D-Link BTW 1.4.2.10.rar
2007-10-20 22:26:54 3479552 ----a-w- c:\program files\!Mobile Net Switch 3.65.msi
2007-10-03 07:39:45 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-10-03 01:35:57 1696256 ----a-w- c:\program files\UndeletePlus.exe
2007-08-31 11:36:16 72138 ----a-w- c:\program files\procexp.chm
2007-08-20 03:40:16 546176 ----a-w- c:\program files\autoruns.exe
2007-08-10 10:10:03 36864 ----a-w- c:\program files\3wdecoder.exe
2007-07-09 16:48:16 48090 ----a-w- c:\program files\autoruns.chm
2007-03-17 16:18:34 111104 ----a-w- c:\program files\ipscan.exe
2007-03-01 04:55:00 73728 ----a-w- c:\program files\UDPixel22.exe
2007-02-23 03:08:08 925696 ----a-w- c:\program files\GSpot.exe
2007-02-19 22:28:02 117974 ----a-r- c:\program files\GSpot27.dat
2007-02-19 05:37:26 17920 ----a-w- c:\program files\!Mobile Net Switch 3.61 KG.exe
2007-02-15 20:34:12 37888 ----a-w- c:\program files\shexview.exe
2007-01-22 07:01:14 401408 ----a-w- c:\program files\HDTune.exe
2006-11-01 19:06:52 215928 ----a-w- c:\program files\pagedfrg.exe
2006-10-17 01:12:20 167936 ----a-w- c:\program files\StartupList 2.0.2.exe
2006-09-19 05:50:52 1139961 ----a-w- c:\program files\~mIRC617.ace
2006-07-05 03:18:38 47616 ----a-w- c:\program files\smsniff.exe
2006-05-29 13:52:32 200704 ----a-w- c:\program files\RenamerNG.exe
2006-05-29 12:19:00 666112 ----a-w- c:\program files\Zynx GPS Simulator.exe
2006-04-15 17:29:48 39424 ----a-w- c:\program files\cports.exe
2006-03-31 08:26:52 1449984 ----a-w- c:\program files\CDSpeed.exe
2005-12-15 17:21:04 418304 ----a-w- c:\program files\Zynx GPS Diagnostic.exe
2005-07-26 20:04:00 34816 ----a-w- c:\program files\IBProcMan 1.04.0.exe
2005-07-26 00:45:08 147456 ----a-w- c:\program files\TetrisAI.exe
2005-04-20 19:07:30 106496 ----a-w- c:\program files\Tcpview.exe
2004-11-12 16:41:14 57344 ----a-w- c:\program files\DropMyRights.exe
2004-06-08 14:26:28 173144 ----a-w- c:\program files\GRC-SpinRite6.exe
2004-04-26 12:30:24 388364 ----a-w- c:\program files\rockxp.exe
2004-04-19 23:28:04 425984 ----a-w- c:\program files\TCPOptimizer.exe
2002-11-21 19:03:02 26624 ----a-w- c:\program files\Internet Server ID Utility 1.01.exe
2001-03-01 19:31:44 1328640 ----a-w- c:\program files\CDmage.exe
2000-11-15 14:21:16 178688 ----a-w- c:\program files\hjsplit.exe
2000-07-24 00:58:46 8419 ----a-w- c:\program files\pagedfrg.hlp
1999-12-18 00:22:04 93184 ----a-w- c:\program files\WCAT.EXE
1999-12-18 00:22:02 12800 ----a-w- c:\program files\WCATHK.DLL
1999-10-31 03:54:32 561152 ----a-w- c:\program files\Convert.exe
2008-09-07 20:41:21 123 --sh--r- c:\windows\Regbak.dat
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-09-11 18:55:28 16384 --sh--w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 6:37:14.59 ===============


#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 18 March 2010 - 03:40 PM

Good evening.

Download RootRepeal from one of the locations below and save it to your Desktop:
    Location 1
    Location 2
    Location 3

  • You will need to unzip it before you run it.

    To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
    In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish


  • Double click RootRepeal.exe to fire up the tool and OK any Windows confirmations if necessary.
  • Ensure that the Report Tab is selected at the bottom.
  • Click the Scan button, check all the boxes in the window that appears and then click OK.
  • Check the box next to your main hard drive - usually C: and click OK
  • Put the kettle on and perhaps open a packet of biscuits - the scan will take some time.
  • Once the scan has completed a Notepad window will open with the results in.
  • These results will also be saved to the root of your main drive as \RootRepeal report date time.txt
Let me have a copy of the contents in your next reply.

So long, and thanks for all the fish.


#3 CLStan

  • Topic Starter
  • Members
  • 45 posts

Posted 18 March 2010 - 09:19 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/18 20:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDAA8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9176000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF90FE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC373000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_134.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\sqlite_259hgmjjok9knlm
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_eljpmwvfhpbuxbt
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_rp2z1sfsl6zf2my
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Chris\Local Settings\Apps\2.0\OLHL1C8H.8KW\G09Q1KOR.8P3\manifests\dChat.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac86b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac8574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac8a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac814c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac864e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac808c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac80f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac876e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac872e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac88ae

Stealth Objects
-------------------
Object: Hidden Code [Driver: prodrv06ȅఐ卆浩1, IRP_MJ_CREATE]
Process: System Address: 0xe1d3ac30 Size: 976

Object: Hidden Code [Driver: prodrv06ȅఐ卆浩1, IRP_MJ_CLOSE]
Process: System Address: 0xe1d3ac30 Size: 976

Object: Hidden Code [Driver: prodrv06ȅఐ卆浩1, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe1d3ac30 Size: 976

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]
Process: System Address: 0xe1014a58 Size: 596

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]
Process: System Address: 0xe1014a58 Size: 596

Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe1014a58 Size: 596

==EOF==
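As an added example (not from the thread, and not RootRepeal's own code), a small Python triage script that parses the report layout above into sections and records, then lists what a responder reads first: drivers hidden from disk that are not the expected dump_/hiber_/rootrepeal.sys in-memory copies, SSDT hooks by modules outside an allow-list, and stealth objects. The embedded sample report, the drvtest.sys driver, the unknown.sys hooker and the allow-list are constructed assumptions.

```python
import re

# Constructed sample in the RootRepeal 1.3.5.0 report layout from the thread (banner,
# section name over a dashed rule, blank-line separated records, ==EOF==). Records are
# copied from the posted log except drvtest.sys and unknown.sys, constructed to be flagged.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/18 20:53
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDAA8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: drvtest.sys
Image Path: C:\WINDOWS\System32\Drivers\drvtest.sys
Address: 0xEC100000 Size: 40960 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xedac86b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\unknown.sys" at address 0xedac8574

Stealth Objects
-------------------
Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]
Process: System Address: 0xe1014a58 Size: 596

==EOF==
"""

# Field labels RootRepeal uses; several can share one line (Address/Size/File Visible/Signed).
KEYS = ["Image Path", "Function Name", "File Visible", "Address", "Signed",
        "Status", "Object", "Process", "Name", "Path", "Size", "#"]
FIELD_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEYS)) + r"): ")
# A section is a name line over a dashed rule; its body runs to the next such
# header, the ==EOF== marker, or the end of the text.
SECTION_RE = re.compile(
    r"^(?P<name>[^\n]+)\n-{5,}\n(?P<body>.*?)(?=^[^\n]+\n-{5,}\n|^==EOF==|\Z)",
    re.M | re.S)
# Hidden-from-disk drivers present in every RootRepeal log: dump_/hiber_ are the in-memory
# copies Windows keeps for crash-dump and hibernation I/O, rootrepeal.sys is the scanner's own.
BENIGN_HIDDEN = ("dump_", "hiber_", "rootrepeal.sys")
# Modules allowed to hook the SSDT (assumption: responder-maintained; aswSP.SYS is avast!).
KNOWN_HOOKERS = {"aswsp.sys"}


def parse_fields(line):
    """Split 'Key: value Key: value' into a dict using the known labels."""
    hits = list(FIELD_RE.finditer(line))
    fields = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        fields[cur.group(1)] = line[cur.end():end].strip()
    return fields


def parse_report(text):
    """Return {section_name: [record_dict, ...]} for a RootRepeal report."""
    sections = {}
    for sec in SECTION_RE.finditer(text):
        records = []
        for chunk in re.split(r"\n\s*\n", sec.group("body").strip()):
            record = {}
            for line in chunk.splitlines():
                record.update(parse_fields(line))
            if record:
                records.append(record)
        sections[sec.group("name").strip()] = records
    return sections


def triage(sections):
    """Return (category, detail) pairs a responder should read first."""
    findings = []
    for drv in sections.get("Drivers", []):
        name = drv.get("Name", "")
        if drv.get("File Visible") == "No" and not name.lower().startswith(BENIGN_HIDDEN):
            findings.append(("hidden-driver", name))
    for hook in sections.get("SSDT", []):
        m = re.search(r'Hooked by "([^"]+)"', hook.get("Status", ""))
        if m:
            module = m.group(1).rsplit("\\", 1)[-1].lower()
            if module not in KNOWN_HOOKERS:
                findings.append(("unexpected-ssdt-hook", f"{hook['Function Name']} <- {module}"))
    for obj in sections.get("Stealth Objects", []):
        # Hidden code on a driver's IRP handlers is worth a look whatever the name.
        findings.append(("stealth-object", obj.get("Object", "")))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_report(SAMPLE_REPORT)):
        print(f"{category:22} {detail}")
```

Name matches are a starting point, not a verdict: the hidden-code entries for prohlp02 and prodrv06 in the posted log still need the responder to establish what owns those drivers on that machine.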

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 19 March 2010 - 03:25 PM

Good evening.

Download HAMeb_check.exe by noahdfear from here and save it to your Desktop.
  • Double click the tool to run it - it will take a minute or two to complete.
  • Once complete it will open Notepad with the results and save a copy as HelpAsst.log to the root of your hard drive, usually C:\
  • Please post the contents in your next reply.

So long, and thanks for all the fish.


#5 CLStan

  • Topic Starter
  • Members
  • 45 posts

Posted 19 March 2010 - 05:23 PM

C:\Documents and Settings\Chris\Desktop\HAMeb_check.exe
Fri 03/19/2010 at 17:22:55.07

Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys atapi.sys atiide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x012A14C8F !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 20 March 2010 - 02:47 PM

Good evening.

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop - this is important.
  • You will then need to extract the file(s) from the zipped folder.

  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish


  • Close all open programs as a reboot may be required.
  • Go to Start > Run, copy and paste the following into the text box and hit OK:

    "%userprofile%\desktop\tdsskiller\TDSSKiller.exe" -l report.txt

  • A Command Window will open and the tool will scan and produce a log called report.txt that can be found in the TDSSKiller folder that you unzipped.
  • If the tool prompts for a reboot, please allow it to do so; if it fails to reboot after prompting, reboot manually
Please post the contents of the log, report.txt, in your next reply.

So long, and thanks for all the fish.


#7 CLStan

CLStan
  • Topic Starter

  • Members
  • 45 posts
  • Local time:02:47 AM

Posted 21 March 2010 - 07:22 PM

No reboot was requested by the TDSS scanner.

-----report.txt-----
19:18:42:390 20628 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
19:18:42:390 20628 ================================================================================
19:18:42:390 20628 SystemInfo:

19:18:42:390 20628 OS Version: 5.1.2600 ServicePack: 3.0
19:18:42:390 20628 Product type: Workstation
19:18:42:390 20628 ComputerName: NX9110
19:18:42:390 20628 UserName: Chris
19:18:42:390 20628 Windows directory: C:\WINDOWS
19:18:42:390 20628 Processor architecture: Intel x86
19:18:42:390 20628 Number of processors: 1
19:18:42:390 20628 Page size: 0x1000
19:18:42:390 20628 Boot type: Normal boot
19:18:42:390 20628 ================================================================================
19:18:43:000 20628 UnloadDriverW: NtUnloadDriver error 2
19:18:43:000 20628 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:18:43:484 20628 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
19:18:43:484 20628 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:18:43:484 20628 wfopen_ex: Trying to KLMD file open
19:18:43:484 20628 wfopen_ex: File opened ok (Flags 2)
19:18:43:484 20628 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
19:18:43:484 20628 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:18:43:484 20628 wfopen_ex: Trying to KLMD file open
19:18:43:484 20628 wfopen_ex: File opened ok (Flags 2)
19:18:43:484 20628 Initialize success
19:18:43:484 20628
19:18:43:484 20628 Scanning Services ...
19:18:44:500 20628 GetAdvancedServicesInfo: Raw services enum returned 454 services
19:18:44:515 20628
19:18:44:515 20628 Scanning Kernel memory ...
19:18:44:515 20628 Devices to scan: 2
19:18:44:515 20628
19:18:44:515 20628 Driver Name: Disk
19:18:44:515 20628 IRP_MJ_CREATE : F8C48BB0
19:18:44:515 20628 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
19:18:44:515 20628 IRP_MJ_CLOSE : F8C48BB0
19:18:44:515 20628 IRP_MJ_READ : F8C42D1F
19:18:44:515 20628 IRP_MJ_WRITE : F8C42D1F
19:18:44:515 20628 IRP_MJ_QUERY_INFORMATION : 804FA88E
19:18:44:515 20628 IRP_MJ_SET_INFORMATION : 804FA88E
19:18:44:515 20628 IRP_MJ_QUERY_EA : 804FA88E
19:18:44:515 20628 IRP_MJ_SET_EA : 804FA88E
19:18:44:515 20628 IRP_MJ_FLUSH_BUFFERS : F8C432E2
19:18:44:515 20628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
19:18:44:515 20628 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
19:18:44:515 20628 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
19:18:44:515 20628 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
19:18:44:515 20628 IRP_MJ_DEVICE_CONTROL : F8C433BB
19:18:44:515 20628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8C46F28
19:18:44:515 20628 IRP_MJ_SHUTDOWN : F8C432E2
19:18:44:515 20628 IRP_MJ_LOCK_CONTROL : 804FA88E
19:18:44:515 20628 IRP_MJ_CLEANUP : 804FA88E
19:18:44:515 20628 IRP_MJ_CREATE_MAILSLOT : 804FA88E
19:18:44:515 20628 IRP_MJ_QUERY_SECURITY : 804FA88E
19:18:44:515 20628 IRP_MJ_SET_SECURITY : 804FA88E
19:18:44:515 20628 IRP_MJ_POWER : F8C44C82
19:18:44:515 20628 IRP_MJ_SYSTEM_CONTROL : F8C4999E
19:18:44:515 20628 IRP_MJ_DEVICE_CHANGE : 804FA88E
19:18:44:515 20628 IRP_MJ_QUERY_QUOTA : 804FA88E
19:18:44:515 20628 IRP_MJ_SET_QUOTA : 804FA88E
19:18:44:562 20628 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
19:18:44:562 20628
19:18:44:562 20628 Driver Name: atapi
19:18:44:562 20628 IRP_MJ_CREATE : F8B116F2
19:18:44:562 20628 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
19:18:44:562 20628 IRP_MJ_CLOSE : F8B116F2
19:18:44:562 20628 IRP_MJ_READ : 804FA88E
19:18:44:562 20628 IRP_MJ_WRITE : 804FA88E
19:18:44:562 20628 IRP_MJ_QUERY_INFORMATION : 804FA88E
19:18:44:562 20628 IRP_MJ_SET_INFORMATION : 804FA88E
19:18:44:562 20628 IRP_MJ_QUERY_EA : 804FA88E
19:18:44:562 20628 IRP_MJ_SET_EA : 804FA88E
19:18:44:562 20628 IRP_MJ_FLUSH_BUFFERS : 804FA88E
19:18:44:562 20628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
19:18:44:562 20628 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
19:18:44:562 20628 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
19:18:44:562 20628 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
19:18:44:562 20628 IRP_MJ_DEVICE_CONTROL : F8B11712
19:18:44:562 20628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F90EC661
19:18:44:562 20628 IRP_MJ_SHUTDOWN : 804FA88E
19:18:44:562 20628 IRP_MJ_LOCK_CONTROL : 804FA88E
19:18:44:562 20628 IRP_MJ_CLEANUP : 804FA88E
19:18:44:562 20628 IRP_MJ_CREATE_MAILSLOT : 804FA88E
19:18:44:562 20628 IRP_MJ_QUERY_SECURITY : 804FA88E
19:18:44:562 20628 IRP_MJ_SET_SECURITY : 804FA88E
19:18:44:562 20628 IRP_MJ_POWER : F8B1173C
19:18:44:562 20628 IRP_MJ_SYSTEM_CONTROL : F8B18336
19:18:44:562 20628 IRP_MJ_DEVICE_CHANGE : 804FA88E
19:18:44:562 20628 IRP_MJ_QUERY_QUOTA : 804FA88E
19:18:44:562 20628 IRP_MJ_SET_QUOTA : 804FA88E
19:18:44:609 20628 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
19:18:44:609 20628
19:18:44:609 20628 Completed
19:18:44:609 20628
19:18:44:609 20628 Results:
19:18:44:609 20628 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:18:44:609 20628 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:18:44:609 20628 File objects infected / cured / cured on reboot: 0 / 0 / 0
19:18:44:609 20628
19:18:44:609 20628 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
19:18:44:609 20628 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
19:18:44:609 20628 KLMD(ARK) unloaded successfully
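
An added example, not part of this thread and not TDSSKiller's own code: a small Python parser for the report.txt format above that pulls out each scanned driver's IRP dispatch table, the stub address the drivers share, and the Results block, then groups each driver's own handlers by 64 KiB address region so an analyst can compare them against the loaded-module list. The trimmed log inside it is constructed from the format shown in this post; the region grouping is a triage aid and makes no claim about this thread's log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the TDSSKiller 2.2.8 report.txt posted
# in this thread, trimmed to a few IRP entries per driver (not the full log).
SAMPLE_LOG = """\
19:18:44:515 20628 Driver Name: Disk
19:18:44:515 20628 IRP_MJ_CREATE : F8C48BB0
19:18:44:515 20628 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
19:18:44:515 20628 IRP_MJ_READ : F8C42D1F
19:18:44:515 20628 IRP_MJ_WRITE : F8C42D1F
19:18:44:515 20628 IRP_MJ_DEVICE_CONTROL : F8C433BB
19:18:44:562 20628 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
19:18:44:562 20628
19:18:44:562 20628 Driver Name: atapi
19:18:44:562 20628 IRP_MJ_CREATE : F8B116F2
19:18:44:562 20628 IRP_MJ_READ : 804FA88E
19:18:44:562 20628 IRP_MJ_WRITE : 804FA88E
19:18:44:562 20628 IRP_MJ_DEVICE_CONTROL : F8B11712
19:18:44:562 20628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F90EC661
19:18:44:609 20628 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
19:18:44:609 20628 Results:
19:18:44:609 20628 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:18:44:609 20628 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:18:44:609 20628 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# Every report line is "HH:MM:SS:mmm <pid> <message>"; the message may be empty.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+\.sys) - Verdict: (\d+)$", re.IGNORECASE)
RESULT_RE = re.compile(
    r"^(\w+) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")


def parse_tdsskiller_log(text):
    """Return (drivers, results): per-driver IRP dispatch tables and the Results block."""
    drivers, results, current = {}, {}, None
    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # not a report line (e.g. a header the user pasted)
        msg = line.group(1).strip()
        d = DRIVER_RE.match(msg)
        if d:
            current = d.group(1)
            drivers[current] = {"handlers": {}, "image": None, "verdict": None}
            continue
        i = IRP_RE.match(msg)
        if i and current:
            drivers[current]["handlers"][i.group(1)] = int(i.group(2), 16)
            continue
        v = VERDICT_RE.match(msg)
        if v and current:
            drivers[current]["image"] = v.group(1)
            drivers[current]["verdict"] = int(v.group(2))
            current = None  # the verdict line closes the driver block
            continue
        r = RESULT_RE.match(msg)
        if r:
            results[r.group(1)] = tuple(int(x) for x in r.group(2, 3, 4))
    return drivers, results


def shared_addresses(drivers):
    """Dispatch addresses that recur across drivers: a major function a driver does
    not implement points at a kernel-supplied stub (804FA88E in the log above)."""
    seen = defaultdict(set)
    for name, info in drivers.items():
        for addr in info["handlers"].values():
            seen[addr].add(name)
    return {addr for addr, names in seen.items() if len(names) > 1}


def own_handlers_by_region(drivers, region_bits=16):
    """Group each driver's non-stub entries by 64 KiB address region. Routines from
    one image normally sit close together; an entry elsewhere is a lead to check
    against the module list (it may legitimately live in a port/library driver)."""
    stubs = shared_addresses(drivers)
    out = {}
    for name, info in drivers.items():
        regions = defaultdict(list)
        for irp, addr in info["handlers"].items():
            if addr not in stubs:
                regions[addr >> region_bits].append(irp)
        out[name] = {hex(r << region_bits): sorted(v) for r, v in regions.items()}
    return out


def multi_region_drivers(drivers):
    """Names of drivers whose own dispatch entries span more than one region."""
    return sorted(n for n, r in own_handlers_by_region(drivers).items() if len(r) > 1)


if __name__ == "__main__":
    drivers, results = parse_tdsskiller_log(SAMPLE_LOG)
    for name, regions in own_handlers_by_region(drivers).items():
        print(name, drivers[name]["image"], regions)
    print("spanning several regions:", multi_region_drivers(drivers), "results:", results)
```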


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:47 AM

Posted 22 March 2010 - 03:23 PM

Good evening.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *
  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#9 CLStan

CLStan
  • Topic Starter

  • Members
  • 45 posts
  • Local time:02:47 AM

Posted 23 March 2010 - 12:33 PM

ComboFix 10-03-22.04 - Chris 03/23/2010 11:55:59.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.325 [GMT -5:00]
Running from: c:\documents and settings\Chris\Desktop\CmbFx.exe
AV: avast! antivirus 4.8.1368 [VPS 100323-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SIntf16.dll
c:\windows\system32\Temp

.
((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-23 03:11 . 2010-03-23 03:12 -------- d-----w- c:\windows\LastGood
2010-03-17 16:41 . 2010-03-17 16:41 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\O&O
2010-03-12 03:14 . 2010-03-12 03:14 -------- d-----w- c:\documents and settings\Chris\Application Data\ScanSoft
2010-03-12 03:13 . 2010-03-12 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-03-12 03:08 . 2001-08-18 04:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-03-12 03:08 . 2001-08-18 04:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-03-12 03:04 . 2009-04-13 18:52 45056 ----a-w- c:\windows\system32\midrv74P.dll
2010-03-12 03:01 . 2010-03-23 03:11 -------- d-----w- c:\program files\Common Files\NeatReceipts
2010-03-12 03:00 . 2010-03-12 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\The Neat Company
2010-03-12 02:59 . 2010-03-23 03:11 -------- d-----w- c:\program files\Common Files\The Neat Company
2010-03-12 02:59 . 2010-03-23 03:04 -------- d-----w- c:\program files\NeatWorks
2010-03-10 13:04 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 11:53 . 2008-09-05 05:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-23 03:04 . 2009-02-20 20:41 -------- d-----w- c:\program files\Common Files\Intuit
2010-03-18 05:51 . 2008-07-01 03:50 -------- d-----w- c:\documents and settings\Chris\Application Data\Xilisoft Corporation
2010-03-17 16:34 . 2008-07-01 03:44 -------- d-----w- c:\program files\Xilisoft
2010-03-14 15:57 . 2010-01-16 05:33 -------- d-----w- c:\program files\SUPERc
2010-03-11 05:33 . 2008-06-24 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-07 03:12 . 2008-06-25 20:33 -------- d-----w- c:\documents and settings\Chris\Application Data\uTorrent
2010-03-05 15:45 . 2008-07-21 13:45 -------- d-----w- c:\documents and settings\Chris\Application Data\Skype
2010-03-05 15:43 . 2008-07-21 13:45 -------- d-----w- c:\documents and settings\Chris\Application Data\skypePM
2010-03-01 04:18 . 2008-06-27 13:47 -------- d-----w- c:\program files\GPS
2010-02-28 15:04 . 2008-06-29 20:02 -------- d-----w- c:\program files\Collectorz.com
2010-02-27 23:29 . 2008-09-12 01:51 2464 ----a-w- c:\program files\Configuration.xml
2010-02-25 13:30 . 2008-10-22 04:29 -------- d-----w- c:\documents and settings\Chris\Application Data\GetRight
2010-02-25 04:13 . 2008-06-25 20:33 -------- d-----w- c:\program files\uTorrent
2010-02-24 13:56 . 2009-08-27 20:45 2432 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-18 21:09 . 2009-10-12 16:25 -------- d-----w- c:\program files\!PortableApps
2010-02-15 17:02 . 2008-12-31 12:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-09 16:12 . 2010-02-09 16:12 -------- d-----w- c:\program files\Mexens
2010-02-05 16:54 . 2008-06-28 13:05 -------- d-----w- c:\program files\Google
2010-02-01 21:06 . 2009-02-20 20:41 -------- d-----w- c:\program files\TurboTax
2010-01-29 23:00 . 2010-01-29 23:00 -------- d-----w- c:\program files\PocketRAR
2010-01-28 21:54 . 2010-01-02 14:40 -------- d-----w- c:\program files\iWisoft
2010-01-28 14:13 . 2010-01-28 14:13 -------- d-----w- c:\documents and settings\Chris\Application Data\Seven Zip
2010-01-27 15:26 . 2009-12-22 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions
2010-01-27 14:30 . 2010-01-27 14:30 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 14:29 . 2008-08-11 12:06 -------- d-----w- c:\program files\Java
2010-01-21 15:50 . 2010-01-21 15:50 128 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\fusioncache.dat
2009-12-31 16:50 . 2003-03-31 19:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-10-01 19:27 . 2009-10-01 19:27 472560 ----a-w- c:\program files\KPTLanMon.exe
2009-09-09 23:43 . 2009-09-09 23:43 2279 ----a-w- c:\program files\KPTLanMon.txt
2009-08-15 14:00 . 2009-08-15 14:00 640 ----a-w- c:\program files\BlueScreenView.cfg
2009-08-08 22:22 . 2009-08-15 13:57 15148 ----a-w- c:\program files\BlueScreenView.chm
2009-08-02 03:28 . 2009-08-15 13:57 46592 ----a-w- c:\program files\BlueScreenView.exe
2009-07-18 04:24 . 2009-07-18 04:24 167941 ----a-w- c:\program files\!Everio SDCopy 1.9994 beta.rar
2009-07-02 15:39 . 2008-06-23 21:22 54 ----a-w- c:\program files\udpixel.xml
2009-06-24 20:34 . 2009-06-24 20:34 333493 ----a-w- c:\program files\!USB 2 Serial Drivers.rar
2009-06-23 14:20 . 2009-06-23 14:20 1369792 ----a-w- c:\program files\TrueCrypt.exe
2009-06-23 14:20 . 2009-01-01 23:58 880233 ----a-w- c:\program files\TrueCrypt User Guide.pdf
2009-06-23 14:20 . 2008-09-12 01:50 217664 ----a-w- c:\program files\truecrypt.sys
2009-06-23 14:20 . 2008-09-12 01:50 1525952 ----a-w- c:\program files\TrueCrypt Format.exe
2009-06-23 14:19 . 2009-06-23 14:19 3189144 ----a-w- c:\program files\TrueCrypt Setup 6.2a.exe
2009-06-17 20:35 . 2009-06-17 20:34 2271 ----a-w- c:\program files\WLPGQTEnable.cmd
2009-06-17 20:35 . 2009-06-17 20:34 2401 ----a-w- c:\program files\WLPGQTDisable.cmd
2009-06-08 15:37 . 2009-08-26 04:22 752128 ----a-w- c:\program files\OLKF.exe
2009-05-29 15:10 . 2009-03-22 18:09 147768 ----a-w- c:\program files\GRC-DNSBenchmark.exe
2009-03-22 18:10 . 2009-03-22 18:10 29248 ----a-w- c:\program files\GRC-MouseTrap.exe
2008-12-19 17:10 . 2009-03-25 12:22 1533440 ----a-w- c:\program files\Easy Duplicate Finder XP 2.2.1.exe
2008-07-04 23:39 . 2008-06-23 21:22 1520 ----a-w- c:\program files\CDmage.ini
2008-07-01 13:54 . 2008-07-01 13:53 29209739 ----a-w- c:\program files\!Kensington BT Plug (ToshibaBTStack 5.10.08).rar
2008-04-24 22:50 . 2008-07-21 02:49 10919936 ----a-w- c:\program files\DLink DNS-323 EasySearch 4.2.0.0.exe
2008-03-24 21:55 . 2008-06-23 21:22 40960 ----a-w- c:\program files\wizmo.exe
2008-02-19 14:46 . 2008-06-23 21:22 8628 ---ha-w- c:\program files\pagedfrg.GID
2008-02-18 01:18 . 2008-09-12 13:41 287744 ----a-w- c:\program files\BattStat.exe
2008-02-13 03:44 . 2008-06-23 21:22 30401112 ----a-w- c:\program files\!Logitech QuickCam v11.50.exe
2007-12-19 22:23 . 2008-06-23 21:22 401720 ----a-w- c:\program files\HiJackThis 2.0.2.exe
2007-11-26 20:31 . 2008-06-23 21:22 40898512 ----a-w- c:\program files\!SP30791 - ATI M9100 IGP VGA Driver for XP.exe
2007-11-05 13:54 . 2008-06-23 21:22 3564584 ----a-w- c:\program files\procexp.exe
2007-10-22 19:47 . 2008-06-23 21:22 19772748 ----a-w- c:\program files\!D-Link BTW 1.4.2.10.rar
2007-10-20 22:26 . 2008-06-23 21:22 3479552 ----a-w- c:\program files\!Mobile Net Switch 3.65.msi
2007-10-03 07:39 . 2008-06-23 21:21 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-10-03 01:35 . 2008-06-23 21:22 1696256 ----a-w- c:\program files\UndeletePlus.exe
2007-08-31 11:36 . 2008-06-23 21:22 72138 ----a-w- c:\program files\procexp.chm
2007-08-20 03:40 . 2008-06-23 21:22 546176 ----a-w- c:\program files\autoruns.exe
2007-08-10 10:10 . 2008-07-01 02:06 36864 ----a-w- c:\program files\3wdecoder.exe
2007-07-09 16:48 . 2008-06-23 21:22 48090 ----a-w- c:\program files\autoruns.chm
2007-03-17 16:18 . 2008-06-23 21:22 111104 ----a-w- c:\program files\ipscan.exe
2007-03-01 04:55 . 2009-05-30 12:36 73728 ----a-w- c:\program files\UDPixel22.exe
2007-02-23 03:08 . 2008-06-23 21:22 925696 ----a-w- c:\program files\GSpot.exe
2007-02-19 22:28 . 2008-06-23 21:22 117974 ----a-r- c:\program files\GSpot27.dat
2007-02-19 05:37 . 2008-06-23 21:22 17920 ----a-w- c:\program files\!Mobile Net Switch 3.61 KG.exe
2007-02-15 20:34 . 2008-06-23 21:21 37888 ----a-w- c:\program files\shexview.exe
2007-01-22 07:01 . 2008-06-23 21:22 401408 ----a-w- c:\program files\HDTune.exe
2006-11-01 19:06 . 2008-06-23 21:22 215928 ----a-w- c:\program files\pagedfrg.exe
2006-10-17 01:12 . 2008-06-23 21:22 167936 ----a-w- c:\program files\StartupList 2.0.2.exe
2006-09-19 05:50 . 2008-06-23 21:22 1139961 ----a-w- c:\program files\~mIRC617.ace
2006-07-05 03:18 . 2008-06-23 21:22 47616 ----a-w- c:\program files\smsniff.exe
2006-05-29 13:52 . 2009-08-31 19:57 200704 ----a-w- c:\program files\RenamerNG.exe
2006-05-29 12:19 . 2009-09-18 18:28 666112 ----a-w- c:\program files\Zynx GPS Simulator.exe
2006-04-15 17:29 . 2008-06-23 21:22 39424 ----a-w- c:\program files\cports.exe
2006-03-31 08:26 . 2008-06-23 21:22 1449984 ----a-w- c:\program files\CDSpeed.exe
2005-12-15 17:21 . 2009-09-18 18:28 418304 ----a-w- c:\program files\Zynx GPS Diagnostic.exe
2005-07-26 20:04 . 2008-06-23 21:22 34816 ----a-w- c:\program files\IBProcMan 1.04.0.exe
2005-07-26 00:45 . 2008-06-23 21:22 147456 ----a-w- c:\program files\TetrisAI.exe
2005-04-20 19:07 . 2008-06-23 21:22 106496 ----a-w- c:\program files\Tcpview.exe
2004-11-12 16:41 . 2004-11-12 16:41 57344 ----a-w- c:\program files\DropMyRights.exe
2004-06-08 14:26 . 2009-07-31 06:05 173144 ----a-w- c:\program files\GRC-SpinRite6.exe
2004-04-26 12:30 . 2008-06-23 21:21 388364 ----a-w- c:\program files\rockxp.exe
2004-04-19 23:28 . 2008-06-23 21:22 425984 ----a-w- c:\program files\TCPOptimizer.exe
2002-11-21 19:03 . 2008-06-23 21:22 26624 ----a-w- c:\program files\Internet Server ID Utility 1.01.exe
2001-03-01 19:31 . 2008-06-23 21:22 1328640 ----a-w- c:\program files\CDmage.exe
2000-11-15 14:21 . 2008-06-23 21:22 178688 ----a-w- c:\program files\hjsplit.exe
2000-07-24 00:58 . 2008-06-23 21:22 8419 ----a-w- c:\program files\pagedfrg.hlp
1999-12-18 00:22 . 2008-06-23 21:22 93184 ----a-w- c:\program files\WCAT.EXE
1999-12-18 00:22 . 2008-06-23 21:22 12800 ----a-w- c:\program files\WCATHK.DLL
1999-10-31 03:54 . 2008-06-23 21:22 561152 ----a-w- c:\program files\Convert.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-07 20:41 . 2008-09-07 20:41 123 --sh--r- c:\windows\Regbak.dat
2008-07-01 14:18 . 2008-07-01 13:58 24 --sh--w- c:\windows\SCA3C664B.tmp
2006-05-03 10:06 . 2010-01-16 05:33 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-01-16 05:33 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-01-16 05:33 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2010-01-04 17:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2010-01-04 17:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 335872]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-10-17 196670]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-01-10 491520]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-17 49152]
"MNS"="c:\program files\Mobile Net Switch\MNS.exe" [2007-10-05 905720]
"avast!"="c:\progra~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"CMCService"="c:\program files\ATI\Catalyst Media Center\CMCService.exe" [2008-06-06 172032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Chris\Start Menu\Programs\Startup\
Battery Statistics.lnk - c:\program files\BattStat.exe [2008-9-12 287744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DLink DNS-323 EasySearch 4.2.0.0.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EchoLink\\EchoLink.exe"=
"c:\\Program Files\\Brother\\BRAdminPro3\\discover.exe"=
"c:\\Program Files\\Brother\\BRAdminPro3\\AuditorServer.exe"=
"c:\\Program Files\\Brother\\BRAdminPro3\\bradminv3.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP\\MediaManager.exe"=
"c:\\Program Files\\OmniForm Premium 5.0\\EReg\\NAVBrowser.exe"=
"c:\\Program Files\\MyMobileR\\MyMobiler.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Heroes\\BFHeroes.exe"=
"c:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=
"c:\\Program Files\\Pocket Tanks Deluxe\\pockettanks.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\BBS\\TWGS\\twgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [6/23/2008 10:38 PM 5632]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/31/2009 3:25 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/31/2009 3:25 PM 20560]
R2 devdpl;devdpl;c:\windows\system32\drivers\devdpl.sys [2/21/2009 5:36 PM 7168]
R2 litdpl;litdpl;c:\windows\system32\drivers\litdpl.sys [2/21/2009 5:36 PM 4736]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [3/15/2009 3:13 PM 34064]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 10:05 AM 92008]
R3 BattStatSys;BattStatSys;\??\c:\docume~1\Chris\LOCALS~1\Temp\BSS3.tmp --> c:\docume~1\Chris\LOCALS~1\Temp\BSS3.tmp [?]
S2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdminPro3\bratimer.exe [9/18/2008 7:04 PM 65536]
S2 gupdate1c8e143f8bbfe6c;Google Update Service (gupdate1c8e143f8bbfe6c);c:\program files\Google\Update\GoogleUpdate.exe [7/8/2008 4:45 PM 133104]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/12/2008 11:39 AM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/12/2008 11:39 AM 7680]
S3 NGPSSER;NGPSSER;c:\windows\system32\drivers\ngpsser.sys [6/23/2009 1:51 PM 91520]
S3 NGPSUSB;NGPSUSB;c:\windows\system32\drivers\ngpsusb.sys [6/23/2009 1:51 PM 76928]
S3 PhDebug32;PhDebug32;\??\c:\bios\hr60\debug32.sys --> c:\bios\hr60\debug32.sys [?]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [6/24/2009 8:41 AM 91472]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/24/2008 12:51 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-08 00:39]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-08 00:39]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.apple.com/support/ipod
uInternet Settings,ProxyOverride = *.local
IE: Download All Files by HiDownload - c:\program files\HiDownload\HDGetAll.htm
IE: Download by HiDownload - c:\program files\HiDownload\HDGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: {321BCE7A-07F5-4A90-B435-1440D604E3A2} = 208.67.222.222,208.67.220.220
TCP: {F394D33D-17AC-4D7F-88AF-B7107AD5EB43} = 208.67.222.222,208.67.220.220
DPF: {16BC6A51-9F62-49E3-9F96-C842EF2FFE3E} - hxxp://202.133.244.128/CAB/WebPlayer.cab
DPF: {54CFC975-F9FB-45EB-8D18-D2D04FBC4299} - hxxp://202.133.244.128/CAB/RemoteWeb2.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\of73fcm3.default\
FF - component: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\of73fcm3.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\of73fcm3.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\of73fcm3.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\of73fcm3.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Chris\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BattStat - c:\program files\BattStatLauncher.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
ActiveSetup-Neat ADF Scanner 2008 - reg copy HKLM\Software\The Neat Company\Neat ADF Scanner 2008 HKCU\Software\The Neat Company\Neat ADF Scanner 2008
AddRemove-Allway Sync 'n' Go_is1 - o:\!allwaysync\unins000.exe
AddRemove-Battery Status - c:\\Program Files\Battery Status\setup.bat
AddRemove-BFG-Lottso! Deluxe - c:\program files\Lottso! Deluxe\Uninstall.exe
AddRemove-FastCAD - c:\program files\CC2\UNINST.EXE
AddRemove-Flash Movie Player - c:\program files\!Flash Movie Player\uninst.exe
AddRemove-HijackThis - m:\clstan\ToolZ\HijackThis.exe
AddRemove-Karen's LAN Monitor - c:\program files\KPT LAN Monitor\uninstall.exe
AddRemove-RtR object pack 1 - c:\program files\games\rule the rail\Uninst.isu
AddRemove-RtR Object pack 2 - c:\program files\games\rule the rail\Uninst.isu
AddRemove-RtR object pack 3 - c:\program files\games\rule the rail\Uninst.isu
AddRemove-RtR object pack 4 - c:\program files\games\rule the rail\Uninst.isu
AddRemove-RtR object pack 5 - c:\program files\games\rule the rail\Uninst.isu
AddRemove-RtR object pack 6 - c:\program files\games\rule the rail\Uninst.isu
AddRemove-Starships Unlimited v33.50 - c:\windows\Starships Unlimited v3\uninstall.exe
AddRemove-VisualGPS - c:\progra~1\GPS\VISUAL~1\VISUAL~1\VISUAL~1\UNWISE.EXE
AddRemove-WinFast Navigator - c:\progra~1\Leadtek\GPS\NAVIGA~1\UNWISE.EXE
AddRemove-Xilisoft iPod Video Converter - c:\program files\Xilisoft\dvd to ipod suite\iPod Video Converter 3\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 12:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?7?6?1??????? ?(?B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattStatSys]
"ImagePath"="\??\c:\docume~1\Chris\LOCALS~1\Temp\BSS3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-884357618-682003330-1003\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\3.0]
"FRT"="L5jbB8KEOw9ykcMK1TUF6HQV/4pAsFTK7ftvBwr/wJ1BUlDOKd/qwg=="
"PLCK"="YzmTQP8T+Dw7pCWkKD9mzKDE6n/6qhtW"
"Percents"="0 0.1168 0.3265 0.545 0.8625 0.9292 0.9375 "
"Increment"=".002976"
"PHSH"=""

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:6b,0e,d4,a8,d0,98,fc,b2,e8,af,79,59,8c,a7,8f,e8,19,53,eb,de,79,
b9,98,95,ee,8b,2b,d1,58,f2,b0,90,95,2f,3f,85,3a,f7,98,bd,b3,79,54,42,98,90,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:6b,0e,d4,a8,d0,98,fc,b2,e8,af,79,59,8c,a7,8f,e8,19,53,eb,de,79,
b9,98,95,ee,8b,2b,d1,58,f2,b0,90,95,2f,3f,85,3a,f7,98,bd,b3,79,54,42,98,90,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-23 12:19:32
ComboFix-quarantined-files.txt 2010-03-23 17:19

Pre-Run: 51,945,582,592 bytes free
Post-Run: 51,919,757,312 bytes free

- - End Of File - - 083C11A7843B59B513FCB130910DAC7F


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:47 AM

Posted 23 March 2010 - 03:28 PM

Good evening.

Two things I'd like to know:

1. How is the PC behaving?
2. Did you rename ComboFix or run it as ComboFix.exe?

So long, and thanks for all the fish.


#11 CLStan

CLStan
  • Topic Starter
  • Members
  • 45 posts
  • Local time:02:47 AM

Posted 24 March 2010 - 08:50 AM

It seems to be behaving like it's supposed to be doing. I re-enabled AVAST and went to my drivers directory and "CLICKED" on the atapi.sys file and AVAST did not report any issues. (Scanning the entire Drivers directory comes up clean.) MBAM also shows a clean system.

Yes...I changed the name of ComboFix.exe to CmbFx.exe.
The ComboFix Logs show this as well.
Running from: c:\documents and settings\Chris\Desktop\CmbFx.exe

Should I re-run DeFogger to re-enable my virtual drives?

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:47 AM

Posted 24 March 2010 - 03:21 PM

Good evening.

I'd like one last scan, just to satisfy my curiosity (such as it is):

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.


#13 CLStan

CLStan
  • Topic Starter
  • Members
  • 45 posts
  • Local time:02:47 AM

Posted 25 March 2010 - 10:44 AM

No threats detected.

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:47 AM

Posted 26 March 2010 - 03:29 PM

Good evening.

In which case I'd say you were done. I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am unsure from your log whether or not you have a software firewall installed. If you have, and I've missed it, please ignore this.
If you haven't, or are using the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
There are a few free firewalls available, of which the following are some examples:
Comodo Firewall Pro, available here. This download has both a firewall and anti-virus in the same package, so be sure that you uncheck the AV option if you choose to install this one.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

While you can download them all to see which one you prefer, only install one at a time - running two or more firewalls simultaneously can cause conflicts resulting in less, not more, protection.

Edited by Noviciate, 26 March 2010 - 03:30 PM.

So long, and thanks for all the fish.


#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:47 AM

Posted 31 March 2010 - 02:32 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.