
Infected with Vundo, wouldn't go away


This topic is locked
19 replies to this topic

#1 dexy22

  • Members
  • 11 posts

Posted 21 March 2010 - 04:26 PM

A couple of days ago Symantec registered Vundo & Backdoor.Tidserv!inf and took action, asking to reboot. However, after reboot (and a few reboots afterwards) it found Vundo again, and again asked to reboot. Did it a bunch of times, but still every time I turn my laptop on, I get 151 counts of Vundo.

Downloaded Vundofix, it found nothing, yet I started getting a bunch of fake antivirus alerts and some antivirus shortcuts appeared on my desktop.

A couple of times my laptop froze after working some 10-15 minutes in Normal mode.

I cannot access Add/Remove programs.

Whatever it is, it disabled Malwarebytes, so I have no access to it. Now even when I try to go to the Malwarebytes site and download it, I get a page saying the link is broken.

Ran Spybot a few times and it cleaned a bunch of things, but not all.



Thanks in advance, you guys, I'll just stop using my laptop till I get an answer from you. I don't want to screw something up if I try to deal with it myself. Here's DDS & Attach.txt along with GMER ark.txt

---------------------------------------------------------------------------------------------------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tsetsi at 9:30:04.28 on Sun 03/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.757 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Tsetsi\My Documents\Downloads\clean computer\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.1.27.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {a65609c4-51d8-4eec-bb52-d7ceaad0a7be} - fohuvefa.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\tsetsi\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [yevuladopo] Rundll32.exe "visoweka.dll",s
mPolicies-system: EnableLUA = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.1.27.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265598237359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.163.114,93.188.161.96
TCP: {43FEB5F0-4B05-43EA-B45B-B5AC4D90F643} = 93.188.163.114,93.188.161.96
TCP: {4FF28BBA-393A-47B1-A38D-9A2BF40FC832} = 93.188.163.114,93.188.161.96
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: befeleko.dll
LSA: Notification Packages = scecli befeleko.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tsetsi\applic~1\mozilla\firefox\profiles\sn8ct9fl.default\
FF - plugin: c:\documents and settings\tsetsi\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-3-20 93320]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-7 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100319.003\naveng.sys [2010-3-19 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100319.003\navex15.sys [2010-3-19 1324720]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]

=============== Created Last 30 ================

2010-03-21 13:21:14 96512 ----a-w- c:\windows\system32\drivers\OLD4.tmp
2010-03-21 00:09:41 0 d-----w- c:\program files\common files\McAfee
2010-03-21 00:07:59 0 d-----w- c:\program files\McAfee
2010-03-20 14:08:20 0 d-----w- C:\VundoFix Backups
2010-03-20 01:43:26 128512 ----a-w- c:\windows\Utelyb.exe
2010-03-20 01:40:46 128512 ----a-w- c:\windows\Utelya.exe
2010-03-14 00:52:13 0 d-----w- c:\program files\Stanza
2010-03-14 00:44:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-13 20:05:33 0 dc-h--w- c:\windows\ie8
2010-03-13 17:14:22 0 d-----w- c:\program files\WinDjView
2010-03-13 17:13:44 57436 ----a-w- c:\windows\DASShp.dll
2010-03-13 17:13:44 0 d-----w- c:\program files\Microsoft Reader
2010-03-12 02:06:51 0 d-----w- c:\program files\DietOrganizer 2.0
2010-03-12 02:04:39 0 d-----w- c:\program files\Calorie Balance Tracker
2010-03-11 00:00:58 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 22:07:23 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-03-09 22:07:23 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-03-09 22:07:20 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-03-09 22:07:20 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-03-09 20:51:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Kodak
2010-03-02 19:25:17 138752 -c--a-w- c:\windows\system32\dllcache\sndvol32.exe
2010-03-02 19:25:17 138752 ----a-w- c:\windows\system32\sndvol32.exe
2010-03-02 19:03:47 0 d-----w- c:\windows\system32\appmgmt
2010-03-02 02:53:51 532480 ----a-w- c:\windows\system32\FLIQLO.scr
2010-03-02 02:53:51 0 d-----w- c:\windows\system32\FLIQLO dir
2010-03-01 17:00:31 0 d-----w- c:\docume~1\tsetsi\applic~1\MSNInstaller
2010-03-01 16:52:23 0 d-----w- c:\program files\Fabio's iTunes Lyrics Downloader 2.8
2010-03-01 03:06:57 0 d-----w- c:\docume~1\tsetsi\applic~1\AMPSoft
2010-03-01 03:06:12 0 d-----w- c:\program files\AMP Font Viewer
2010-02-28 23:08:24 23664 ----a-w- c:\windows\ATMREG.ATM
2010-02-28 06:26:36 15360 ----a-w- c:\windows\system32\ATMsrvc.exe
2010-02-28 06:26:36 0 d-----w- C:\PSFONTS
2010-02-28 06:26:36 0 d-----w- c:\program files\Adobe Type Manager
2010-02-28 06:25:57 299520 ----a-w- c:\windows\uninst.exe
2010-02-28 06:25:55 0 d-----w- c:\documents and settings\tsetsi\WINDOWS
2010-02-28 06:25:50 0 d-----w- c:\temp\adobe
2010-02-27 17:15:21 0 d-----w- c:\docume~1\tsetsi\applic~1\Office Genuine Advantage
2010-02-26 21:04:51 0 d-----w- C:\Downloads
2010-02-26 21:04:50 0 d-----w- c:\docume~1\tsetsi\applic~1\BitComet
2010-02-26 21:02:15 0 d-----w- c:\program files\BitComet
2010-02-24 18:06:44 3253 ----a-w- c:\windows\system32\wbem\Outlook_01cab57c1fb18902.mof
2010-02-20 16:39:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-02-20 03:15:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-02-20 03:15:28 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-02-20 00:27:17 0 d-----w- c:\program files\K-Lite Codec Pack
2010-02-20 00:15:17 0 d-----w- c:\program files\DivX
2010-02-20 00:15:17 0 d-----w- c:\program files\common files\DivX Shared
2010-02-19 19:01:15 0 d-----w- c:\docume~1\alluse~1\applic~1\ALM

==================== Find3M ====================

2010-02-08 02:25:01 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-08 02:25:01 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-08 02:25:01 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-08 02:25:01 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-07 21:58:07 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-02 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
1601-01-01 00:03:52 65536 --sha-w- c:\windows\system32\fohuvefa.dll
1601-01-01 00:03:28 70144 --sha-w- c:\windows\system32\tiyupotu.dll
1601-01-01 00:03:52 65536 --sha-w- c:\windows\system32\visoweka.dll
1601-01-01 00:03:28 193024 --sha-w- c:\windows\system32\wifufulu.exe

============= FINISH: 9:30:48.89 ===============



Edited by dexy22, 21 March 2010 - 04:29 PM.
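A triage pass over the DDS report above, as an added example that is not part of the original post or of the DDS tool: it flags the persistence and tampering indicators a malware responder looks for in this kind of log (AppInit_DLLs and LSA notification packages, IFEO debugger redirects, path-less BHO and rundll32 entries, non-local DNS resolvers, hosts-file blackholing, and Find3M files with a zero FILETIME or system+hidden attributes). The sample lines are taken from the report above, with one clean control line per class; the rules and thresholds are this example's own assumptions.

```python
"""Triage of DDS 'Pseudo HJT Report' and Find3M lines for persistence and
tampering indicators. Example code; not part of the DDS tool or the thread."""
import ipaddress
import re

# The only LSA notification package a stock Windows XP workstation registers.
LSA_DEFAULT = {"scecli"}

# DDS Find3M line: "date time size attributes path" (attributes = 8 flag chars).
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\d+\s+([-a-z]{8})\s+(.+)$")
# rundll32 loading a DLL given without a directory (resolved via search path).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)', re.I)

# Constructed sample: lines copied from the DDS report in the post above,
# plus one clean control line per class (Adobe BHO, ctfmon Run key, wininet.dll).
SAMPLE = [
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r"BHO: {a65609c4-51d8-4eec-bb52-d7ceaad0a7be} - fohuvefa.dll",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'mRun: [yevuladopo] Rundll32.exe "visoweka.dll",s',
    "mPolicies-system: EnableLUA = 0 (0x0)",
    "TCP: NameServer = 93.188.163.114,93.188.161.96",
    "AppInit_DLLs: befeleko.dll",
    "LSA: Notification Packages = scecli befeleko.dll",
    r"IFEO: MSASCui.exe - c:\windows\system32\svchost.exe",
    "Hosts: 127.0.0.1 www.spywareinfo.com",
    r"2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll",
    r"1601-01-01 00:03:52 65536 --sha-w- c:\windows\system32\fohuvefa.dll",
]


def is_local_resolver(addr: str) -> bool:
    """True for loopback / RFC 1918 resolvers (a router or corporate DNS)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def triage_line(line: str) -> list:
    """Return the finding strings for one DDS line (empty list if clean)."""
    f = []
    if line.startswith("AppInit_DLLs:"):
        value = line.split(":", 1)[1].strip()
        if value:
            f.append(f"AppInit_DLLs loads '{value}' into every process that maps user32")
    elif line.startswith("LSA: Notification Packages"):
        pkgs = line.split("=", 1)[1].split()
        extra = [p for p in pkgs if p.lower() not in LSA_DEFAULT]
        if extra:
            f.append(f"non-default LSA notification package(s) {extra} load into lsass.exe")
    elif line.startswith("IFEO:"):
        target, _, debugger = line[5:].strip().partition(" - ")
        # The Debugger value runs in place of the target; pointing a security
        # tool at svchost.exe means the tool silently never starts.
        f.append(f"IFEO Debugger redirects {target} to {debugger}")
    elif line.startswith("BHO:"):
        _, _, path = line[4:].strip().rpartition(" - ")
        if "\\" not in path and path.lower().endswith(".dll"):
            f.append(f"BHO listed as bare file name '{path}' (no path, no description)")
    elif line.startswith(("uRun:", "mRun:")):
        m = RUNDLL_RE.search(line)
        if m and "\\" not in m.group(1):
            f.append(f"Run key loads '{m.group(1)}' via rundll32 without a directory path")
    elif line.startswith("mPolicies-system: EnableLUA"):
        if re.search(r"=\s*0\b", line):
            f.append("EnableLUA = 0: UAC policy switched off")
    elif line.startswith("TCP:"):
        servers = line.split("=", 1)[1].replace(" ", "").split(",")
        foreign = [s for s in servers if not is_local_resolver(s)]
        if foreign:
            f.append(f"DNS resolvers {foreign} are outside the local network; "
                     "confirm they match the ISP/router assignment")
    elif line.startswith("Hosts:"):
        m = re.match(r"Hosts:\s*(\S+)\s+(\S+)", line)
        if m and m.group(1) in ("127.0.0.1", "0.0.0.0"):
            f.append(f"hosts file blackholes {m.group(2)}")
    else:
        m = FIND3M_RE.match(line)
        if m:
            date, attrs, path = m.groups()
            if date == "1601-01-01":
                f.append(f"{path}: zero FILETIME (timestamp wiped)")
            if "s" in attrs and "h" in attrs:
                f.append(f"{path}: system+hidden attributes set")
    return f


def triage(lines) -> list:
    """Map each flagged line to its findings, preserving log order."""
    out = []
    for line in lines:
        line = line.rstrip()
        findings = triage_line(line)
        if findings:
            out.append((line, findings))
    return out


if __name__ == "__main__":
    for line, findings in triage(SAMPLE):
        print(line)
        for item in findings:
            print("    ->", item)
```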




#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 21 March 2010 - 07:40 PM

Hello.

I see a few things we need to do here. We'll start with Combofix and then we'll deal with the rest afterwards.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 dexy22
  • Topic Starter

  • Members
  • 11 posts

Posted 22 March 2010 - 04:27 PM

Extremeboy, thanks a million for replying so quickly!

I ran Combofix. However, I encountered a couple of problems. I tried to disable Windows Firewall, but when I go to Control Panel and hit Security Center, I get:

Windows cannot find 'C:\WINDOWS\system32\rundll32.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

I get the same message when I try to access Add/Remove Programs; the other components of Control Panel seem to work though.

So then I tried Start-->Run--> firewall.cpl but got the "Open With" window and that was all.



Also, I don't know if it's important, but the instructions on Spybot disabling on http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/ seem to be a bit off or at least not applicable to my version. What I mean to say is that I did not disable the TeaTimer SDHelper because it wasn't mentioned, and only later found out in a different post in the forum that that's what I should have done.


That said, here's the log. Thank you once again!



ComboFix 10-03-22.02 - Tsetsi 03/22/2010 16:54:10.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1102 [GMT -4:00]
Running from: c:\documents and settings\Tsetsi\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\befeleko.dll
c:\windows\system32\fohuvefa.dll
c:\windows\system32\spool\prtprocs\w32x86\000023a3.tmp
c:\windows\system32\visoweka.dll
c:\windows\system32\wifufulu.exe
c:\windows\Tasks\wcutjevh.job

.
((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-21 00:09 . 2010-03-21 00:09 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-21 00:07 . 2010-03-21 00:49 -------- d-----w- c:\program files\McAfee
2010-03-21 00:07 . 2010-03-21 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-20 14:08 . 2010-03-20 14:08 -------- d-----w- C:\VundoFix Backups
2010-03-20 01:43 . 2010-03-20 01:40 128512 ----a-w- c:\windows\Utelyb.exe
2010-03-20 01:40 . 2010-03-20 01:40 128512 ----a-w- c:\windows\Utelya.exe
2010-03-14 00:52 . 2010-03-14 00:52 -------- d-----w- c:\program files\Stanza
2010-03-14 00:43 . 2010-03-14 00:44 -------- d-----w- c:\program files\Java
2010-03-14 00:43 . 2010-03-14 00:43 -------- d-----w- c:\program files\Common Files\Java
2010-03-13 20:05 . 2010-03-13 20:06 -------- dc-h--w- c:\windows\ie8
2010-03-13 17:42 . 2010-03-13 17:42 0 ----a-w- c:\windows\nsreg.dat
2010-03-13 17:42 . 2010-03-13 17:42 -------- d-----w- c:\documents and settings\Tsetsi\Local Settings\Application Data\Mozilla
2010-03-13 17:14 . 2010-03-13 17:14 -------- d-----w- c:\program files\WinDjView
2010-03-13 17:13 . 2010-03-13 17:13 -------- d-----w- c:\program files\Microsoft Reader
2010-03-13 17:13 . 2003-06-05 22:15 57436 ----a-w- c:\windows\DASShp.dll
2010-03-12 02:43 . 2010-03-12 02:43 -------- d-----w- c:\documents and settings\Tsetsi\Local Settings\Application Data\DietOrganizer
2010-03-12 02:07 . 2010-03-12 02:07 -------- d-----w- c:\documents and settings\Tsetsi\Local Settings\Application Data\IsolatedStorage
2010-03-12 02:06 . 2010-03-12 02:06 -------- d-----w- c:\program files\DietOrganizer 2.0
2010-03-12 02:04 . 2010-03-12 02:06 -------- d-----w- c:\program files\Calorie Balance Tracker
2010-03-11 00:00 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 22:07 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-03-09 22:07 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-03-09 22:07 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-03-09 22:07 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-03-09 20:51 . 2010-03-09 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-03-02 19:25 . 2003-03-31 12:00 138752 -c--a-w- c:\windows\system32\dllcache\sndvol32.exe
2010-03-02 19:25 . 2003-03-31 12:00 138752 ----a-w- c:\windows\system32\sndvol32.exe
2010-03-02 02:53 . 2010-03-02 02:54 -------- d-----w- c:\windows\system32\FLIQLO dir
2010-03-02 02:53 . 2010-03-02 02:53 532480 ----a-w- c:\windows\system32\FLIQLO.scr
2010-03-01 17:00 . 2010-03-01 17:00 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\MSNInstaller
2010-03-01 16:52 . 2010-03-01 17:14 -------- d-----w- c:\program files\Fabio's iTunes Lyrics Downloader 2.8
2010-03-01 03:06 . 2010-03-01 03:06 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\AMPSoft
2010-03-01 03:06 . 2010-03-01 03:06 -------- d-----w- c:\program files\AMP Font Viewer
2010-02-28 06:26 . 2010-02-28 06:26 -------- d-----w- C:\PSFONTS
2010-02-28 06:26 . 2010-02-28 06:26 -------- d-----w- c:\program files\Adobe Type Manager
2010-02-28 06:26 . 2000-05-24 20:20 15360 ----a-w- c:\windows\system32\ATMsrvc.exe
2010-02-28 06:25 . 2000-05-24 20:02 299520 ----a-w- c:\windows\uninst.exe
2010-02-28 06:25 . 2010-02-28 06:25 -------- d-----w- c:\documents and settings\Tsetsi\WINDOWS
2010-02-28 06:25 . 2010-02-28 06:25 -------- d-----w- c:\temp\adobe
2010-02-27 17:15 . 2010-02-27 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-27 17:15 . 2010-02-27 17:15 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Office Genuine Advantage
2010-02-26 21:04 . 2010-03-03 21:38 -------- d-----w- C:\Downloads
2010-02-26 21:04 . 2010-03-16 16:11 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\BitComet
2010-02-26 21:02 . 2010-02-26 21:04 -------- d-----w- c:\program files\BitComet
2010-02-26 15:37 . 2010-03-13 23:37 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Download Manager
2010-02-23 03:26 . 2010-02-23 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Media Player Classic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-22 21:02 . 2010-02-11 22:29 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Skype
2010-03-22 21:01 . 2010-02-08 02:24 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-22 21:00 . 2010-02-16 01:00 -------- d-----w- c:\program files\Common Files\Akamai
2010-03-22 20:19 . 2010-02-11 22:32 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\skypePM
2010-03-14 00:52 . 2010-02-13 00:36 -------- d-----w- c:\program files\Bonjour
2010-03-13 18:13 . 2010-02-08 02:19 26840 ----a-w- c:\documents and settings\Tsetsi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 17:13 . 2010-02-07 22:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 00:39 . 2010-02-14 01:01 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\vlc
2010-03-12 23:55 . 2010-02-20 00:18 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\dvdcss
2010-03-12 02:06 . 2010-03-12 02:06 86358 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{210A657D-CFDE-4C8C-B361-9DD8CCF77CA2}\_bb32ea6.exe
2010-03-12 02:06 . 2010-03-12 02:06 86358 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{210A657D-CFDE-4C8C-B361-9DD8CCF77CA2}\_5af141bb.exe
2010-03-12 02:06 . 2010-03-12 02:06 1078 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{210A657D-CFDE-4C8C-B361-9DD8CCF77CA2}\_26e91eb.exe
2010-03-11 04:45 . 2010-02-11 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 20:51 . 2010-03-09 20:51 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.2.20.2.dll
2010-02-26 16:18 . 2010-02-09 04:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-21 08:55 . 2010-02-13 00:37 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Apple Computer
2010-02-20 04:02 . 2010-02-20 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-20 03:15 . 2010-02-20 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-20 02:37 . 2010-02-20 02:37 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\DivX
2010-02-20 00:27 . 2010-02-20 00:27 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-02-20 00:15 . 2010-02-20 00:15 -------- d-----w- c:\program files\DivX
2010-02-20 00:15 . 2010-02-20 00:15 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-19 19:01 . 2010-02-19 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-02-16 01:35 . 2010-02-16 01:35 -------- d-----w- c:\program files\Adobe Media Player
2010-02-16 01:27 . 2010-02-16 01:27 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-02-15 17:01 . 2010-02-15 17:01 -------- d-----w- c:\program files\YouTube Downloader
2010-02-15 08:05 . 2010-02-11 00:29 -------- d-----w- c:\program files\Microsoft Works
2010-02-14 17:43 . 2010-02-14 17:43 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-14 01:00 . 2010-02-14 01:00 -------- d-----w- c:\program files\VideoLAN
2010-02-13 01:48 . 2010-02-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-13 00:37 . 2010-02-13 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-13 00:37 . 2010-02-13 00:36 -------- d-----w- c:\program files\iTunes
2010-02-13 00:36 . 2010-02-13 00:36 -------- d-----w- c:\program files\iPod
2010-02-13 00:36 . 2010-02-13 00:34 -------- d-----w- c:\program files\Common Files\Apple
2010-02-13 00:36 . 2010-02-13 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-13 00:36 . 2010-02-13 00:35 -------- d-----w- c:\program files\QuickTime
2010-02-13 00:35 . 2010-02-13 00:35 -------- d-----w- c:\program files\Apple Software Update
2010-02-11 22:32 . 2010-02-11 22:32 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-11 22:28 . 2010-02-11 22:28 -------- d-----w- c:\program files\Common Files\Skype
2010-02-11 22:28 . 2010-02-11 22:28 -------- d-----r- c:\program files\Skype
2010-02-11 22:28 . 2010-02-11 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-11 00:28 . 2010-02-11 00:28 -------- d-----w- c:\program files\Microsoft.NET
2010-02-09 04:54 . 2010-02-09 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-09 04:24 . 2010-02-09 04:24 -------- d-----w- c:\program files\MSBuild
2010-02-09 04:24 . 2010-02-09 04:24 -------- d-----w- c:\program files\Reference Assemblies
2010-02-09 04:13 . 2010-02-09 04:13 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-02-09 04:12 . 2010-02-09 04:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-09 04:11 . 2010-02-09 04:11 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-09 00:42 . 2010-02-09 00:42 -------- d-----w- c:\program files\Motorola
2010-02-09 00:40 . 2010-02-09 00:40 -------- d-----w- c:\program files\Synaptics
2010-02-09 00:38 . 2010-02-09 00:38 -------- d-----w- c:\program files\Toshiba
2010-02-09 00:28 . 2010-02-09 00:28 -------- d-----w- c:\program files\Realtek
2010-02-08 13:05 . 2010-02-07 22:00 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-08 02:44 . 2010-02-08 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-08 02:43 . 2010-02-08 02:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-08 02:35 . 2010-02-08 02:35 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Malwarebytes
2010-02-08 02:35 . 2010-02-08 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 02:25 . 2010-02-08 02:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-08 02:25 . 2010-02-08 02:24 -------- d-----w- c:\program files\Symantec
2010-02-08 02:25 . 2010-02-08 02:24 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-08 02:25 . 2010-02-08 02:24 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-08 02:25 . 2010-02-08 02:24 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-08 02:25 . 2010-02-08 02:24 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-08 02:24 . 2010-02-08 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-08 02:19 . 2010-02-08 02:19 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\ATI
2010-02-08 02:19 . 2010-02-08 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-02-07 23:29 . 2010-02-07 23:29 10134 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{7F311276-1CD6-1661-8BAE-DD9016FE9B8D}\ARPPRODUCTICON.exe
2010-02-07 23:25 . 2010-02-07 22:34 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-07 22:34 . 2010-02-07 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros
2010-02-07 22:01 . 2010-02-07 22:01 -------- d-----w- c:\program files\microsoft frontpage
2010-02-07 21:58 . 2010-02-07 21:58 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-02 18:00 . 2010-02-20 00:27 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-23 00:51 . 2010-01-23 00:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
1601-01-01 00:03 . 1601-01-01 00:03 70144 --sha-w- c:\windows\system32\dibiyowa.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-09 135664]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-31 16269312]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-08-07 573440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-08-07 18:11 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-05-26 01:02 786521 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\launch4j-tmp\\Stanza.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"17419:TCP"= 17419:TCP:BitComet 17419 TCP
"17419:UDP"= 17419:UDP:BitComet 17419 UDP
"1033:TCP"= 1033:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 AM 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [3/20/2010 8:08 PM 93320]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/7/2010 10:33 PM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-630328440-682003330-1003Core.job
- c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-09 04:10]

2010-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-630328440-682003330-1003UA.job
- c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-09 04:10]

2010-03-22 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tsetsi\Application Data\Mozilla\Firefox\Profiles\sn8ct9fl.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{a65609c4-51d8-4eec-bb52-d7ceaad0a7be} - fohuvefa.dll
HKLM-Run-yevuladopo - visoweka.dll
AddRemove-AntiVirus Plus - c:\documents and settings\Tsetsi\Application Data\AntiVirus Plus\AntiVirus Plus.55532.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-22 17:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2704)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-03-22 17:07:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-22 21:07

Pre-Run: 20,782,563,328 bytes free
Post-Run: 20,721,295,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 80E5227E78E958A20978073F8C3359A8

Edited by dexy22, 22 March 2010 - 05:09 PM.
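As an added illustration (my own code, not part of this thread and not something ComboFix does) of why the helper singles out c:\windows\system32\dibiyowa.dll in the log above: a small Python parser for the "Files Created" / "Find3M Report" entry format, flagging the two anomalies visible on that line, a 1601-01-01 timestamp (the zero point of the Windows FILETIME epoch, so the time was never set or was wiped) and hidden+system attributes on a loose file directly under system32. The sample lines are copied from the log above; the heuristics, function names and thresholds are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entry format used by the "Files Created" and "Find3M Report" sections:
#   <modified> . <created> <size | -------- for directories> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) "
    r"(?P<attrs>[dcshawr-]{8}) "
    r"(?P<path>.+)$"
)

# FILETIME counts from 1601-01-01; a 1601 date means the timestamp is zero
# (never set or wiped), which ordinary installers do not produce.
FILETIME_EPOCH_YEAR = "1601"


@dataclass
class Entry:
    modified: str
    created: str
    size: Optional[int]   # None for directories ("--------" in the log)
    attrs: str            # 8-char flag field, e.g. "--sha-w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, blanks and separators."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["mod"], m["cre"], size, m["attrs"], m["path"])


def suspicious_reasons(e: Entry) -> List[str]:
    """Heuristics (assumed by me, not ComboFix's) for entries worth a closer look."""
    reasons: List[str] = []
    if e.modified.startswith(FILETIME_EPOCH_YEAR) or e.created.startswith(FILETIME_EPOCH_YEAR):
        reasons.append("zero FILETIME (1601) timestamp")
    # Hidden + system on a loose file under system32 is unusual for application
    # code and a common way droppers hide a payload DLL; treat it as a lead,
    # not as proof.
    if not e.is_dir and e.hidden and e.system and "\\system32\\" in e.path.lower():
        reasons.append("hidden+system file in system32")
    return reasons


def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; unflagged entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = suspicious_reasons(e)
        if reasons:
            flagged[e.path] = reasons
    return flagged


# Sample input: lines copied from the Find3M section of the log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 22:32 . 2010-02-11 22:32 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-11 22:28 . 2010-02-11 22:28 -------- d-----r- c:\program files\Skype
2010-02-08 02:25 . 2010-02-08 02:24 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
1601-01-01 00:03 . 1601-01-01 00:03 70144 --sha-w- c:\windows\system32\dibiyowa.dll
.
"""

if __name__ == "__main__":
    for path, reasons in scan_log(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run against the sample, only the dibiyowa.dll line is flagged (both reasons); ezsidmv.dat is hidden but not system, so it passes, which matches the helper's later CFScript that collects dibiyowa.dll and leaves the Skype file alone.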


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:05 AM

Posted 22 March 2010 - 07:47 PM

Hi again,

Thanks for making me aware of that. Let's continue here.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/304040/infected-with-vundo-wouldnt-go-away/
    Collect::[68]
    c:\windows\Utelyb.exe
    c:\windows\Utelya.exe
    c:\windows\system32\dibiyowa.dll
    Folder::
    C:\VundoFix Backups
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen will appear, auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.

Let me know how it goes and if the upload went successfully or not in your next reply.
--
For that error you get while using add/remove, we'll do a registry search to see what might be causing that.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :regfind
    rundll32.exe
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please ATTACH this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


Run Malwarebytes, as it may also fix it; if not, we'll deal with it manually.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#5 dexy22

dexy22
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 23 March 2010 - 10:08 AM

Hey, me again

So, I did everything as you explained it. Luckily I was able to download MalwareBytes again; it wouldn't let me open it or go to their site just a couple of days ago. I have no access to Add/Remove or Security Center yet, but otherwise things look all right; at least I get no more fake alerts and my computer is working better. MBAM didn't find anything, though.

Here are the logs


cheers


ComboFix 10-03-22.03 - Tsetsi 03/23/2010 10:33:30.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1176 [GMT -4:00]
Running from: c:\documents and settings\Tsetsi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tsetsi\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\windows\system32\dibiyowa.dll
file zipped: c:\windows\Utelya.exe
file zipped: c:\windows\Utelyb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
c:\windows\system32\dibiyowa.dll
c:\windows\Utelya.exe
c:\windows\Utelyb.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-21 00:09 . 2010-03-21 00:09 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-21 00:07 . 2010-03-21 00:49 -------- d-----w- c:\program files\McAfee
2010-03-21 00:07 . 2010-03-21 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-14 00:52 . 2010-03-14 00:52 -------- d-----w- c:\program files\Stanza
2010-03-14 00:43 . 2010-03-14 00:44 -------- d-----w- c:\program files\Java
2010-03-14 00:43 . 2010-03-14 00:43 -------- d-----w- c:\program files\Common Files\Java
2010-03-13 20:05 . 2010-03-13 20:06 -------- dc-h--w- c:\windows\ie8
2010-03-13 17:42 . 2010-03-13 17:42 0 ----a-w- c:\windows\nsreg.dat
2010-03-13 17:42 . 2010-03-13 17:42 -------- d-----w- c:\documents and settings\Tsetsi\Local Settings\Application Data\Mozilla
2010-03-13 17:14 . 2010-03-13 17:14 -------- d-----w- c:\program files\WinDjView
2010-03-13 17:13 . 2010-03-13 17:13 -------- d-----w- c:\program files\Microsoft Reader
2010-03-13 17:13 . 2003-06-05 22:15 57436 ----a-w- c:\windows\DASShp.dll
2010-03-12 02:43 . 2010-03-12 02:43 -------- d-----w- c:\documents and settings\Tsetsi\Local Settings\Application Data\DietOrganizer
2010-03-12 02:07 . 2010-03-12 02:07 -------- d-----w- c:\documents and settings\Tsetsi\Local Settings\Application Data\IsolatedStorage
2010-03-12 02:06 . 2010-03-12 02:06 86358 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{210A657D-CFDE-4C8C-B361-9DD8CCF77CA2}\_bb32ea6.exe
2010-03-12 02:06 . 2010-03-12 02:06 86358 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{210A657D-CFDE-4C8C-B361-9DD8CCF77CA2}\_5af141bb.exe
2010-03-12 02:06 . 2010-03-12 02:06 1078 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{210A657D-CFDE-4C8C-B361-9DD8CCF77CA2}\_26e91eb.exe
2010-03-12 02:06 . 2010-03-12 02:06 -------- d-----w- c:\program files\DietOrganizer 2.0
2010-03-12 02:04 . 2010-03-12 02:06 -------- d-----w- c:\program files\Calorie Balance Tracker
2010-03-11 00:00 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 22:07 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-03-09 22:07 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-03-09 22:07 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-03-09 22:07 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-03-09 20:51 . 2010-03-09 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-03-09 20:51 . 2010-03-09 20:51 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.2.20.2.dll
2010-03-02 19:25 . 2003-03-31 12:00 138752 -c--a-w- c:\windows\system32\dllcache\sndvol32.exe
2010-03-02 19:25 . 2003-03-31 12:00 138752 ----a-w- c:\windows\system32\sndvol32.exe
2010-03-02 02:53 . 2010-03-02 02:54 -------- d-----w- c:\windows\system32\FLIQLO dir
2010-03-02 02:53 . 2010-03-02 02:53 532480 ----a-w- c:\windows\system32\FLIQLO.scr
2010-03-01 17:00 . 2010-03-01 17:00 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\MSNInstaller
2010-03-01 16:52 . 2010-03-01 17:14 -------- d-----w- c:\program files\Fabio's iTunes Lyrics Downloader 2.8
2010-03-01 03:06 . 2010-03-01 03:06 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\AMPSoft
2010-03-01 03:06 . 2010-03-01 03:06 -------- d-----w- c:\program files\AMP Font Viewer
2010-02-28 06:26 . 2010-02-28 06:26 -------- d-----w- C:\PSFONTS
2010-02-28 06:26 . 2010-02-28 06:26 -------- d-----w- c:\program files\Adobe Type Manager
2010-02-28 06:26 . 2000-05-24 20:20 15360 ----a-w- c:\windows\system32\ATMsrvc.exe
2010-02-28 06:25 . 2000-05-24 20:02 299520 ----a-w- c:\windows\uninst.exe
2010-02-28 06:25 . 2010-02-28 06:25 -------- d-----w- c:\documents and settings\Tsetsi\WINDOWS
2010-02-28 06:25 . 2010-02-28 06:25 -------- d-----w- c:\temp\adobe
2010-02-27 17:15 . 2010-02-27 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-27 17:15 . 2010-02-27 17:15 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Office Genuine Advantage
2010-02-26 21:04 . 2010-03-03 21:38 -------- d-----w- C:\Downloads
2010-02-26 21:04 . 2010-03-16 16:11 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\BitComet
2010-02-26 21:02 . 2010-02-26 21:04 -------- d-----w- c:\program files\BitComet
2010-02-26 15:37 . 2010-03-13 23:37 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Download Manager
2010-02-23 03:26 . 2010-02-23 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Media Player Classic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 14:38 . 2010-02-11 22:29 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Skype
2010-03-23 14:30 . 2010-02-08 02:24 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-23 14:11 . 2010-02-11 22:32 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\skypePM
2010-03-23 14:11 . 2010-02-16 01:00 -------- d-----w- c:\program files\Common Files\Akamai
2010-03-14 00:52 . 2010-02-13 00:36 -------- d-----w- c:\program files\Bonjour
2010-03-13 18:13 . 2010-02-08 02:19 26840 ----a-w- c:\documents and settings\Tsetsi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 17:13 . 2010-02-07 22:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 00:39 . 2010-02-14 01:01 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\vlc
2010-03-12 23:55 . 2010-02-20 00:18 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\dvdcss
2010-03-11 04:45 . 2010-02-11 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-26 16:18 . 2010-02-09 04:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-21 08:55 . 2010-02-13 00:37 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Apple Computer
2010-02-20 04:02 . 2010-02-20 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-20 03:15 . 2010-02-20 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-20 02:37 . 2010-02-20 02:37 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\DivX
2010-02-20 00:27 . 2010-02-20 00:27 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-02-20 00:15 . 2010-02-20 00:15 -------- d-----w- c:\program files\DivX
2010-02-20 00:15 . 2010-02-20 00:15 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-19 19:01 . 2010-02-19 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-02-16 01:35 . 2010-02-16 01:35 -------- d-----w- c:\program files\Adobe Media Player
2010-02-16 01:27 . 2010-02-16 01:27 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-02-15 17:01 . 2010-02-15 17:01 -------- d-----w- c:\program files\YouTube Downloader
2010-02-15 08:05 . 2010-02-11 00:29 -------- d-----w- c:\program files\Microsoft Works
2010-02-14 17:43 . 2010-02-14 17:43 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-14 01:00 . 2010-02-14 01:00 -------- d-----w- c:\program files\VideoLAN
2010-02-13 01:48 . 2010-02-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-13 00:37 . 2010-02-13 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-13 00:37 . 2010-02-13 00:36 -------- d-----w- c:\program files\iTunes
2010-02-13 00:36 . 2010-02-13 00:36 -------- d-----w- c:\program files\iPod
2010-02-13 00:36 . 2010-02-13 00:34 -------- d-----w- c:\program files\Common Files\Apple
2010-02-13 00:36 . 2010-02-13 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-13 00:36 . 2010-02-13 00:35 -------- d-----w- c:\program files\QuickTime
2010-02-13 00:35 . 2010-02-13 00:35 -------- d-----w- c:\program files\Apple Software Update
2010-02-11 22:32 . 2010-02-11 22:32 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-11 22:28 . 2010-02-11 22:28 -------- d-----w- c:\program files\Common Files\Skype
2010-02-11 22:28 . 2010-02-11 22:28 -------- d-----r- c:\program files\Skype
2010-02-11 22:28 . 2010-02-11 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-11 00:28 . 2010-02-11 00:28 -------- d-----w- c:\program files\Microsoft.NET
2010-02-09 04:54 . 2010-02-09 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-09 04:24 . 2010-02-09 04:24 -------- d-----w- c:\program files\MSBuild
2010-02-09 04:24 . 2010-02-09 04:24 -------- d-----w- c:\program files\Reference Assemblies
2010-02-09 04:13 . 2010-02-09 04:13 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-02-09 04:12 . 2010-02-09 04:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-09 04:11 . 2010-02-09 04:11 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-09 00:42 . 2010-02-09 00:42 -------- d-----w- c:\program files\Motorola
2010-02-09 00:40 . 2010-02-09 00:40 -------- d-----w- c:\program files\Synaptics
2010-02-09 00:38 . 2010-02-09 00:38 -------- d-----w- c:\program files\Toshiba
2010-02-09 00:28 . 2010-02-09 00:28 -------- d-----w- c:\program files\Realtek
2010-02-08 13:05 . 2010-02-07 22:00 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-08 02:44 . 2010-02-08 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-08 02:43 . 2010-02-08 02:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-08 02:35 . 2010-02-08 02:35 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Malwarebytes
2010-02-08 02:35 . 2010-02-08 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 02:25 . 2010-02-08 02:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-08 02:25 . 2010-02-08 02:24 -------- d-----w- c:\program files\Symantec
2010-02-08 02:25 . 2010-02-08 02:24 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-08 02:25 . 2010-02-08 02:24 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-08 02:25 . 2010-02-08 02:24 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-08 02:25 . 2010-02-08 02:24 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-08 02:24 . 2010-02-08 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-08 02:19 . 2010-02-08 02:19 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\ATI
2010-02-08 02:19 . 2010-02-08 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-02-07 23:29 . 2010-02-07 23:29 10134 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{7F311276-1CD6-1661-8BAE-DD9016FE9B8D}\ARPPRODUCTICON.exe
2010-02-07 23:25 . 2010-02-07 22:34 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-07 22:34 . 2010-02-07 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros
2010-02-07 22:01 . 2010-02-07 22:01 -------- d-----w- c:\program files\microsoft frontpage
2010-02-07 21:58 . 2010-02-07 21:58 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-02 18:00 . 2010-02-20 00:27 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-23 00:51 . 2010-01-23 00:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-09 135664]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-31 16269312]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-08-07 573440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-08-07 18:11 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-05-26 01:02 786521 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\launch4j-tmp\\Stanza.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"17419:TCP"= 17419:TCP:BitComet 17419 TCP
"17419:UDP"= 17419:UDP:BitComet 17419 UDP
"2903:TCP"= 2903:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 AM 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [3/20/2010 8:08 PM 93320]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/7/2010 10:33 PM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-630328440-682003330-1003Core.job
- c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-09 04:10]

2010-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-630328440-682003330-1003UA.job
- c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-09 04:10]

2010-03-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tsetsi\Application Data\Mozilla\Firefox\Profiles\sn8ct9fl.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{a65609c4-51d8-4eec-bb52-d7ceaad0a7be} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 10:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-03-23 10:40:17
ComboFix-quarantined-files.txt 2010-03-23 14:40
ComboFix2.txt 2010-03-22 21:07

Pre-Run: 19,509,198,848 bytes free
Post-Run: 19,472,420,864 bytes free

- - End Of File - - 62DFF0B5704463FFAFE5D5A7354411B1
Upload was successful
And
Malwarebytes' Anti-Malware 1.44
Database version: 3904
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/23/2010 10:58:45 AM
mbam-log-2010-03-23 (10-58-45).txt

Scan type: Quick Scan
Objects scanned: 115469
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files



#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:05 AM

Posted 23 March 2010 - 04:06 PM

Hello.

Thanks. Let's run SystemLook again; I was using the wrong thing and need to look at something else.

Run SystemLook
  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    rundll32.exe
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 dexy22

dexy22
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 23 March 2010 - 04:25 PM

OK, here it is.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:22 on 23/03/2010 by Tsetsi (Administrator - Elevation successful)

========== filefind ==========

Searching for "rundll32.exe"
C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe -----c 33280 bytes [12:27 08/02/2010] [12:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\ServicePackFiles\i386\rundll32.exe ------ 33280 bytes [00:12 14/04/2008] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6

-=End Of File=-

#8 dexy22

dexy22
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 23 March 2010 - 05:53 PM

A Symantec window just popped up with BackdoorTidserv!inf --- Left Alone --- Count 2

Ran MBAM, found nothing. Yet Symantec insists it found Tidserv...

Edited by dexy22, 23 March 2010 - 11:44 PM.


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:05 AM

Posted 25 March 2010 - 04:08 PM

Hello.

QUOTE
A Symantec window just popped up with BackdoorTidserv!inf --- Left Alone --- Count 2

Ran MBAM, found nothing. Yet Symantec insists it found Tidserv...

That might just be something we already quarantined. Please let me know the file in question.

Now let's run a script with ComboFix. We are going to fix that error you are getting by copying the file over.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\rundll32.exe | C:\Windows\system32\rundll32.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Let me know if you still get the error when opening Add/Remove Programs.

With Regards,
Extremeboy

Edited by extremeboy, 25 March 2010 - 04:09 PM.

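An added illustration of what the two steps above are checking, not code from the thread or from the SystemLook or ComboFix tools: the `:filefind rundll32.exe` run in post #6 lists every copy of the file with its size and MD5, and the FCopy line in this post restores the live copy under system32 from the ServicePackFiles copy. The Python below parses a filefind log of that shape (the two result lines from post #7, embedded as a constructed sample), reports whether the live copy is missing, and flags any copy whose hash differs from the reference. The line-format regex, the verdict labels, and the second "tampered" sample with its all-zero placeholder hash are this example's own assumptions; the log itself does not tell you which hash is the vendor's, so a definitive check still means comparing against a published known-good hash.

```python
import re
from typing import Dict, List

# Constructed sample input: the filefind block SystemLook produced in post #7
# of this thread (paths, flags, sizes, timestamps and MD5s copied from there).
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:22 on 23/03/2010 by Tsetsi (Administrator - Elevation successful)

========== filefind ==========

Searching for "rundll32.exe"
C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe -----c 33280 bytes [12:27 08/02/2010] [12:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\ServicePackFiles\i386\rundll32.exe ------ 33280 bytes [00:12 14/04/2008] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6

-=End Of File=-
"""

# Second constructed sample: the same two cache copies plus a live system32 copy
# whose MD5 (an obvious placeholder, not a real hash) matches neither of them.
TAMPERED_LOG = SAMPLE_LOG.replace(
    "-=End Of File=-",
    r"C:\WINDOWS\system32\rundll32.exe ----a- 33280 bytes [10:00 20/03/2010] [10:00 20/03/2010] "
    "00000000000000000000000000000000\n-=End Of File=-",
)

# Where Windows loads the file from, and the copy the FCopy fix treats as known-good.
LIVE_PATH = r"C:\WINDOWS\system32\rundll32.exe"
REFERENCE_PATH = r"C:\WINDOWS\ServicePackFiles\i386\rundll32.exe"

# One result line: path, six attribute flags, size, [modified] [created], MD5.
# Assumed layout, derived from the sample lines; SystemLook publishes no format spec.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-a-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+"
    r"\[(?P<created>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<term>[^"]+)"$')


def parse_filefind(log_text: str) -> Dict[str, List[dict]]:
    """Return {search term: [result entries]} for every 'Searching for' block."""
    results: Dict[str, List[dict]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("term")
            results[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[current].append(entry)
    return results


def assess_copies(entries: List[dict], live_path: str, reference_path: str) -> dict:
    """Decide from the listed copies alone what the live file's state is.

    "restore"     : no live copy at all (the situation the FCopy script repairs)
    "ok"          : live copy hashes the same as the reference copy
    "investigate" : live copy present but its hash differs from the reference
    "no-reference": nothing to compare against
    """
    by_path = {e["path"].lower(): e for e in entries}
    live = by_path.get(live_path.lower())
    ref = by_path.get(reference_path.lower())
    ref_md5 = ref["md5"] if ref else None
    if ref is None:
        action = "no-reference"
    elif live is None:
        action = "restore"
    elif live["md5"] == ref_md5:
        action = "ok"
    else:
        action = "investigate"
    others = [e for e in entries
              if e["path"].lower() not in (live_path.lower(), reference_path.lower())]
    return {
        "live_present": live is not None,
        "live_md5": live["md5"] if live else None,
        "reference_md5": ref_md5,
        "action": action,
        "other_copies": [{"path": e["path"], "md5": e["md5"],
                          "matches_reference": e["md5"] == ref_md5} for e in others],
    }


if __name__ == "__main__":
    for label, log in (("post #7 log", SAMPLE_LOG), ("constructed tampered log", TAMPERED_LOG)):
        verdict = assess_copies(parse_filefind(log)["rundll32.exe"], LIVE_PATH, REFERENCE_PATH)
        print(f"{label}: action={verdict['action']} live_md5={verdict['live_md5']}")
        for copy in verdict["other_copies"]:
            print(f"  other copy {copy['path']} matches reference: {copy['matches_reference']}")
```

On the post #7 log the verdict is "restore", because no system32 copy is listed at all; the $NtServicePackUninstall$ copy is reported as not matching the reference, which is expected for a pre-service-pack backup and is why the fix copies from ServicePackFiles rather than from there.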

#10 dexy22

dexy22
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 26 March 2010 - 09:41 AM

It worked! I can open everything in Control Panel.
Thank you thank you thank you

ComboFix 10-03-25.02 - Tsetsi 03/25/2010 17:21:49.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1075 [GMT -4:00]
Running from: c:\documents and settings\Tsetsi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tsetsi\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\rundll32.exe --> c:\windows\system32\rundll32.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-25 21:21 . 2008-04-14 00:12 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-03-25 21:21 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-25 04:35 . 2010-03-25 04:35 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-03-25 04:35 . 2010-03-25 04:35 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-03-24 17:40 . 2010-03-24 17:40 -------- d-----w- c:\documents and settings\Tsetsi\Local Settings\Application Data\Font Fitting Room
2010-03-24 17:40 . 2010-03-24 17:40 -------- d-----w- c:\program files\Font Fitting Room Standard
2010-03-24 07:55 . 2010-03-24 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\MainType
2010-03-24 06:38 . 2010-03-24 06:36 3892808 ----a-w- c:\documents and settings\Tsetsi\Application Data\MainType\MainTypeSetup.exe
2010-03-24 06:38 . 2010-03-24 06:38 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\MainType
2010-03-24 06:38 . 2010-03-24 06:38 -------- d-----w- c:\program files\High-Logic
2010-03-24 03:01 . 2010-03-24 03:01 -------- d-----w- c:\program files\Common Files\FontLab
2010-03-24 03:01 . 2010-03-24 03:01 -------- d-----w- c:\program files\FontLab
2010-03-24 00:51 . 2010-03-24 00:51 -------- d--h--w- c:\windows\PIF
2010-03-23 14:49 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 14:49 . 2010-03-23 14:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 14:49 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 00:09 . 2010-03-21 00:09 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-21 00:07 . 2010-03-24 23:25 -------- d-----w- c:\program files\McAfee
2010-03-21 00:07 . 2010-03-21 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-14 00:52 . 2010-03-14 00:52 -------- d-----w- c:\program files\Stanza
2010-03-14 00:43 . 2010-03-14 00:44 -------- d-----w- c:\program files\Java
2010-03-14 00:43 . 2010-03-14 00:43 -------- d-----w- c:\program files\Common Files\Java
2010-03-13 20:05 . 2010-03-13 20:06 -------- dc-h--w- c:\windows\ie8
2010-03-13 17:42 . 2010-03-13 17:42 0 ----a-w- c:\windows\nsreg.dat
2010-03-13 17:42 . 2010-03-13 17:42 -------- d-----w- c:\documents and settings\Tsetsi\Local Settings\Application Data\Mozilla
2010-03-13 17:14 . 2010-03-13 17:14 -------- d-----w- c:\program files\WinDjView
2010-03-13 17:13 . 2010-03-13 17:13 -------- d-----w- c:\program files\Microsoft Reader
2010-03-13 17:13 . 2003-06-05 22:15 57436 ----a-w- c:\windows\DASShp.dll
2010-03-12 02:43 . 2010-03-12 02:43 -------- d-----w- c:\documents and settings\Tsetsi\Local Settings\Application Data\DietOrganizer
2010-03-12 02:07 . 2010-03-12 02:07 -------- d-----w- c:\documents and settings\Tsetsi\Local Settings\Application Data\IsolatedStorage
2010-03-12 02:06 . 2010-03-12 02:06 86358 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{210A657D-CFDE-4C8C-B361-9DD8CCF77CA2}\_bb32ea6.exe
2010-03-12 02:06 . 2010-03-12 02:06 86358 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{210A657D-CFDE-4C8C-B361-9DD8CCF77CA2}\_5af141bb.exe
2010-03-12 02:06 . 2010-03-12 02:06 1078 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{210A657D-CFDE-4C8C-B361-9DD8CCF77CA2}\_26e91eb.exe
2010-03-12 02:06 . 2010-03-12 02:06 -------- d-----w- c:\program files\DietOrganizer 2.0
2010-03-12 02:04 . 2010-03-12 02:06 -------- d-----w- c:\program files\Calorie Balance Tracker
2010-03-11 00:00 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 22:07 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-03-09 22:07 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-03-09 22:07 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-03-09 22:07 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-03-09 20:51 . 2010-03-09 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-03-09 20:51 . 2010-03-09 20:51 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.2.20.2.dll
2010-03-02 19:25 . 2003-03-31 12:00 138752 -c--a-w- c:\windows\system32\dllcache\sndvol32.exe
2010-03-02 19:25 . 2003-03-31 12:00 138752 ----a-w- c:\windows\system32\sndvol32.exe
2010-03-02 02:53 . 2010-03-02 02:54 -------- d-----w- c:\windows\system32\FLIQLO dir
2010-03-02 02:53 . 2010-03-02 02:53 532480 ----a-w- c:\windows\system32\FLIQLO.scr
2010-03-01 17:00 . 2010-03-01 17:00 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\MSNInstaller
2010-03-01 16:52 . 2010-03-01 17:14 -------- d-----w- c:\program files\Fabio's iTunes Lyrics Downloader 2.8
2010-03-01 03:06 . 2010-03-01 03:06 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\AMPSoft
2010-03-01 03:06 . 2010-03-01 03:06 -------- d-----w- c:\program files\AMP Font Viewer
2010-02-28 06:26 . 2010-02-28 06:26 -------- d-----w- C:\PSFONTS
2010-02-28 06:26 . 2010-02-28 06:26 -------- d-----w- c:\program files\Adobe Type Manager
2010-02-28 06:26 . 2000-05-24 20:20 15360 ----a-w- c:\windows\system32\ATMsrvc.exe
2010-02-28 06:25 . 2000-05-24 20:02 299520 ----a-w- c:\windows\uninst.exe
2010-02-28 06:25 . 2010-02-28 06:25 -------- d-----w- c:\documents and settings\Tsetsi\WINDOWS
2010-02-28 06:25 . 2010-02-28 06:25 -------- d-----w- c:\temp\adobe
2010-02-27 17:15 . 2010-02-27 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-27 17:15 . 2010-02-27 17:15 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Office Genuine Advantage
2010-02-26 21:04 . 2010-03-03 21:38 -------- d-----w- C:\Downloads
2010-02-26 21:04 . 2010-03-24 23:33 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\BitComet
2010-02-26 21:02 . 2010-02-26 21:04 -------- d-----w- c:\program files\BitComet
2010-02-26 15:37 . 2010-03-13 23:37 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 21:26 . 2010-02-11 22:29 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Skype
2010-03-25 21:19 . 2010-02-08 02:24 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-25 21:00 . 2010-02-11 22:32 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\skypePM
2010-03-25 20:59 . 2010-02-16 01:00 -------- d-----w- c:\program files\Common Files\Akamai
2010-03-24 23:05 . 2010-02-08 02:19 37848 ----a-w- c:\documents and settings\Tsetsi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 00:52 . 2010-02-13 00:36 -------- d-----w- c:\program files\Bonjour
2010-03-13 17:13 . 2010-02-07 22:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 00:39 . 2010-02-14 01:01 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\vlc
2010-03-12 23:55 . 2010-02-20 00:18 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\dvdcss
2010-03-11 04:45 . 2010-02-11 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-26 16:18 . 2010-02-09 04:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-23 03:26 . 2010-02-23 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-02-23 03:12 . 2010-02-23 03:12 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Media Player Classic
2010-02-21 08:55 . 2010-02-13 00:37 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Apple Computer
2010-02-20 04:02 . 2010-02-20 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-20 03:15 . 2010-02-20 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-20 02:37 . 2010-02-20 02:37 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\DivX
2010-02-20 00:27 . 2010-02-20 00:27 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-02-20 00:15 . 2010-02-20 00:15 -------- d-----w- c:\program files\DivX
2010-02-20 00:15 . 2010-02-20 00:15 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-19 19:01 . 2010-02-19 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-02-16 01:35 . 2010-02-16 01:35 -------- d-----w- c:\program files\Adobe Media Player
2010-02-16 01:27 . 2010-02-16 01:27 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-02-15 17:01 . 2010-02-15 17:01 -------- d-----w- c:\program files\YouTube Downloader
2010-02-15 08:05 . 2010-02-11 00:29 -------- d-----w- c:\program files\Microsoft Works
2010-02-14 17:43 . 2010-02-14 17:43 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-14 01:00 . 2010-02-14 01:00 -------- d-----w- c:\program files\VideoLAN
2010-02-13 01:48 . 2010-02-13 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-13 00:37 . 2010-02-13 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-13 00:37 . 2010-02-13 00:36 -------- d-----w- c:\program files\iTunes
2010-02-13 00:36 . 2010-02-13 00:36 -------- d-----w- c:\program files\iPod
2010-02-13 00:36 . 2010-02-13 00:34 -------- d-----w- c:\program files\Common Files\Apple
2010-02-13 00:36 . 2010-02-13 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-13 00:36 . 2010-02-13 00:35 -------- d-----w- c:\program files\QuickTime
2010-02-13 00:35 . 2010-02-13 00:35 -------- d-----w- c:\program files\Apple Software Update
2010-02-11 22:32 . 2010-02-11 22:32 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-11 22:28 . 2010-02-11 22:28 -------- d-----w- c:\program files\Common Files\Skype
2010-02-11 22:28 . 2010-02-11 22:28 -------- d-----r- c:\program files\Skype
2010-02-11 22:28 . 2010-02-11 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-02-11 00:28 . 2010-02-11 00:28 -------- d-----w- c:\program files\Microsoft.NET
2010-02-09 04:54 . 2010-02-09 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-09 04:24 . 2010-02-09 04:24 -------- d-----w- c:\program files\MSBuild
2010-02-09 04:24 . 2010-02-09 04:24 -------- d-----w- c:\program files\Reference Assemblies
2010-02-09 04:13 . 2010-02-09 04:13 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-02-09 04:12 . 2010-02-09 04:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-09 04:11 . 2010-02-09 04:11 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-09 00:42 . 2010-02-09 00:42 -------- d-----w- c:\program files\Motorola
2010-02-09 00:40 . 2010-02-09 00:40 -------- d-----w- c:\program files\Synaptics
2010-02-09 00:38 . 2010-02-09 00:38 -------- d-----w- c:\program files\Toshiba
2010-02-09 00:28 . 2010-02-09 00:28 -------- d-----w- c:\program files\Realtek
2010-02-08 13:05 . 2010-02-07 22:00 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-08 02:44 . 2010-02-08 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-08 02:43 . 2010-02-08 02:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-08 02:35 . 2010-02-08 02:35 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\Malwarebytes
2010-02-08 02:35 . 2010-02-08 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 02:25 . 2010-02-08 02:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-08 02:25 . 2010-02-08 02:24 -------- d-----w- c:\program files\Symantec
2010-02-08 02:25 . 2010-02-08 02:24 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-08 02:25 . 2010-02-08 02:24 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-08 02:25 . 2010-02-08 02:24 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-08 02:25 . 2010-02-08 02:24 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-08 02:24 . 2010-02-08 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-08 02:19 . 2010-02-08 02:19 -------- d-----w- c:\documents and settings\Tsetsi\Application Data\ATI
2010-02-08 02:19 . 2010-02-08 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-02-07 23:29 . 2010-02-07 23:29 10134 ----a-r- c:\documents and settings\Tsetsi\Application Data\Microsoft\Installer\{7F311276-1CD6-1661-8BAE-DD9016FE9B8D}\ARPPRODUCTICON.exe
2010-02-07 23:25 . 2010-02-07 22:34 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-07 22:34 . 2010-02-07 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Atheros
2010-02-07 22:01 . 2010-02-07 22:01 -------- d-----w- c:\program files\microsoft frontpage
2010-02-07 21:58 . 2010-02-07 21:58 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-02 18:00 . 2010-02-20 00:27 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-23 00:51 . 2010-01-23 00:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-23_14.38.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-25 20:59 . 2010-03-25 20:59 16384 c:\windows\Temp\Perflib_Perfdata_4bc.dat
+ 2010-03-24 17:40 . 2010-03-24 17:40 781824 c:\windows\Installer\9dbffb.msi
+ 2010-02-28 21:25 . 2010-03-24 23:25 2061056 c:\windows\system32\FNTCACHE.DAT
+ 2010-03-25 03:49 . 2010-03-25 03:49 3085824 c:\windows\Installer\f06dfb.msi
+ 2010-03-25 03:48 . 2010-03-25 03:48 3174400 c:\windows\Installer\f06dc8.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-09 135664]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-31 16269312]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-08-07 573440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-08-07 18:11 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-05-26 01:02 786521 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\launch4j-tmp\\Stanza.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"17419:TCP"= 17419:TCP:BitComet 17419 TCP
"17419:UDP"= 17419:UDP:BitComet 17419 UDP
"2724:TCP"= 2724:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 AM 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [3/20/2010 8:08 PM 93320]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/7/2010 10:33 PM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-630328440-682003330-1003Core.job
- c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-09 04:10]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-630328440-682003330-1003UA.job
- c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-09 04:10]

2010-03-25 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tsetsi\Application Data\Mozilla\Firefox\Profiles\sn8ct9fl.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{a65609c4-51d8-4eec-bb52-d7ceaad0a7be} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 17:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1112)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-03-25 17:29:07
ComboFix-quarantined-files.txt 2010-03-25 21:28
ComboFix2.txt 2010-03-23 14:43
ComboFix3.txt 2010-03-22 21:07

Pre-Run: 18,562,441,216 bytes free
Post-Run: 18,531,848,192 bytes free

- - End Of File - - 0F8CB53123A151906B17689E5A132C0F


#11 dexy22 (Topic Starter)

Posted 27 March 2010 - 06:54 PM

Extremeboy, I don't know if it's important, but the Symantec window popped up a bunch of times in the past couple of days and Backdoor.Tidserv!inf went up from 2 to 3, and now the action no longer says "Left alone" but "Partial"... Does that make any sense?

#12 extremeboy (Malware Response Team)

Posted 27 March 2010 - 09:43 PM

Can you perhaps tell me the file/entry it's detecting? A log or screenshot of something so I can visually see it.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 dexy22 (Topic Starter)

Posted 28 March 2010 - 09:50 AM

Created a log from 3/23 to 3/27 (last night), so here it is. Vundo is no longer there, though. Thanks a million, Extremeboy.

Attached Files



#14 extremeboy (Malware Response Team)

Posted 28 March 2010 - 12:35 PM

Hello again,

I see what it's detecting. No need to worry, those are system restore points and will be removed during our final steps of cleaning up.

Looking good, let's just get one last online scan to get a 2nd opinion.

Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.

Take a new DDS run afterwards and post that log as well for my review. Any other problems/symptoms left?

#15 dexy22 (Topic Starter)

Posted 29 March 2010 - 06:08 PM

Hi again,

I tried to run the ESET online scan and did everything you told me to; it got to 14% and froze for over an hour. It found one thing before freezing. After an hour I clicked STOP and saved the log; it's just one line:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntivirusPlus14.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

Then I tried to run it again, but again it got to 14% and stayed there, and after 15 minutes I got a blue screen for a second and then my laptop crashed and restarted. I couldn't even see what was on the blue screen. I don't know if I should try it a third time...

Symantec's been going nuts in the past few minutes; that system restore stuff is coming up like crazy. Besides that, it found 800+ of something antivirus or another and wanted to reboot, and I didn't let it because I have MBAM on a full scan right now. "damn" is the log for Symantec again. Also, it found and quarantined a wifufulu.exe.vir which for some reason is not in the log. I don't know why these started coming up again; I've been checking every site I go to through McAfee online SiteAdvisor and I haven't downloaded anything but a few ttf font files and typography tools.

I will post the MBAM log when it finishes.

Here's the DDS, though:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tsetsi at 19:00:46.01 on Mon 03/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.912 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Tsetsi\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.1.27.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {a65609c4-51d8-4eec-bb52-d7ceaad0a7be} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Google Update] "c:\documents and settings\tsetsi\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.1.27.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265598237359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tsetsi\applic~1\mozilla\firefox\profiles\sn8ct9fl.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\tsetsi\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-3-20 93320]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-7 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100326.019\naveng.sys [2010-3-26 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100326.019\navex15.sys [2010-3-26 1324720]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]

=============== Created Last 30 ================

2010-03-29 22:51:43 699904 ----a-w- c:\windows\isRS-000.tmp
2010-03-29 19:56:46 0 d-----w- c:\program files\ESET
2010-03-25 21:21:48 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-03-25 21:21:48 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-24 18:21:45 15701 ----a-w- c:\documents and settings\tsetsi\hm
2010-03-24 17:40:41 0 d-----w- c:\program files\Font Fitting Room Standard
2010-03-24 07:55:29 0 d-----w- c:\docume~1\alluse~1\applic~1\MainType
2010-03-24 06:38:51 152 ----a-w- c:\windows\fm1.cfg
2010-03-24 06:38:45 0 d-----w- c:\program files\High-Logic
2010-03-24 06:38:45 0 d-----w- c:\docume~1\tsetsi\applic~1\MainType
2010-03-24 03:01:30 0 d-----w- c:\program files\common files\FontLab
2010-03-24 03:01:28 0 d-----w- c:\program files\FontLab
2010-03-24 00:51:40 0 d--h--w- c:\windows\PIF
2010-03-23 14:49:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 14:49:42 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 14:49:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 20:51:41 0 d-sha-r- C:\cmdcons
2010-03-22 20:30:29 77312 ----a-w- c:\windows\MBR.exe
2010-03-22 20:30:29 261632 ----a-w- c:\windows\PEV.exe
2010-03-22 20:30:28 98816 ----a-w- c:\windows\sed.exe
2010-03-22 20:30:28 161792 ----a-w- c:\windows\SWREG.exe
2010-03-21 00:09:41 0 d-----w- c:\program files\common files\McAfee
2010-03-21 00:07:59 0 d-----w- c:\program files\McAfee
2010-03-14 00:52:13 0 d-----w- c:\program files\Stanza
2010-03-14 00:44:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-13 20:05:33 0 dc-h--w- c:\windows\ie8
2010-03-13 17:14:22 0 d-----w- c:\program files\WinDjView
2010-03-13 17:13:44 57436 ----a-w- c:\windows\DASShp.dll
2010-03-13 17:13:44 0 d-----w- c:\program files\Microsoft Reader
2010-03-12 02:04:39 0 d-----w- c:\program files\Calorie Balance Tracker
2010-03-11 00:00:58 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 22:07:23 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-03-09 22:07:23 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-03-09 22:07:20 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-03-09 22:07:20 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-03-09 20:51:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Kodak
2010-03-02 19:25:17 138752 -c--a-w- c:\windows\system32\dllcache\sndvol32.exe
2010-03-02 19:25:17 138752 ----a-w- c:\windows\system32\sndvol32.exe
2010-03-02 19:03:47 0 d-----w- c:\windows\system32\appmgmt
2010-03-02 02:53:51 532480 ----a-w- c:\windows\system32\FLIQLO.scr
2010-03-02 02:53:51 0 d-----w- c:\windows\system32\FLIQLO dir
2010-03-01 17:00:31 0 d-----w- c:\docume~1\tsetsi\applic~1\MSNInstaller
2010-03-01 16:52:23 0 d-----w- c:\program files\Fabio's iTunes Lyrics Downloader 2.8
2010-03-01 03:06:57 0 d-----w- c:\docume~1\tsetsi\applic~1\AMPSoft
2010-03-01 03:06:12 0 d-----w- c:\program files\AMP Font Viewer
2010-02-28 23:08:24 24490 ----a-w- c:\windows\ATMREG.ATM
2010-02-28 06:26:36 15360 ----a-w- c:\windows\system32\ATMsrvc.exe
2010-02-28 06:26:36 0 d-----w- C:\PSFONTS
2010-02-28 06:26:36 0 d-----w- c:\program files\Adobe Type Manager
2010-02-28 06:25:57 299520 ----a-w- c:\windows\uninst.exe
2010-02-28 06:25:55 0 d-----w- c:\documents and settings\tsetsi\WINDOWS
2010-02-28 06:25:50 0 d-----w- c:\temp\adobe

==================== Find3M ====================

2010-03-24 02:47:28 111236 ----a-w- c:\windows\fonts\Cartographers_Wheel.ttf
2010-03-24 02:45:36 96452 ----a-w- c:\windows\fonts\Chiller.ttf
2010-03-24 02:44:37 112516 ----a-w- c:\windows\fonts\Lassigue_DMato.ttf
2010-03-24 02:24:16 188860 ----a-w- c:\windows\fonts\NevisonCasualSB-Regular.ttf
2010-03-24 02:23:01 82732 ----a-w- c:\windows\fonts\dearJoe_II.ttf
2010-03-24 02:21:51 31252 ----a-w- c:\windows\fonts\dearJoe_Italic.ttf
2010-03-24 02:21:23 83384 ----a-w- c:\windows\fonts\dearJoe_four.ttf
2010-03-24 02:08:28 58888 ----a-w- c:\windows\fonts\Jiggery_Pokery.ttf
2010-03-24 01:54:45 98205 ----a-w- c:\windows\fonts\37139___.TTF
2010-03-24 00:37:48 83676 ----a-w- c:\windows\fonts\Zipty_Do.ttf
2010-03-23 05:31:29 95144 ----a-w- c:\windows\fonts\P22_Cezanne_Regular.ttf
2010-03-23 05:28:56 17368 ----a-w- c:\windows\fonts\P22_Bayer_Fonetik.ttf
2010-03-23 05:28:53 28144 ----a-w- c:\windows\fonts\P22_Bayer_Universal.ttf
2010-03-23 05:27:55 12012 ----a-w- c:\windows\fonts\P22_Bauhaus_Extras.ttf
2010-03-23 05:24:35 65084 ----a-w- c:\windows\fonts\P22_Art_Nouveau_Cafe.ttf
2010-03-23 05:24:28 76704 ----a-w- c:\windows\fonts\P22_Art_Nouveau_Bistro (1).ttf
2010-03-23 05:23:44 76704 ----a-w- c:\windows\fonts\P22_Art_Nouveau_Bistro.ttf
2010-03-23 05:14:28 60200 ----a-w- c:\windows\fonts\P22_Eaglefeather_Italic.ttf
2010-03-23 05:14:06 59752 ----a-w- c:\windows\fonts\P22_Eaglefeather_BoldItalic.ttf
2010-03-23 05:13:36 52552 ----a-w- c:\windows\fonts\P22_Eaglefeather_Bold.ttf
2010-03-23 05:12:52 51888 ----a-w- c:\windows\fonts\P22_Eaglefeather.ttf
2010-03-23 05:00:04 51656 ----a-w- c:\windows\fonts\P22_Da_Vinci_Forward.ttf
2010-03-10 20:10:50 83020 ----a-w- c:\windows\fonts\Wet Dream.ttf
2010-02-08 02:25:01 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-08 02:25:01 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-08 02:25:01 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-08 02:25:01 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-07 21:58:07 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-07 04:28:42 34888 ----a-w- c:\windows\fonts\sickcapital-vice-otf.otf
2010-02-02 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll

============= FINISH: 19:01:24.34 ===============

Attached Files


Edited by dexy22, 29 March 2010 - 07:58 PM.
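As an added example (not code from DDS, ComboFix, BleepingComputer or anyone in this thread), the script below does mechanically the kind of triage extremeboy is doing by eye on the two autostart listings quoted here: the ComboFix "Reg Loading Points" block (REGEDIT4 syntax) earlier in the thread and the DDS "Pseudo HJT Report" in this post. The sample lines are copied from those logs, except the DPF line pointing at example.invalid, which is constructed so the untrusted-host branch has something to hit; the trusted-host allowlist and the user-writable path fragments are assumptions made for the example. It flags the orphaned BHO ({a65609c4-…} - No File, later listed under ORPHANS REMOVED), Run entries whose filename is unqualified or whose executable lives under the user profile, every Winlogon Notify package (BHOs and Notify DLLs were the classic Vundo persistence points), ActiveX downloads from unexpected hosts, the Security Center DisableMonitoring value, the non-default svchost group and each firewall exception. A "verify" finding means confirm the file is the signed vendor binary, not that it is malicious: every hit from this thread's own log lines (Google Update, Realtek's RTHDCPL, Symantec's NavLogon and DisableMonitoring, Akamai NetSession) corresponds to a known product.

```python
"""Triage of the two autostart listings quoted in this thread (ComboFix 'Reg Loading Points'
in REGEDIT4 syntax, DDS 'Pseudo HJT Report'). Added example, not DDS/ComboFix/BleepingComputer code."""
import re
# Assumptions for this example: expected ActiveX (DPF) hosts and user-writable path fragments (XP).
DPF_TRUSTED_HOSTS = (".microsoft.com", ".sun.com", ".macromedia.com", ".adobe.com", ".akamai.com")
USER_WRITABLE = ("documents and settings", "docume~1", "local settings", "application data", "\\temp\\", "%temp%")
DDS_LINE = re.compile(r"^(?P<kind>BHO|uRun|mRun|Notify|DPF):\s*(?P<body>.*)$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

# Copied from the DDS report in this post; the example.invalid DPF line is constructed.
SAMPLE_DDS = r"""
BHO: {a65609c4-51d8-4eec-bb52-d7ceaad0a7be} - No File
uRun: [Google Update] "c:\documents and settings\tsetsi\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {00000000-0000-0000-0000-000000000000} - hxxp://example.invalid/update.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
"""

# Copied from the ComboFix Reg Loading Points block earlier in this thread.
SAMPLE_COMBOFIX = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Tsetsi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-09 135664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-31 16269312]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitComet\\BitComet.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
"""

def _exe_of(command):
    """Executable part of a Run value: '"c:\\a b\\x.exe" /c' -> 'c:\\a b\\x.exe'."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def _check_run(label, command):
    """Flag a Run entry whose file is unqualified (PATH/App Paths lookup) or user-writable."""
    exe = _exe_of(command)
    low = exe.lower()
    if "\\" not in low and "%" not in low:
        return ("verify", f"{label}: unqualified filename {exe!r} is resolved via PATH/App Paths")
    if any(frag in low for frag in USER_WRITABLE):
        return ("verify", f"{label}: runs from a user-writable location: {exe}")
    return None

def triage_dds(text):
    """Return (severity, note) findings for a DDS Pseudo HJT Report."""
    findings = []
    for m in filter(None, (DDS_LINE.match(raw.strip()) for raw in text.splitlines())):
        kind, body = m["kind"], m["body"]
        if kind == "BHO" and body.endswith("- No File"):
            findings.append(("cleanup", f"orphaned BHO registration: {body}"))
        elif kind in ("uRun", "mRun"):
            close = body.index("]")
            hit = _check_run(f"{kind} [{body[1:close]}]", body[close + 1:])
            if hit:
                findings.append(hit)
        elif kind == "Notify":  # notification packages are loaded into winlogon.exe
            findings.append(("verify", f"Winlogon notification package: {body}"))
        elif kind == "DPF":
            host = re.search(r"hxxps?://([^/]+)/", body)  # DDS writes http as hxxp
            if host and not ("." + host[1].lower()).endswith(DPF_TRUSTED_HOSTS):
                findings.append(("verify", f"ActiveX download from unexpected host {host[1]}"))
    return findings

def triage_combofix(text):
    """Return (severity, note) findings for a ComboFix Reg Loading Points block."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = REG_VALUE.match(line)
        if line and key.endswith("\\currentversion\\svchost"):  # extra groups are bare lines
            findings.append(("verify", f"non-default svchost service group: {line}"))
        elif not m:
            continue
        elif ("security center\\monitoring" in key and m["name"].lower() == "disablemonitoring"
              and m["value"].endswith("1")):
            product = key.rsplit("\\", 1)[-1]
            findings.append(("verify", f"Security Center monitoring disabled for {product}"))
        elif key.endswith("\\currentversion\\run"):
            hit = _check_run(f"Run [{m['name']}]", m["value"])
            if hit:
                findings.append(hit)
        elif "authorizedapplications" in key:
            findings.append(("info", f"firewall exception: {m['name']}"))
    return findings

if __name__ == "__main__":
    print(*[f"[{s}] {n}" for s, n in triage_combofix(SAMPLE_COMBOFIX) + triage_dds(SAMPLE_DDS)], sep="\n")
```

Run it as is and it prints ten findings for the embedded samples; point `triage_dds` or `triage_combofix` at a saved log to triage a real one. The severities are deliberately conservative: "cleanup" is for dangling registrations that can simply be removed, "verify" for loading points that deserve a signature or hash check, and "info" for firewall exceptions, which say nothing about malware but do list what is allowed inbound.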




