
Search Engine Redirecting virus (Possibly Trojan Pakes.AV?)


  • This topic is locked
81 replies to this topic

#1 rmrippers

  • Members
  • 48 posts

Posted 23 March 2010 - 08:45 AM

Hey, I'm having problems with various things on my laptop. I'm using Vista, and Firefox is my chosen web browser.

Firstly, my homepage for Firefox is http://en-gb.start3.mozilla.com/firefox?cl...:en-GB:official When I try to load the page it comes up with an error message saying:

"The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

* This problem can sometimes be caused by disabling or refusing to accept
cookies."

Secondly, Internet Explorer occasionally randomly opens on random websites without any prompting.

Thirdly, I kept getting notifications from my AVG that a trojan was being detected called "Trojan horse Pakes.AV" located in my svchost.exe file. However, today I have not yet received any of these messages.

Fourthly, today I received a number of AVG notifications telling me that a threat had been detected in the C:\ folder (I can't recall what the file was called, but it was of the form C:\(unknown).exe where the filename appeared to be a random string of letters with a double 'b' in there. Sorry I can't be more specific.)

Fifthly, when I try to use a search engine, the links redirect me to other search engines or random websites.

Finally, I cannot access www.malwarebytes.org despite the fact that my Internet connection seems to be in working order. When trying to access the site it comes up with:
"Server not found

Firefox can't find the server at www.malwarebytes.org.

* Check the address for typing errors such as
ww.example.com instead of
www.example.com

* If you are unable to load any pages, check your computer's network
connection.

* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web."

Here is my DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Rippers at 11:13:15.01 on 23/03/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.617 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Bvebaa.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Rippers\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Users\Rippers\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.uk.acer.yahoo.com
uSEARCH PAGE = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Ckoqi] rundll32.exe "c:\users\rippers\appdata\local\Aufdirm.dll",Startup
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Acer Tour]
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eRecoveryService]
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NPSStartup]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: NameServer = 93.188.162.10,93.188.166.94
TCP: {8640399F-0E7D-4BC5-8DE2-41112F179B55} = 93.188.162.10,93.188.166.94
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\rippers\appdata\roaming\mozilla\firefox\profiles\0cs5blnp.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 335240]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2008-3-26 27784]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20080623.001\IDSvix86.sys [2008-6-24 261680]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-2-17 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-2-17 108904]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-28 297752]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-9-26 233472]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-2-17 779496]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-6-24 109616]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-9-26 36608]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2006-11-21 37008]
RUnknown SASDIFSV;SASDIFSV; [x]
RUnknown SASENUM;SASENUM; [x]
RUnknown SASKUTIL;SASKUTIL; [x]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-8 179712]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-30 21504]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2009-9-26 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2009-9-26 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2009-9-26 121856]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-3-26 1251720]

=============== Created Last 30 ================

2010-03-23 11:11:16 0 ----a-w- c:\users\rippers\defogger_reenable
2010-03-23 01:32:54 318912415 ----a-w- c:\windows\MEMORY.DMP
2010-03-23 00:33:59 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-23 00:33:52 0 d-----w- c:\users\rippers\appdata\roaming\SUPERAntiSpyware.com
2010-03-23 00:33:52 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-23 00:30:24 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-23 00:29:13 54156 ---ha-w- c:\windows\QTFont.qfn
2010-03-23 00:29:13 1409 ----a-w- c:\windows\QTFont.for
2010-03-23 00:27:57 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-22 16:44:40 0 d-----w- c:\program files\MagicISO
2010-03-22 16:39:08 0 d-----w- c:\program files\File Helper
2010-03-22 15:30:29 0 d-----w- c:\programdata\Azureus
2010-03-22 15:25:47 162816 ----a-w- c:\windows\Bvebaa.exe
2010-03-22 15:25:23 46592 ----a-w- c:\windows\qbwr4445.exe
2010-03-12 01:04:14 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 01:04:08 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-12 01:04:08 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-24 17:24:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 17:23:25 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 17:23:25 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 17:23:18 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 17:23:15 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 17:23:15 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 17:23:15 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 17:23:14 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 17:23:14 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 17:23:14 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 17:23:07 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 17:23:05 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-24 17:23:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

==================== Find3M ====================

2010-02-24 10:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2009-11-18 09:40:45 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 09:40:45 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-18 09:40:45 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-18 09:40:45 143360 ----a-w- c:\windows\inf\infstor.dat
2008-05-31 11:01:09 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-11-27 07:58:37 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 11:16:20.42 ===============


Edited by Orange Blossom, 23 March 2010 - 10:05 PM.
Fix link. ~ OB
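The DDS "Pseudo HJT Report" and "Created Last 30" sections above are what a log reviewer reads first, and a few of its lines carry the whole story: a per-user Run entry that uses rundll32 to load a DLL out of AppData\Local, two freshly created executables sitting directly in C:\Windows, and statically configured DNS servers. As an added example (written for this page, not part of DDS, GMER, ComboFix or any BleepingComputer tool), the Python below applies those reviewer heuristics to lines copied from the log, plus one path from the ComboFix "Other Deletions" list later in the thread, where a space has been inserted before the extension to imitate a legitimate binary. The rule names, the regexes and the choice of what to flag are assumptions of this example; it marks lines for a human to look at and does not decide anything on its own.

```python
"""Heuristic triage of DDS-style autorun and file-creation lines.

Added example for this thread, not part of the DDS, GMER or ComboFix tools.
Rule names, thresholds and the flagging logic are assumptions of this
example; the sample lines are copied from the logs posted in the thread.
"""
import re

# Constructed excerpt: lines copied from the DDS log in the first post, plus
# one path from the ComboFix "Other Deletions" list later in the thread.
SAMPLE_LOG = r"""
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Ckoqi] rundll32.exe "c:\users\rippers\appdata\local\Aufdirm.dll",Startup
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
TCP: NameServer = 93.188.162.10,93.188.166.94
2010-03-22 15:25:47 162816 ----a-w- c:\windows\Bvebaa.exe
2010-03-22 15:25:23 46592 ----a-w- c:\windows\qbwr4445.exe
2010-03-12 01:04:14 24064 ----a-w- c:\windows\system32\nshhttp.dll
c:\windows\system32\hkcmd .exe
"""

# "uRun"/"mRun" = per-user / machine-wide Run keys in the DDS pseudo-HJT report.
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# "Created Last 30" rows: date time size attributes path
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ \S{8} (?P<path>.+)$')
DNS_RE = re.compile(r'^TCP: NameServer = (?P<servers>.+)$')
# First quoted-or-bare DLL path inside a rundll32 command line.
DLL_RE = re.compile(r'"?(?P<dll>[a-z]:\\[^",]+\.dll)"?', re.I)


def windows_root_exe(path):
    """True if `path` is an .exe directly in c:\\windows\\ (no subfolder).
    Legitimate files live there too, so this only matters for *new* files."""
    p = path.strip().lower()
    return p.startswith('c:\\windows\\') and p.count('\\') == 2 and p.endswith('.exe')


def space_before_extension(path):
    """True for names like 'hkcmd .exe' that imitate a real binary."""
    return re.search(r'\s+\.[a-z0-9]{2,4}$', path.strip(), re.I) is not None


def triage(text):
    """Return (rule, detail...) tuples for lines worth a reviewer's attention."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if space_before_extension(line):
            findings.append(('space_before_extension', line))
        m = RUN_RE.match(line)
        if m:
            cmd = m.group('cmd')
            dll = DLL_RE.search(cmd)
            # rundll32 pulling a DLL out of the user profile is the pattern
            # behind the [Ckoqi] entry that ComboFix later removed.
            if 'rundll32' in cmd.lower() and dll and '\\appdata\\' in dll.group('dll').lower():
                findings.append(('autorun_dll_in_profile', m.group('name'), dll.group('dll')))
            continue
        m = CREATED_RE.match(line)
        if m and windows_root_exe(m.group('path')):
            findings.append(('new_exe_in_windows_root', m.group('path')))
            continue
        m = DNS_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group('servers').split(',')]
            # Statically set resolvers are not proof of anything by themselves;
            # the reviewer compares them with what the ISP or router hands out.
            findings.append(('static_dns_servers', servers))
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run on the excerpt it reports five findings: the [Ckoqi] autorun, the two DNS servers for verification, Bvebaa.exe and qbwr4445.exe as new files in the Windows root, and the "hkcmd .exe" lookalike. The ordinary entries (Skype, PLFSet, igfxtray, the nshhttp.dll update) pass through silently, which is the point: the heuristics narrow a 300-line log to the handful of lines a helper on the Malware Response Team would ask about.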




#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 March 2010 - 05:24 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run the rootkit scanner Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 rmrippers
  • Topic Starter

  • Members
  • 48 posts

Posted 27 March 2010 - 09:52 AM

Before I post my log, I thought I'd just mention some new symptoms my laptop is showing. Firstly, when I reboot it asks me lots of User Account Control messages to let programs run. I'm not allowing them because I don't know what they are. Also I get lots and lots of messages continually asking me to allow wmpscfgs.exe to run - my computer gets swamped with them. Again, I disallow each time because I don't know what it is.

I had to run the GMER in safe mode because I kept getting blue screened (It said something about forcing a shutdown to prevent damage to my laptop.)

Thanks for the help. Here's my gmer.log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-27 14:41:03
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Rippers\AppData\Local\Temp\fwdyikoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\DRIVERS\iaStor.sys entry point in ".rsrc" section [0x828D2014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[820] ntdll.dll!NtProtectVirtualMemory 77354D34 5 Bytes JMP 001B000A
.text C:\Windows\system32\svchost.exe[820] ntdll.dll!NtWriteVirtualMemory 77355674 5 Bytes JMP 0071000A
.text C:\Windows\system32\svchost.exe[820] ntdll.dll!KiUserExceptionDispatcher 77355DC8 5 Bytes JMP 0018000A
.text C:\Windows\Explorer.EXE[1096] ntdll.dll!NtProtectVirtualMemory 77354D34 5 Bytes JMP 007D000A
.text C:\Windows\Explorer.EXE[1096] ntdll.dll!NtWriteVirtualMemory 77355674 5 Bytes JMP 007E000A
.text C:\Windows\Explorer.EXE[1096] ntdll.dll!KiUserExceptionDispatcher 77355DC8 5 Bytes JMP 007C000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 84E7ECA1

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\DRIVERS\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 March 2010 - 10:09 AM

You're right to stop that file running as it's a trojan. Gmer has tagged this as TDSS rootkit so we need to run Combofix straight off to replace the infected system file.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#5 rmrippers
  • Topic Starter

  • Members
  • 48 posts

Posted 27 March 2010 - 12:42 PM

Here you go. I disabled AVG Resident Shield, but it still said the antivirus stuff was running anyway. Also, I couldn't find a way to disable Norton Internet Security, so I just let ComboFix run. I hope I haven't caused any major problems. Here's the log:

ComboFix 10-03-26.02 - Rippers 27/03/2010 17:11:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.543 [GMT 0:00]
Running from: c:\users\Rippers\Desktop\comfix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\app_dll.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1871311853-3798006857-1983642938-500
c:\program files\Adobe\197030073.old
c:\program files\Adobe\244302308.old
c:\program files\Adobe\248525.old
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\users\Rippers\AppData\Local\Aufdirm.dll
c:\users\Rippers\AppData\Local\uwikujikapa.dll
c:\windows\system32\app_dll.dll
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\rthdvcpl .exe
c:\windows\system32\SIntf16.dll
c:\windows\system32\spool\prtprocs\w32x86\00007ec5.tmp
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
D:\install.exe

Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-27 17:22 . 2010-03-27 17:26 -------- d-----w- c:\users\Rippers\AppData\Local\temp
2010-03-27 17:22 . 2010-03-27 17:22 -------- d-----w- c:\users\Mummy Ripley\AppData\Local\temp
2010-03-27 17:22 . 2010-03-27 17:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-27 13:58 . 2010-03-27 13:58 -------- d-sh--w- c:\users\Rippers\AppData\Roaming\lowsec
2010-03-26 12:42 . 2010-03-27 12:25 0 ----a-w- c:\users\Rippers\AppData\Local\Akimikere.bin
2010-03-26 12:42 . 2010-03-27 14:45 120 ----a-w- c:\users\Rippers\AppData\Local\Sgacite.dat
2010-03-26 12:42 . 2010-03-26 12:42 -------- d-----w- c:\users\Rippers\AppData\Local\{390774CC-B50A-48DF-8113-C464856B5956}
2010-03-25 21:35 . 2010-03-27 13:04 94208 ----a-w- c:\windows\system32\app_dll.dll.vir
2010-03-25 17:00 . 2010-03-27 16:43 27648 ----a-w- c:\windows\system32\rthdvcpl.exe
2010-03-24 13:34 . 2010-03-24 13:34 -------- d-----w- c:\users\Rippers\AppData\Local\Apple
2010-03-23 00:33 . 2010-03-23 00:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-23 00:33 . 2010-03-23 11:04 -------- d-----w- c:\users\Rippers\AppData\Roaming\SUPERAntiSpyware.com
2010-03-23 00:33 . 2010-03-23 11:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-23 00:30 . 2010-03-23 00:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-23 00:27 . 2008-01-02 16:33 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-22 23:20 . 2010-03-22 23:20 -------- d--h--w- c:\users\Rippers\AppData\Local\acer eNM
2010-03-22 16:44 . 2010-03-22 16:51 -------- d-----w- c:\program files\MagicISO
2010-03-22 16:39 . 2010-03-22 22:44 -------- d-----w- c:\program files\File Helper
2010-03-22 16:24 . 2010-03-22 16:24 -------- d-----w- c:\windows\Sun
2010-03-22 15:30 . 2010-03-22 15:30 -------- d-----w- c:\programdata\Azureus
2010-03-22 15:25 . 2010-03-22 15:25 46592 ----a-w- c:\windows\qbwr4445.exe
2010-03-12 01:04 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 01:04 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 01:04 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 17:29 . 2008-09-05 17:26 -------- d-----w- c:\programdata\Kontiki
2010-03-27 17:29 . 2009-11-10 16:07 -------- d-----w- c:\users\Rippers\AppData\Roaming\Skype
2010-03-27 17:28 . 2009-11-10 16:09 -------- d-----w- c:\users\Rippers\AppData\Roaming\skypePM
2010-03-27 17:27 . 2008-05-30 08:48 -------- d-----w- c:\program files\iTunes
2010-03-27 17:27 . 2008-05-20 12:38 -------- d-----w- c:\program files\QuickTime
2010-03-27 17:27 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-27 17:27 . 2008-01-02 17:06 27648 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-27 17:27 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxtray.exe
2010-03-27 17:27 . 2007-11-27 07:24 -------- d-----w- c:\program files\Launch Manager
2010-03-27 17:27 . 2006-11-02 08:48 27648 ----a-w- c:\windows\system32\rundll32.exe
2010-03-27 17:26 . 2010-03-27 16:58 94208 ----a-w- c:\windows\system32\app_dll.dll
2010-03-27 17:12 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxpers .exe
2010-03-27 17:12 . 2008-01-02 17:06 27648 ----a-w- c:\windows\system32\hkcmd .exe
2010-03-27 17:12 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxtray .exe
2010-03-27 14:46 . 2009-07-24 08:45 680 ----a-w- c:\users\Rippers\AppData\Local\d3d9caps.dat
2010-03-26 12:39 . 2007-06-25 01:38 -------- d-----w- c:\program files\Norton Internet Security
2010-03-26 12:39 . 2007-06-25 01:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-26 07:24 . 2008-05-28 14:37 0 ----a-w- c:\users\Mummy Ripley\AppData\Local\prvlcl.dat
2010-03-12 10:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 01:10 . 2007-06-25 01:48 -------- d-----w- c:\programdata\Microsoft Help
2010-02-25 09:21 . 2010-02-25 09:21 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-02-25 09:20 . 2008-03-26 17:49 100432 ----a-w- c:\users\Rippers\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 10:16 . 2009-10-05 07:58 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-15 16:55 . 2010-02-15 16:55 -------- d-----w- c:\users\Rippers\AppData\Roaming\Trusteer
2010-02-15 16:55 . 2010-02-15 16:55 -------- d-----w- c:\program files\Trusteer
2010-02-15 16:54 . 2010-02-15 16:54 -------- d-----w- c:\programdata\Trusteer
2010-01-25 12:00 . 2010-02-24 17:23 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 17:23 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 17:23 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 17:23 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 17:23 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 17:23 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 17:23 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 17:23 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 17:23 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 17:24 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-06 15:39 . 2010-02-24 17:23 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-24 17:23 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 13:30 . 2010-02-24 17:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2007-11-27 07:58 . 2007-11-27 07:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
<pre>
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\pifsvc .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Launch Manager\lmanager .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Samsung\Samsung New PC Studio\npsagent .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\System32\hkcmd .exe
c:\windows\System32\igfxpers .exe
c:\windows\System32\igfxtray .exe
c:\windows\System32\rundll32 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2010-03-27 27648]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-03-27 27648]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-03-27 27648]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-27 27648]
"Ckoqi"="c:\users\Rippers\AppData\Local\Aufdirm.dll" [N/A]
"Xtabica"="c:\users\Rippers\AppData\Local\uwikujikapa.dll" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2010-03-27 27648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-27 27648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-26 27648]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-03-26 27648]
"Acer Tour"="" [N/A]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2010-03-27 27648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2010-03-27 27648]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2010-03-27 27648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2010-03-27 27648]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2010-03-27 27648]
"eRecoveryService"="" [N/A]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2010-03-27 27648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2010-03-26 27648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-27 27648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-27 27648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-27 27648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-27 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-27 27648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-03-27 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-03-27 27648]
"NPSStartup"="" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-27 27648]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-6-25 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):23,a9,f6,74,50,41,ca,01

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-17 335240]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080623.001\IDSvix86.sys [2008-03-12 261680]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-02-17 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-02-17 108904]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-17 297752]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-02-17 779496]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-03-18 109616]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2006-11-21 37008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-27 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

2010-03-25 c:\windows\Tasks\Norton Security Scan for Rippers.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-13 12:50]

2010-03-27 c:\windows\Tasks\User_Feed_Synchronization-{4AA846E1-A3B1-4E18-A467-B6943D08ED4E}.job
- c:\windows\system32\msfeedssync.exe [2008-05-30 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Rippers\AppData\Roaming\Mozilla\Firefox\Profiles\0cs5blnp.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 17:26
Windows 6.0.6002 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQuerySystemInformation

scanning hidden processes ...

c:\acer\Empowering Technology\eNet\eNet Service.exe [2204]
c:\program files\microsoft office\office12\groovemonitor .exe [2736]
c:\program files\itunes\ituneshelper .exe [4352]
c:\program files\java\jre6\bin\jusched .exe [4024]
c:\program files\avg\avg8\avgtray .exe [5656]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\app_dll.dll

- - - - - - - > 'lsass.exe'(608)
c:\windows\system32\app_dll.dll

- - - - - - - > 'Explorer.exe'(8500)
c:\windows\system32\app_dll.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\rthdvcpl.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-03-27 17:36:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-27 17:36

Pre-Run: 33,157,398,528 bytes free
Post-Run: 33,260,646,400 bytes free

- - End Of File - - 64E4017A081747C8566D208D0117674E


#6 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 March 2010 - 05:29 PM

Quite a lot taken out and still quite a bit to go.


Check this file for me at Jotti

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\qbwr4445.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal


Now back to Combofix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\users\Rippers\AppData\Roaming\lowsec
c:\users\Rippers\AppData\Local\Akimikere.bin
c:\users\Rippers\AppData\Local\Sgacite.dat
c:\windows\system32\app_dll.dll.vir
c:\users\Rippers\AppData\Local\{390774CC-B50A-48DF-8113-C464856B5956}
c:\users\Rippers\AppData\Local\Aufdirm.dll
c:\users\Rippers\AppData\Local\uwikujikapa.dll

Folder::
c:\users\Rippers\AppData\Roaming\lowsec

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ckoqi"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xtabica"=-

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

AtJob::


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Let me know how the PC is performing. The redirection should have already stopped with the replacement of iastor.sys
m0le is a proud member of UNITE
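
The log in post #5 and the CFScript above between them show what is worth pulling out of any ComboFix log: file names with a space before the extension (hkcmd .exe planted beside the real hkcmd.exe), Run values that point straight at a DLL, EnableLUA, DisableRegistryTools, LoadAppInit_DLLs and DisableMonitoring flipped to their weakened state, At1.job through At24.job all launching one binary, and app_dll.dll listed inside winlogon.exe and lsass.exe. The script below is an added example, not part of this thread and not ComboFix's own code: it parses those ComboFix line formats and reports each indicator. SAMPLE_LOG is a constructed excerpt modelled on the posted log, and the regex names, the WEAKENED table and the function names are this example's own assumptions.

```python
"""Triage a ComboFix log for the indicators in this thread's log (added example, not ComboFix's code)."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted log (assumption: real logs use these same line formats).
SAMPLE_LOG = r"""c:\windows\system32\hkcmd .exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-27 27648]
"Ckoqi"="c:\users\Rippers\AppData\Local\Aufdirm.dll" [N/A]
"Xtabica"="c:\users\Rippers\AppData\Local\uwikujikapa.dll" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

2010-03-27 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]
2010-03-27 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 17:27]

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\app_dll.dll"""

REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DISGUISED_RE = re.compile(r"[a-z]:\\[^\"\[]*?\s+\.(?:exe|dll|sys)\b", re.I)  # "hkcmd .exe" next to hkcmd.exe
TARGET_RE = re.compile(r"^(.*?\.(exe|dll|scr|com|bat|cmd))(?:\s|$)", re.I)    # executable path before any arguments
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\S.*\\Tasks\\(.+?\.job)$", re.I)
TASK_TARGET_RE, PROC_RE = re.compile(r"^-\s+(.*?)\s+\["), re.compile(r"^(?:- )+> '([^']+)'\(\d+\)")
# Hardening switches and the value ComboFix shows once malware has flipped them (this example's own table).
WEAKENED = {"EnableLUA": 0, "DisableRegistryTools": 1, "LoadAppInit_DLLs": 1, "DisableMonitoring": 1, "AntiVirusOverride": 1}

def parse_reg_value(line):  # '"N"="data" [info]' -> (N, 'data'); '"N"= 0 (0x0)' -> (N, 0); '"N"=dword:00000001' -> (N, 1)
    m = re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
    if not m:
        return None
    name, rest = m.group(1), m.group(2).strip()
    if rest.startswith('"'):
        return name, rest[1:rest.find('"', 1)]
    if rest.startswith("dword:"):
        return name, int(rest[6:14], 16)
    tok = rest.split(" ", 1)[0]
    return name, (int(tok) if tok.isdigit() else tok)

def reg_values(lines):  # yield (key, name, data) for value lines under a [HKEY_...] header; a blank line ends the key
    key = None
    for line in lines:
        km = REG_KEY_RE.match(line)
        key = km.group(1) if km else (key if line.strip() else None)
        parsed = parse_reg_value(line) if key and not km else None
        if parsed:
            yield (key,) + parsed

def suspicious_run_entries(lines):  # Run values whose target is a DLL (not launchable by itself) or a disguised name
    out = []
    for key, name, data in reg_values(lines):
        m = TARGET_RE.match(str(data)) if key.lower().endswith("\\run") else None
        if m:
            path, ext = m.group(1), m.group(2).lower()
            reasons = (["Run value points at a DLL"] * (ext == "dll")
                       + ["space before extension"] * bool(DISGUISED_RE.search(path)))
            if reasons:
                out.append((name, path, reasons))
    return out

def at_jobs_by_target(lines):  # target -> [At<N>.job, ...] for at.exe-created tasks; other .job names are ignored
    targets, pending = defaultdict(list), None
    for line in lines:
        tm, tt = TASK_RE.match(line), TASK_TARGET_RE.match(line)
        if pending and tt and re.fullmatch(r"At\d+\.job", pending, re.I):
            targets[tt.group(1).lower()].append(pending)
        pending = tm.group(1) if tm else None
    return dict(targets)

def dlls_by_process(lines):  # 'DLLs Loaded Under Running Processes' section -> {process: [dll paths]}
    out, proc = defaultdict(list), None
    for line in lines:
        pm = PROC_RE.match(line)
        proc = pm.group(1).lower() if pm else (proc if line.strip() else None)
        if proc and not pm and re.match(r"[a-z]:\\", line, re.I):
            out[proc].append(line.strip().lower())
    return dict(out)

def triage(log_text):  # every indicator category for one ComboFix log, as plain Python structures
    lines = log_text.splitlines()
    return {
        "disguised_files": sorted({m.group(0).lower() for m in map(DISGUISED_RE.search, lines) if m}),
        "suspicious_run_entries": suspicious_run_entries(lines),
        "weakened_settings": [(key, name) for key, name, data in reg_values(lines) if WEAKENED.get(name) == data],
        "at_jobs_by_target": at_jobs_by_target(lines),
        "dlls_by_process": dlls_by_process(lines),  # anything listed under winlogon.exe or lsass.exe deserves a look
    }
```

To use it on a real run, call triage() on the text of C:\ComboFix.txt (open the file with errors="replace", since ComboFix logs are not always clean UTF-8) and compare the output with the File::, Registry:: and AtJob:: sections of the CFScript: the Run values it flags are the ones the Registry:: block deletes, and the At<N>.job list is what the bare AtJob:: directive cleared in the second log.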

#7 rmrippers
  • Topic Starter
  • Members
  • 48 posts

Posted 27 March 2010 - 07:03 PM

:D Right, my performance is definitely improving: I've not got the redirecting problem, and I don't seem to get any messages asking me to run things when I boot up, but there are still a few little things which I worry could be problems, e.g. Windows Explorer loading very slowly, or links to switch my firewall back on not seeming to do anything.

I'm attaching the Jotti thing. I just did a screenshot because I wasn't sure what bits you'd need.

And here's the ComboFix log. Thanks again for doing this, it's really appreciated!


ComboFix 10-03-26.02 - Rippers 27/03/2010 23:36:36.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.881 [GMT 0:00]
Running from: c:\users\Rippers\Desktop\comfix.exe
Command switches used :: c:\users\Rippers\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Rippers\AppData\Local\{390774CC-B50A-48DF-8113-C464856B5956}"
"c:\users\Rippers\AppData\Local\Akimikere.bin"
"c:\users\Rippers\AppData\Local\Aufdirm.dll"
"c:\users\Rippers\AppData\Local\Sgacite.dat"
"c:\users\Rippers\AppData\Local\uwikujikapa.dll"
"c:\users\Rippers\AppData\Roaming\lowsec"
"c:\windows\system32\app_dll.dll.vir"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\users\Rippers\AppData\Local\{390774CC-B50A-48DF-8113-C464856B5956}
c:\users\Rippers\AppData\Local\{390774CC-B50A-48DF-8113-C464856B5956}\chrome.manifest
c:\users\Rippers\AppData\Local\{390774CC-B50A-48DF-8113-C464856B5956}\chrome\content\_cfg.js
c:\users\Rippers\AppData\Local\{390774CC-B50A-48DF-8113-C464856B5956}\chrome\content\overlay.xul
c:\users\Rippers\AppData\Local\{390774CC-B50A-48DF-8113-C464856B5956}\install.rdf
c:\users\Rippers\AppData\Local\Akimikere.bin
c:\users\Rippers\AppData\Local\Sgacite.dat
c:\users\Rippers\AppData\Roaming\lowsec
c:\users\Rippers\AppData\Roaming\lowsec\local.ds
c:\users\Rippers\AppData\Roaming\lowsec\user.ds
c:\windows\system32\app_dll.dll.vir
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\rthdvcpl .exe
c:\windows\system32\rundll32 .exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-27 23:44 . 2010-03-27 23:44 -------- d-----w- c:\users\Rippers\AppData\Local\temp
2010-03-27 23:44 . 2010-03-27 23:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-27 23:44 . 2010-03-27 23:44 -------- d-----w- c:\users\Mummy Ripley\AppData\Local\temp
2010-03-27 23:44 . 2010-03-27 23:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-27 18:27 . 2010-03-27 21:34 -------- d-----w- c:\users\Rippers\AppData\Local\Adobe
2010-03-27 16:57 . 2010-03-27 17:36 -------- d-----w- C:\comfix
2010-03-25 17:00 . 2010-03-27 22:01 27648 ----a-w- c:\windows\system32\rthdvcpl.exe
2010-03-24 13:34 . 2010-03-24 13:34 -------- d-----w- c:\users\Rippers\AppData\Local\Apple
2010-03-23 00:33 . 2010-03-23 00:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-23 00:33 . 2010-03-23 11:04 -------- d-----w- c:\users\Rippers\AppData\Roaming\SUPERAntiSpyware.com
2010-03-23 00:33 . 2010-03-23 11:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-23 00:30 . 2010-03-23 00:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-23 00:27 . 2008-01-02 16:33 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-22 23:20 . 2010-03-22 23:20 -------- d--h--w- c:\users\Rippers\AppData\Local\acer eNM
2010-03-22 16:44 . 2010-03-22 16:51 -------- d-----w- c:\program files\MagicISO
2010-03-22 16:39 . 2010-03-22 22:44 -------- d-----w- c:\program files\File Helper
2010-03-22 16:24 . 2010-03-22 16:24 -------- d-----w- c:\windows\Sun
2010-03-22 15:30 . 2010-03-22 15:30 -------- d-----w- c:\programdata\Azureus
2010-03-22 15:25 . 2010-03-22 15:25 46592 ----a-w- c:\windows\qbwr4445.exe
2010-03-12 01:04 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 01:04 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 01:04 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 23:45 . 2008-09-05 17:26 -------- d-----w- c:\programdata\Kontiki
2010-03-27 23:30 . 2009-11-10 16:07 -------- d-----w- c:\users\Rippers\AppData\Roaming\Skype
2010-03-27 22:24 . 2008-05-28 14:37 0 ----a-w- c:\users\Mummy Ripley\AppData\Local\prvlcl.dat
2010-03-27 22:01 . 2008-05-30 08:48 -------- d-----w- c:\program files\iTunes
2010-03-27 22:01 . 2008-05-20 12:38 -------- d-----w- c:\program files\QuickTime
2010-03-27 22:01 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-27 22:01 . 2008-01-02 17:06 27648 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-27 22:01 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxtray.exe
2010-03-27 22:01 . 2007-11-27 07:24 -------- d-----w- c:\program files\Launch Manager
2010-03-27 22:01 . 2006-11-02 08:48 27648 ----a-w- c:\windows\system32\rundll32.exe
2010-03-27 21:28 . 2008-05-28 09:54 -------- d-----w- c:\programdata\avg8
2010-03-27 17:28 . 2009-11-10 16:09 -------- d-----w- c:\users\Rippers\AppData\Roaming\skypePM
2010-03-27 14:46 . 2009-07-24 08:45 680 ----a-w- c:\users\Rippers\AppData\Local\d3d9caps.dat
2010-03-26 12:39 . 2007-06-25 01:38 -------- d-----w- c:\program files\Norton Internet Security
2010-03-26 12:39 . 2007-06-25 01:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-12 10:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 01:10 . 2007-06-25 01:48 -------- d-----w- c:\programdata\Microsoft Help
2010-02-25 09:21 . 2010-02-25 09:21 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-02-25 09:20 . 2008-03-26 17:49 100432 ----a-w- c:\users\Rippers\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 10:16 . 2009-10-05 07:58 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-15 16:55 . 2010-02-15 16:55 -------- d-----w- c:\users\Rippers\AppData\Roaming\Trusteer
2010-02-15 16:55 . 2010-02-15 16:55 -------- d-----w- c:\program files\Trusteer
2010-02-15 16:54 . 2010-02-15 16:54 -------- d-----w- c:\programdata\Trusteer
2010-01-25 12:00 . 2010-02-24 17:23 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 17:23 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 17:23 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 17:23 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 17:23 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 17:23 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 17:23 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 17:23 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 17:23 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 17:24 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-06 15:39 . 2010-02-24 17:23 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-24 17:23 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-24 17:23 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 17:23 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-24 17:23 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 17:23 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 13:30 . 2010-02-24 17:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2007-11-27 07:58 . 2007-11-27 07:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
CODE
<pre>
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\pifsvc .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Launch Manager\lmanager .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Samsung\Samsung New PC Studio\npsagent .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\System32\hkcmd .exe
c:\windows\System32\igfxpers .exe
c:\windows\System32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2010-03-27 27648]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2010-03-27 27648]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-03-27 27648]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-27 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2010-03-27 27648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-27 27648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-26 27648]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-03-26 27648]
"Acer Tour"="" [N/A]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2010-03-27 27648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2010-03-27 27648]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2010-03-27 27648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2010-03-27 27648]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2010-03-27 27648]
"eRecoveryService"="" [N/A]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2010-03-27 27648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2010-03-26 27648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-27 27648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-27 27648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-27 27648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-27 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-27 27648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-03-27 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-03-27 27648]
"NPSStartup"="" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-27 27648]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-6-25 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:23,a9,f6,74,50,41,ca,01

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-17 335240]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080623.001\IDSvix86.sys [2008-03-12 261680]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-02-17 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-02-17 108904]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-17 297752]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-02-17 779496]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-03-18 109616]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2006-11-21 37008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-27 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]

2010-03-25 c:\windows\Tasks\Norton Security Scan for Rippers.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-13 12:50]

2010-03-27 c:\windows\Tasks\User_Feed_Synchronization-{4AA846E1-A3B1-4E18-A467-B6943D08ED4E}.job
- c:\windows\system32\msfeedssync.exe [2008-05-30 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Rippers\AppData\Roaming\Mozilla\Firefox\Profiles\0cs5blnp.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 23:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2010-03-27 23:48:13
ComboFix-quarantined-files.txt 2010-03-27 23:48
ComboFix2.txt 2010-03-27 17:36

Pre-Run: 32,928,858,112 bytes free
Post-Run: 32,794,112,000 bytes free

- - End Of File - - 59261F7E254FDAF433F597EC19EDE721


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:06 AM

Posted 27 March 2010 - 07:33 PM

Yeah, it looked a bad one, that Jotti one, so we'll take that with us too.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\qbwr4445.exe

AtJob::
c:\program files\internet explorer\wmpscfgs.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks
m0le is a proud member of UNITE
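An added example in Python (not from the thread, and not ComboFix's own code) of the triage a responder does before writing a CFScript like the one above: it parses log rows shaped like the ones posted, flags the pattern in this thread (startup executables renamed with a space before .exe, many unrelated executables reporting the same 27648-byte size, the numbered At*.job tasks all pointing at one binary, and the UAC / registry-tools / Security Center settings switched off), then assembles the File::/AtJob:: sections in the form m0le used. The log excerpt is constructed for the example, and the only CFScript syntax assumed is the two directive headers shown in the post.

```python
import re
from collections import defaultdict

# Constructed excerpt shaped like the ComboFix log posted above (not the real file).
SAMPLE_LOG = r"""
2010-03-25 17:00 . 2010-03-27 22:01 27648 ----a-w- c:\windows\system32\rthdvcpl.exe
2010-03-27 22:01 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-27 22:01 . 2006-11-02 08:48 27648 ----a-w- c:\windows\system32\rundll32.exe
2010-03-12 01:04 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-27 23:44 . 2010-03-27 23:44 -------- d-----w- c:\users\Rippers\AppData\Local\temp
c:\windows\System32\hkcmd .exe
c:\program files\QuickTime\qttask  .exe
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2010-03-27 27648]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"EnableLUA"= 0 (0x0)
"DisableRegistryTools"= 1 (0x1)
"DisableMonitoring"=dword:00000001
2010-03-27 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]
2010-03-27 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-27 23:46]
2010-03-25 c:\windows\Tasks\Norton Security Scan for Rippers.job
- c:\program files\Norton Security Scan\Engine\Nss.exe [2009-12-13 12:50]
"""

# Find3M / "Files Created" rows: mtime . ctime size attrs path
FIND3M = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (\S+) (.+)$")
# Run-key rows: "Name"="path" [date size]
RUN_ENTRY = re.compile(r'^"[^"]+"="([^"]*)"(?: \[(\d{4}-\d{2}-\d{2}) (\d+)\])?')
# Scheduled-task header line and the "- target [timestamp]" line under it
TASK_HDR = re.compile(r"^\d{4}-\d{2}-\d{2} (.+\.job)$", re.I)
TASK_TGT = re.compile(r"^- (.+?) \[")
# Whitespace wedged in before the extension, e.g. "hkcmd .exe"
SPACED_EXE = re.compile(r"\S\s+\.exe\b", re.I)
# Settings that weaken the defences a cleanup relies on
WEAKENED = [
    (re.compile(r'^"EnableLUA"=\s*0\b'), "UAC disabled (EnableLUA=0)"),
    (re.compile(r'^"DisableRegistryTools"=\s*1\b'), "Registry editor blocked (DisableRegistryTools=1)"),
    (re.compile(r'^"DisableMonitoring"=dword:0*1$'), "Security Center monitoring disabled"),
]


def triage(lines, shared_size_min=3):
    """Flag the persistence pattern from the posted log in a list of log lines."""
    findings = {"spaced_exe": [], "at_jobs": defaultdict(list),
                "shared_size": {}, "weakened": []}
    exe_by_size = defaultdict(list)   # size -> executables reporting that size
    pending_job = None                # .job path waiting for its "- target" line
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if SPACED_EXE.search(line):
            findings["spaced_exe"].append(line)
        m = FIND3M.match(line)
        if m and m.group(3).isdigit() and m.group(5).lower().endswith(".exe"):
            exe_by_size[int(m.group(3))].append(m.group(5))
        m = RUN_ENTRY.match(line)
        if m and m.group(3) and m.group(1).lower().endswith(".exe"):
            exe_by_size[int(m.group(3))].append(m.group(1))
        m = TASK_HDR.match(line)
        if m:
            pending_job = m.group(1)
            continue
        m = TASK_TGT.match(line)
        if m and pending_job:
            # Only the numbered At*.job tasks (At1..At24 in the posted log) count
            if re.search(r"\\At\d+\.job$", pending_job, re.I):
                findings["at_jobs"][m.group(1)].append(pending_job)
            pending_job = None
            continue
        for pattern, label in WEAKENED:
            if pattern.match(line):
                findings["weakened"].append(label)
    # Many unrelated startup programs reporting one identical size (27648 in the
    # posted log) is the tell that legitimate binaries were replaced by stubs.
    findings["shared_size"] = {size: paths for size, paths in exe_by_size.items()
                               if len(paths) >= shared_size_min}
    findings["at_jobs"] = dict(findings["at_jobs"])
    return findings


def cfscript_from_findings(findings, extra_files=()):
    """Assemble the File:: / AtJob:: sections in the form the helper used above.

    Assumption: only those two directive headers, as shown in the post, are used;
    nothing else about CFScript syntax is assumed here."""
    out = []
    if extra_files:
        out.append("File::")
        out.extend(extra_files)
        out.append("")
    if findings["at_jobs"]:
        out.append("AtJob::")
        out.extend(sorted(findings["at_jobs"]))
    return "\n".join(out)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for key, value in result.items():
        print(f"{key}: {value}")
    print(cfscript_from_findings(result, [r"c:\windows\qbwr4445.exe"]))
```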

#9 rmrippers

rmrippers
  • Topic Starter

  • Members
  • 48 posts
  • Local time:03:06 AM

Posted 27 March 2010 - 08:19 PM

Present for you!


ComboFix 10-03-26.02 - Rippers 28/03/2010 2:04.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.926 [GMT 1:00]
Running from: c:\users\Rippers\Desktop\comfix.exe
Command switches used :: c:\users\Rippers\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\qbwr4445.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\qbwr4445.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\rthdvcpl .exe
c:\windows\system32\rundll32 .exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-28 01:13 . 2010-03-28 01:13 -------- d-----w- c:\users\Rippers\AppData\Local\temp
2010-03-28 01:13 . 2010-03-28 01:13 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-28 01:13 . 2010-03-28 01:13 -------- d-----w- c:\users\Mummy Ripley\AppData\Local\temp
2010-03-28 01:13 . 2010-03-28 01:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-27 23:35 . 2010-03-27 23:48 -------- d-----w- C:\comfix3920c
2010-03-27 18:27 . 2010-03-27 21:34 -------- d-----w- c:\users\Rippers\AppData\Local\Adobe
2010-03-27 16:57 . 2010-03-27 17:36 -------- d-----w- C:\comfix
2010-03-25 17:00 . 2010-03-27 23:58 27648 ----a-w- c:\windows\system32\rthdvcpl.exe
2010-03-24 13:34 . 2010-03-24 13:34 -------- d-----w- c:\users\Rippers\AppData\Local\Apple
2010-03-23 00:33 . 2010-03-23 00:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-23 00:33 . 2010-03-23 11:04 -------- d-----w- c:\users\Rippers\AppData\Roaming\SUPERAntiSpyware.com
2010-03-23 00:33 . 2010-03-23 11:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-23 00:30 . 2010-03-23 00:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-23 00:27 . 2008-01-02 16:33 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-22 23:20 . 2010-03-22 23:20 -------- d--h--w- c:\users\Rippers\AppData\Local\acer eNM
2010-03-22 16:44 . 2010-03-22 16:51 -------- d-----w- c:\program files\MagicISO
2010-03-22 16:39 . 2010-03-22 22:44 -------- d-----w- c:\program files\File Helper
2010-03-22 16:24 . 2010-03-22 16:24 -------- d-----w- c:\windows\Sun
2010-03-22 15:30 . 2010-03-22 15:30 -------- d-----w- c:\programdata\Azureus
2010-03-12 01:04 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 01:04 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 01:04 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 01:13 . 2008-09-05 17:26 -------- d-----w- c:\programdata\Kontiki
2010-03-28 00:57 . 2009-11-10 16:07 -------- d-----w- c:\users\Rippers\AppData\Roaming\Skype
2010-03-28 00:24 . 2008-05-28 14:37 0 ----a-w- c:\users\Mummy Ripley\AppData\Local\prvlcl.dat
2010-03-28 00:08 . 2009-11-10 16:09 -------- d-----w- c:\users\Rippers\AppData\Roaming\skypePM
2010-03-27 23:58 . 2008-05-30 08:48 -------- d-----w- c:\program files\iTunes
2010-03-27 23:58 . 2008-05-20 12:38 -------- d-----w- c:\program files\QuickTime
2010-03-27 23:58 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-27 23:58 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxtray.exe
2010-03-27 23:58 . 2007-11-27 07:24 -------- d-----w- c:\program files\Launch Manager
2010-03-27 23:58 . 2006-11-02 08:48 27648 ----a-w- c:\windows\system32\rundll32.exe
2010-03-27 23:46 . 2008-01-02 17:06 27648 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-27 21:28 . 2008-05-28 09:54 -------- d-----w- c:\programdata\avg8
2010-03-27 14:46 . 2009-07-24 08:45 680 ----a-w- c:\users\Rippers\AppData\Local\d3d9caps.dat
2010-03-26 12:39 . 2007-06-25 01:38 -------- d-----w- c:\program files\Norton Internet Security
2010-03-26 12:39 . 2007-06-25 01:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-12 10:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 01:10 . 2007-06-25 01:48 -------- d-----w- c:\programdata\Microsoft Help
2010-02-25 09:21 . 2010-02-25 09:21 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-02-25 09:20 . 2008-03-26 17:49 100432 ----a-w- c:\users\Rippers\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 10:16 . 2009-10-05 07:58 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-15 16:55 . 2010-02-15 16:55 -------- d-----w- c:\users\Rippers\AppData\Roaming\Trusteer
2010-02-15 16:55 . 2010-02-15 16:55 -------- d-----w- c:\program files\Trusteer
2010-02-15 16:54 . 2010-02-15 16:54 -------- d-----w- c:\programdata\Trusteer
2010-01-25 12:00 . 2010-02-24 17:23 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 17:23 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 17:23 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 17:23 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 17:23 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 17:23 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 17:23 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 17:23 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 17:23 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 17:24 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-06 15:39 . 2010-02-24 17:23 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-24 17:23 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-24 17:23 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 17:23 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-24 17:23 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 17:23 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 13:30 . 2010-02-24 17:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2007-11-27 07:58 . 2007-11-27 07:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
CODE
<pre>
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\pifsvc .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Launch Manager\lmanager .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Samsung\Samsung New PC Studio\npsagent .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\System32\hkcmd .exe
c:\windows\System32\igfxpers .exe
c:\windows\System32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2010-03-28 27648]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2010-03-28 27648]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-03-28 27648]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-28 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2010-03-28 27648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-28 27648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-26 27648]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-03-26 27648]
"Acer Tour"="" [N/A]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2010-03-28 27648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2010-03-28 27648]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2010-03-28 27648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2010-03-28 27648]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2010-03-28 27648]
"eRecoveryService"="" [N/A]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2010-03-28 27648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2010-03-26 27648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-28 27648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-28 27648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-28 27648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-28 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-28 27648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-03-28 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-03-28 27648]
"NPSStartup"="" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-28 27648]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-6-25 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):23,a9,f6,74,50,41,ca,01

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-17 335240]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080623.001\IDSvix86.sys [2008-03-12 261680]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-02-17 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-02-17 108904]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-17 297752]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-02-17 779496]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-03-18 109616]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2006-11-21 37008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At25.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At26.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At27.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At28.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At29.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At30.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At31.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At32.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At33.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At34.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At35.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At36.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At37.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At38.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At39.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At40.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At41.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At42.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At43.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At44.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At45.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At46.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At47.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At48.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-25 c:\windows\Tasks\Norton Security Scan for Rippers.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-13 12:50]

2010-03-28 c:\windows\Tasks\User_Feed_Synchronization-{4AA846E1-A3B1-4E18-A467-B6943D08ED4E}.job
- c:\windows\system32\msfeedssync.exe [2008-05-30 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Rippers\AppData\Roaming\Mozilla\Firefox\Profiles\0cs5blnp.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 02:13
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

c:\acer\Empowering Technology\eNet\eNet Service.exe [3420]
c:\program files\synaptics\syntp\syntpenh .exe [2396]
c:\program files\intel\intel matrix storage manager\iaanotif .exe [4976]
c:\program files\cyberlink\powerdvd\pdvdserv .exe [5024]
c:\program files\launch manager\lmanager .exe [5168]
c:\program files\microsoft office\office12\groovemonitor .exe [5332]
c:\program files\avg\avg8\avgtray .exe [5352]
c:\program files\samsung\samsung new pc studio\npsagent .exe [5576]
c:\program files\itunes\ituneshelper .exe [5584]
c:\program files\skype\phone\skype .exe [5592]
c:\program files\java\jre6\bin\jusched .exe [5632]
c:\acer\empowering technology\edatasecurity\edsloader .exe [4388]
c:\users\Rippers\AppData\Local\Temp\f4803395 .exe [17756]
acrotray .exe [20364]
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2010-03-28 02:17:20
ComboFix-quarantined-files.txt 2010-03-28 01:17
ComboFix2.txt 2010-03-27 23:48
ComboFix3.txt 2010-03-27 17:36

Pre-Run: 32,719,822,848 bytes free
Post-Run: 32,693,768,192 bytes free

- - End Of File - - B5220F3AF7127CE1C37B3126AC92939E


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:06 AM

Posted 27 March 2010 - 08:41 PM

Something is still running things here and I missed a file. Let's try a different tool to remove these files. It's faster and should be as efficient.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Files
    c:\windows\Tasks\At*.job
    c:\program files\Internet Explorer\wmpscfgs.exe
    c:\program files\adobe\acrotray .exe
    :Commands
    [EmptyTemp]
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

Then please run Combofix again. This will let me know if anything's continuing to regenerate.

Thanks :)

Edited by m0le, 27 March 2010 - 08:42 PM.

m0le is a proud member of UNITE
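The two things the OTM script above goes after (a run of At*.job tasks all launching one binary, and lookalike executables whose name carries a space before ".exe") can be pulled out of a ComboFix log mechanically, together with a third sign visible in the posted log: many unrelated Run entries sharing one date and size (2010-03-28 27648). The Python triage script below is an added example, not code from this thread, ComboFix or OTM; it runs over a constructed excerpt built from a few lines of the log above, and the cluster threshold of 3 is an assumption chosen for that excerpt.

```python
"""Triage helpers for a ComboFix-style log (added example, not ComboFix's
or OTM's code). Flags: a space before the extension ("qttask .exe"), At<N>.job
scheduled tasks, and Run entries clustered on one (date, size) pair."""
import re
from collections import Counter

# Constructed excerpt, modelled on a handful of lines from the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-28 27648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-26 27648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-28 27648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-28 27648]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]

Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\At25.job
- c:\program files\adobe\acrotray .exe [2010-03-28 01:15]

2010-03-28 c:\windows\Tasks\User_Feed_Synchronization-{4AA846E1-A3B1-4E18-A467-B6943D08ED4E}.job
- c:\windows\system32\msfeedssync.exe [2008-05-30 07:33]
"""

# "Name"="command" [date size]   (or [X] when ComboFix could not stat the file)
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s+\[(?P<meta>[^\]]*)\]')
TASK_HEADER = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(?P<job>.+\.job)$', re.I)
TASK_TARGET = re.compile(r'^-\s+(?P<target>.+?)\s+\[')
PADDED_EXT = re.compile(r'\s+\.(exe|dll|sys)\b', re.I)   # "acrotray .exe"
AT_JOB = re.compile(r'\\At\d+\.job$', re.I)             # tasks created with at.exe


def padded_extension(path):
    """True when whitespace sits directly before the extension."""
    return bool(PADDED_EXT.search(path))


def parse_log(text):
    """Return (run_entries, tasks): Run-key dicts and (job, target) pairs."""
    run_entries, tasks, pending_job = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_ENTRY.match(line)
        if m:
            meta = m.group("meta").split()
            has_stat = len(meta) == 2 and meta[1].isdigit()
            run_entries.append({"name": m.group("name"), "cmd": m.group("cmd"),
                                "date": meta[0] if has_stat else None,
                                "size": int(meta[1]) if has_stat else None})
            continue
        m = TASK_HEADER.match(line)
        if m:
            pending_job = m.group("job")      # target is on the next "- " line
            continue
        m = TASK_TARGET.match(line)
        if m and pending_job:
            tasks.append((pending_job, m.group("target")))
            pending_job = None
    return run_entries, tasks


def triage(text, cluster_threshold=3):
    """Return (kind, where, what) findings for the three patterns above."""
    run_entries, tasks = parse_log(text)
    findings = []
    for e in run_entries:                      # lookalike names in Run keys
        if padded_extension(e["cmd"]):
            findings.append(("padded-name", e["name"], e["cmd"]))
    for job, target in tasks:                  # lookalike names and At*.job tasks
        if padded_extension(target):
            findings.append(("padded-name", job, target))
        if AT_JOB.search(job):
            findings.append(("at-job", job, target))
    # Unrelated products whose autostart binaries share one date and size were
    # all replaced by the same payload; report the cluster once.
    sig = Counter((e["date"], e["size"]) for e in run_entries if e["size"] is not None)
    for (date, size), n in sig.items():
        if n >= cluster_threshold:
            names = [e["name"] for e in run_entries if (e["date"], e["size"]) == (date, size)]
            findings.append(("size-cluster", f"{date} {size}", ", ".join(names)))
    return findings


if __name__ == "__main__":
    for kind, where, what in triage(SAMPLE_LOG):
        print(f"{kind:12} {where}: {what}")
```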

#11 rmrippers

rmrippers
  • Topic Starter

  • Members
  • 48 posts
  • Local time:03:06 AM

Posted 27 March 2010 - 09:03 PM

Here's the OTM thing. ComboFix coming riiiiiiiiiiiight up :)

All processes killed
========== FILES ==========
c:\windows\Tasks\At1.job moved successfully.
c:\windows\Tasks\At10.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At12.job moved successfully.
c:\windows\Tasks\At13.job moved successfully.
c:\windows\Tasks\At14.job moved successfully.
c:\windows\Tasks\At15.job moved successfully.
c:\windows\Tasks\At16.job moved successfully.
c:\windows\Tasks\At17.job moved successfully.
c:\windows\Tasks\At18.job moved successfully.
c:\windows\Tasks\At19.job moved successfully.
c:\windows\Tasks\At2.job moved successfully.
c:\windows\Tasks\At20.job moved successfully.
c:\windows\Tasks\At21.job moved successfully.
c:\windows\Tasks\At22.job moved successfully.
c:\windows\Tasks\At23.job moved successfully.
c:\windows\Tasks\At24.job moved successfully.
c:\windows\Tasks\At3.job moved successfully.
c:\windows\Tasks\At4.job moved successfully.
c:\windows\Tasks\At49.job moved successfully.
c:\windows\Tasks\At5.job moved successfully.
c:\windows\Tasks\At50.job moved successfully.
c:\windows\Tasks\At51.job moved successfully.
c:\windows\Tasks\At52.job moved successfully.
c:\windows\Tasks\At53.job moved successfully.
c:\windows\Tasks\At54.job moved successfully.
c:\windows\Tasks\At55.job moved successfully.
c:\windows\Tasks\At56.job moved successfully.
c:\windows\Tasks\At57.job moved successfully.
c:\windows\Tasks\At58.job moved successfully.
c:\windows\Tasks\At59.job moved successfully.
c:\windows\Tasks\At6.job moved successfully.
c:\windows\Tasks\At60.job moved successfully.
c:\windows\Tasks\At61.job moved successfully.
c:\windows\Tasks\At62.job moved successfully.
c:\windows\Tasks\At63.job moved successfully.
c:\windows\Tasks\At64.job moved successfully.
c:\windows\Tasks\At65.job moved successfully.
c:\windows\Tasks\At66.job moved successfully.
c:\windows\Tasks\At67.job moved successfully.
c:\windows\Tasks\At68.job moved successfully.
c:\windows\Tasks\At69.job moved successfully.
c:\windows\Tasks\At7.job moved successfully.
c:\windows\Tasks\At70.job moved successfully.
c:\windows\Tasks\At71.job moved successfully.
c:\windows\Tasks\At72.job moved successfully.
c:\windows\Tasks\At8.job moved successfully.
c:\windows\Tasks\At9.job moved successfully.
c:\program files\Internet Explorer\wmpscfgs.exe moved successfully.
c:\program files\adobe\acrotray .exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mummy Ripley
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 131191316 bytes
->Java cache emptied: 120267397 bytes
->FireFox cache emptied: 59560938 bytes
->Flash cache emptied: 865193 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Rippers
->Temp folder emptied: 946603 bytes
->Temporary Internet Files folder emptied: 12181021 bytes
->Java cache emptied: 67361015 bytes
->FireFox cache emptied: 38635932 bytes
->Flash cache emptied: 47800 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 7017470 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 12879076 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 430.00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 03282010_025118

Files moved on Reboot...
File C:\Users\Rippers\AppData\Local\Temp\fla5366.tmp not found!
File C:\Users\Rippers\AppData\Local\Temp\fla5490.tmp not found!
C:\Users\Rippers\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYRU6ZL5\st[1] moved successfully.
C:\Users\Rippers\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYRU6ZL5\st[2] moved successfully.
C:\Users\Rippers\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYRU6ZL5\st[3] moved successfully.
C:\Users\Rippers\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYRU6ZL5\st[4] moved successfully.
File C:\Users\Rippers\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DX3RF698\01[1].htm not found!
C:\Users\Rippers\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\81IKAVPS\st[1] moved successfully.
C:\Users\Rippers\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\81IKAVPS\st[2] moved successfully.
C:\Users\Rippers\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\81IKAVPS\st[3] moved successfully.
C:\Users\Rippers\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\81IKAVPS\st[4] moved successfully.
C:\Users\Rippers\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...


#12 rmrippers

rmrippers
  • Topic Starter

  • Members
  • 48 posts
  • Local time:03:06 AM

Posted 27 March 2010 - 09:41 PM

The ComboFix as promised. I should say the laptop shut down a few times without me asking it to when ComboFix was running, and just before it gave me the log it said, "The system cannot find the file whitedir01." Don't know if that's important.

Right, I'm going to bed. I'll check the thread again when I wake up. Thanks for all the help so far :)


ComboFix 10-03-26.02 - Rippers 28/03/2010 3:12.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.875 [GMT 1:00]
Running from: c:\users\Rippers\Desktop\comfix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Adobe\4804222.old
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\app_dll.dll
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\rthdvcpl .exe
c:\windows\system32\rundll32 .exe

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-28 02:22 . 2010-03-28 02:26 -------- d-----w- c:\users\Rippers\AppData\Local\temp
2010-03-28 02:22 . 2010-03-28 02:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-28 02:22 . 2010-03-28 02:22 -------- d-----w- c:\users\Mummy Ripley\AppData\Local\temp
2010-03-28 02:22 . 2010-03-28 02:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-28 02:04 . 2010-03-28 02:04 -------- d-----w- C:\32788R22FWJFW
2010-03-28 01:51 . 2010-03-28 01:51 -------- d-----w- C:\_OTM
2010-03-28 01:02 . 2010-03-28 01:17 -------- d-----w- C:\comfix9876c
2010-03-27 23:35 . 2010-03-27 23:48 -------- d-----w- C:\comfix3920c
2010-03-27 18:27 . 2010-03-27 21:34 -------- d-----w- c:\users\Rippers\AppData\Local\Adobe
2010-03-27 16:57 . 2010-03-27 17:36 -------- d-----w- C:\comfix
2010-03-25 17:00 . 2010-03-28 02:10 27648 ----a-w- c:\windows\system32\rthdvcpl.exe
2010-03-24 13:34 . 2010-03-24 13:34 -------- d-----w- c:\users\Rippers\AppData\Local\Apple
2010-03-23 00:33 . 2010-03-23 00:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-23 00:33 . 2010-03-23 11:04 -------- d-----w- c:\users\Rippers\AppData\Roaming\SUPERAntiSpyware.com
2010-03-23 00:33 . 2010-03-23 11:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-23 00:30 . 2010-03-23 00:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-23 00:27 . 2008-01-02 16:33 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-22 23:20 . 2010-03-22 23:20 -------- d--h--w- c:\users\Rippers\AppData\Local\acer eNM
2010-03-22 16:44 . 2010-03-22 16:51 -------- d-----w- c:\program files\MagicISO
2010-03-22 16:39 . 2010-03-22 22:44 -------- d-----w- c:\program files\File Helper
2010-03-22 16:24 . 2010-03-22 16:24 -------- d-----w- c:\windows\Sun
2010-03-22 15:30 . 2010-03-22 15:30 -------- d-----w- c:\programdata\Azureus
2010-03-12 01:04 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 01:04 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 01:04 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 02:30 . 2008-09-05 17:26 -------- d-----w- c:\programdata\Kontiki
2010-03-28 02:27 . 2010-03-28 01:15 94208 ----a-w- c:\windows\system32\app_dll.dll
2010-03-28 02:26 . 2008-05-30 08:48 -------- d-----w- c:\program files\iTunes
2010-03-28 02:26 . 2008-05-20 12:38 -------- d-----w- c:\program files\QuickTime
2010-03-28 02:26 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-28 02:26 . 2008-01-02 17:06 27648 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-28 02:26 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxtray.exe
2010-03-28 02:26 . 2007-11-27 07:24 -------- d-----w- c:\program files\Launch Manager
2010-03-28 02:26 . 2006-11-02 08:48 27648 ----a-w- c:\windows\system32\rundll32.exe
2010-03-28 02:01 . 2009-11-10 16:09 -------- d-----w- c:\users\Rippers\AppData\Roaming\skypePM
2010-03-28 01:59 . 2009-11-10 16:07 -------- d-----w- c:\users\Rippers\AppData\Roaming\Skype
2010-03-28 00:24 . 2008-05-28 14:37 0 ----a-w- c:\users\Mummy Ripley\AppData\Local\prvlcl.dat
2010-03-27 21:28 . 2008-05-28 09:54 -------- d-----w- c:\programdata\avg8
2010-03-27 14:46 . 2009-07-24 08:45 680 ----a-w- c:\users\Rippers\AppData\Local\d3d9caps.dat
2010-03-26 12:39 . 2007-06-25 01:38 -------- d-----w- c:\program files\Norton Internet Security
2010-03-26 12:39 . 2007-06-25 01:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-12 10:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 01:10 . 2007-06-25 01:48 -------- d-----w- c:\programdata\Microsoft Help
2010-02-25 09:21 . 2010-02-25 09:21 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-02-25 09:20 . 2008-03-26 17:49 100432 ----a-w- c:\users\Rippers\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 10:16 . 2009-10-05 07:58 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-15 16:55 . 2010-02-15 16:55 -------- d-----w- c:\users\Rippers\AppData\Roaming\Trusteer
2010-02-15 16:55 . 2010-02-15 16:55 -------- d-----w- c:\program files\Trusteer
2010-02-15 16:54 . 2010-02-15 16:54 -------- d-----w- c:\programdata\Trusteer
2010-01-25 12:00 . 2010-02-24 17:23 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 17:23 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 17:23 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 17:23 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 17:23 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 17:23 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 17:23 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 17:23 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 17:23 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 17:24 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-06 15:39 . 2010-02-24 17:23 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-24 17:23 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-24 17:23 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 17:23 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-24 17:23 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 17:23 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 13:30 . 2010-02-24 17:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2007-11-27 07:58 . 2007-11-27 07:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
CODE
<pre>
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\pifsvc .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Launch Manager\lmanager .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Samsung\Samsung New PC Studio\npsagent .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2010-03-28 27648]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-03-28 27648]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-28 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2010-03-28 27648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-28 27648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-26 27648]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-03-26 27648]
"Acer Tour"="" [N/A]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2010-03-28 27648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2010-03-28 27648]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2010-03-28 27648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2010-03-28 27648]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2010-03-28 27648]
"eRecoveryService"="" [N/A]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2010-03-28 27648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2010-03-26 27648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-28 27648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-28 27648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-28 27648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-28 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-28 27648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-03-28 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-03-28 27648]
"NPSStartup"="" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-28 27648]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-6-25 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):23,a9,f6,74,50,41,ca,01

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-17 335240]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080623.001\IDSvix86.sys [2008-03-12 261680]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-02-17 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-02-17 108904]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-17 297752]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-02-17 779496]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-03-18 109616]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2006-11-21 37008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-28 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]

2010-03-25 c:\windows\Tasks\Norton Security Scan for Rippers.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-13 12:50]

2010-03-28 c:\windows\Tasks\User_Feed_Synchronization-{4AA846E1-A3B1-4E18-A467-B6943D08ED4E}.job
- c:\windows\system32\msfeedssync.exe [2008-05-30 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Rippers\AppData\Roaming\Mozilla\Firefox\Profiles\0cs5blnp.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

c:\acer\Empowering Technology\eNet\eNet Service.exe [2808]
c:\program files\synaptics\syntp\syntpenh .exe [5592]
c:\program files\cyberlink\powerdvd\pdvdserv .exe [5712]
c:\program files\intel\intel matrix storage manager\iaanotif .exe [6024]
c:\program files\launch manager\lmanager .exe [6056]
c:\program files\avg\avg8\avgtray .exe [4204]
c:\program files\microsoft office\office12\groovemonitor .exe [1076]
c:\program files\itunes\ituneshelper .exe [4268]
c:\program files\samsung\samsung new pc studio\npsagent .exe [864]
c:\program files\java\jre6\bin\jusched .exe [4912]
c:\program files\skype\phone\skype .exe [804]
c:\program files\windows live\messenger\msnmsgr .exe [5528]
c:\acer\empowering technology\edatasecurity\edsloader .exe [5848]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\app_dll.dll

- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\app_dll.dll

- - - - - - - > 'Explorer.exe'(10120)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\rthdvcpl.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\windows\servicing\TrustedInstaller.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-03-28 03:33:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 02:33
ComboFix2.txt 2010-03-28 01:17
ComboFix3.txt 2010-03-27 23:48
ComboFix4.txt 2010-03-27 17:36

Pre-Run: 32,873,820,160 bytes free
Post-Run: 32,740,429,824 bytes free

- - End Of File - - E188FAFB60509D32A52E58160ED3E836


#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:06 AM

Posted 28 March 2010 - 06:51 AM

Majorly stubborn, there is still one process that won't die.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
RenV::
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\pifsvc .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Launch Manager\lmanager .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Samsung\Samsung New PC Studio\npsagent .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe

AtJob::

File::
c:\program files\internet explorer\wmpscfgs.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Next run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Edited by m0le, 28 March 2010 - 06:53 AM.

m0le is a proud member of UNITE
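As an added example that is not from the thread or from ComboFix, here is a Python triage script that pulls the indicators these logs show (originals pushed aside as "name .exe", one 27648-byte file behind many unrelated autostarts, At1.job to At24.job all launching wmpscfgs.exe, UAC, registry tools and Security Center monitoring switched off) out of ComboFix-style log text and drafts the RenV::/AtJob::/File:: directives used in the CFScript above. The sample log lines are constructed to mirror the excerpts in this thread, and the directive semantics are taken from the post, not from ComboFix documentation.

```python
"""Triage a ComboFix-style log for the infection pattern seen in this thread.
Added example, not code from the thread or from ComboFix; the sample log is
constructed and the directive semantics come from m0le's post above."""
import re
from collections import defaultdict

# Constructed sample modelled on the log excerpts above (not a real log).
SAMPLE_LOG = r"""
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\skype .exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-28 27648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-26 27648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-28 27648]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableRegistryTools"= 1 (0x1)
"LoadAppInit_DLLs"=1 (0x1)
"DisableMonitoring"=dword:00000001
2010-03-28 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]
2010-03-28 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-28 02:29]
2010-03-28 c:\windows\Tasks\User_Feed_Synchronization-{PLACEHOLDER-GUID}.job
- c:\windows\system32\msfeedssync.exe [2008-05-30 07:33]
"""

# Whitespace before ".exe": the original program pushed aside by an impostor.
SPACED_EXE_RE = re.compile(r"^[a-z]:\\.*\S +\.exe$", re.IGNORECASE)
RUN_ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\d{4}-\d\d-\d\d) (?P<size>\d+)\]$')
POLICY_RE = re.compile(
    r'^"(?P<key>EnableLUA|DisableRegistryTools|LoadAppInit_DLLs|DisableMonitoring)"'
    r'\s*=\s*(?:dword:)?0*(?P<val>[01])')
TASK_RE = re.compile(r"^\d{4}-\d\d-\d\d c:\\windows\\tasks\\(?P<job>[^\\]+\.job)$",
                     re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"^- (?P<target>[a-z]:\\.*\.exe)\b", re.IGNORECASE)
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.IGNORECASE)
# Value each policy holds when the protection it controls is switched off.
TAMPERED_VALUE = {"EnableLUA": "0", "DisableRegistryTools": "1",
                  "LoadAppInit_DLLs": "1", "DisableMonitoring": "1"}


def triage(log_text, min_cloned=3):
    """Return the indicators found in ComboFix-style log text."""
    findings = {"renamed": [], "cloned_size": {}, "policy": [],
                "at_jobs": [], "at_targets": []}
    by_size = defaultdict(list)
    task_target = {}
    current_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if SPACED_EXE_RE.match(line):
            findings["renamed"].append(line)
            continue
        m = RUN_ENTRY_RE.match(line)
        if m:
            by_size[int(m["size"])].append(m["name"])
            continue
        m = POLICY_RE.match(line)
        if m and m["val"] == TAMPERED_VALUE[m["key"]]:
            findings["policy"].append(m["key"])
            continue
        m = TASK_RE.match(line)
        if m:
            current_job = m["job"]
            continue
        m = TASK_TARGET_RE.match(line)
        if m and current_job:
            task_target[current_job] = m["target"].lower()
            current_job = None
    # Unrelated autostarts sharing one byte size (27648 above): one dropper copied over each.
    findings["cloned_size"] = {s: n for s, n in by_size.items()
                               if len(n) >= min_cloned}
    # At1.job ... AtN.job are not created by normal software; what they launch is suspect.
    for job, target in task_target.items():
        if AT_JOB_RE.match(job):
            findings["at_jobs"].append(job)
            if target not in findings["at_targets"]:
                findings["at_targets"].append(target)
    return findings


def draft_cfscript(findings):
    """Draft the three directives m0le's post uses from the findings."""
    parts = []
    if findings["renamed"]:
        parts.append("RenV::\n" + "\n".join(findings["renamed"]))
    if findings["at_jobs"]:
        parts.append("AtJob::")
    if findings["at_targets"]:
        parts.append("File::\n" + "\n".join(findings["at_targets"]))
    return "\n\n".join(parts) + "\n"
```

Policy tampering and cloned file sizes are reported but not scripted, since the CFScript in the post above does not act on them either.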

#14 rmrippers

rmrippers
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:03:06 AM

Posted 28 March 2010 - 10:39 AM

Here's the ComboFix. Malwarebytes on its way:

ComboFix 10-03-26.02 - Rippers 28/03/2010 15:02:48.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.824 [GMT 1:00]
Running from: c:\users\Rippers\Desktop\comfix.exe
Command switches used :: c:\users\Rippers\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\program files\internet explorer\wmpscfgs.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Adobe\240132.old
c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\internet explorer\wmpscfgs.exe
c:\windows\system32\app_dll.dll
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\rthdvcpl .exe
c:\windows\system32\rundll32 .exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-28 14:14 . 2010-03-28 14:38 -------- d-----w- c:\users\Rippers\AppData\Local\temp
2010-03-28 14:14 . 2010-03-28 14:14 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-28 14:14 . 2010-03-28 14:14 -------- d-----w- c:\users\Mummy Ripley\AppData\Local\temp
2010-03-28 14:14 . 2010-03-28 14:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-28 13:32 . 2010-03-28 14:38 94208 ----a-w- c:\windows\system32\app_dll.dll
2010-03-28 01:51 . 2010-03-28 01:51 -------- d-----w- C:\_OTM
2010-03-28 01:02 . 2010-03-28 01:17 -------- d-----w- C:\comfix9876c
2010-03-27 23:35 . 2010-03-27 23:48 -------- d-----w- C:\comfix3920c
2010-03-27 18:27 . 2010-03-27 21:34 -------- d-----w- c:\users\Rippers\AppData\Local\Adobe
2010-03-27 16:57 . 2010-03-27 17:36 -------- d-----w- C:\comfix
2010-03-25 17:00 . 2010-03-28 14:38 27648 ----a-w- c:\windows\system32\rthdvcpl.exe
2010-03-24 13:34 . 2010-03-24 13:34 -------- d-----w- c:\users\Rippers\AppData\Local\Apple
2010-03-23 00:33 . 2010-03-23 00:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-23 00:33 . 2010-03-23 11:04 -------- d-----w- c:\users\Rippers\AppData\Roaming\SUPERAntiSpyware.com
2010-03-23 00:33 . 2010-03-23 11:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-23 00:30 . 2010-03-23 00:30 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-23 00:27 . 2008-01-02 16:33 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-22 23:20 . 2010-03-22 23:20 -------- d--h--w- c:\users\Rippers\AppData\Local\acer eNM
2010-03-22 16:44 . 2010-03-22 16:51 -------- d-----w- c:\program files\MagicISO
2010-03-22 16:39 . 2010-03-22 22:44 -------- d-----w- c:\program files\File Helper
2010-03-22 16:24 . 2010-03-22 16:24 -------- d-----w- c:\windows\Sun
2010-03-22 15:30 . 2010-03-22 15:30 -------- d-----w- c:\programdata\Azureus
2010-03-12 01:04 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-12 01:04 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-12 01:04 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 14:40 . 2008-09-05 17:26 -------- d-----w- c:\programdata\Kontiki
2010-03-28 14:38 . 2008-05-30 08:48 -------- d-----w- c:\program files\iTunes
2010-03-28 14:38 . 2008-05-20 12:38 -------- d-----w- c:\program files\QuickTime
2010-03-28 14:38 . 2007-11-27 07:24 -------- d-----w- c:\program files\Launch Manager
2010-03-28 14:03 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-28 14:03 . 2008-01-02 17:06 27648 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-28 14:03 . 2008-01-02 17:07 27648 ----a-w- c:\windows\system32\igfxtray.exe
2010-03-28 14:03 . 2006-11-02 08:48 27648 ----a-w- c:\windows\system32\rundll32.exe
2010-03-28 13:30 . 2009-11-10 16:09 -------- d-----w- c:\users\Rippers\AppData\Roaming\skypePM
2010-03-28 13:29 . 2008-05-28 09:54 -------- d-----w- c:\programdata\avg8
2010-03-28 12:38 . 2009-11-10 16:07 -------- d-----w- c:\users\Rippers\AppData\Roaming\Skype
2010-03-28 00:24 . 2008-05-28 14:37 0 ----a-w- c:\users\Mummy Ripley\AppData\Local\prvlcl.dat
2010-03-27 14:46 . 2009-07-24 08:45 680 ----a-w- c:\users\Rippers\AppData\Local\d3d9caps.dat
2010-03-26 12:39 . 2007-06-25 01:38 -------- d-----w- c:\program files\Norton Internet Security
2010-03-26 12:39 . 2007-06-25 01:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-12 10:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-12 01:10 . 2007-06-25 01:48 -------- d-----w- c:\programdata\Microsoft Help
2010-02-25 09:21 . 2010-02-25 09:21 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-02-25 09:20 . 2008-03-26 17:49 100432 ----a-w- c:\users\Rippers\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 10:16 . 2009-10-05 07:58 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-15 16:55 . 2010-02-15 16:55 -------- d-----w- c:\users\Rippers\AppData\Roaming\Trusteer
2010-02-15 16:55 . 2010-02-15 16:55 -------- d-----w- c:\program files\Trusteer
2010-02-15 16:54 . 2010-02-15 16:54 -------- d-----w- c:\programdata\Trusteer
2010-01-25 12:00 . 2010-02-24 17:23 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 17:23 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 17:23 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 17:23 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 17:23 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 17:23 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 17:23 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 17:23 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 17:23 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 17:24 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-06 15:39 . 2010-02-24 17:23 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-24 17:23 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:38 . 2010-02-24 17:23 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 17:23 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 15:38 . 2010-02-24 17:23 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 17:23 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 13:30 . 2010-02-24 17:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2007-11-27 07:58 . 2007-11-27 07:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
CODE
<pre>
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\pifsvc .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Samsung\Samsung New PC Studio\npsagent .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Windows Live\Messenger\msnmsgr       .exe
c:\program files\Windows Live\Messenger\msnmsgr      .exe
c:\program files\Windows Live\Messenger\msnmsgr     .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2010-03-28 27648]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2010-03-28 27648]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-03-28 27648]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-28 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2010-03-28 27648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-26 27648]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-03-26 27648]
"Acer Tour"="" [N/A]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-13 178712]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2010-03-28 27648]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2010-03-28 27648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-26 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"eRecoveryService"="" [N/A]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2010-03-26 27648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-28 27648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-28 27648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-28 27648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-20 2046816]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NPSStartup"="" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-6-25 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):23,a9,f6,74,50,41,ca,01

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-17 335240]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080623.001\IDSvix86.sys [2008-03-12 261680]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-02-17 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-02-17 108904]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-17 297752]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-02-17 779496]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-03-18 109616]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2006-11-21 37008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-03-25 c:\windows\Tasks\Norton Security Scan for Rippers.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-13 12:50]

2010-03-28 c:\windows\Tasks\User_Feed_Synchronization-{4AA846E1-A3B1-4E18-A467-B6943D08ED4E}.job
- c:\windows\system32\msfeedssync.exe [2008-05-30 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Rippers\AppData\Roaming\Mozilla\Firefox\Profiles\0cs5blnp.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

c:\acer\Empowering Technology\eNet\eNet Service.exe [2640]
c:\program files\cyberlink\powerdvd\pdvdserv .exe [5448]
c:\program files\synaptics\syntp\syntpenh .exe [5516]
c:\program files\intel\intel matrix storage manager\iaanotif .exe [5612]
c:\program files\itunes\ituneshelper .exe [5624]
c:\program files\launch manager\lmanager .exe [5888]
c:\program files\avg\avg8\avgtray .exe [5916]
c:\program files\microsoft office\office12\groovemonitor .exe [5928]
c:\program files\java\jre6\bin\jusched .exe [6080]
c:\program files\samsung\samsung new pc studio\npsagent .exe [6128]
c:\program files\windows live\messenger\msnmsgr .exe [4272]
c:\program files\skype\phone\skype .exe [3836]
c:\acer\empowering technology\edatasecurity\edsloader .exe [4676]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\app_dll.dll

- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\app_dll.dll

- - - - - - - > 'Explorer.exe'(9856)
c:\windows\system32\app_dll.dll
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2010-03-28 15:46:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 14:45
ComboFix2.txt 2010-03-28 02:33
ComboFix3.txt 2010-03-28 01:17
ComboFix4.txt 2010-03-27 23:48
ComboFix5.txt 2010-03-28 13:37

Pre-Run: 32,423,858,176 bytes free
Post-Run: 32,296,349,696 bytes free

- - End Of File - - EF2C5CCC5D7BAC7A71521CC5DD9D4A39


#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 March 2010 - 11:56 AM

Okay, let me tell you where we are. You have a Vundo infection; this one comes with a file infector. We have done all we can to try and deal with the infected files and we have also cleaned the PC - the MBAM report should confirm this.

After all the work there are still uncleanable programs on the Combofix log and they will need to be uninstalled and reinstalled.

After the MBAM run we will deal with that.
m0le is a proud member of UNITE



