
Infected with spcgame


This topic is locked
17 replies to this topic

#1 hughc
  • Members
  • 10 posts

Posted 23 March 2010 - 09:59 AM

Hi,

My computer has malware. The IExplorer opens and displays 5 different windows in succession. The most common website is spcgame.com. This happens every hour.
It's been chased with Malwarebytes, AVG, Windows Defender and Spybot Search and Destroy. None have helped.
I removed IE using windows add/remove windows components but the IE windows still opened.
My list of programs in add/remove programs has an entry-
Sereby's Updatepack - IE 8 Add On Version 1.0.7.
There is no removal tool.
I don't think this is the about blank virus.
The logs are attached.

Hugh

Attached Files




#2 Grinler
    Lawrence Abrams
  • Admin
  • 43,568 posts
  • Gender:Male
  • Location:USA

Posted 23 March 2010 - 10:10 AM

Please download autoruns from the below link and save it to your desktop:

http://live.sysinternals.com/autoruns.exe

Once downloaded, double-click on autoruns.exe and agree to the license.

When the program opens it will start filling up with data.

Then click on the File menu and select Save

Change the save as type to text and save the autoruns.txt to your desktop.

Then post the autoruns.txt as an attachment to your next post.

#3 hughc
  • Topic Starter
  • Members
  • 10 posts

Posted 23 March 2010 - 10:16 AM

Attached is the Autoruns log.

Thanks,

Hugh

Attached Files



#4 Grinler
    Lawrence Abrams
  • Admin
  • 43,568 posts
  • Gender:Male
  • Location:USA

Posted 23 March 2010 - 10:38 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#5 hughc
  • Topic Starter
  • Members
  • 10 posts

Posted 23 March 2010 - 11:21 AM

Here is the log from combofix.

hugh

Attached Files



#6 hughc
  • Topic Starter
  • Members
  • 10 posts

Posted 23 March 2010 - 12:29 PM

As a note, the problem is still on the system after running ComboFix.

Hugh

#7 Grinler
    Lawrence Abrams
  • Admin
  • 43,568 posts
  • Gender:Male
  • Location:USA

Posted 23 March 2010 - 12:33 PM

Going forward please post the logs directly into the body of the reply. No need to attach them unless asked to. Thanks
Does this file exist?

c:\windows\system32\winsys2.exe

If so, please submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=3

Also do you have a C:\log.txt file?

Do this please:

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    sfcfiles.dll
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop. Post the content of the log and the ark.txt from the gmer scan in your next reply


#8 hughc
  • Topic Starter
  • Members
  • 10 posts

Posted 23 March 2010 - 12:51 PM

This is the output from SystemLook.

Thanks for your trouble,

Hugh


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:46 on 23/03/2010 by hughc (Administrator - Elevation successful)

========== filefind ==========

Searching for "sfcfiles.dll"
C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [13:35 05/11/2009] [13:35 05/11/2009] 600D58665D16BFBB776EFEFB0E80532D

-=End Of File=-

#9 Grinler
    Lawrence Abrams
  • Admin
  • 43,568 posts
  • Gender:Male
  • Location:USA

Posted 23 March 2010 - 01:45 PM

First download SfcFiles.dll from the following location and save it to your C:\ folder.

http://download.bleepingcomputer.com/winfiles/sfcfiles.dll

Then reboot your computer.

On the black screen with the startup menu select Microsoft Windows Recovery Console.

When the recovery console has started there is a menu where you're asked to select which Windows installation you want to log in to; usually there is only one:

1. C:\WINDOWS

Select the number and press Enter

If it asks you to type the administrator password, do so, then press Enter. If you are unsure what the administrator password is, do not type anything and press Enter.

It should then come up with C:\WINDOWS>

Now type in the following line and press Enter.

COPY C:\windows\system32\sfcfiles.dll C:\Windows\System32\sfcfiles.bak

Then type in the following line and press Enter.

COPY C:\sfcfiles.dll C:\windows\system32\dllcache\sfcfiles.dll

It will then ask if you want to overwrite sfcfiles.dll, press Y then Enter

If successful it should say "1 file(s) copied"

Now type in the following line, then press Enter.

COPY C:\sfcfiles.dll C:\windows\system32\sfcfiles.dll

It will then ask if you want to overwrite sfcfiles.dll, press Y then Enter

If successful it should say "1 file(s) copied"

Then type EXIT and press Enter to reboot the machine.

When your computer has rebooted perform the following:
  • Double-click the SystemLook program again and copy/paste the following into the box
    :filefind
    sfcfiles.dll
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop. Post the content of the log and the ark.txt from the gmer scan in your next reply


#10 hughc
  • Topic Starter
  • Members
  • 10 posts

Posted 24 March 2010 - 08:29 AM

Hi,

The file find -
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:05 on 23/03/2010 by hughc (Administrator - Elevation successful)

========== filefind ==========

Searching for "sfcfiles.dll"
C:\sfcfiles.dll --a--- 1614848 bytes [19:55 23/03/2010] [19:55 23/03/2010] 9DD07AF82244867CA36681EA2D29CE79
C:\WINDOWS\system32\dllcache\sfcfiles.dll --a--c 1614848 bytes [19:55 23/03/2010] [19:55 23/03/2010] 9DD07AF82244867CA36681EA2D29CE79
C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [19:55 23/03/2010] [19:55 23/03/2010] 9DD07AF82244867CA36681EA2D29CE79

-=End Of File=-

The scan took all night. It spent hours checking this directory
c:\documents and setting\hughc\ocal\application data\microsoft\media player\Art Cache\localMLS\*
I have 25000 albums on this system's E drive!


And the scan-

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-24 06:27:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\hughc\LOCALS~1\Temp\uxtdypod.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs B2B6A400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{9BA71FCD-08E0-A7B6-4E00-07FD5BD86CB8}\InprocServer32@ query.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{9BA71FCD-08E0-A7B6-4E00-07FD5BD86CB8}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{D47D7B35-4F6A-80E6-C096-141DBD025A47}\InprocServer32@ C:\WINDOWS\system32\scrobj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{D47D7B35-4F6A-80E6-C096-141DBD025A47}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{D47D7B35-4F6A-80E6-C096-141DBD025A47}\ProgID@ Scriptlet.TypeLib



Hugh
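The two SystemLook outputs in this thread (post #8 before the replacement, post #10 after it) carry the detail a defender looks for when a system file is suspect: the system32 copy of sfcfiles.dll kept its exact size (1614848 bytes) but its MD5 changed from 600D5866... to 9DD07AF8..., and after the fix all three copies (C:\, dllcache, system32) agree. The script below is an added example, not part of the thread and not SystemLook's own code; it parses the `filefind` line format and automates those two checks. The log text is a constructed sample copied from the posts above.

```python
"""Parse SystemLook ':filefind' output and check hash agreement between copies.

Added example for the thread above; the log samples are constructed from the
two SystemLook reports the topic starter posted (before and after the fix).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: SystemLook report from post #8 (before sfcfiles.dll was replaced).
LOG_BEFORE = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:46 on 23/03/2010 by hughc (Administrator - Elevation successful)

========== filefind ==========

Searching for "sfcfiles.dll"
C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [13:35 05/11/2009] [13:35 05/11/2009] 600D58665D16BFBB776EFEFB0E80532D

-=End Of File=-
"""

# Constructed sample: SystemLook report from post #10 (after the recovery-console copy).
LOG_AFTER = r"""
Searching for "sfcfiles.dll"
C:\sfcfiles.dll --a--- 1614848 bytes [19:55 23/03/2010] [19:55 23/03/2010] 9DD07AF82244867CA36681EA2D29CE79
C:\WINDOWS\system32\dllcache\sfcfiles.dll --a--c 1614848 bytes [19:55 23/03/2010] [19:55 23/03/2010] 9DD07AF82244867CA36681EA2D29CE79
C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [19:55 23/03/2010] [19:55 23/03/2010] 9DD07AF82244867CA36681EA2D29CE79

-=End Of File=-
"""

# One filefind hit: <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    attrs: str
    size: int
    md5: str


def parse_systemlook(text):
    """Return the filefind hits in a SystemLook report; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]), m["md5"].upper()))
    return entries


def hash_groups(entries):
    """Group hits by file name (case-insensitive) and collect the distinct MD5s seen for each."""
    groups = defaultdict(set)
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1].lower()
        groups[name].add(e.md5)
    return {name: sorted(md5s) for name, md5s in groups.items()}


def inconsistent_names(entries):
    """File names whose copies (system32, dllcache, reference copy) do not share one MD5."""
    return sorted(name for name, md5s in hash_groups(entries).items() if len(md5s) > 1)


def compare_logs(before_text, after_text):
    """For paths present in both reports, record MD5 changes and whether the size stayed equal.

    A changed hash with an unchanged size is the pattern seen on the system32
    copy of sfcfiles.dll in this thread.
    """
    before = {e.path.lower(): e for e in parse_systemlook(before_text)}
    after = {e.path.lower(): e for e in parse_systemlook(after_text)}
    changes = {}
    for path in before.keys() & after.keys():
        b, a = before[path], after[path]
        if b.md5 != a.md5:
            changes[path] = {"old_md5": b.md5, "new_md5": a.md5, "same_size": b.size == a.size}
    return changes


if __name__ == "__main__":
    print("before:", inconsistent_names(parse_systemlook(LOG_BEFORE)) or "single copy")
    print("after: ", inconsistent_names(parse_systemlook(LOG_AFTER)) or "all copies agree")
    for path, info in compare_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{path}: {info['old_md5']} -> {info['new_md5']} (same size: {info['same_size']})")
```

Run it with two saved SystemLook reports in place of the constructed samples; `inconsistent_names` is the quick "do the dllcache and system32 copies agree" check, and `compare_logs` is the before/after view used when a known-good copy has been dropped in.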



#11 Grinler
    Lawrence Abrams
  • Admin
  • 43,568 posts
  • Gender:Male
  • Location:USA

Posted 24 March 2010 - 09:37 AM

Ok thanks. Yeah, it can take forever if you have folders with tons of files in it.

We now have the right version of sfcfiles.dll installed.

Please submit the C:\Windows\System32\sfcfiles.bak file to http://www.bleepingcomputer.com/submit-malware.php?channel=3

Also resubmit the c:\windows\system32\winsys2.exe file to the above url as well. We had problems with the submission system yesterday

Thanks

#12 hughc
  • Topic Starter
  • Members
  • 10 posts

Posted 24 March 2010 - 10:24 AM

The files are uploaded.
Thanks for the assistance. I'll monitor for a while and see what happens.
Following simple instructions was more difficult than it should have been. I'll have to work on it!

Hugh

#13 Grinler
    Lawrence Abrams
  • Admin
  • 43,568 posts
  • Gender:Male
  • Location:USA

Posted 25 March 2010 - 04:16 PM

Can you zip up and submit the following folder:

C:\Documents and Settings\user name\Application Data\Macromedia\Flash Player\

to http://www.bleepingcomputer.com/submit-malware.php?channel=3


#14 Grinler
    Lawrence Abrams
  • Admin
  • 43,568 posts
  • Gender:Male
  • Location:USA

Posted 26 March 2010 - 01:35 PM

Give me a new combofix log please.

#15 hughc
  • Topic Starter
  • Members
  • 10 posts

Posted 26 March 2010 - 03:17 PM

Thanks again for all your assistance. The virus hasn't been seen in days.

Hugh

The output from Combofix follows. It updated automatically.

ComboFix 10-03-26.01 - hughc 03/26/2010 13:03:28.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1204 [GMT -7:00]
Running from: c:\documents and settings\hughc\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-23 19:55 . 2010-03-23 19:55 1614848 -c--a-w- c:\windows\system32\dllcache\sfcfiles.dll
2010-03-23 19:55 . 2010-03-23 19:55 1614848 ----a-w- c:\windows\system32\sfcfiles.dll
2010-03-23 19:55 . 2010-03-23 19:55 1614848 ----a-w- C:\sfcfiles.dll
2010-03-22 04:00 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-03-22 03:59 . 2010-03-26 14:15 -------- d-----w- c:\documents and settings\hughc\Application Data\XBMC
2010-03-22 03:59 . 2010-03-22 04:02 -------- d-----w- c:\program files\XBMC
2010-03-13 18:09 . 2010-03-13 18:09 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-03-13 16:54 . 2010-03-13 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-13 16:54 . 2010-03-13 16:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-10 02:29 . 2009-11-13 20:23 32824 ----a-w- c:\windows\system32\rrMon.sys
2010-03-10 02:29 . 2010-03-10 02:29 -------- d-----w- c:\program files\Registrar Registry Manager
2010-02-27 19:41 . 2009-09-05 01:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-02-27 19:41 . 2006-09-29 00:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-02-25 15:28 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-25 15:28 . 2010-02-25 15:28 -------- d-----w- c:\program files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 14:46 . 2010-02-14 16:16 -------- d-----w- c:\documents and settings\hughc\Application Data\Doppler
2010-03-25 02:11 . 2010-02-20 14:47 -------- d-----w- c:\documents and settings\hughc\Application Data\vlc
2010-03-25 02:09 . 2010-02-20 14:47 -------- d-----w- c:\documents and settings\hughc\Application Data\dvdcss
2010-03-23 17:18 . 2010-02-07 20:51 -------- d-----w- c:\program files\RealFlightG3
2010-02-28 03:07 . 2010-02-27 19:40 -------- d-----w- c:\documents and settings\hughc\Application Data\Winamp
2010-02-27 19:41 . 2010-02-27 19:40 -------- d-----w- c:\program files\Winamp
2010-02-27 19:40 . 2010-02-27 19:40 -------- d-----w- c:\program files\Winamp Detect
2010-02-25 15:24 . 2010-02-23 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-24 16:04 . 2010-02-24 16:04 -------- d-----w- c:\program files\Common Files\Java
2010-02-24 16:04 . 2010-02-24 16:04 348160 ----a-w- c:\documents and settings\hughc\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fee6af9-n\msvcr71.dll
2010-02-24 16:04 . 2010-02-24 16:04 503808 ----a-w- c:\documents and settings\hughc\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fee6af9-n\msvcp71.dll
2010-02-24 16:04 . 2010-02-24 16:04 61440 ----a-w- c:\documents and settings\hughc\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-239b3a40-n\decora-sse.dll
2010-02-24 16:04 . 2010-02-24 16:04 499712 ----a-w- c:\documents and settings\hughc\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fee6af9-n\jmc.dll
2010-02-24 16:04 . 2010-02-24 16:04 12800 ----a-w- c:\documents and settings\hughc\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-239b3a40-n\decora-d3d.dll
2010-02-24 16:04 . 2010-02-24 16:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 16:04 . 2010-02-24 16:04 -------- d-----w- c:\program files\Java
2010-02-23 15:38 . 2010-02-24 14:17 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-23 15:38 . 2010-02-24 14:17 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-23 15:38 . 2010-02-23 15:38 -------- d-----w- c:\program files\AVG
2010-02-20 16:13 . 2010-02-20 16:13 -------- d-----w- c:\documents and settings\hughc\Application Data\Malwarebytes
2010-02-20 16:13 . 2010-02-20 16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 16:13 . 2010-02-20 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-20 14:49 . 2010-02-07 17:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-20 14:49 . 2010-02-07 18:12 -------- d-----w- c:\program files\CyberLink
2010-02-20 14:49 . 2010-02-07 17:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-20 14:45 . 2010-02-20 14:45 -------- d-----w- c:\program files\VideoLAN
2010-02-19 14:45 . 2010-02-19 14:45 -------- d-----w- c:\program files\PowerISO
2010-02-15 14:33 . 2010-02-07 18:03 12728 ----a-w- c:\documents and settings\hughc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-15 14:29 . 2010-02-15 14:29 -------- d-----w- c:\program files\MSBuild
2010-02-15 14:28 . 2010-02-15 14:28 -------- d-----w- c:\program files\Reference Assemblies
2010-02-15 14:23 . 2010-02-07 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-15 14:22 . 2010-02-15 14:22 50 ----a-w- c:\windows\system32\bridf08b.dat
2010-02-15 14:22 . 2010-02-15 14:22 -------- d-----w- c:\program files\Brother
2010-02-15 14:22 . 2010-02-15 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2010-02-14 16:16 . 2010-02-14 16:15 -------- d-----w- c:\program files\Doppler
2010-02-13 16:24 . 2010-02-13 16:23 -------- d-----w- c:\program files\Google
2010-02-11 15:29 . 2010-02-10 15:45 -------- d-----w- c:\documents and settings\hughc\Application Data\Apple Computer
2010-02-11 15:28 . 2010-02-10 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-11 14:54 . 2010-02-11 14:54 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-10 15:45 . 2010-02-10 15:44 -------- d-----w- c:\program files\iTunes
2010-02-10 15:45 . 2010-02-10 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-10 15:44 . 2010-02-10 15:44 -------- d-----w- c:\program files\iPod
2010-02-10 15:44 . 2010-02-10 15:42 -------- d-----w- c:\program files\Common Files\Apple
2010-02-10 15:44 . 2010-02-10 15:44 -------- d-----w- c:\program files\Bonjour
2010-02-10 15:44 . 2010-02-10 15:44 -------- d-----w- c:\program files\QuickTime
2010-02-10 15:44 . 2010-02-10 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-10 15:43 . 2010-02-10 15:43 -------- d-----w- c:\program files\Apple Software Update
2010-02-09 09:29 . 2010-02-08 00:21 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-08 19:12 . 2010-02-08 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-02-08 04:48 . 2010-02-08 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-02-08 04:25 . 2010-02-07 20:51 -------- d-----w- c:\program files\Common Files\KnifeEdge
2010-02-08 00:23 . 2010-02-08 00:23 -------- d-----w- c:\program files\microsoft frontpage
2010-02-08 00:19 . 2010-02-08 00:19 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-08 00:18 . 2010-02-08 00:18 -------- d-----w- c:\program files\Windows Media Connect 2
2010-02-07 21:37 . 2010-02-07 21:37 -------- d-----w- c:\documents and settings\hughc\Application Data\CyberLink
2010-02-07 21:09 . 2010-02-07 21:09 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-02-07 21:05 . 2010-02-07 21:05 0 ----a-w- c:\windows\nsreg.dat
2010-02-07 18:15 . 2010-02-07 18:15 -------- d-----w- c:\program files\LiveUpdate
2010-02-07 18:08 . 2010-02-07 18:07 -------- d-----w- c:\program files\ASRock Utility
2010-02-07 18:06 . 2010-02-07 18:06 -------- d-----w- c:\program files\AMD
2010-02-07 18:06 . 2010-02-07 18:06 -------- d-----w- c:\documents and settings\hughc\Application Data\InstallShield
2010-02-07 18:05 . 2010-02-07 18:05 -------- d-----w- c:\program files\Realtek
2010-02-07 17:49 . 2010-02-07 17:49 -------- d-----w- c:\program files\NVIDIA Corporation
2010-02-04 17:01 . 2010-03-22 04:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 17:01 . 2010-03-22 04:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 17:01 . 2010-03-22 04:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 17:01 . 2010-03-22 04:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-01-23 03:51 . 2010-01-23 03:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-08 00:07 . 2010-02-20 16:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2010-02-20 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 20:08 . 2010-02-19 15:06 57856 ----a-w- c:\documents and settings\hughc\Application Data\Mozilla\Firefox\Profiles\vlzm07lk.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-06 20:08 . 2010-02-19 15:06 545280 ----a-w- c:\documents and settings\hughc\Application Data\Mozilla\Firefox\Profiles\vlzm07lk.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-06 20:08 . 2010-02-19 15:06 4726272 ----a-w- c:\documents and settings\hughc\Application Data\Mozilla\Firefox\Profiles\vlzm07lk.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-06 20:08 . 2010-02-19 15:06 4725760 ----a-w- c:\documents and settings\hughc\Application Data\Mozilla\Firefox\Profiles\vlzm07lk.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-06 20:08 . 2010-02-19 15:06 344064 ----a-w- c:\documents and settings\hughc\Application Data\Mozilla\Firefox\Profiles\vlzm07lk.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-06 20:08 . 2010-02-19 15:06 153600 ----a-w- c:\documents and settings\hughc\Application Data\Mozilla\Firefox\Profiles\vlzm07lk.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-06 20:08 . 2010-02-19 15:06 103424 ----a-w- c:\documents and settings\hughc\Application Data\Mozilla\Firefox\Profiles\vlzm07lk.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-12-31 16:50 . 2009-11-05 12:53 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-23_16.10.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-24 13:49 . 2010-03-24 13:49 16384 c:\windows\Temp\Perflib_Perfdata_4b0.dat
+ 2008-04-14 11:00 . 2010-03-24 13:53 67516 c:\windows\system32\perfc009.dat
- 2008-04-14 11:00 . 2010-03-23 14:45 67516 c:\windows\system32\perfc009.dat
+ 2008-04-14 11:00 . 2010-03-24 13:53 432686 c:\windows\system32\perfh009.dat
- 2008-04-14 11:00 . 2010-03-23 14:45 432686 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASRockIES"="c:\program files\ASRock Utility\IES\AsrIes.exe" [2008-12-08 5317128]
"BTCLiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2004-03-08 430080]
"zASRockInstantBoot"="c:\program files\ASRock Utility\InstantBoot\InstantBoot.exe" [2008-11-20 1489408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 17331200]
"WinSys2"="c:\windows\system32\winsys2.exe" [2009-08-25 208896]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-22 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE8"="advpack.dll" [2009-11-05 128512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 23:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 09:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Brother\\Brmfl08b\\FAXRX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 AsrIbDrv;AsrIbDrv;\??\c:\windows\system32\Drivers\AsrIbDrv.sys --> c:\windows\system32\Drivers\AsrIbDrv.sys [?]
R3 IesDrv;IesDrv;\??\c:\windows\system32\Drivers\IesDrv.sys --> c:\windows\system32\Drivers\IesDrv.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [8/21/2009 9:24 PM 57248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2010 9:23 AM 135664]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 16:23]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 16:23]

2010-03-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2010-03-26 c:\windows\Tasks\User_Feed_Synchronization-{BA9DD05B-81A8-4D0A-B556-CEEE66B044B6}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 12:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
LSP: %SYSTEMROOT%\system32\nvLsp.dll
FF - ProfilePath - c:\documents and settings\hughc\Application Data\Mozilla\Firefox\Profiles\vlzm07lk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\documents and settings\hughc\Application Data\Mozilla\Firefox\Profiles\vlzm07lk.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\hughc\Application Data\Mozilla\Firefox\Profiles\vlzm07lk.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 13:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(512)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-26 13:13:27
ComboFix-quarantined-files.txt 2010-03-26 20:13
ComboFix2.txt 2010-03-23 16:17

Pre-Run: 78,642,601,984 bytes free
Post-Run: 78,685,941,760 bytes free

- - End Of File - - F24DB92DE7F7BAF6346C0DE82A9BCDB8
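The "Reg Loading Points" section of the ComboFix log above is where the helper found the `WinSys2` entry pointing at c:\windows\system32\winsys2.exe, the file he asked to have submitted. The script below is an added example, not part of the thread and not ComboFix's own code; it parses that REGEDIT4-style block into a map of registry key to autostart values so an analyst can list, for instance, every Run entry whose image lives under a given directory. The sample text is constructed from the Run, RunOnce and SafeBoot entries in the log above.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log into autostart entries.

Added example for the thread above; the sample block is copied from the
REGEDIT4 section of the ComboFix log the topic starter posted.
"""
import re

# Constructed sample: the Run/RunOnce/SafeBoot keys from the ComboFix log above.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASRockIES"="c:\program files\ASRock Utility\IES\AsrIes.exe" [2008-12-08 5317128]
"BTCLiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2004-03-08 430080]
"zASRockInstantBoot"="c:\program files\ASRock Utility\InstantBoot\InstantBoot.exe" [2008-11-20 1489408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 17331200]
"WinSys2"="c:\windows\system32\winsys2.exe" [2009-08-25 208896]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-22 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE8"="advpack.dll" [2009-11-05 128512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
"""

HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "Name"="image" [date size]   (the bracketed part is absent or "[X]" for some entries)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?$')


def parse_loading_points(text):
    """Return {registry key: [(value name, image path, metadata or None), ...]}.

    Only named string values are collected; default values such as @="Service"
    and the msconfig file listings are left out, so a key can map to an empty list.
    """
    points = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "REGEDIT4":
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("[HKLM\\~\\"):  # firewall-policy section uses another format; stop
            break
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            points.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            points[current].append((m["name"], m["image"], m["meta"]))
    return points


def images_under(points, prefix):
    """Autostart values whose image path starts with `prefix` (case-insensitive)."""
    prefix = prefix.lower()
    return [
        (key, name, image)
        for key, values in points.items()
        for name, image, _meta in values
        if image.lower().startswith(prefix)
    ]


if __name__ == "__main__":
    pts = parse_loading_points(SAMPLE_LOG)
    for key, values in pts.items():
        print(f"{key}: {len(values)} value(s)")
    for key, name, image in images_under(pts, r"c:\windows\system32\\"[:-1]):
        print(f"  {name} -> {image}")
```

Point `parse_loading_points` at a full ComboFix log and filter with `images_under` (a system directory, a user profile, a temp folder) to get a short list of autostarts worth checking against a file-submission or hash-lookup service, which is how the thread narrowed in on winsys2.exe.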




