
I guess it's TDSS !!


33 replies to this topic

#1 sreez


  • Members
  • 634 posts
  • Gender:Male
  • Location:Dubai(UAE)

Posted 08 April 2010 - 07:52 AM

Hello Guys,

This is one of the computers in our office which has been infected. Actually, when it was first infected I ran MBAM and thought it was all clear, but a few days later my client said the computer is so slow.

When I checked it, an infection was found and MBAM removed it, but when we restart the computer the infection comes back. As I am still at training level over here, I don't want to play with tools yet!

Anyway, here are the recent MBAM logs; as you can see, the infection comes back again and again. I am using the client's login, as the infection shows more entries in that login account but not in mine.

Also, I was able to run DDS, but when I ran GMER the system just went blue for some time and then went blank in the middle of scanning, and I had to reboot the system; therefore there is no GMER log.

So please help me with the removal of this one, and please tell me why those particular tools or entries are used for reduction (if possible).

Malwarebytes' Anti-Malware 1.44
Database version: 3816
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

07/04/2010 17:08:26
mbam-log-2010-04-07 (17-08-26).txt

Scan type: Quick Scan
Objects scanned: 203702
Time elapsed: 10 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer (Disable.MCProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\ConnectionsTab (Hijack.ConnectionControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (4) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Lauren\Application Data\mshppj32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.44
Database version: 3816
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

07/04/2010 18:07:00
mbam-log-2010-04-07 (18-07-00).txt

Scan type: Quick Scan
Objects scanned: 203655
Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





DDS (Ver_10-03-17.01) - NTFSx86
Run by lauren at 13:10:45.95 on 08/04/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1020.640 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Alt-N Technologies\ComAgent\ComAgent.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\userinit.exe
\\PARKBOX\Distributed\FOLDERS\Lauren\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = about:blank
mDefault_Page_URL = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\mskyqq32.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [userinit] c:\documents and settings\lauren\application data\mshppj32.exe
mRun: [IgfxTray] REM c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] REM c:\windows\system32\hkcmd.exe
mRun: [Persistence] REM c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] REM RTHDCPL.EXE
mRun: [SoundMan] REM SOUNDMAN.EXE
mRun: [AlcWzrd] REM ALCWZRD.EXE
mRun: [Alcmtr] REM ALCMTR.EXE
mRun: [SunJavaUpdateSched] REM c:\program files\java\jre1.5.0_05\bin\jusched.exe
mRun: [RemoteControl] REM "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] REM c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] REM "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [googletalk] REM "c:\program files\google\google talk\googletalk.exe" /autostart
mRun: [ATIModeChange] REM Ati2mdxx.exe
mRun: [BCMSMMSG] REM BCMSMMSG.exe
mRun: [CARPService] REM carpserv.exe
mRun: [C-Media Mixer] REM Mixer.exe /startup
mRun: [CoolSwitch] REM c:\windows\system32\taskswitch.exe
mRun: [igfxhkcmd] REM c:\windows\system32\hkcmd.exe
mRun: [igfxpers] REM c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] REM RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] REM RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] REM nwiz.exe /install
mRun: [S3TRAY2] REM S3tray2.exe
mRun: [SigmatelSysTrayApp] REM stsystra.exe
mRun: [SoundMAXPnP] REM c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPEnh] REM c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynTPLpr] REM c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [VTPreset] REM VTPreset.exe
mRun: [VTTimer] REM VTTimer.exe
mRun: [VTTrayp] REM VTtrayp.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\lauren\startm~1\programs\startup\alt-nc~1.lnk - c:\program files\alt-n technologies\comagent\ComAgent.exe
uPolicies-explorer: NoToolbarCustomize = 1 (0x1)
uPolicies-explorer: NoBandCustomize = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoNetConnectDisconnect = 1 (0x1)
uPolicies-explorer: NoManageMyComputerVerb = 1 (0x1)
uPolicies-explorer: EnforceShellExtensionSecurity = 1 (0x1)
uPolicies-explorer: NoHardwareTab = 1 (0x1)
uPolicies-explorer: NoSecurityTab = 1 (0x1)
uPolicies-explorer: NoRunasInstallPrompt = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoPropertiesMyDocuments = 1 (0x1)
uPolicies-explorer: NoPropertiesMyComputer = 1 (0x1)
uPolicies-explorer: NoPropertiesRecycleBin = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoRun = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoChangeStartMenu = 1 (0x1)
uPolicies-explorer: NoSetTaskbar = 1 (0x1)
uPolicies-explorer: RestrictCpl = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: NoDispCPL = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 172.24.1.13 NPI0CA344
Hosts: 172.24.1.204 kamborio.net
Hosts: 172.24.1.204 www.clubboulevard.com
Hosts: 172.24.1.14 NPI0C8351

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lauren\applic~1\mozilla\firefox\profiles\gispuqws.default\
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 iteraid;iteraid;c:\windows\system32\drivers\iteraid.sys [2008-1-9 25423]

=============== Created Last 30 ================

2010-04-08 12:10:15 100352 ----a-r- c:\docume~1\lauren\applic~1\mshppj32.exe
2010-04-01 15:53:18 0 d-----w- c:\program files\ESET
2010-03-17 13:01:03 5968 ----a-w- c:\documents and settings\lauren\.recently-used.xbel
2010-03-17 12:59:21 0 d-----w- c:\documents and settings\lauren\.thumbnails
2010-03-17 12:59:21 0 d-----w- c:\documents and settings\lauren\.gimp-2.4
2010-03-17 12:59:20 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_291d1c77
2010-03-17 12:59:20 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_251a847b
2010-03-17 12:59:20 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_1fed047b
2010-03-17 12:59:20 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_1084271a
2010-03-17 12:59:19 0 d-----w- c:\documents and settings\lauren\Contacts
2010-03-17 12:59:19 0 d-----w- c:\docume~1\lauren\applic~1\Sun_NTFRS_291c3b10
2010-03-17 12:59:19 0 d-----w- c:\docume~1\lauren\applic~1\Sun_NTFRS_2519731b
2010-03-17 12:59:19 0 d-----w- c:\docume~1\lauren\applic~1\Sun_NTFRS_1fec09cf
2010-03-17 12:59:19 0 d-----w- c:\docume~1\lauren\applic~1\Sun_NTFRS_10830f61
2010-03-17 12:48:37 54311 ----a-w- c:\windows\hppins01.dat
2010-03-17 12:48:37 2392 ------w- c:\windows\hppmdl01.dat
2010-03-17 12:46:14 0 d-----w- c:\windows\system32\NtmsData
2010-03-12 12:46:40 103720 ----a-w- c:\documents and settings\lauren\GoToAssistDownloadHelper.exe
2010-03-12 11:52:23 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_0b5b9232
2010-03-12 11:52:23 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_063c73b6
2010-03-10 13:16:23 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N
2010-03-10 11:31:27 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_04cb3e9f
2010-03-10 10:11:21 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_01525d18

==================== Find3M ====================

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll

============= FINISH: 13:10:52.75 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 18/02/2008 20:04:20
System Uptime: 04/08/2010 12:57:19 (-2831 hours ago)

Motherboard: Dell Inc. | | 0CU409
Processor: Intel® Pentium® Dual CPU E2140 @ 1.60GHz | Socket 775 | 1596/200mhz
Processor: Intel® Pentium® Dual CPU E2140 @ 1.60GHz | Socket 775 | 1596/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 211.549 GiB free.
D: is CDROM ()
E: is Removable
H: is NetworkDisk (NTFS) - 1 GiB total, 126.504 GiB free.
X: is NetworkDisk (NTFS) - 128 GiB total, 101.976 GiB free.
Y: is NetworkDisk (NTFS) - 1 GiB total, 37.554 GiB free.
Z: is NetworkDisk (NTFS) - 1 GiB total, 126.504 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


2007 Microsoft Office Suite Service Pack 2 (SP2)
AC3Filter (remove only)
Adobe Reader 8.1.1
Alt-N ComAgent
AutoUpdate
Citrix Presentation Server Client
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
DivX
DivX Player
ESET Online Scanner v3
GIMP 2.4.2
Google Talk (remove only)
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB936357-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Color LaserJet 2820/2830/2840 2.0
HP Image Zone 4.7
hppFaxUtility
hppIOFiles
hppManuals2800
hppscan2800
hppTooCool
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
JAlbum 7.4
Java™ 6 Update 3
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft AutoRoute 2007
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Reader
Microsoft Reader Text-to-Speech for English
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.15)
Mozilla Firefox (3.5.6)
Mozilla Thunderbird (2.0.0.9)
MSVCRT
MSXML 6 Service Pack 2 (KB973686)
Nero OEM
oggcodecs 0.71.0946
Opera 9.25
Outlook Connector for MDaemon Plug-in
PowerDVD
QFolder
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Skype™ 3.6
Skype™ 4.1
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB977724)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb979895)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.2 final uninstall
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

06/04/2010 10:51:29, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {0C0A3666-30C9-11D0-8F20-00805F2CD064} to the user PARKBOX\lauren SID (S-1-5-21-1202660629-73586283-725345543-1719). This security permission can be modified using the Component Services administrative tool.
01/04/2010 16:33:33, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor iteatapi iteraid viamraid

==== End Of File ===========================


LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:



#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Gender:Female
  • Location:Belgium

Posted 08 April 2010 - 08:35 AM

Hi,

First of all, please update MalwareBytes, because it's Malwarebytes version 1.45 now and the database version is also outdated.
  • Start MalwareBytes and click the Update tab. There click "Check for updates".
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 sreez
  • Topic Starter

  • Members
  • Gender:Male
  • Location:Dubai(UAE)

Posted 09 April 2010 - 10:25 AM

First, I am so glad to meet you here; I have read many tutorials and posts made by you in study hall.


Here is the updated MBAM log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3971

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

09/04/2010 16:24:54
mbam-log-2010-04-09 (16-24-54).txt

Scan type: Quick scan
Objects scanned: 193924
Time elapsed: 11 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 10
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer (Disable.MCProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\ConnectionsTab (Hijack.ConnectionControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (4) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Lauren\Application Data\mshppj32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.





#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Gender:Female
  • Location:Belgium

Posted 09 April 2010 - 01:39 PM

Hi,

Well, the very first thing you should learn in studyhall is to make sure you don't get your own computer infected :D

Anyway, can you also post a new DDS scan log please?
Just post the main DDS scan log, don't post the EXTRA log.

#5 sreez
  • Topic Starter

  • Members
  • Gender:Male
  • Location:Dubai(UAE)

Posted 09 April 2010 - 03:32 PM

QUOTE(miekiemoes @ Apr 9 2010, 07:39 PM)
Hi,

Well, the very first thing you should learn in studyhall is to make sure you don't get your own computer infected :D



QUOTE
This is one of the computers in our office which has been infected; actually, when it was first infected I ran MBAM and thought it was all clear, but a few days later my client was saying the computer is so slow


Therefore that system isn't mine. Anyway, mate, I can't post any logs till Monday as it's an office system and I don't go there till Monday.

Btw, is this system OK to be connected to the network in the office, or should I disconnect it and do all the stuff transferring from USB?

Thanks,
Sreez



#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Gender:Female
  • Location:Belgium

Posted 09 April 2010 - 03:43 PM

Ouch, this is even worse since this is a computer at the office.
No, don't connect this PC to the network!!! Because you're dealing with a backdoor bot with password-stealing "components" and other malware, you cannot take that risk at the office at all!!

#7 sreez
  • Topic Starter

  • Members
  • Gender:Male
  • Location:Dubai(UAE)

Posted 10 April 2010 - 06:37 AM

Ok.

I have already disconnected that system from the network. Will update you with logs on Monday. Sorry for the delay, Great man

sreez



#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Gender:Female
  • Location:Belgium

Posted 10 April 2010 - 06:56 AM

QUOTE
Sorry for the delay Great man
Still female though tongue.gif

#9 sreez
  • Topic Starter

  • Members
  • Gender:Male
  • Location:Dubai(UAE)

Posted 12 April 2010 - 07:11 AM

QUOTE
QUOTE
Sorry for the delay Great man
Still female though tongue.gif


Ohh, apologies, Great Lady

Here is the fresh DDS log. I am connecting this computer to the internet and office network while posting this reply and also to run the required tools. Is that OK?

Also, I am using the client's login (Lauren) to do these steps, the reason being that initially I got more infected entries in MBAM when I used her login than my login or the system admin login accounts. Also, please let me know if her profile is OK or NOT, because I have given her another computer and she is using her login account, therefore she might reinfect other systems too.


DDS (Ver_10-03-17.01) - NTFSx86
Run by lauren at 13:02:30.22 on 12/04/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1020.509 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Alt-N Technologies\ComAgent\ComAgent.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
\\PARKBOX\Distributed\FOLDERS\Lauren\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = about:blank
mDefault_Page_URL = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\mskyqq32.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IgfxTray] REM c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] REM c:\windows\system32\hkcmd.exe
mRun: [Persistence] REM c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] REM RTHDCPL.EXE
mRun: [SoundMan] REM SOUNDMAN.EXE
mRun: [AlcWzrd] REM ALCWZRD.EXE
mRun: [Alcmtr] REM ALCMTR.EXE
mRun: [SunJavaUpdateSched] REM c:\program files\java\jre1.5.0_05\bin\jusched.exe
mRun: [RemoteControl] REM "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] REM c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] REM "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [googletalk] REM "c:\program files\google\google talk\googletalk.exe" /autostart
mRun: [ATIModeChange] REM Ati2mdxx.exe
mRun: [BCMSMMSG] REM BCMSMMSG.exe
mRun: [CARPService] REM carpserv.exe
mRun: [C-Media Mixer] REM Mixer.exe /startup
mRun: [CoolSwitch] REM c:\windows\system32\taskswitch.exe
mRun: [igfxhkcmd] REM c:\windows\system32\hkcmd.exe
mRun: [igfxpers] REM c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] REM RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] REM RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] REM nwiz.exe /install
mRun: [S3TRAY2] REM S3tray2.exe
mRun: [SigmatelSysTrayApp] REM stsystra.exe
mRun: [SoundMAXPnP] REM c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPEnh] REM c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynTPLpr] REM c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [VTPreset] REM VTPreset.exe
mRun: [VTTimer] REM VTTimer.exe
mRun: [VTTrayp] REM VTtrayp.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\lauren\startm~1\programs\startup\alt-nc~1.lnk - c:\program files\alt-n technologies\comagent\ComAgent.exe
uPolicies-explorer: NoBandCustomize = 1 (0x1)
uPolicies-explorer: NoNetConnectDisconnect = 1 (0x1)
uPolicies-explorer: NoManageMyComputerVerb = 1 (0x1)
uPolicies-explorer: EnforceShellExtensionSecurity = 1 (0x1)
uPolicies-explorer: NoHardwareTab = 1 (0x1)
uPolicies-explorer: NoSecurityTab = 1 (0x1)
uPolicies-explorer: NoRunasInstallPrompt = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoPropertiesMyDocuments = 1 (0x1)
uPolicies-explorer: NoPropertiesRecycleBin = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoChangeStartMenu = 1 (0x1)
uPolicies-explorer: NoSetTaskbar = 1 (0x1)
uPolicies-explorer: RestrictCpl = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 172.24.1.13 NPI0CA344
Hosts: 172.24.1.204 kamborio.net
Hosts: 172.24.1.204 www.clubboulevard.com
Hosts: 172.24.1.14 NPI0C8351

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lauren\applic~1\mozilla\firefox\profiles\gispuqws.default\
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S0 iteraid;iteraid;c:\windows\system32\drivers\iteraid.sys [2008-1-9 25423]

=============== Created Last 30 ================

2010-04-01 15:53:18 0 d-----w- c:\program files\ESET
2010-03-17 13:01:03 5968 ----a-w- c:\documents and settings\lauren\.recently-used.xbel
2010-03-17 12:59:21 0 d-----w- c:\documents and settings\lauren\.thumbnails
2010-03-17 12:59:21 0 d-----w- c:\documents and settings\lauren\.gimp-2.4
2010-03-17 12:59:20 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_291d1c77
2010-03-17 12:59:20 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_251a847b
2010-03-17 12:59:20 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_1fed047b
2010-03-17 12:59:20 0 d-----w- c:\docume~1\lauren\applic~1\Alt-N_NTFRS_1084271a
2010-03-17 12:59:19 0 d-----w- c:\documents and settings\lauren\Contacts
2010-03-17 12:59:19 0 d-----w- c:\docume~1\lauren\applic~1\Sun_NTFRS_291c3b10
2010-03-17 12:59:19 0 d-----w- c:\docume~1\lauren\applic~1\Sun_NTFRS_2519731b
2010-03-17 12:59:19 0 d-----w- c:\docume~1\lauren\applic~1\Sun_NTFRS_1fec09cf
2010-03-17 12:59:19 0 d-----w- c:\docume~1\lauren\applic~1\Sun_NTFRS_10830f61
2010-03-17 12:48:37 54311 ----a-w- c:\windows\hppins01.dat
2010-03-17 12:48:37 2392 ------w- c:\windows\hppmdl01.dat
2010-03-17 12:46:14 0 d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 12:46:40 103720 ----a-w- c:\documents and settings\lauren\GoToAssistDownloadHelper.exe
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll

============= FINISH: 13:04:12.85 ===============


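The DDS report above carries the two findings a defender would triage first: the Winlogon Userinit value loads a second executable after userinit.exe, and a block of Explorer policies lock the user out of repair tools. The following script is an added example, not part of the thread or of DDS; it parses a few lines copied from the posted report and flags both, using an assumed list of lockdown policies drawn from the MBAM and DDS entries shown earlier.

```python
"""Flag Userinit hijacks and lockdown policies in a DDS 'Pseudo HJT Report'.

Added example, not part of the original thread. The sample lines below are
copied from the DDS log posted above; the checks are an assumption about what
a defender would want to triage first, not DDS's own logic.
"""
import re

# Constructed sample: a handful of lines taken from the posted DDS report.
SAMPLE_REPORT = """\
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\mskyqq32.exe,
uRun: [Skype] "c:\\program files\\skype\\phone\\Skype.exe" /nosplash /minimized
uPolicies-explorer: NoRunasInstallPrompt = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
uPolicies-explorer: RestrictCpl = 1 (0x1)
mRun: [GrooveMonitor] "c:\\program files\\microsoft office\\office12\\GrooveMonitor.exe"
"""

# The only executable Userinit should normally carry on Windows XP.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Explorer/System policies that malware commonly sets to keep the user away
# from repair tools; assumed list, built from the entries MBAM and DDS showed.
LOCKDOWN_POLICIES = {
    "NoWindowsUpdate", "NoNetworkConnections", "RestrictCpl", "NoRun",
    "NoFolderOptions", "DisableTaskMgr", "DisableRegistryTools",
    "NoSecurityTab", "NoRunasInstallPrompt",
}

# DDS prefixes: u = current user hive, m = machine hive, d = default user.
USERINIT_RE = re.compile(r"^[um]Winlogon:\s*Userinit=(.*)$", re.I)
POLICY_RE = re.compile(r"^[umd]Policies-(\w+):\s*(\w+)\s*=\s*(\d+)", re.I)


def parse_userinit(value):
    """Split the comma-separated Userinit value into lower-cased executables."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def extra_userinit_entries(report):
    """Return every Userinit executable other than the expected one."""
    extra = []
    for line in report.splitlines():
        m = USERINIT_RE.match(line.strip())
        if not m:
            continue
        for exe in parse_userinit(m.group(1)):
            if exe != EXPECTED_USERINIT:
                extra.append(exe)
    return extra


def enabled_lockdown_policies(report):
    """Return (hive, policy) pairs for lockdown policies that are set to 1."""
    hits = []
    for line in report.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m.group(2) in LOCKDOWN_POLICIES and int(m.group(3)) == 1:
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


def triage(report):
    """Summarise both findings as a dict suitable for a ticket or a test."""
    return {
        "userinit_extra": extra_userinit_entries(report),
        "lockdown_policies": enabled_lockdown_policies(report),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for exe in result["userinit_extra"]:
        print(f"Userinit hijack: unexpected entry {exe}")
    for hive, policy in result["lockdown_policies"]:
        print(f"Lockdown policy set: {hive} {policy}")
```

Run against the full posted report, the Userinit check names the extra executable and the policy check lists every restriction the lockdown set, which is the list to reset once the loader itself has been removed.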

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • Gender:Female
  • Location:Belgium

Posted 12 April 2010 - 07:36 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.




#11 sreez
  • Topic Starter

  • Members
  • Gender:Male
  • Location:Dubai(UAE)

Posted 12 April 2010 - 08:58 AM

Miekiemoes,

Can you please tell me about the questions I asked before?

Here is the ComboFix report

ComboFix 10-04-11.06 - lauren 12/04/2010 14:46:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1020.631 [GMT 1:00]
Running from: \\PARKBOX\Distributed\FOLDERS\Lauren\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\documents and settings\amar\Local Settings\Temporary Internet Files\6xY5XJp.jpg
c:\documents and settings\amar\Local Settings\Temporary Internet Files\mJbao602y.jpg
c:\documents and settings\amar\Local Settings\Temporary Internet Files\Mjmj71Lb.jpg
c:\documents and settings\amar\Local Settings\Temporary Internet Files\x2B4y.jpg
c:\documents and settings\srinivas\Application Data\bcrypt.html

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-12 13:39 . 2009-02-09 10:20 100352 ----a-r- c:\documents and settings\Lauren\Application Data\mshppj32.exe
2010-04-01 15:53 . 2010-04-01 15:53 -------- d-----w- c:\program files\ESET
2010-04-01 15:51 . 2010-04-01 15:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-17 12:54 . 2010-03-17 12:54 -------- d-----w- c:\program files\Hewlett-Packard
2010-03-17 12:48 . 2010-03-17 12:57 54311 ----a-w- c:\windows\hppins01.dat
2010-03-17 12:48 . 2005-04-08 16:52 2392 ------w- c:\windows\hppmdl01.dat
2010-03-17 12:46 . 2010-03-17 12:46 -------- d-----w- c:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 13:49 . 2009-12-16 13:41 -------- d---a-w- c:\documents and settings\Lauren\Application Data\Skype
2010-04-09 12:24 . 2010-03-03 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 12:10 . 2009-05-13 11:54 -------- d---a-w- c:\documents and settings\srinivas\Application Data\ComAgent
2010-04-06 09:15 . 2008-02-18 20:36 -------- d-----w- c:\program files\Google
2010-03-31 02:21 . 2009-12-23 12:30 -------- d---a-w- c:\documents and settings\srinivas\Application Data\FileZilla
2010-03-31 02:21 . 2010-03-05 15:31 -------- d-----w- c:\documents and settings\srinivas\Application Data\Lexmark Productivity Studio
2010-03-31 02:21 . 2009-05-13 11:54 -------- d---a-w- c:\documents and settings\srinivas\Application Data\gtk-2.0
2010-03-29 23:46 . 2010-03-03 00:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2010-03-03 00:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 17:59 . 2009-05-13 11:54 -------- d---a-w- c:\documents and settings\srinivas\Application Data\Skype
2010-03-26 16:04 . 2009-05-13 11:54 -------- d---a-w- c:\documents and settings\srinivas\Application Data\skypePM
2010-03-24 09:11 . 2009-10-14 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Mozilla Firefox
2010-03-17 13:31 . 2009-12-22 15:19 69992 ----a-w- c:\documents and settings\Lauren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 12:54 . 2008-08-07 13:14 -------- d-----w- c:\program files\HP
2010-03-17 12:44 . 2009-12-16 13:42 -------- d---a-w- c:\documents and settings\Lauren\Application Data\ComAgent
2010-03-17 10:11 . 2009-12-16 13:59 -------- d---a-w- c:\documents and settings\Lauren\Application Data\skypePM
2010-03-12 12:46 . 2010-03-12 12:46 103720 ----a-w- c:\documents and settings\Lauren\GoToAssistDownloadHelper.exe
2010-03-12 12:46 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Sun_NTFRS_291c3b10
2010-03-12 12:46 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Sun_NTFRS_2519731b
2010-03-12 12:46 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Sun_NTFRS_1fec09cf
2010-03-12 12:46 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Sun_NTFRS_10830f61
2010-03-11 17:51 . 2009-07-07 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-11 12:38 . 2008-01-09 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-01-09 17:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-01-09 17:49 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 13:16 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_291d1c77
2010-03-10 13:16 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_251a847b
2010-03-10 13:16 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_1fed047b
2010-03-10 13:16 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_1084271a
2010-03-10 13:16 . 2010-03-12 11:52 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_0b5b9232
2010-03-10 13:16 . 2010-03-12 11:52 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_063c73b6
2010-03-10 11:15 . 2010-03-10 11:31 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_04cb3e9f
2010-03-05 10:13 . 2010-03-10 10:11 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_01525d18
2010-03-04 10:15 . 2010-03-05 10:08 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_09e63e2c
2010-03-03 18:22 . 2010-03-03 10:09 -------- d-----w- c:\documents and settings\Lauren\Application Data\Malwarebytes
2010-03-03 10:42 . 2010-03-04 10:10 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_04d0df3c
2010-03-03 00:31 . 2010-03-03 00:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-03 00:31 . 2010-03-03 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-03 00:29 . 2010-03-03 00:29 0 ----a-w- c:\windows\nsreg.dat
2010-03-03 00:26 . 2010-03-02 22:50 -------- d-sh--w- c:\documents and settings\amar\Application Data\lowsec
2010-03-03 00:20 . 2010-03-03 00:20 69992 ----a-w- c:\documents and settings\amar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-02 17:52 . 2010-03-02 22:50 -------- d---a-w- c:\documents and settings\amar\Application Data\ComAgent
2010-03-01 17:34 . 2010-01-14 16:30 664 ----a-w- c:\documents and settings\Lauren\Local Settings\Application Data\d3d9caps.dat
2010-02-23 18:02 . 2010-03-03 10:08 -------- d---a-w- c:\documents and settings\Lauren\Application Data\Sun_NTFRS_02c5db73
2010-02-19 15:45 . 2010-03-03 10:08 -------- d-----w- c:\documents and settings\Lauren\Application Data\WinRAR_NTFRS_02c12805
2010-02-18 14:43 . 2010-03-05 15:31 503808 ----a-w- c:\documents and settings\srinivas\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6950dd10-n\msvcp71.dll
2010-02-18 14:43 . 2010-03-05 15:31 499712 ----a-w- c:\documents and settings\srinivas\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6950dd10-n\jmc.dll
2010-02-18 14:43 . 2010-03-05 15:31 348160 ----a-w- c:\documents and settings\srinivas\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6950dd10-n\msvcr71.dll
2010-02-18 14:43 . 2010-03-05 15:31 61440 ----a-w- c:\documents and settings\srinivas\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-54120230-n\decora-sse.dll
2010-02-18 14:43 . 2010-03-05 15:31 12800 ----a-w- c:\documents and settings\srinivas\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-54120230-n\decora-d3d.dll
2010-01-29 13:15 . 2010-03-05 15:31 8854 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\UNINST_Uninstall_C_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\RunUVC.exe21_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\RunUVC.exe2_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\RunUVC.exe1_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\RunUVC.exe_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\IS_VIDEOCAP_SHORTC_431A5BB6E5E2444E8AF370E6BF16DEF6_1.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\IS_VIDEOCAP_SHORTC_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 10134 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-12-07 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="REM" [X]
"HotKeysCmds"="REM" [X]
"Persistence"="REM" [X]
"SunJavaUpdateSched"="REM" [X]
"RemoteControl"="REM" [X]
"NeroFilterCheck"="REM" [X]
"TkBellExe"="REM" [X]
"googletalk"="REM" [X]
"CoolSwitch"="REM" [X]
"igfxhkcmd"="REM" [X]
"igfxpers"="REM" [X]
"SoundMAXPnP"="REM" [X]
"SynTPEnh"="REM" [X]
"SynTPLpr"="REM" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-03 143360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\nick\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]

c:\documents and settings\srinivas\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]
Shortcut to taskmgr.lnk - c:\windows\system32\taskmgr.exe [2008-1-9 135680]

c:\documents and settings\visitor\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]

c:\documents and settings\amar\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]

c:\documents and settings\bornandco\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]

c:\documents and settings\david\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]
Windows Task Manager.lnk - c:\windows\system32\taskmgr.exe [2008-1-9 135680]

c:\documents and settings\Lauren\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)
"NoNetConnectDisconnect"= 1 (0x1)
"NoManageMyComputerVerb"= 1 (0x1)
"EnforceShellExtensionSecurity"= 1 (0x1)
"NoHardwareTab"= 1 (0x1)
"NoSecurityTab"= 1 (0x1)
"NoRunasInstallPrompt"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoPropertiesMyDocuments"= 1 (0x1)
"NoPropertiesRecycleBin"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoChangeStartMenu"= 1 (0x1)
"NoSetTaskbar"= 1 (0x1)
"RestrictCpl"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\mskyqq32.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1109\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1109\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1109\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1109\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1128\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1128\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1128\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1128\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1130\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1130\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1130\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1130\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1164\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1164\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1164\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1164\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1185\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1185\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1185\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1185\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1661\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1661\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1661\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1661\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1664\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1664\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1664\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1664\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1674\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1674\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1674\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1674\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1685\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1685\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1685\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1685\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1719\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1719\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1719\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1719\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S0 iteraid;iteraid;c:\windows\system32\drivers\iteraid.sys [09/01/2008 18:40 25423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Lauren\Application Data\Mozilla\Firefox\Profiles\gispuqws.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RTHDCPL - REM RTHDCPL.EXE
HKLM-Run-SoundMan - REM SOUNDMAN.EXE
HKLM-Run-AlcWzrd - REM ALCWZRD.EXE
HKLM-Run-ATIModeChange - REM Ati2mdxx.exe
HKLM-Run-BCMSMMSG - REM BCMSMMSG.exe
HKLM-Run-CARPService - REM carpserv.exe
HKLM-Run-C-Media Mixer - REM Mixer.exe
HKLM-Run-NvCplDaemon - REM RUNDLL32.EXE
HKLM-Run-NvMediaCenter - REM RUNDLL32.EXE
HKLM-Run-nwiz - REM nwiz.exe
HKLM-Run-S3TRAY2 - REM S3tray2.exe
HKLM-Run-SigmatelSysTrayApp - REM stsystra.exe
HKLM-Run-VTPreset - REM VTPreset.exe
HKLM-Run-VTTimer - REM VTTimer.exe
HKLM-Run-VTTrayp - REM VTtrayp.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 14:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\wininet.dll

- - - - - - - > 'lsass.exe'(772)
c:\windows\system32\wininet.dll
.
Completion time: 2010-04-12 14:53:40
ComboFix-quarantined-files.txt 2010-04-12 13:53

Pre-Run: 227,207,827,456 bytes free
Post-Run: 227,669,766,144 bytes free

- - End Of File - - 1DB4BC343F666BF87BF53E91E15CA49A

LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:


#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:08:55 PM

Posted 12 April 2010 - 09:49 AM

Hi,

As long as this computer is infected, I do not recommend using it at all except for cleaning the infection, and that's what we are trying to do ASAP.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
Collect::[8]
c:\windows\system32\mskyqq32.exe
c:\documents and settings\Lauren\Application Data\mshppj32.exe
Folder::
c:\documents and settings\amar\Application Data\lowsec
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe,"


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
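
The fix above works because the log's Winlogon section shows a second executable chained onto the "Userinit" value (userinit.exe followed by mskyqq32.exe), so every interactive logon also launches the extra file; the CFScript collects that file and resets the value to userinit.exe alone. The following is an added example, not code from this thread, from ComboFix or from the helper: a small Python checker that parses a REGEDIT4-style "Reg Loading Points" dump, reports any executable in Userinit other than the stock `c:\windows\system32\userinit.exe`, and emits the Collect:: and Registry:: parts of a CFScript in the layout the helper used. The sample log text is constructed to mirror the Userinit line in the posted log; the function names, the `[8]` collect tag and the expected-value constant are this example's own choices. It does not generate the Folder:: section (the lowsec directory), which the helper added by hand.

```python
"""Check a ComboFix 'Reg Loading Points' dump for a hijacked Winlogon Userinit value.

Added example for the thread above, not code from the thread, from ComboFix or
from the helper. The sample log text is constructed to mirror the Userinit line
in the posted log; the CFScript layout follows the helper's fix.
"""
import re

# Constructed sample: the Winlogon section as ComboFix prints it in the log above,
# plus two unrelated sections to show the parser only acts on Winlogon.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\explorer]
"NoSecurityTab"= 1 (0x1)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\mskyqq32.exe,"

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# The only executable that belongs in Userinit on a stock Windows XP install
# (assumption for this example: the system directory is c:\windows\system32).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_reg_sections(text):
    """Return {key_path_lowercased: {value_name: raw_value_string}} from a REGEDIT4-style dump."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif current is not None and line.startswith('"'):
            # Handles both '"Name"="value"' and '"Name"= 1 (0x1)' forms.
            m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
            if m:
                sections[current][m.group(1)] = m.group(2).strip()
    return sections


def userinit_entries(sections):
    """Split the Userinit value into its comma-separated executables (surrounding quotes stripped)."""
    raw = sections.get(WINLOGON_KEY, {}).get("Userinit", "").strip('"')
    return [p.strip().lower() for p in raw.split(",") if p.strip()]


def rogue_userinit_entries(text):
    """Return every executable chained into Userinit other than the expected userinit.exe."""
    return [e for e in userinit_entries(parse_reg_sections(text)) if e != EXPECTED_USERINIT]


def cfscript_for(text):
    """Build the Collect:: and Registry:: parts of a CFScript that quarantine the extra
    files and reset Userinit, in the layout the helper used. Empty string if nothing is wrong."""
    rogues = rogue_userinit_entries(text)
    if not rogues:
        return ""
    lines = ["Collect::[8]"] + rogues + [
        "Registry::",
        "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon]",
        # REGEDIT4 syntax doubles backslashes inside quoted string values.
        '"Userinit"="c:\\\\windows\\\\system32\\\\userinit.exe,"',
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("rogue Userinit entries:", rogue_userinit_entries(SAMPLE_LOG))
    print(cfscript_for(SAMPLE_LOG))
```

Run against the constructed sample it reports `c:\windows\system32\mskyqq32.exe` as the rogue entry and prints a script whose Registry:: section matches the one the helper posted; a clean log, where Userinit contains only userinit.exe, yields no findings and an empty script. The same check is worth running on any ComboFix or HijackThis-style dump, because a Userinit entry survives Run-key cleanup and is re-launched at every logon, which is the kind of reinfection-after-reboot described at the top of this thread.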

#13 sreez

sreez
  • Topic Starter

  • Members
  • 634 posts
  • Gender:Male
  • Location:Dubai(UAE)
  • Local time:10:55 PM

Posted 12 April 2010 - 10:42 AM

Hello,

I have uploaded the zip file. The system was rebooted while running ComboFix, and here are the log contents after it was rebooted.

ComboFix 10-04-11.06 - lauren 12/04/2010 16:26:28.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1020.475 [GMT 1:00]
Running from: \\PARKBOX\Distributed\FOLDERS\Lauren\Desktop\ComboFix.exe
Command switches used :: \\PARKBOX\Distributed\FOLDERS\Lauren\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

file zipped: c:\documents and settings\Lauren\Application Data\mshppj32.exe
file zipped: c:\windows\system32\mskyqq32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\amar\Application Data\lowsec
c:\documents and settings\amar\Application Data\lowsec\local.ds
c:\documents and settings\amar\Application Data\lowsec\user.ds
c:\documents and settings\Lauren\Application Data\mshppj32.exe
c:\windows\system32\mskyqq32.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-01 15:53 . 2010-04-01 15:53 -------- d-----w- c:\program files\ESET
2010-04-01 15:51 . 2010-04-01 15:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-17 12:54 . 2010-03-17 12:54 -------- d-----w- c:\program files\Hewlett-Packard
2010-03-17 12:48 . 2010-03-17 12:57 54311 ----a-w- c:\windows\hppins01.dat
2010-03-17 12:48 . 2005-04-08 16:52 2392 ------w- c:\windows\hppmdl01.dat
2010-03-17 12:46 . 2010-03-17 12:46 -------- d-----w- c:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 15:09 . 2009-12-16 13:59 -------- d---a-w- c:\documents and settings\Lauren\Application Data\skypePM
2010-04-12 14:39 . 2009-12-16 13:41 -------- d---a-w- c:\documents and settings\Lauren\Application Data\Skype
2010-04-09 12:24 . 2010-03-03 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-08 12:10 . 2009-05-13 11:54 -------- d---a-w- c:\documents and settings\srinivas\Application Data\ComAgent
2010-04-06 09:15 . 2008-02-18 20:36 -------- d-----w- c:\program files\Google
2010-03-31 02:21 . 2009-12-23 12:30 -------- d---a-w- c:\documents and settings\srinivas\Application Data\FileZilla
2010-03-31 02:21 . 2010-03-05 15:31 -------- d-----w- c:\documents and settings\srinivas\Application Data\Lexmark Productivity Studio
2010-03-31 02:21 . 2009-05-13 11:54 -------- d---a-w- c:\documents and settings\srinivas\Application Data\gtk-2.0
2010-03-29 23:46 . 2010-03-03 00:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2010-03-03 00:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 17:59 . 2009-05-13 11:54 -------- d---a-w- c:\documents and settings\srinivas\Application Data\Skype
2010-03-26 16:04 . 2009-05-13 11:54 -------- d---a-w- c:\documents and settings\srinivas\Application Data\skypePM
2010-03-24 09:11 . 2009-10-14 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Mozilla Firefox
2010-03-17 13:31 . 2009-12-22 15:19 69992 ----a-w- c:\documents and settings\Lauren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 12:54 . 2008-08-07 13:14 -------- d-----w- c:\program files\HP
2010-03-17 12:44 . 2009-12-16 13:42 -------- d---a-w- c:\documents and settings\Lauren\Application Data\ComAgent
2010-03-12 12:46 . 2010-03-12 12:46 103720 ----a-w- c:\documents and settings\Lauren\GoToAssistDownloadHelper.exe
2010-03-12 12:46 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Sun_NTFRS_291c3b10
2010-03-12 12:46 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Sun_NTFRS_2519731b
2010-03-12 12:46 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Sun_NTFRS_1fec09cf
2010-03-12 12:46 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Sun_NTFRS_10830f61
2010-03-11 17:51 . 2009-07-07 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-11 12:38 . 2008-01-09 17:51 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2008-01-09 17:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2008-01-09 17:49 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-10 13:16 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_291d1c77
2010-03-10 13:16 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_251a847b
2010-03-10 13:16 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_1fed047b
2010-03-10 13:16 . 2010-03-17 12:59 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_1084271a
2010-03-10 13:16 . 2010-03-12 11:52 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_0b5b9232
2010-03-10 13:16 . 2010-03-12 11:52 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_063c73b6
2010-03-10 11:15 . 2010-03-10 11:31 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_04cb3e9f
2010-03-05 10:13 . 2010-03-10 10:11 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_01525d18
2010-03-04 10:15 . 2010-03-05 10:08 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_09e63e2c
2010-03-03 18:22 . 2010-03-03 10:09 -------- d-----w- c:\documents and settings\Lauren\Application Data\Malwarebytes
2010-03-03 10:42 . 2010-03-04 10:10 -------- d-----w- c:\documents and settings\Lauren\Application Data\Alt-N_NTFRS_04d0df3c
2010-03-03 00:31 . 2010-03-03 00:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-03 00:31 . 2010-03-03 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-03 00:29 . 2010-03-03 00:29 0 ----a-w- c:\windows\nsreg.dat
2010-03-03 00:20 . 2010-03-03 00:20 69992 ----a-w- c:\documents and settings\amar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-02 17:52 . 2010-03-02 22:50 -------- d---a-w- c:\documents and settings\amar\Application Data\ComAgent
2010-03-01 17:34 . 2010-01-14 16:30 664 ----a-w- c:\documents and settings\Lauren\Local Settings\Application Data\d3d9caps.dat
2010-02-23 18:02 . 2010-03-03 10:08 -------- d---a-w- c:\documents and settings\Lauren\Application Data\Sun_NTFRS_02c5db73
2010-02-19 15:45 . 2010-03-03 10:08 -------- d-----w- c:\documents and settings\Lauren\Application Data\WinRAR_NTFRS_02c12805
2010-02-18 14:43 . 2010-03-05 15:31 503808 ----a-w- c:\documents and settings\srinivas\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6950dd10-n\msvcp71.dll
2010-02-18 14:43 . 2010-03-05 15:31 499712 ----a-w- c:\documents and settings\srinivas\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6950dd10-n\jmc.dll
2010-02-18 14:43 . 2010-03-05 15:31 348160 ----a-w- c:\documents and settings\srinivas\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6950dd10-n\msvcr71.dll
2010-02-18 14:43 . 2010-03-05 15:31 61440 ----a-w- c:\documents and settings\srinivas\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-54120230-n\decora-sse.dll
2010-02-18 14:43 . 2010-03-05 15:31 12800 ----a-w- c:\documents and settings\srinivas\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-54120230-n\decora-d3d.dll
2010-01-29 13:15 . 2010-03-05 15:31 8854 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\UNINST_Uninstall_C_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\RunUVC.exe21_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\RunUVC.exe2_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\RunUVC.exe1_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\RunUVC.exe_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\IS_VIDEOCAP_SHORTC_431A5BB6E5E2444E8AF370E6BF16DEF6_1.exe
2010-01-29 13:15 . 2010-03-05 15:31 40960 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\IS_VIDEOCAP_SHORTC_431A5BB6E5E2444E8AF370E6BF16DEF6.exe
2010-01-29 13:15 . 2010-03-05 15:31 10134 ----a-r- c:\documents and settings\srinivas\Application Data\Microsoft\Installer\{431A5BB6-E5E2-444E-8AF3-70E6BF16DEF6}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-12-07 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="REM" [X]
"HotKeysCmds"="REM" [X]
"Persistence"="REM" [X]
"SunJavaUpdateSched"="REM" [X]
"RemoteControl"="REM" [X]
"NeroFilterCheck"="REM" [X]
"TkBellExe"="REM" [X]
"googletalk"="REM" [X]
"CoolSwitch"="REM" [X]
"igfxhkcmd"="REM" [X]
"igfxpers"="REM" [X]
"SoundMAXPnP"="REM" [X]
"SynTPEnh"="REM" [X]
"SynTPLpr"="REM" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-03 143360]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\nick\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]

c:\documents and settings\srinivas\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]
Shortcut to taskmgr.lnk - c:\windows\system32\taskmgr.exe [2008-1-9 135680]

c:\documents and settings\visitor\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]

c:\documents and settings\amar\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]

c:\documents and settings\bornandco\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]

c:\documents and settings\david\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]
Windows Task Manager.lnk - c:\windows\system32\taskmgr.exe [2008-1-9 135680]

c:\documents and settings\Lauren\Start Menu\Programs\Startup\
Alt-N ComAgent 9.5.5.lnk - c:\program files\Alt-N Technologies\ComAgent\ComAgent.exe [2008-2-18 1273920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)
"NoNetConnectDisconnect"= 1 (0x1)
"NoManageMyComputerVerb"= 1 (0x1)
"EnforceShellExtensionSecurity"= 1 (0x1)
"NoHardwareTab"= 1 (0x1)
"NoSecurityTab"= 1 (0x1)
"NoRunasInstallPrompt"= 1 (0x1)
"NoNetworkConnections"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoPropertiesMyDocuments"= 1 (0x1)
"NoPropertiesRecycleBin"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoChangeStartMenu"= 1 (0x1)
"NoSetTaskbar"= 1 (0x1)
"RestrictCpl"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1109\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1109\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1109\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1109\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1128\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1128\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1128\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1128\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1130\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1130\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1130\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1130\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1164\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1164\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1164\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1164\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1185\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1185\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1185\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1185\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1661\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1661\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1661\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1661\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1664\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1664\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1664\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1664\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1674\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1674\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1674\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1674\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1685\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1685\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1685\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1685\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1719\Scripts\Logoff\0\0]
"Script"=Profile.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1719\Scripts\Logon\0\0]
"Script"=Network.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1719\Scripts\Logon\0\1]
"Script"=Outlook.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1202660629-73586283-725345543-1719\Scripts\Logon\0\2]
"Script"=Printers.cmd

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 iteraid;iteraid;c:\windows\system32\drivers\iteraid.sys [09/01/2008 18:40 25423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Lauren\Application Data\Mozilla\Firefox\Profiles\gispuqws.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 16:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3388)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-04-12 16:36:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 15:36
ComboFix2.txt 2010-04-12 13:53

Pre-Run: 227,607,834,624 bytes free
Post-Run: 227,585,392,640 bytes free

- - End Of File - - DDC2BFE07F0C5C1D07AE78094809BA91

LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:


#14 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 April 2010 - 10:50 AM

Hi,

Thank you for the submission.
This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

By the way, keep in mind that all passwords need to be changed here, because this computer was dealing with a password stealer.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 sreez
  • Topic Starter

  • Members
  • 634 posts
  • Gender:Male
  • Location:Dubai(UAE)

Posted 12 April 2010 - 11:32 AM

Hello,

That's good to hear. I am not sure of the performance, but for me the computer seems to be OK. But when I scanned with MBAM

I got these 2 infections again.

QUOTE
So please help me in removing this one and please tell me why you are using those particular tools or entries for reduction (if possible)
I know that you are trying to solve the issue quickly, but I would like to know what particular infection we are looking at that is a password stealer. I tried to look for
CODE
c:\windows\system32\mskyqq32.exe
c:\documents and settings\Lauren\Application Data\mshppj32.exe
in this tutorial but I found nothing. So if it's OK with you, please advise me how you are finding those infections. Thanks.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3971

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

12/04/2010 17:22:57
mbam-log-2010-04-12 (17-22-57).txt

Scan type: Quick scan
Objects scanned: 178663
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
