
Google Links Redirecting Problem


  • This topic is locked
16 replies to this topic

#1 kaplan81


  • Members
  • 34 posts

Posted 24 April 2010 - 04:39 PM

Lately I've been having problems clicking on links in Google search results. I'll end up redirected to some other site. Additionally, for some reason a couple of programs haven't been running at startup like they should. I'm not sure if this is related, but GoogleTalk and McAfee should run at system startup, but they no longer do. I've used Ad-aware, Spybot, and Malwarebytes, but haven't been able to fix the problem. Any help would be much appreciated.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 15:42:19.48 on Sat 04/24/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.264 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\dell\quickset\quickset .exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Google\Google Talk\googletalk .exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=15784&l=dis
uURLSearchHooks: H - No File
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
mRun: [Acepiyubader] rundll32.exe "c:\windows\ucadarib.dll",Startup
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\c9f2pbvn.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\whitt\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\whitt\application data\move networks\plugins\npqmp071705000014.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {BBC55631-36D3-43CA-8056-28F8AAA6C536} - c:\documents and settings\administrator\local settings\application data\{BBC55631-36D3-43CA-8056-28F8AAA6C536}
FF - HiddenExtension: XULRunner: {80CB1EB3-F167-4B2F-B0F2-CBD6921F0499} - c:\documents and settings\whitt\local settings\application data\{80cb1eb3-f167-4b2f-b0f2-cbd6921f0499}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-26 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-26 93320]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-10-6 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-10-6 54608]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-7-26 72904]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-7-26 34344]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-7-26 177672]
S2 0158741269552172mcinstcleanup;McAfee Application Installer Cleanup (0158741269552172);c:\windows\temp\015874~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\015874~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 vwblka;vwblka; [x]

=============== Created Last 30 ================

2010-04-22 03:03:40 0 d-----w- c:\program files\Ask.com
2010-04-22 01:24:40 0 d-----w- c:\docume~1\admini~1\applic~1\Canneverbe_Limited
2010-04-22 01:04:27 4 ----a-w- c:\program files\165656.dat
2010-04-22 00:53:02 23936 ------w- c:\windows\UNNeroBurnRights.cfg
2010-04-22 00:40:44 65536 ----a-w- c:\windows\system32\NeroCo.dll
2010-04-22 00:40:44 57344 ----a-w- c:\windows\system32\NeroBurnRights.cpl
2010-04-22 00:40:44 2031616 ------w- c:\windows\UNNeroBurnRights.exe
2010-04-21 23:19:48 38912 ----a-r- c:\windows\system32\picn20.dll
2010-04-21 23:19:45 569344 ----a-r- c:\windows\system32\imagr5.dll
2010-04-21 23:19:45 544768 ----a-r- c:\windows\system32\imagx5.dll
2010-04-21 23:19:44 283920 ----a-r- c:\windows\system32\ImagXpr5.dll
2010-04-21 23:19:40 155648 ----a-r- c:\windows\system32\nerocheck .exe
2010-04-21 21:36:19 0 ----a-w- c:\windows\Awoceweweciqusol.bin
2010-04-21 21:36:18 120 ----a-w- c:\windows\Tlamiwol.dat
2010-04-21 20:43:36 0 d-----w- C:\MOSS
2010-04-14 22:36:10 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-12 16:15:29 0 d--h--w- C:\$AVG
2010-04-06 22:34:29 1223 ----a-w- c:\docume~1\alluse~1\applic~1\_VOIDmfeklnmal.dll
2010-04-06 21:47:38 4 ----a-w- c:\program files\60546.dat
2010-04-06 21:47:38 4 ----a-w- c:\program files\60468.dat
2010-04-06 21:47:38 4 ----a-w- c:\program files\60156.dat
2010-04-03 22:33:35 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-03 22:32:41 0 d-----w- c:\program files\LimeWire
2010-04-03 22:32:35 0 d-----w- c:\windows\system32\rmdll
2010-04-03 22:32:22 0 d-----w- c:\program files\Broadcom
2010-04-03 22:28:52 0 d-----w- c:\windows\system32\CatRoot_bak
2010-04-03 01:12:09 0 d-----w- c:\docume~1\admini~1\applic~1\Sun(2)
2010-04-02 22:21:06 0 d-----w- c:\program files\CDBurnerXP(2)
2010-04-02 21:36:09 0 d-----w- c:\program files\Support Tools(2)
2010-04-02 20:41:53 0 d-----w- c:\program files\Trend Micro
2010-04-02 18:45:56 0 d-----w- C:\spoolerlogs
2010-04-02 17:58:14 0 d-----w- c:\program files\Broadcom(2)
2010-04-02 14:13:14 0 d-----w- c:\windows\system32\scripting
2010-04-02 14:13:13 0 d-----w- c:\windows\l2schemas
2010-04-02 14:08:05 0 d-----w- c:\windows\network diagnostic

==================== Find3M ====================

2010-04-22 23:05:04 204800 ----a-w- c:\windows\system32\dwwin.exe.tmp
2010-04-22 05:00:35 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-04-02 15:49:06 5 ----a-w- c:\windows\system32\drivers\DELL_XPS_MXC061 .MRK
2010-04-02 15:49:06 5 ----a-w- c:\windows\system32\drivers\1028_DELL_XPS_MXC061 .MRK
2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 05:21:20 1506304 ----a-w- c:\windows\system32\shdocvw(2)(2).dll
2010-03-10 05:21:13 1023488 ----a-w- c:\windows\system32\browseui(4).dll
2010-03-10 05:21:13 1023488 ----a-w- c:\windows\system32\browseui(3).dll
2010-03-10 05:21:13 1023488 ----a-w- c:\windows\system32\browseui(2).dll
2010-03-02 03:42:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-02 02:56:52 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet(5).dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet(4).dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet(3).dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet(2)(2).dll
2010-02-26 06:12:23 624640 ----a-w- c:\windows\system32\urlmon(5).dll
2010-02-26 06:12:23 624640 ----a-w- c:\windows\system32\urlmon(4).dll
2010-02-26 06:12:23 624640 ----a-w- c:\windows\system32\urlmon(3).dll
2010-02-26 06:12:23 624640 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2010-02-26 06:12:22 474112 ----a-w- c:\windows\system32\shlwapi(2)(2).dll
2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 17:35:40 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 16:57:54 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 04:41:38 56136 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 15:43:30.25 ===============


#2 m0le



  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 29 April 2010 - 06:45 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run Gmer, a rootkit scanner

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 kaplan81

  • Topic Starter

  • Members
  • 34 posts

Posted 01 May 2010 - 09:55 AM

Thanks for responding. Here's the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-01 09:48:53
Windows 5.1.2600 Service Pack 2
Running: 1tt1y8zh.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwtdakow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF752D87E]
SSDT spwg.sys ZwEnumerateKey [0xF72DADA4]
SSDT spwg.sys ZwEnumerateValueKey [0xF72DB132]
SSDT spwg.sys ZwOpenKey [0xF72BC0C0]
SSDT spwg.sys ZwQueryKey [0xF72DB20A]
SSDT spwg.sys ZwQueryValueKey [0xF72DB08A]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF752DBFE]

INT 0x62 ? 86F66BF8
INT 0x74 ? 86CF2BF8
INT 0x82 ? 86F66BF8
INT 0x84 ? 86CF2BF8
INT 0x94 ? 86CF2BF8

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA2997144]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA2997170]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA299715A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA299719C]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1686 5 Bytes JMP A29971A0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621FE4 7 Bytes JMP A299715E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622A5A 7 Bytes JMP A2997148 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622C2A 7 Bytes JMP A2997174 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spwg.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xF7261314]
.text USBPORT.SYS!DllUnload F585B68E 5 Bytes JMP 86CF21D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1004] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A0000A
.text C:\WINDOWS\Explorer.EXE[1004] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AE000A
.text C:\WINDOWS\Explorer.EXE[1004] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009F000C
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0082000A
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0083000A
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0081000C
.text C:\WINDOWS\System32\svchost.exe[1844] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 011A000A
.text C:\WINDOWS\System32\svchost.exe[1844] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 0119000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72BD042] spwg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72BD13E] spwg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72BD0C0] spwg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72BD800] spwg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72BD6D6] spwg.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72CCE9C] spwg.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F651F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{0428E35E-48A8-4E25-A543-0DCD27E5995E} 851601F8

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 86C431F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86FD81F8
Device \Driver\dmio \Device\DmControl\DmConfig 86FD81F8
Device \Driver\dmio \Device\DmControl\DmPnP 86FD81F8
Device \Driver\dmio \Device\DmControl\DmInfo 86FD81F8
Device \Driver\usbuhci \Device\USBPDO-1 86C431F8
Device \Driver\usbuhci \Device\USBPDO-2 86C431F8
Device \Driver\usbuhci \Device\USBPDO-3 86C431F8
Device \Driver\usbehci \Device\USBPDO-4 86CDB1F8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86F671F8
Device \Driver\Cdrom \Device\CdRom0 86C0B1F8
Device \Driver\atapi \Device\Ide\IdePort0 86F661F8
Device \Driver\atapi \Device\Ide\IdePort1 86F661F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 86F661F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 851601F8
Device \Driver\NetBT \Device\NetbiosSmb 851601F8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{4AEEFFB6-EE2B-46AA-9B30-3133CFD6468C} 851601F8

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 86C431F8
Device \Driver\usbuhci \Device\USBFDO-1 86C431F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84FAC1F8
Device \Driver\usbuhci \Device\USBFDO-2 86C431F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 84FAC1F8
Device \Driver\usbuhci \Device\USBFDO-3 86C431F8
Device \Driver\usbehci \Device\USBFDO-4 86CDB1F8
Device \Driver\Ftdisk \Device\FtControl 86F671F8
Device \FileSystem\Cdfs \Cdfs 86D08500
Device -> \Driver\atapi \Device\Harddisk0\DR0 86E73AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0x50 0x47 0x4F ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xEC 0xF5 0xA2 0xC1 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4B 0x0F 0xA5 0xF2 ...
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDvfyphgkuuk.sys
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_VOIDc
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_VOIDd
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_VOIDsrcr
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_voidserf
Reg HKLM\SYSTEM\ControlSet001\Services\_VOIDd.sys\modules@_voidbbr
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0x50 0x47 0x4F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xEC 0xF5 0xA2 0xC1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4B 0x0F 0xA5 0xF2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDvfyphgkuuk.sys
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDc
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDd
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDsrcr
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_voidserf
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_voidbbr
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x07 0xF3 0x07 0x49 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x07 0xF3 0x07 0x49 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

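To show how a helper reads a log like the one above, here is an added Python triage script (not GMER's own code, and not something posted in this thread) that parses a subset of the GMER lines posted above, groups each hook by the module that owns it, and ranks what the log shows; the sample lines are copied from that log, and the severity labels are my own convention.

```python
import re

# Added illustration (not GMER's code): the sample below is a subset of the
# GMER 1.0.15 log posted above, kept in its original line format.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF752D87E]
SSDT spwg.sys ZwEnumerateKey [0xF72DADA4]
SSDT spwg.sys ZwOpenKey [0xF72BC0C0]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwDeleteKey 80622A5A 7 Bytes JMP A2997148 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spwg.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72BD042] spwg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72BD6D6] spwg.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# One pattern per GMER line type we triage. Vendor attribution, when GMER
# can resolve it, appears in parentheses after the module name or path.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\(([^)]*)\))?\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified\. !$")
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[([^\]]+)\]\s+\[([0-9A-Fa-f]+)\]\s+(\S+)$")
INLINE_RE = re.compile(
    r"^(?:PAGE|\.text)\s+(\S+)!(\w+)\s+[0-9A-Fa-f]+\s+\d+ Bytes\s+JMP\s+[0-9A-Fa-f]+"
    r"\s+(\S+)(?:\s+\(([^)]*)\))?$")
FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$")


def parse_gmer(text):
    """Group every hook by the module that owns it; collect flagged files."""
    modules = {}
    suspicious_files = []

    def module(name):
        return modules.setdefault(name, {"vendor": None, "hooks": [], "missing": False})

    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            name, vendor, func, _addr = m.groups()
            entry = module(name)
            entry["vendor"] = entry["vendor"] or vendor
            entry["hooks"].append(f"SSDT {func}")
        elif m := MISSING_RE.match(line):
            module(m.group(1))["missing"] = True
        elif m := IAT_RE.match(line):
            target, imported, _addr, name = m.groups()
            module(name)["hooks"].append(f"IAT {target}[{imported}]")
        elif m := INLINE_RE.match(line):
            victim, func, path, vendor = m.groups()
            entry = module(path.rsplit("\\", 1)[-1])
            entry["vendor"] = entry["vendor"] or vendor
            entry["hooks"].append(f"INLINE {victim}!{func}")
        elif m := FILE_RE.match(line):
            suspicious_files.append(m.group(1))
    return modules, suspicious_files


def triage_gmer(text):
    """Rank what the log shows. Returns a list of findings, worst first."""
    modules, suspicious_files = parse_gmer(text)
    findings = []
    # A driver file GMER reports as modified is the strongest sign in this
    # log: this rootkit family infects an existing driver file on disk.
    for path in suspicious_files:
        findings.append({"severity": "HIGH", "subject": path,
                         "reason": "driver file reported as modified on disk"})
    for name, info in sorted(modules.items()):
        if not info["hooks"]:
            continue
        if info["vendor"]:
            sev, reason = "INFO", f"hooks attributed to {info['vendor']}"
        elif info["missing"]:
            # Hooks from a module GMER cannot find on disk: a hidden rootkit
            # component OR a self-hiding copy-protection driver; correlate
            # with the registry/services sections before acting on it.
            sev, reason = "REVIEW", "kernel hooks from a module not found on disk"
        else:
            sev, reason = "REVIEW", "kernel hooks with no vendor attribution"
        findings.append({"severity": sev, "subject": name,
                         "reason": f"{reason} ({len(info['hooks'])} hooks)"})
    order = {"HIGH": 0, "REVIEW": 1, "INFO": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage_gmer(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['subject']}: {f['reason']}")
```

A module GMER cannot find on disk is a prompt to correlate, not a verdict: self-hiding copy-protection drivers such as SPTD (the sptd service that the registry section above ties to an Alcohol 120% install) hook the SSDT and the atapi.sys import table in the same way, so the two driver files flagged "suspicious modification" are the stronger TDSS indicator here.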

#4 m0le



  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 01 May 2010 - 11:44 AM

You have the newer variant of the rootkit TDSS.


Please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 kaplan81

  • Topic Starter

  • Members
  • 34 posts

Posted 01 May 2010 - 03:29 PM

Alrighty. I'll copy and paste and attach the file for good measure.

ComboFix 10-04-30.03 - Administrator 05/01/2010 15:06:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.345 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Comfix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3515990736-188927346-2086036714-1000
c:\documents and settings\Administrator\Local Settings\Application Data\{BBC55631-36D3-43CA-8056-28F8AAA6C536}
c:\documents and settings\Administrator\Local Settings\Application Data\{BBC55631-36D3-43CA-8056-28F8AAA6C536}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{BBC55631-36D3-43CA-8056-28F8AAA6C536}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{BBC55631-36D3-43CA-8056-28F8AAA6C536}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{BBC55631-36D3-43CA-8056-28F8AAA6C536}\install.rdf
c:\documents and settings\Administrator\Local Settings\Application Data\MSASCui.exe
c:\documents and settings\All Users\Application Data\_VOIDmfeklnmal.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\MSASCui.exe
c:\recycler\S-1-5-21-725345543-2147208981-299502267-500
c:\recycler\S-1-5-21-861567501-2025429265-1417001333-1003
c:\windows\system32\drivers\1028_DELL_XPS_MXC061 .MRK
c:\windows\system32\drivers\DELL_XPS_MXC061 .MRK
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\nerocheck .exe
c:\windows\system32\rundll32 .exe
c:\windows\ucadarib.dll

Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-04-25 23:43 . 2010-04-25 23:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\DOSBox
2010-04-25 23:41 . 2006-08-29 19:48 -------- d-----w- C:\Crime
2010-04-25 21:56 . 2010-04-25 21:56 -------- d-----w- c:\program files\iPod
2010-04-25 21:56 . 2010-04-25 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-25 21:54 . 2010-04-25 21:55 -------- d-----w- c:\program files\QuickTime
2010-04-25 21:52 . 2010-04-25 21:52 -------- d-----w- c:\program files\Apple Software Update
2010-04-25 21:52 . 2010-04-25 21:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2010-04-25 21:49 . 2010-04-25 21:49 -------- d-----w- c:\program files\Bonjour
2010-04-25 01:00 . 2010-04-25 01:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-23 20:21 . 2010-04-23 20:21 -------- d-----w- c:\documents and settings\Whitt\Local Settings\Application Data\{80CB1EB3-F167-4B2F-B0F2-CBD6921F0499}
2010-04-22 04:47 . 2010-04-22 04:47 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-22 03:27 . 2010-04-22 04:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\ImgBurn
2010-04-22 03:19 . 2010-04-22 03:19 -------- d-----w- c:\program files\ImgBurn
2010-04-22 03:03 . 2010-04-22 03:03 -------- d-----w- c:\program files\Ask.com
2010-04-22 01:24 . 2010-04-22 01:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canneverbe_Limited
2010-04-22 01:04 . 2010-04-22 01:04 4 ----a-w- c:\program files\165656.dat
2010-04-22 00:40 . 2004-08-05 20:58 65536 ----a-w- c:\windows\system32\NeroCo.dll
2010-04-22 00:40 . 2004-08-04 19:19 2031616 ------w- c:\windows\UNNeroBurnRights.exe
2010-04-21 23:19 . 2001-06-26 07:15 38912 ----a-r- c:\windows\system32\picn20.dll
2010-04-21 23:19 . 2001-07-06 13:41 569344 ----a-r- c:\windows\system32\imagr5.dll
2010-04-21 23:19 . 2001-07-06 11:44 544768 ----a-r- c:\windows\system32\imagx5.dll
2010-04-21 23:19 . 2001-07-06 17:24 283920 ----a-r- c:\windows\system32\ImagXpr5.dll
2010-04-21 23:19 . 2010-04-21 23:19 -------- d-----w- c:\program files\Common Files\Ahead
2010-04-21 23:19 . 2010-04-22 00:40 -------- d-----w- c:\program files\Ahead
2010-04-21 21:36 . 2010-05-01 13:32 0 ----a-w- c:\windows\Awoceweweciqusol.bin
2010-04-21 21:36 . 2010-05-01 18:26 120 ----a-w- c:\windows\Tlamiwol.dat
2010-04-21 21:29 . 2010-04-21 21:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2010-04-21 20:43 . 2010-04-22 11:55 -------- d-----w- C:\MOSS
2010-04-12 16:15 . 2010-04-12 16:15 -------- d-----w- C:\$AVG
2010-04-06 21:47 . 2010-04-06 21:47 4 ----a-w- c:\program files\60546.dat
2010-04-06 21:47 . 2010-04-06 21:47 4 ----a-w- c:\program files\60468.dat
2010-04-06 21:47 . 2010-04-06 21:47 4 ----a-w- c:\program files\60156.dat
2010-04-06 21:45 . 2010-04-12 17:20 -------- d-----w- c:\documents and settings\Whitt\Application Data\015CD9817343056DAD827D61C4D32461
2010-04-04 15:29 . 2010-04-04 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-04-03 22:33 . 2010-04-03 22:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 22:32 . 2010-04-06 22:24 -------- d-----w- c:\program files\LimeWire
2010-04-03 22:32 . 2010-04-03 22:32 -------- d-----w- c:\program files\CDBurnerXP
2010-04-03 22:32 . 2010-04-03 22:32 -------- d-----w- c:\windows\system32\rmdll
2010-04-03 22:32 . 2010-04-03 22:32 -------- d-----w- c:\program files\Broadcom
2010-04-02 14:13 . 2010-04-02 14:13 -------- d-----w- c:\windows\system32\scripting
2010-04-02 14:13 . 2010-04-02 14:13 -------- d-----w- c:\windows\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 22:27 . 2006-02-28 12:00 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-04-27 01:42 . 2009-08-03 03:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-04-26 02:05 . 2009-11-23 20:28 -------- d-----w- c:\program files\DOSBox-0.73
2010-04-25 21:58 . 2009-07-25 19:17 -------- d-----w- c:\program files\iTunes
2010-04-25 21:56 . 2009-07-25 19:15 -------- d-----w- c:\program files\Common Files\Apple
2010-04-25 21:54 . 2009-07-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-25 21:30 . 2009-11-26 02:03 -------- d-----w- c:\program files\Alcohol Soft
2010-04-23 04:22 . 2009-10-01 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-22 23:28 . 2009-07-24 02:18 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-04-22 23:05 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\dwwin.exe.tmp
2010-04-22 01:54 . 2010-03-17 22:02 439816 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-04-06 22:31 . 2009-07-26 22:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 22:26 . 2010-03-18 18:10 -------- d-----w- c:\documents and settings\Whitt\Application Data\uTorrent
2010-04-06 22:25 . 2009-08-26 22:37 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 22:27 . 2009-08-01 18:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-04-03 22:27 . 2010-04-02 17:58 -------- d-----w- c:\program files\Broadcom(2)
2010-04-03 22:27 . 2010-04-02 21:36 -------- d-----w- c:\program files\Support Tools(2)
2010-04-03 22:20 . 2009-07-24 23:45 -------- d-----w- c:\documents and settings\Whitt\Application Data\U3
2010-04-03 22:20 . 2009-07-25 03:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-03 22:20 . 2010-04-02 22:21 -------- d-----w- c:\program files\CDBurnerXP(2)
2010-04-03 22:19 . 2010-04-03 01:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sun(2)
2010-04-02 21:33 . 2009-07-24 01:41 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-02 20:41 . 2010-04-02 20:41 -------- d-----w- c:\program files\Trend Micro
2010-04-01 08:23 . 2009-07-26 21:53 -------- d-----w- c:\program files\McAfee
2010-03-30 05:46 . 2009-07-26 22:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2009-07-26 22:13 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 06:48 . 2010-03-26 06:48 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-24 21:19 . 2010-03-24 21:14 20846064 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-18 19:52 . 2009-11-23 04:20 -------- d-----w- c:\program files\Comical
2010-03-18 18:10 . 2010-03-18 18:10 -------- d-----w- c:\program files\uTorrent
2010-03-17 22:08 . 2009-07-25 23:47 68456 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 08:02 . 2006-02-28 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 05:21 . 2006-02-28 12:00 1506304 ----a-w- c:\windows\system32\shdocvw(2)(2).dll
2010-03-10 05:21 . 2006-02-28 12:00 1023488 ----a-w- c:\windows\system32\browseui(4).dll
2010-03-10 05:21 . 2006-02-28 12:00 1023488 ----a-w- c:\windows\system32\browseui(3).dll
2010-03-10 05:21 . 2006-02-28 12:00 1023488 ----a-w- c:\windows\system32\browseui(2).dll
2010-03-09 06:58 . 2010-03-09 06:58 8405312 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-09 06:57 . 2010-03-09 06:57 149000 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-09 06:57 . 2010-03-09 06:57 10309448 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-09 06:55 . 2010-03-09 06:55 283280 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-09 06:55 . 2010-03-09 06:55 181768 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-09 06:55 . 2010-03-09 06:55 79368 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-09 06:55 . 2010-03-09 06:55 52288 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-09 06:55 . 2010-03-09 06:55 64000 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-09 06:55 . 2010-03-09 06:55 50688 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-09 06:55 . 2010-03-09 06:55 49152 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-09 06:55 . 2010-03-09 06:55 118784 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-08 22:55 . 2010-03-08 22:55 439816 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\setup.exe
2010-03-02 03:42 . 2010-03-02 03:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-02 03:42 . 2010-03-02 03:42 152576 ----a-w- c:\documents and settings\Whitt\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet(5).dll
2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet(4).dll
2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet(3).dll
2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet(2)(2).dll
2010-02-26 06:12 . 2006-02-28 12:00 624640 ----a-w- c:\windows\system32\urlmon(5).dll
2010-02-26 06:12 . 2006-02-28 12:00 624640 ----a-w- c:\windows\system32\urlmon(4).dll
2010-02-26 06:12 . 2006-02-28 12:00 624640 ----a-w- c:\windows\system32\urlmon(3).dll
2010-02-26 06:12 . 2006-02-28 12:00 624640 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2010-02-26 06:12 . 2006-02-28 12:00 474112 ----a-w- c:\windows\system32\shlwapi(2)(2).dll
2010-02-26 06:12 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2006-02-28 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 17:35 . 2006-02-28 12:00 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 16:57 . 2004-08-03 22:59 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 16:46 . 2010-02-12 16:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46 . 2010-02-12 16:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:47 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-11 04:41 . 2010-02-11 04:41 56136 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-11 04:40 . 2009-08-12 02:58 68456 ----a-w- c:\documents and settings\Whitt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Creative\Mixer\ctsvolfe .exe
c:\program files\Dell\QuickSet\quickset                        .exe
c:\program files\Google\Google Talk\googletalk .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\McAfee\VirusScan Enterprise\shstat .exe
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\dell\quickset\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe" [N/A]
"Acepiyubader"="c:\windows\ucadarib.dll" [N/A]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [N/A]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\Whitt\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-12-18 256000]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Whitt^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Whitt\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
c:\program files\Nero\Nero 9\InCD\InCD.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 06:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBHGui]
c:\program files\Nero\Nero 9\InCD\NBHGui.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
c:\windows\system32\NeroCheck.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroRebootSetup]
c:\documents and settings\Whitt\Local Settings\Temp\nro.tmp\SetupX.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-03-02 03:43 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/26/2009 8:55 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/26/2009 5:31 PM 93320]
S2 0158741269552172mcinstcleanup;McAfee Application Installer Cleanup (0158741269552172);c:\windows\TEMP\015874~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\015874~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/25/2009 8:23 PM 722416]
S4 vwblka;vwblka; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 02:56]

2010-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2010-05-01 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uthsc.edu/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c9f2pbvn.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Whitt\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Whitt\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {80CB1EB3-F167-4B2F-B0F2-CBD6921F0499} - c:\documents and settings\Whitt\Local Settings\Application Data\{80CB1EB3-F167-4B2F-B0F2-CBD6921F0499}\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-01 15:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-01 15:25:43
ComboFix-quarantined-files.txt 2010-05-01 20:25

Pre-Run: 208,372,776,960 bytes free
Post-Run: 208,648,855,552 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 73B772BEBFD9EAE757FC619C8DF17F55


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:45 AM

Posted 01 May 2010 - 03:46 PM

There's a file infector that needs stopping. Please run ComboFix again.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Creative\Mixer\ctsvolfe .exe
c:\program files\Dell\QuickSet\quickset                        .exe
c:\program files\Google\Google Talk\googletalk .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\McAfee\VirusScan Enterprise\shstat .exe
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acepiyubader"=-

Files::
c:\windows\ucadarib.dll

Driver::
vwblka


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
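Added example, not part of this thread and not ComboFix's own code: a small Python triage script that pulls out of a ComboFix log the three artefacts m0le's CFScript above acts on (programs whose file name has had a space pushed in before ".exe", the Run value that points at a bare DLL, and the driver entry ComboFix prints with "[x]" because no file backs it) and lays them out in the RenV::/Registry::/Files::/Driver:: directive form his script uses. The sample input is a handful of lines copied from the two logs above, not the full log. The regexes, and the rule that a Run value naming a .dll is suspect, are assumptions drawn from this one log rather than a general signature; the log also shows the same renaming trick on .MRK files under drivers, which the .exe pattern deliberately leaves out because the page only shows RenV:: used on executables.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Patterns for the three artefacts the thread above acts on. They are written
# against this one log (assumptions, not a general signature):
#   1. a program whose name has whitespace inserted before ".exe"
#   2. a Run value whose data is a bare .dll instead of a program to launch
#   3. a service/driver entry with no file behind it, printed as "[x]"
RENAMED_EXE = re.compile(r"^(?P<path>[a-z]:\\\S.*?\S)\s+\.exe\s*$", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]+)"\s*\[(?P<meta>[^\]]*)\]\s*$')
DEAD_DRIVER = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;\s*\[x\]\s*$")

# Constructed sample: lines lifted from the ComboFix logs in this thread,
# plus two clean lines (McAfee, Lbd) so the rules have something to ignore.
SAMPLE_LOG = r"""
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Dell\QuickSet\quickset                        .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\dell\quickset\quickset .exe .exe .exe" [N/A]
"Acepiyubader"="c:\windows\ucadarib.dll" [N/A]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/26/2009 8:55 PM 64160]
S4 vwblka;vwblka; [x]
"""


@dataclass
class Findings:
    renamed_exes: list[str] = field(default_factory=list)
    # (registry key, value name, dll path) for each Run value that loads a DLL
    dll_run_values: list[tuple[str, str, str]] = field(default_factory=list)
    dead_drivers: list[str] = field(default_factory=list)


def triage(log_text: str) -> Findings:
    """Walk a ComboFix log once and collect the three artefact types."""
    found = Findings()
    current_key = ""  # last "[HKEY_...]" header seen, so values can be tied to it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key")
            continue
        if RENAMED_EXE.match(line):
            # keep the line verbatim: RenV:: wants the mangled name, spaces and all
            found.renamed_exes.append(line)
            continue
        m = RUN_VALUE.match(line)
        if m:
            # A Run value is supposed to name a program; in this log the one
            # naming a bare .dll is the infector's loader hook.
            if current_key.lower().endswith("\\run") and m.group("data").lower().endswith(".dll"):
                found.dll_run_values.append((current_key, m.group("name"), m.group("data")))
            continue
        m = DEAD_DRIVER.match(line)
        if m:
            found.dead_drivers.append(m.group("name").strip())
    return found


def render_cfscript(found: Findings) -> str:
    """Lay the findings out with the four directives used in the reply above.
    Empty sections are left out; the result is for review, not blind use."""
    sections: list[str] = []
    if found.renamed_exes:
        sections.append("RenV::\n" + "\n".join(found.renamed_exes))
    if found.dll_run_values:
        by_key: dict[str, list[str]] = {}
        file_lines: list[str] = []
        for key, name, dll in found.dll_run_values:
            by_key.setdefault(key, []).append(f'"{name}"=-')  # "=-" deletes the value
            file_lines.append(dll)
        reg_lines: list[str] = []
        for key, values in by_key.items():
            reg_lines.append(f"[{key}]")
            reg_lines.extend(values)
        sections.append("Registry::\n" + "\n".join(reg_lines))
        sections.append("Files::\n" + "\n".join(file_lines))
    if found.dead_drivers:
        sections.append("Driver::\n" + "\n".join(found.dead_drivers))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample it reproduces m0le's script section for section. Fed a whole log it will also list the " .exe" entries under "Other Deletions", which the first ComboFix run has already removed, so the output is a starting point for a helper to check against the log, not something to drop onto ComboFix unread.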

#7 kaplan81

kaplan81
  • Topic Starter

  • Members
  • 34 posts
  • Gender:Male
  • Local time:01:45 AM

Posted 01 May 2010 - 05:35 PM

ComboFix 10-04-30.03 - Administrator 05/01/2010 15:58:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.563 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Comfix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Whitt\Local Settings\Application Data\{80CB1EB3-F167-4B2F-B0F2-CBD6921F0499}
c:\documents and settings\Whitt\Local Settings\Application Data\{80CB1EB3-F167-4B2F-B0F2-CBD6921F0499}\chrome.manifest
c:\documents and settings\Whitt\Local Settings\Application Data\{80CB1EB3-F167-4B2F-B0F2-CBD6921F0499}\chrome\content\_cfg.js
c:\documents and settings\Whitt\Local Settings\Application Data\{80CB1EB3-F167-4B2F-B0F2-CBD6921F0499}\chrome\content\overlay.xul
c:\documents and settings\Whitt\Local Settings\Application Data\{80CB1EB3-F167-4B2F-B0F2-CBD6921F0499}\install.rdf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VWBLKA
-------\Service_vwblka


((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-04-25 23:43 . 2010-04-25 23:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\DOSBox
2010-04-25 23:41 . 2006-08-29 19:48 -------- d-----w- C:\Crime
2010-04-25 21:56 . 2010-04-25 21:56 -------- d-----w- c:\program files\iPod
2010-04-25 21:56 . 2010-04-25 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-25 21:54 . 2010-04-25 21:55 -------- d-----w- c:\program files\QuickTime
2010-04-25 21:52 . 2010-04-25 21:52 -------- d-----w- c:\program files\Apple Software Update
2010-04-25 21:52 . 2010-04-25 21:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2010-04-25 21:49 . 2010-04-25 21:49 -------- d-----w- c:\program files\Bonjour
2010-04-25 01:00 . 2010-04-25 01:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-22 04:47 . 2010-04-22 04:47 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-22 03:27 . 2010-04-22 04:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\ImgBurn
2010-04-22 03:19 . 2010-04-22 03:19 -------- d-----w- c:\program files\ImgBurn
2010-04-22 03:03 . 2010-04-22 03:03 -------- d-----w- c:\program files\Ask.com
2010-04-22 01:24 . 2010-04-22 01:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canneverbe_Limited
2010-04-22 01:04 . 2010-04-22 01:04 4 ----a-w- c:\program files\165656.dat
2010-04-22 00:40 . 2004-08-05 20:58 65536 ----a-w- c:\windows\system32\NeroCo.dll
2010-04-22 00:40 . 2004-08-04 19:19 2031616 ------w- c:\windows\UNNeroBurnRights.exe
2010-04-21 23:19 . 2001-06-26 07:15 38912 ----a-r- c:\windows\system32\picn20.dll
2010-04-21 23:19 . 2001-07-06 13:41 569344 ----a-r- c:\windows\system32\imagr5.dll
2010-04-21 23:19 . 2001-07-06 11:44 544768 ----a-r- c:\windows\system32\imagx5.dll
2010-04-21 23:19 . 2001-07-06 17:24 283920 ----a-r- c:\windows\system32\ImagXpr5.dll
2010-04-21 23:19 . 2010-04-21 23:19 -------- d-----w- c:\program files\Common Files\Ahead
2010-04-21 23:19 . 2010-04-22 00:40 -------- d-----w- c:\program files\Ahead
2010-04-21 21:36 . 2010-05-01 13:32 0 ----a-w- c:\windows\Awoceweweciqusol.bin
2010-04-21 21:36 . 2010-05-01 18:26 120 ----a-w- c:\windows\Tlamiwol.dat
2010-04-21 21:29 . 2010-04-21 21:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ahead
2010-04-21 20:43 . 2010-04-22 11:55 -------- d-----w- C:\MOSS
2010-04-12 16:15 . 2010-04-12 16:15 -------- d-----w- C:\$AVG
2010-04-06 21:47 . 2010-04-06 21:47 4 ----a-w- c:\program files\60546.dat
2010-04-06 21:47 . 2010-04-06 21:47 4 ----a-w- c:\program files\60468.dat
2010-04-06 21:47 . 2010-04-06 21:47 4 ----a-w- c:\program files\60156.dat
2010-04-06 21:45 . 2010-04-12 17:20 -------- d-----w- c:\documents and settings\Whitt\Application Data\015CD9817343056DAD827D61C4D32461
2010-04-04 15:29 . 2010-04-04 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-04-03 22:33 . 2010-04-03 22:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 22:32 . 2010-04-06 22:24 -------- d-----w- c:\program files\LimeWire
2010-04-03 22:32 . 2010-04-03 22:32 -------- d-----w- c:\program files\CDBurnerXP
2010-04-03 22:32 . 2010-04-03 22:32 -------- d-----w- c:\windows\system32\rmdll
2010-04-03 22:32 . 2010-04-03 22:32 -------- d-----w- c:\program files\Broadcom
2010-04-02 14:13 . 2010-04-02 14:13 -------- d-----w- c:\windows\system32\scripting
2010-04-02 14:13 . 2010-04-02 14:13 -------- d-----w- c:\windows\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 22:27 . 2006-02-28 12:00 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-04-27 01:42 . 2009-08-03 03:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-04-26 02:05 . 2009-11-23 20:28 -------- d-----w- c:\program files\DOSBox-0.73
2010-04-25 21:58 . 2009-07-25 19:17 -------- d-----w- c:\program files\iTunes
2010-04-25 21:56 . 2009-07-25 19:15 -------- d-----w- c:\program files\Common Files\Apple
2010-04-25 21:54 . 2009-07-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-04-25 21:30 . 2009-11-26 02:03 -------- d-----w- c:\program files\Alcohol Soft
2010-04-23 04:22 . 2009-10-01 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-22 23:28 . 2009-07-24 02:18 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-04-22 23:05 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\dwwin.exe.tmp
2010-04-22 01:54 . 2010-03-17 22:02 439816 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-04-06 22:31 . 2009-07-26 22:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 22:26 . 2010-03-18 18:10 -------- d-----w- c:\documents and settings\Whitt\Application Data\uTorrent
2010-04-06 22:25 . 2009-08-26 22:37 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 22:27 . 2009-08-01 18:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-04-03 22:27 . 2010-04-02 17:58 -------- d-----w- c:\program files\Broadcom(2)
2010-04-03 22:27 . 2010-04-02 21:36 -------- d-----w- c:\program files\Support Tools(2)
2010-04-03 22:20 . 2009-07-24 23:45 -------- d-----w- c:\documents and settings\Whitt\Application Data\U3
2010-04-03 22:20 . 2009-07-25 03:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-03 22:20 . 2010-04-02 22:21 -------- d-----w- c:\program files\CDBurnerXP(2)
2010-04-03 22:19 . 2010-04-03 01:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sun(2)
2010-04-02 21:33 . 2009-07-24 01:41 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-02 20:41 . 2010-04-02 20:41 -------- d-----w- c:\program files\Trend Micro
2010-04-01 08:23 . 2009-07-26 21:53 -------- d-----w- c:\program files\McAfee
2010-03-30 05:46 . 2009-07-26 22:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2009-07-26 22:13 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 06:48 . 2010-03-26 06:48 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-24 21:19 . 2010-03-24 21:14 20846064 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-18 19:52 . 2009-11-23 04:20 -------- d-----w- c:\program files\Comical
2010-03-18 18:10 . 2010-03-18 18:10 -------- d-----w- c:\program files\uTorrent
2010-03-17 22:08 . 2009-07-25 23:47 68456 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 08:02 . 2006-02-28 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 05:21 . 2006-02-28 12:00 1506304 ----a-w- c:\windows\system32\shdocvw(2)(2).dll
2010-03-10 05:21 . 2006-02-28 12:00 1023488 ----a-w- c:\windows\system32\browseui(4).dll
2010-03-10 05:21 . 2006-02-28 12:00 1023488 ----a-w- c:\windows\system32\browseui(3).dll
2010-03-10 05:21 . 2006-02-28 12:00 1023488 ----a-w- c:\windows\system32\browseui(2).dll
2010-03-09 06:58 . 2010-03-09 06:58 8405312 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-09 06:57 . 2010-03-09 06:57 149000 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-09 06:57 . 2010-03-09 06:57 10309448 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-09 06:55 . 2010-03-09 06:55 283280 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-09 06:55 . 2010-03-09 06:55 181768 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-09 06:55 . 2010-03-09 06:55 79368 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-09 06:55 . 2010-03-09 06:55 52288 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-09 06:55 . 2010-03-09 06:55 64000 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-09 06:55 . 2010-03-09 06:55 50688 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-09 06:55 . 2010-03-09 06:55 49152 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-09 06:55 . 2010-03-09 06:55 118784 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-08 22:55 . 2010-03-08 22:55 439816 ----a-w- c:\documents and settings\Whitt\Application Data\Real\Update\setup3.10\setup.exe
2010-03-02 03:42 . 2010-03-02 03:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-02 03:42 . 2010-03-02 03:42 152576 ----a-w- c:\documents and settings\Whitt\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet(5).dll
2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet(4).dll
2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet(3).dll
2010-02-26 06:12 . 2006-02-28 12:00 662016 ----a-w- c:\windows\system32\wininet(2)(2).dll
2010-02-26 06:12 . 2006-02-28 12:00 624640 ----a-w- c:\windows\system32\urlmon(5).dll
2010-02-26 06:12 . 2006-02-28 12:00 624640 ----a-w- c:\windows\system32\urlmon(4).dll
2010-02-26 06:12 . 2006-02-28 12:00 624640 ----a-w- c:\windows\system32\urlmon(3).dll
2010-02-26 06:12 . 2006-02-28 12:00 624640 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2010-02-26 06:12 . 2006-02-28 12:00 474112 ----a-w- c:\windows\system32\shlwapi(2)(2).dll
2010-02-26 06:12 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2006-02-28 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 17:35 . 2006-02-28 12:00 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 16:57 . 2004-08-03 22:59 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 16:46 . 2010-02-12 16:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46 . 2010-02-12 16:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:47 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-11 04:41 . 2010-02-11 04:41 56136 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-11 04:40 . 2009-08-12 02:58 68456 ----a-w- c:\documents and settings\Whitt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\dell\quickset\quickset.exe" [2007-05-14 1191936]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

c:\documents and settings\Whitt\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-12-18 256000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Whitt^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Whitt\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 06:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2008-03-14 09:00 136512 ----a-w- c:\program files\McAfee\Common Framework\udaterui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
2008-10-07 01:50 111952 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-03-02 03:43 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-08-05 04:32 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
"12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
"12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/26/2009 8:55 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/26/2009 5:31 PM 93320]
S2 0158741269552172mcinstcleanup;McAfee Application Installer Cleanup (0158741269552172);c:\windows\TEMP\015874~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\015874~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/25/2009 8:23 PM 722416]
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 02:56]

2010-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2010-05-01 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uthsc.edu/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\c9f2pbvn.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Whitt\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Whitt\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-PC Connection Agent - c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
MSConfigStartUp-InCD - c:\program files\Nero\Nero 9\InCD\InCD.exe
MSConfigStartUp-NBHGui - c:\program files\Nero\Nero 9\InCD\NBHGui.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-NeroRebootSetup - c:\documents and settings\Whitt\Local Settings\Temp\nro.tmp\SetupX.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-01 16:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2632)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-05-01 16:17:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-01 21:17
ComboFix2.txt 2010-05-01 20:25

Pre-Run: 208,652,984,320 bytes free
Post-Run: 208,549,588,992 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 06FD1393CF213B020BEBAA6D66FF3FDA



#8 m0le (Malware Response Team, London, UK)

Posted 01 May 2010 - 05:59 PM

Can you check this file for me:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\program files\165656.dat

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal



m0le is a proud member of UNITE

#9 kaplan81 (Topic Starter)

Posted 01 May 2010 - 07:01 PM

Filename: INTPPM_Backup.bak
Status:
Scan finished. 0 out of 20 scanners reported malware.

Additional info:

File size: 4 bytes
Filetype: Unknown
MD5: 4352d88a78aa39750bf70cd6f27bcaa5
SHA1: 3c585604e87f855973731fea83e21fab9392d2fc



#10 m0le (Malware Response Team, London, UK)

Posted 01 May 2010 - 07:11 PM

Good.

Use Windows Explorer to find and delete these files:

c:\windows\Awoceweweciqusol.bin
c:\windows\Tlamiwol.dat

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop, or press the Windows key + E.
Double click on Local Disk (C:\).
Double click on the Windows folder.
Right click on badfile.dll and then, from the menu that appears, click on Delete.



Next

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#11 kaplan81 (Topic Starter)

Posted 02 May 2010 - 12:23 PM

Here's the ESET results.

C:\Documents and Settings\Whitt\Desktop\Nero-9.4.13.2_Softonic_trial_e.exe Win32/Toolbar.AskSBar application deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\MSASCui.exe.vir probably a variant of Win32/Kryptik.EAQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\MSASCui.exe.vir probably a variant of Win32/Kryptik.EAQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\ucadarib.dll.vir a variant of Win32/Cimag.CI trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ftdisk.sys.vir Win32/Patched.EQ trojan deleted - quarantined
C:\System Volume Information\_restore{0236B0A7-FD51-4687-B238-D90FD5254010}\RP11\A0006317.sys Win32/Patched.EQ trojan deleted - quarantined
C:\System Volume Information\_restore{0236B0A7-FD51-4687-B238-D90FD5254010}\RP11\A0006361.exe probably a variant of Win32/Kryptik.EAQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{0236B0A7-FD51-4687-B238-D90FD5254010}\RP11\A0006363.exe probably a variant of Win32/Kryptik.EAQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{0236B0A7-FD51-4687-B238-D90FD5254010}\RP11\A0006369.dll a variant of Win32/Cimag.CI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{0236B0A7-FD51-4687-B238-D90FD5254010}\RP11\A0006663.exe Win32/Toolbar.AskSBar application deleted - quarantined
C:\System Volume Information\_restore{2220CB69-407E-4E49-B603-2126069E1EED}\RP11\A0009565.EXE multiple threats deleted - quarantined




#12 m0le (Malware Response Team, London, UK)

Posted 02 May 2010 - 12:56 PM

That's looking good. Only the top entry is actually malware as such.

How's the PC running?
m0le is a proud member of UNITE

#13 kaplan81 (Topic Starter)

Posted 02 May 2010 - 02:19 PM

Seems to be running well now. Google is behaving normally and the programs that weren't running on startup now are. Thanks for the help. Am I good to go, or is there anything else I need to clean up?

#14 m0le (Malware Response Team, London, UK)

Posted 02 May 2010 - 02:52 PM

A bit of clear-up first.

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it kaplan81, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#15 kaplan81 (Topic Starter)

Posted 05 May 2010 - 03:40 PM

Wow. Thanks a lot for all the help. You really saved the day. I appreciate it.



