Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor.Win32.Blackhole + more - logs attached


  • This topic is locked This topic is locked
13 replies to this topic

#1 skinnyjeans

skinnyjeans

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 29 April 2010 - 12:48 PM

A couple of weeks ago my computer crashed with a blue screen that referenced a ntskrnl error. I managed to boot with a bart pe cd and restored the registry to an earlier time.

So far, Arovax, a program I'm not too familiar with, found and quarantined:
- Backdoor.Win32.Blackhole
- XferPro
- Win32.TrojanClick.Spywad.b.
- Spyware: .Realspy, .Elgolf, .Emailspy and .NSKeylogger
Malwarebytes, M.Security Essential, Bazooka, Hitman pro, Avast5 (among others) haven't found anything else (Arovax was one of the first programs used)

At this point, I don't know exactly what my computer is infected with but I know there is more because certain problems still exist.

This is a family home computer with two user accounts, the safemode administrator and the administrator user account I'm on now... a few weeks ago, my administrative rights were dropped... in trying to figure out why and reestablish authority, I searched around and discovered under system properties > user profiles, a new user account. If I deleted it, it came right back after restart. To temporarily fix this, I changed the permissions to me and copied the entire contents of the account to a folder on my desktop - zipped it and then threw the actual folder away. My rights were restored.

Then the other day I lost my rights again, I also noticed files were missing from my desktop. I tried recovery software and then system restore but nothing worked. I went under desktop properties and noticed my desktop was being synchronized with an unknown account. I deleted it and turned off active desktop. I'm the administrator again.

Another problem is with my Internet connection, I can connect to the Internet even though my network adapter says it's still acquiring the network address. Furthermore, the activity for packet data sent and received is unusually high and if I try to disable the connection (by right clicking), it won't let me. I have a cable modem connected to linksys. Currently the wireless is turned off because all of the home laptops are infected too. I disconnected the x box, thinking it could be the problem. Maybe an exploit in the home network?

For the last year or so, every so often there is a strange sound which stems directly from the desktop but not through the external speakers. The sound is quick, lasting about a second or two and happens every 10 -15 minutes, sometimes the stretches are longer. Very spyware sounding if that makes any sense. On top of that, my keyboard makes faint click sounds, not with every keystroke, sometimes after I finish typing or pause. Also, every time i boot the computer it says the keyboard and mouse are not present.

Furthermore, one of the cd drives, the Region has been changed to two (instead of one) and it won't let me change it back.

These are a few of the problems I can think of off the top of my head - I may have done more damage then good, any advice or help is much appreciated.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 13:04:02.17 on Wed 04/28/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Immunet Protect *On-access scanning enabled* (Updated) {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}
SP: Spy Emergency *disabled* (Updated) {82117492-906E-4b02-A33A-84D42A2DD907}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.msn.com
mDefault_Page_URL = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=74.87.151.153:8000
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AutorunsDisabled - No File
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Immunet Protect] "c:\program files\immunet protect\1.0.26\iptray.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\autoru~1\system~1\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 6 (0x6)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-system: DisableCMD = 1 (0x1)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
mPolicies-explorer: NoFavoritesMenu = 1 (0x1)
mPolicies-explorer: NoSMMyPictures = 1 (0x1)
mPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: {8F379D27-A517-49D4-AC60-5B7130E1027B} - c:\program files\freshdevices\freshdownload\fd.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {AD9E6088-E00B-42f9-9F0C-8480525D234E} - {FF5073C0-28A0-4223-9BDF-59FF020FE77C}
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {A8C3ACDD-D65A-4459-9076-63BE80E58782} = 69.1.30.11,69.1.30.10
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: AutorunsDisabled - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\s40nulcr.default\
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-04-28 15:03:11 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-28 15:03:09 0 d-----w- c:\windows\system32\ZoneLabs
2010-04-28 15:03:06 422437 ----a-w- c:\windows\system32\vsconfig.xml
2010-04-28 15:03:03 0 d-----w- c:\program files\Zone Labs
2010-04-27 19:27:46 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-27 19:25:02 0 d-----w- c:\documents and settings\owner\mex
2010-04-27 19:25:02 0 d-----w- c:\documents and settings\owner\Kodak Pictures
2010-04-27 19:25:02 0 d-----r- c:\documents and settings\owner\My Pictures
2010-04-27 19:21:03 0 d-----w- C:\Fraps
2010-04-27 19:00:49 0 d-----w- c:\windows\Internet Logs
2010-04-27 18:45:00 0 d-----w- c:\windows\Internet Logs(2)
2010-04-27 16:51:45 0 d-----w- c:\documents and settings\owner\desktop(4)
2010-04-27 16:42:08 0 d-----w- c:\program files\FolderSizes
2010-04-27 15:08:41 0 d-----w- c:\documents and settings\owner\desktop(3)
2010-04-27 14:55:47 0 d-----w- c:\documents and settings\owner\Desktop(2)
2010-04-23 19:40:46 0 ----a-w- c:\documents and settings\owner\fport
2010-04-23 19:34:27 0 d-----w- c:\program files\Winternals
2010-04-23 01:45:34 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-22 17:45:39 0 d--h--r- c:\windows\system32\VProRecovery
2010-04-22 17:31:48 0 d-----w- C:\desktopbckup
2010-04-22 17:10:04 215144 ----a-r- c:\windows\patchw32.dll
2010-04-22 17:04:36 0 d-----w- c:\docume~1\owner\applic~1\Symantec
2010-04-22 17:04:02 215144 ----a-r- c:\windows\pw32a.dll
2010-04-22 02:17:54 0 d-----w- c:\program files\Symantec
2010-04-22 02:15:49 128104 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2010-04-22 02:15:46 15088 ------w- c:\windows\system32\drivers\vproeventmonitor.sys
2010-04-22 02:15:42 38112 ----a-w- c:\windows\system32\drivers\v2imount.sys
2010-04-22 02:15:37 138464 ----a-w- c:\windows\system32\drivers\symsnap.sys
2010-04-22 02:14:26 0 d-----w- c:\program files\common files\Symantec Shared
2010-04-22 02:13:15 0 d-----w- c:\program files\Norton Ghost
2010-04-21 23:33:02 0 d-----w- c:\program files\Bazooka Scanner
2010-04-21 06:37:52 9216 ----a-w- c:\windows\system32\drivers\SE_Filter.sys
2010-04-20 18:22:37 0 ----a-w- c:\windows\system32\FOXIT_PDF
2010-04-20 18:13:50 0 d-----w- c:\program files\Lavalys
2010-04-20 04:50:21 0 d-----w- c:\docume~1\alluse~1\applic~1\FreeHideIP
2010-04-20 04:45:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-19 21:38:21 0 d-----w- c:\documents and settings\owner\DoctorWeb
2010-04-19 19:35:30 0 d-----w- c:\documents and settings\owner\recent recov
2010-04-19 18:25:31 0 d-----w- C:\VundoFix Backups
2010-04-19 14:51:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-19 14:51:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-18 23:32:30 131176 ----a-w- c:\windows\winkeylogon.7z
2010-04-18 14:13:26 853 ------w- c:\windows\system32\Winlogonevents.exp
2010-04-17 20:01:06 0 d-----w- c:\program files\TrendMicro
2010-04-17 17:50:14 73728 ------r- c:\windows\system32\psProxy.dll
2010-04-17 17:50:13 188416 ------r- c:\windows\system32\pocketHTTP.dll
2010-04-17 17:50:13 110676 ------r- c:\windows\system32\psDime.dll
2010-04-17 17:50:12 53248 ------w- c:\windows\system32\Winlogonevents.dll
2010-04-17 17:50:12 380928 ------r- c:\windows\system32\pSOAP32.dll
2010-04-17 17:35:26 1044 ----a-w- c:\windows\SecurityandPrivacy3.ini
2010-04-17 17:18:49 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_btguard_01007.Wdf
2010-04-17 17:18:46 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-04-17 17:18:41 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-04-17 03:36:43 0 d-----w- c:\docume~1\owner\applic~1\RagTime
2010-04-17 03:36:20 0 d-----w- c:\program files\RagTime Solo
2010-04-17 03:35:59 0 d-----w- c:\documents and settings\owner\WINDOWS
2010-04-16 16:54:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2010-04-16 14:53:45 0 d-----w- c:\docume~1\owner\applic~1\Serif
2010-04-16 14:51:50 0 d-----w- c:\program files\Serif
2010-04-16 14:21:55 0 d-----w- c:\documents and settings\owner\.scribus
2010-04-16 14:13:10 0 d-----w- c:\program files\Scribus 1.3.3.14
2010-04-16 02:08:42 29640 ----a-w- c:\windows\system32\drivers\ImmunetSelfProtect.sys
2010-04-16 02:08:37 20040 ----a-w- c:\windows\system32\drivers\ImmunetMonitor.sys
2010-04-16 02:08:33 38856 ----a-w- c:\windows\system32\drivers\ImmunetProtect.sys
2010-04-16 02:08:25 0 d-----w- c:\program files\Immunet Protect
2010-04-15 15:28:12 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-15 15:09:28 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-15 15:09:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-15 06:35:55 0 d-----w- c:\program files\Arovax AntiSpyware
2010-04-15 03:49:44 0 d-----w- c:\windows\.jagex_cache_32
2010-04-15 03:49:36 0 d-----w- c:\program files\Safari(2)
2010-04-15 03:41:18 0 d-----w- c:\docume~1\alluse~1\applic~1\FunGames
2010-04-15 03:30:10 0 d-----w- c:\program files\Broadcom
2010-04-13 14:22:35 0 d-----w- c:\program files\LSoft Technologies
2010-04-12 01:54:08 1374 ----a-w- c:\windows\imsins.BAK
2010-04-10 05:30:35 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-09 20:48:18 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-09 03:08:12 57344 ----a-w- c:\windows\system32\ndisapi.dll
2010-04-09 03:08:11 184320 ----a-w- c:\windows\system32\Prifw.dll
2010-04-07 20:53:14 0 d-----w- c:\windows\Intuit

==================== Find3M ====================

2010-04-28 15:03:43 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-20 00:37:21 9036 --sha-w- c:\windows\system32\sys_drv.dat
2010-04-20 00:37:21 7028 --sha-w- c:\windows\system32\sys_drv_2.dat
2010-04-19 17:15:33 71844 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-15 18:28:48 32 ----a-w- c:\program files\CodeStuff.7z
2010-04-15 18:28:24 8726 ----a-w- c:\program files\CodeBlocks.7z
2010-04-15 02:44:32 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
2006-10-12 04:44:58 55296 ----a-w- c:\program files\Seconfig XP.exe
2006-03-25 15:17:32 24064 ----a-w- c:\program files\aklogNT+.exe
2009-09-01 21:53:07 2 --shatr- c:\windows\winstart.bat

============= FINISH: 13:09:36.20 ===============

Attached Files

  • Attached File  ark.txt   10.14KB   6 downloads


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:13 PM

Posted 03 May 2010 - 03:14 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 skinnyjeans

skinnyjeans
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 03 May 2010 - 03:41 PM

Hey m0le,
This morning I noticed my administrative rights were dropped.
Also, under Documents and Settings, the Network Service folder is gone.
Arovax found another keylogger too.

Your help is appreciated,
skinnyjeans

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:13 PM

Posted 03 May 2010 - 03:43 PM

It sounds like you have been severely copromised.

Please run the following programs

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then


Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.


Finally,


Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#5 skinnyjeans

skinnyjeans
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 04 May 2010 - 01:01 AM

M0le,
I had a problem with Combofix installing the recovery console - my connection to the
internet kept dropping every time it tried to download the files from microsoft.
I tried to install the rc manually with a slipstreamed windows XP SP2 cd I created but kept receiving an error message
stating my drives weren't connected.
I ended up downloading rc.iso and burning it to a cd. (will check if it was done correctly next)

Scans requested:

exeHelper by Raktor
Build 20100414
Run at 16:35:01 on 05/03/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
----------------------------------------------------
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 05/03/2010 at 17:33:48.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Owner\Desktop\dload\rkill.scr


Rkill completed on 05/03/2010 at 17:34:01.
---------------------------------------------------------
ComboFix 10-05-03.03 - Owner 05/03/2010 19:22:29.2.1 - x86
Running from: c:\documents and settings\Owner\Desktop\dload\ComboFix.exe
AV: Immunet Protect *On-access scanning disabled* (Updated) {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Spy Emergency *disabled* (Updated) {82117492-906E-4b02-A33A-84D42A2DD907}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\documents and settings\Owner\Application Data\.#
C:\ipconfig.txt
c:\program files\Common Files\Uninstall
c:\program files\WindowsUpdate
c:\windows\Debug\dcpromo.log
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\drivers\fad.sys
c:\windows\system32\ndisapi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFPANSI
-------\Service_AFPAnsi


((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-01 01:56 . 2006-12-04 22:53 187184 ----a-w- C:\pssuspend.exe
2010-05-01 01:56 . 2008-01-09 21:36 107560 ----a-w- C:\psservice.exe
2010-05-01 01:56 . 2009-05-07 06:25 177024 ----a-w- C:\psloglist.exe
2010-05-01 01:56 . 2006-12-04 22:53 125744 ----a-w- C:\pslist.exe
2010-05-01 01:56 . 2006-12-04 22:53 105264 ----a-w- C:\psloggedon.exe
2010-05-01 01:56 . 2007-07-09 16:23 243072 ----a-w- C:\Psinfo.exe
2010-05-01 01:55 . 2006-12-04 22:53 187184 ----a-w- C:\psgetsid.exe
2010-05-01 01:55 . 2006-12-04 22:53 105264 ----a-w- C:\psfile.exe
2010-04-30 01:06 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-04-30 01:06 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-04-30 01:06 . 2004-08-04 03:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-30 01:06 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-28 15:03 . 2009-11-22 20:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-04-28 15:03 . 2009-11-22 20:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-04-28 15:03 . 2009-11-22 20:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-28 15:03 . 2010-04-28 15:03 -------- d-----w- c:\windows\system32\ZoneLabs
2010-04-28 15:03 . 2010-04-28 15:03 -------- d-----w- c:\program files\Zone Labs
2010-04-28 14:38 . 2010-04-28 14:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-04-27 19:27 . 2010-04-27 19:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-27 19:25 . 2010-04-27 19:25 -------- d-----w- c:\documents and settings\Owner\mex
2010-04-27 19:25 . 2010-04-27 19:25 -------- d-----w- c:\documents and settings\Owner\Kodak Pictures
2010-04-27 19:25 . 2010-04-27 19:25 -------- d-----r- c:\documents and settings\Owner\My Pictures
2010-04-27 19:21 . 2010-04-27 19:21 -------- d-----w- C:\Fraps
2010-04-27 19:15 . 2010-04-27 19:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\HuluDesktop
2010-04-27 19:15 . 2010-04-27 19:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Happy Hour Code, LLC
2010-04-27 19:15 . 2010-04-27 19:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2010-04-27 19:15 . 2010-04-27 19:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Axialis
2010-04-27 19:00 . 2010-05-04 00:37 -------- d-----w- c:\windows\Internet Logs
2010-04-27 18:45 . 2010-04-27 18:45 -------- d-----w- c:\windows\Internet Logs(2)
2010-04-27 16:51 . 2010-04-27 19:06 -------- d-----w- c:\documents and settings\Owner\desktop(4)
2010-04-27 16:42 . 2010-04-27 19:11 -------- d-----w- c:\program files\FolderSizes
2010-04-27 15:08 . 2010-04-27 19:11 -------- d-----w- c:\documents and settings\Owner\desktop(3)
2010-04-27 14:55 . 2010-04-27 19:11 -------- d-----w- c:\documents and settings\Owner\Desktop(2)
2010-04-23 19:34 . 2010-04-23 19:34 -------- d-----w- c:\program files\Winternals
2010-04-22 17:45 . 2010-04-22 17:45 -------- d--h--r- c:\windows\system32\VProRecovery
2010-04-22 17:31 . 2010-04-24 01:31 -------- d-----w- C:\desktopbckup
2010-04-22 17:10 . 2009-08-03 21:14 215144 ----a-r- c:\windows\patchw32.dll
2010-04-22 17:04 . 2010-04-22 17:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Symantec
2010-04-22 17:04 . 2010-04-22 17:04 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Symantec_Corporation
2010-04-22 17:04 . 2009-08-03 21:14 215144 ----a-r- c:\windows\pw32a.dll
2010-04-22 02:17 . 2010-04-22 02:17 -------- d-----w- c:\program files\Symantec
2010-04-22 02:15 . 2008-01-20 01:12 128104 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2010-04-22 02:15 . 2008-01-20 00:40 15088 ------w- c:\windows\system32\drivers\vproeventmonitor.sys
2010-04-22 02:15 . 2008-08-13 22:07 38112 ----a-w- c:\windows\system32\drivers\v2imount.sys
2010-04-22 02:15 . 2009-07-01 16:28 138464 ----a-w- c:\windows\system32\drivers\symsnap.sys
2010-04-22 02:14 . 2010-04-22 02:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-22 02:13 . 2010-04-22 02:13 -------- d-----w- c:\program files\Norton Ghost
2010-04-21 23:33 . 2010-04-22 00:30 -------- d-----w- c:\program files\Bazooka Scanner
2010-04-21 06:37 . 2010-04-21 06:37 9216 ----a-w- c:\windows\system32\drivers\SE_Filter.sys
2010-04-20 18:13 . 2010-04-22 00:32 -------- d-----w- c:\program files\Lavalys
2010-04-20 04:50 . 2010-04-26 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeHideIP
2010-04-20 04:45 . 2010-05-03 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-19 21:38 . 2010-04-22 00:29 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2010-04-19 19:35 . 2010-04-22 00:29 -------- d-----w- c:\documents and settings\Owner\recent recov
2010-04-19 18:25 . 2010-04-22 00:33 -------- d-----w- C:\VundoFix Backups
2010-04-19 15:21 . 2010-04-22 00:33 -------- d-----w- c:\program files\QuickTime
2010-04-19 14:51 . 2010-04-19 14:50 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 20:01 . 2010-04-22 00:33 -------- d-----w- c:\program files\TrendMicro
2010-04-17 17:50 . 2006-03-14 12:05 73728 ------r- c:\windows\system32\psProxy.dll
2010-04-17 17:50 . 2006-03-14 12:05 188416 ------r- c:\windows\system32\pocketHTTP.dll
2010-04-17 17:50 . 2006-03-14 12:05 110676 ------r- c:\windows\system32\psDime.dll
2010-04-17 17:50 . 2009-02-20 15:35 53248 ------w- c:\windows\system32\Winlogonevents.dll
2010-04-17 17:50 . 2006-03-14 12:05 380928 ------r- c:\windows\system32\pSOAP32.dll
2010-04-17 17:18 . 2008-03-21 18:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-04-17 03:36 . 2010-04-21 17:29 -------- d-----w- c:\documents and settings\Owner\Application Data\RagTime
2010-04-17 03:36 . 2010-04-22 00:33 -------- d-----w- c:\program files\RagTime Solo
2010-04-17 03:35 . 2010-04-22 00:29 -------- d-----w- c:\documents and settings\Owner\WINDOWS
2010-04-16 16:54 . 2010-04-16 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-04-16 14:53 . 2010-04-16 14:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Serif
2010-04-16 14:51 . 2010-04-22 00:33 -------- d-----w- c:\program files\Serif
2010-04-16 14:21 . 2010-04-16 14:41 -------- d-----w- c:\documents and settings\Owner\.scribus
2010-04-16 14:13 . 2010-04-22 00:33 -------- d-----w- c:\program files\Scribus 1.3.3.14
2010-04-16 02:08 . 2010-04-16 02:08 29640 ----a-w- c:\windows\system32\drivers\ImmunetSelfProtect.sys
2010-04-16 02:08 . 2010-04-16 02:08 20040 ----a-w- c:\windows\system32\drivers\ImmunetMonitor.sys
2010-04-16 02:08 . 2010-04-16 02:08 38856 ----a-w- c:\windows\system32\drivers\ImmunetProtect.sys
2010-04-16 02:08 . 2010-05-03 21:46 -------- d-----w- c:\program files\Immunet Protect
2010-04-15 15:28 . 2010-04-15 15:28 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-15 15:09 . 2010-04-15 15:31 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-15 15:09 . 2010-04-15 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-15 06:35 . 2010-05-03 20:03 -------- d-----w- c:\program files\Arovax AntiSpyware
2010-04-15 04:14 . 2010-04-22 00:33 -------- d-----w- c:\program files\Safari
2010-04-15 03:49 . 2010-04-15 03:49 -------- d-----w- c:\windows\.jagex_cache_32
2010-04-15 03:49 . 2010-04-22 00:33 -------- d-----w- c:\program files\Safari(2)
2010-04-15 03:41 . 2010-04-15 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\FunGames
2010-04-15 03:30 . 2010-04-22 00:30 -------- d-----w- c:\program files\Broadcom
2010-04-13 14:22 . 2010-04-22 00:32 -------- d-----w- c:\program files\LSoft Technologies
2010-04-10 05:30 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-09 03:08 . 2003-09-12 16:08 184320 ----a-w- c:\windows\system32\Prifw.dll
2010-04-07 20:53 . 2010-04-22 00:33 -------- d-----w- c:\windows\Intuit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-03 21:06 . 2010-04-28 16:32 4609804 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-05-02 22:48 . 2010-05-03 13:52 1617408 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-05-02 22:48 . 2010-05-03 13:51 374272 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-05-01 20:46 . 2010-02-03 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Jarte
2010-04-30 17:36 . 2009-10-21 20:55 -------- d-----w- c:\program files\Foxit Software
2010-04-30 05:13 . 2010-04-30 14:50 554496 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-04-28 23:13 . 2010-04-28 23:13 19829633 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2010_04_28_18_06_21_full.dmp.zip
2010-04-28 16:59 . 2009-10-22 00:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Inkscape
2010-04-28 15:03 . 2010-01-31 21:14 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-28 13:30 . 2009-04-15 14:55 104000 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-27 14:56 . 2009-04-14 13:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-23 19:34 . 2009-04-14 02:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 04:09 . 2009-04-15 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-22 00:32 . 2009-04-17 17:27 -------- d-----w- c:\program files\Paint.NET
2010-04-22 00:31 . 2009-08-03 00:45 -------- d-----w- c:\program files\Harden-It
2010-04-22 00:30 . 2009-09-11 01:26 -------- d-----w- c:\program files\Common Files\Kodak
2010-04-21 16:54 . 2009-04-17 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2010-04-20 00:37 . 2009-10-08 13:27 9036 --sha-w- c:\windows\system32\sys_drv.dat
2010-04-20 00:37 . 2009-10-08 13:27 7028 --sha-w- c:\windows\system32\sys_drv_2.dat
2010-04-19 17:15 . 2009-08-27 21:03 71844 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-19 15:32 . 2010-03-08 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Arovax
2010-04-17 17:18 . 2010-04-17 17:18 9062 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{6D0208BB-266C-49E5-9F60-0B59B7068027}\ARPPRODUCTICON.exe
2010-04-17 17:18 . 2010-04-17 17:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_btguard_01007.Wdf
2010-04-17 17:18 . 2010-04-17 17:18 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-04-15 18:28 . 2010-04-15 18:28 32 ----a-w- c:\program files\CodeStuff.7z
2010-04-15 18:28 . 2010-04-15 18:26 8726 ----a-w- c:\program files\CodeBlocks.7z
2010-04-15 17:50 . 2009-10-22 17:16 -------- d-----w- c:\documents and settings\Owner\Application Data\ZipGenius
2010-04-15 03:57 . 2009-04-17 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-15 02:44 . 2010-02-26 00:05 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-07 20:38 . 2009-10-05 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-04-07 20:04 . 2009-05-11 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-10 06:15 . 2002-09-03 17:09 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 22:29 . 2010-03-05 22:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Returnil
2010-03-04 09:00 . 2010-03-04 09:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-25 06:24 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:16 . 2010-01-31 17:48 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 12:31 . 2002-09-03 16:42 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2002-09-03 16:50 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2002-08-29 01:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2002-09-03 16:26 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 19:36 . 2010-02-11 19:36 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-02-11 12:01 . 2002-09-03 17:06 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-06 10:37 . 2009-09-11 01:30 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2006-10-12 04:44 . 2009-08-05 03:45 55296 ----a-w- c:\program files\Seconfig XP.exe
2009-09-01 21:53 . 2009-09-01 21:53 2 --shatr- c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\Owner\Start Menu\Programs\Startup\AutorunsDisabled\SystemExplorerDisabled
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"MaxRecentDocs"= 6 (0x6)
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2005-06-22 04:44 348160 ----a-w- c:\windows\system32\igfxsrvc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Wipe tray agent.lnk]
backup=c:\windows\pss\Wipe tray agent.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Immunet Protect]
2010-04-16 02:08 1315656 ----a-w- c:\program files\Immunet Protect\1.0.26\iptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm ]
2009-11-22 20:42 1037192 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2009-11-22 20:42 1037192 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nmservice"=2 (0x2)
"SvcOnlineArmor"=2 (0x2)
"OAcat"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"N360"="c:\program files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360\562C4DD5\3.0.0.135\InstStub.exe" /RELAUNCH /RUNONCE /PRODID N360
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2009-07-01 1562096]
R4 ImmunetProtect;Immunet Protect;c:\program files\Immunet Protect\1.0.26\agent.exe [2010-04-16 717552]
R4 KernelHooks;KernelHooks;c:\documents and settings\Owner\My Documents\My Completed Downloads\KernelHooks.sys [x]
R4 LADriver;LADriver;c:\windows\system32\drivers\LADriver.sys [2005-09-22 27136]
R4 LDDriver;LDDriver;c:\windows\system32\drivers\LDDriver.sys [2005-09-22 24064]
R4 LHDriver;LHDriver;c:\windows\system32\drivers\LHDriver.sys [2005-09-22 14336]
R4 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [x]
R4 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1.tmp [x]
R4 PFNet;Privacyware network service;c:\program files\Privacyware\Privatefirewall 7.0\pfsvc.exe [x]
R4 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [x]
R4 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2009-10-08 10752]
R4 XDva311;XDva311;c:\windows\system32\XDva311.sys [x]
S0 BTGUARD;Blue Ridge Networks Boot Guard;c:\windows\system32\DRIVERS\btguard.sys [2009-05-18 10496]
S1 ImmunetMonitorDriver;ImmunetMonitorDriver;c:\windows\system32\DRIVERS\ImmunetMonitor.sys [2010-04-16 20040]
S1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\DRIVERS\ImmunetProtect.sys [2010-04-16 38856]
S1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\DRIVERS\ImmunetSelfProtect.sys [2010-04-16 29640]

.
Contents of the 'Scheduled Tasks' folder

2010-05-03 c:\windows\Tasks\User_Feed_Synchronization-{9F455464-EE0C-4114-953D-1FE40DC0A13B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

2010-02-11 c:\windows\Tasks\User_Feed_Synchronization-{F7007431-B029-49C9-9972-834348C426DD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=74.87.151.153:8000
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{8F379D27-A517-49D4-AC60-5B7130E1027B} - c:\program files\FreshDevices\FreshDownload\fd.exe
TCP: {A8C3ACDD-D65A-4459-9076-63BE80E58782} = 208.67.222.222,208.67.220.220
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\s40nulcr.default\
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
SafeBoot-Wdf01000.sys
AddRemove-ESSMDM - c:\windows\remvdsi



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-03 19:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0d,e3,cb,48,bd,df,4a,40,91,83,6c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0d,e3,cb,48,bd,df,4a,40,91,83,6c,\

[HKEY_USERS\S-1-5-21-117609710-746137067-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1892)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-05-03 19:43:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 00:43

Pre-Run: 133,773,324,288 bytes free
Post-Run: 133,678,141,440 bytes free

- - End Of File - - AA3EE7FA4BCAB940B3CA28E3ACE1B0E6


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:13 PM

Posted 04 May 2010 - 06:59 PM

Not seeing a lot of malware in that log, but signs of previous activity definitely.

Please rerun Combofix so we can straighten out your permissions

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Next please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Posted Image
m0le is a proud member of UNITE

#7 skinnyjeans

skinnyjeans
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 05 May 2010 - 05:58 PM

m0le - I ran combofix then malwarebytes like you said, after that I'm afraid I strayed off-course...
I opened arovax so I could delete the quarantined files, instead of deleting them, I actually restored
them by mistake.
Feeling like I undid everything you had helped me with, I ran combofix again, then malwarebytes... incidentally, the first malwarebytes scan quarantined the Rogue.Antivir2010 in two places, surprisingly, the second m.bytes scan didn't find anything so.. I ran arovax again and for the most part, it found everything I had restored.

Here is my question, should I post that first combofix and malwarebytes scan
or should I redo the scans again?

thanks,
sk

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:13 PM

Posted 05 May 2010 - 06:27 PM

Rerun Combofix only please thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#9 skinnyjeans

skinnyjeans
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 05 May 2010 - 11:06 PM

Combofix scan:

ComboFix 10-05-04.06 - Owner 05/05/2010 22:23:09.6.1 - x86
Running from: c:\documents and settings\Owner\Desktop\dload\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\dload\New Folder\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Spy Emergency *disabled* (Updated) {82117492-906E-4b02-A33A-84D42A2DD907}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-05 16:14 . 2010-05-05 16:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-05-05 16:14 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-05 16:14 . 2010-05-05 16:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 16:14 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-01 01:56 . 2006-12-04 22:53 187184 ----a-w- C:\pssuspend.exe
2010-05-01 01:56 . 2008-01-09 21:36 107560 ----a-w- C:\psservice.exe
2010-05-01 01:56 . 2009-05-07 06:25 177024 ----a-w- C:\psloglist.exe
2010-05-01 01:56 . 2006-12-04 22:53 125744 ----a-w- C:\pslist.exe
2010-05-01 01:56 . 2006-12-04 22:53 105264 ----a-w- C:\psloggedon.exe
2010-05-01 01:56 . 2007-07-09 16:23 243072 ----a-w- C:\Psinfo.exe
2010-05-01 01:55 . 2006-12-04 22:53 187184 ----a-w- C:\psgetsid.exe
2010-05-01 01:55 . 2006-12-04 22:53 105264 ----a-w- C:\psfile.exe
2010-04-30 01:06 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-04-30 01:06 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-04-30 01:06 . 2004-08-04 03:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-30 01:06 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-28 15:03 . 2009-11-22 20:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-04-28 15:03 . 2009-11-22 20:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-04-28 15:03 . 2009-11-22 20:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-04-28 15:03 . 2010-04-28 15:03 -------- d-----w- c:\windows\system32\ZoneLabs
2010-04-28 15:03 . 2010-04-28 15:03 -------- d-----w- c:\program files\Zone Labs
2010-04-28 14:38 . 2010-04-28 14:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-04-27 19:27 . 2010-04-27 19:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-27 19:25 . 2010-04-27 19:25 -------- d-----w- c:\documents and settings\Owner\mex
2010-04-27 19:25 . 2010-04-27 19:25 -------- d-----w- c:\documents and settings\Owner\Kodak Pictures
2010-04-27 19:25 . 2010-04-27 19:25 -------- d-----r- c:\documents and settings\Owner\My Pictures
2010-04-27 19:15 . 2010-04-27 19:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\HuluDesktop
2010-04-27 19:15 . 2010-04-27 19:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Happy Hour Code, LLC
2010-04-27 19:15 . 2010-04-27 19:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2010-04-27 19:15 . 2010-04-27 19:15 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Axialis
2010-04-27 19:00 . 2010-05-06 03:24 -------- d-----w- c:\windows\Internet Logs
2010-04-27 18:45 . 2010-04-27 18:45 -------- d-----w- c:\windows\Internet Logs(2)
2010-04-27 16:51 . 2010-04-27 19:06 -------- d-----w- c:\documents and settings\Owner\desktop(4)
2010-04-27 16:42 . 2010-04-27 19:11 -------- d-----w- c:\program files\FolderSizes
2010-04-27 15:08 . 2010-04-27 19:11 -------- d-----w- c:\documents and settings\Owner\desktop(3)
2010-04-27 14:55 . 2010-04-27 19:11 -------- d-----w- c:\documents and settings\Owner\Desktop(2)
2010-04-23 19:34 . 2010-04-23 19:34 -------- d-----w- c:\program files\Winternals
2010-04-22 17:45 . 2010-04-22 17:45 -------- d--h--r- c:\windows\system32\VProRecovery
2010-04-22 17:31 . 2010-04-24 01:31 -------- d-----w- C:\desktopbckup
2010-04-22 17:10 . 2009-08-03 21:14 215144 ----a-r- c:\windows\patchw32.dll
2010-04-22 17:04 . 2010-04-22 17:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Symantec
2010-04-22 17:04 . 2010-04-22 17:04 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Symantec_Corporation
2010-04-22 17:04 . 2009-08-03 21:14 215144 ----a-r- c:\windows\pw32a.dll
2010-04-22 02:17 . 2010-04-22 02:17 -------- d-----w- c:\program files\Symantec
2010-04-22 02:15 . 2008-01-20 01:12 128104 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2010-04-22 02:15 . 2008-01-20 00:40 15088 ------w- c:\windows\system32\drivers\vproeventmonitor.sys
2010-04-22 02:15 . 2008-08-13 22:07 38112 ----a-w- c:\windows\system32\drivers\v2imount.sys
2010-04-22 02:15 . 2009-07-01 16:28 138464 ----a-w- c:\windows\system32\drivers\symsnap.sys
2010-04-22 02:14 . 2010-04-22 02:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-22 02:13 . 2010-04-22 02:13 -------- d-----w- c:\program files\Norton Ghost
2010-04-21 23:33 . 2010-04-22 00:30 -------- d-----w- c:\program files\Bazooka Scanner
2010-04-21 06:37 . 2010-04-21 06:37 9216 ----a-w- c:\windows\system32\drivers\SE_Filter.sys
2010-04-20 18:13 . 2010-04-22 00:32 -------- d-----w- c:\program files\Lavalys
2010-04-20 04:50 . 2010-04-26 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeHideIP
2010-04-20 04:45 . 2010-05-03 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-19 21:38 . 2010-04-22 00:29 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2010-04-19 19:35 . 2010-04-22 00:29 -------- d-----w- c:\documents and settings\Owner\recent recov
2010-04-19 18:25 . 2010-04-22 00:33 -------- d-----w- C:\VundoFix Backups
2010-04-19 15:21 . 2010-04-22 00:33 -------- d-----w- c:\program files\QuickTime
2010-04-19 14:51 . 2010-04-19 14:50 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 20:01 . 2010-04-22 00:33 -------- d-----w- c:\program files\TrendMicro
2010-04-17 17:50 . 2006-03-14 12:05 73728 ------r- c:\windows\system32\psProxy.dll
2010-04-17 17:50 . 2006-03-14 12:05 188416 ------r- c:\windows\system32\pocketHTTP.dll
2010-04-17 17:50 . 2006-03-14 12:05 110676 ------r- c:\windows\system32\psDime.dll
2010-04-17 17:50 . 2009-02-20 15:35 53248 ------w- c:\windows\system32\Winlogonevents.dll
2010-04-17 17:50 . 2006-03-14 12:05 380928 ------r- c:\windows\system32\pSOAP32.dll
2010-04-17 17:18 . 2010-04-17 17:18 9062 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{6D0208BB-266C-49E5-9F60-0B59B7068027}\ARPPRODUCTICON.exe
2010-04-17 17:18 . 2008-03-21 18:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-04-17 03:36 . 2010-04-21 17:29 -------- d-----w- c:\documents and settings\Owner\Application Data\RagTime
2010-04-17 03:36 . 2010-04-22 00:33 -------- d-----w- c:\program files\RagTime Solo
2010-04-17 03:35 . 2010-04-22 00:29 -------- d-----w- c:\documents and settings\Owner\WINDOWS
2010-04-16 16:54 . 2010-04-16 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-04-16 14:53 . 2010-04-16 14:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Serif
2010-04-16 14:51 . 2010-04-22 00:33 -------- d-----w- c:\program files\Serif
2010-04-16 14:21 . 2010-04-16 14:41 -------- d-----w- c:\documents and settings\Owner\.scribus
2010-04-16 14:13 . 2010-04-22 00:33 -------- d-----w- c:\program files\Scribus 1.3.3.14
2010-04-16 02:08 . 2010-05-05 15:37 -------- d-----w- c:\program files\Immunet Protect
2010-04-15 15:28 . 2010-04-15 15:28 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-15 15:09 . 2010-04-15 15:31 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-15 15:09 . 2010-04-15 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-15 06:35 . 2010-05-05 20:59 -------- d-----w- c:\program files\Arovax AntiSpyware
2010-04-15 04:14 . 2010-04-22 00:33 -------- d-----w- c:\program files\Safari
2010-04-15 03:49 . 2010-04-15 03:49 -------- d-----w- c:\windows\.jagex_cache_32
2010-04-15 03:41 . 2010-04-15 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\FunGames
2010-04-13 14:22 . 2010-04-22 00:32 -------- d-----w- c:\program files\LSoft Technologies
2010-04-10 05:30 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-09 03:08 . 2003-09-12 16:08 184320 ----a-w- c:\windows\system32\Prifw.dll
2010-04-07 20:53 . 2010-04-22 00:33 -------- d-----w- c:\windows\Intuit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 00:25 . 2010-04-28 16:32 1819313 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-05-05 15:33 . 2009-10-17 07:12 -------- d-----w- c:\program files\Vasilios Applications
2010-05-02 22:48 . 2010-05-03 13:52 1617408 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-05-02 22:48 . 2010-05-03 13:51 374272 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-05-01 20:46 . 2010-02-03 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Jarte
2010-04-30 17:36 . 2009-10-21 20:55 -------- d-----w- c:\program files\Foxit Software
2010-04-30 05:13 . 2010-04-30 14:50 554496 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-04-28 23:13 . 2010-04-28 23:13 19829633 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2010_04_28_18_06_21_full.dmp.zip
2010-04-28 15:03 . 2010-01-31 21:14 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-28 13:30 . 2009-04-15 14:55 104000 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-27 14:56 . 2009-04-14 13:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-23 19:34 . 2009-04-14 02:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 04:09 . 2009-04-15 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-22 00:32 . 2009-04-17 17:27 -------- d-----w- c:\program files\Paint.NET
2010-04-22 00:31 . 2009-08-03 00:45 -------- d-----w- c:\program files\Harden-It
2010-04-22 00:30 . 2009-09-11 01:26 -------- d-----w- c:\program files\Common Files\Kodak
2010-04-21 16:54 . 2009-04-17 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2010-04-20 00:37 . 2009-10-08 13:27 9036 --sha-w- c:\windows\system32\sys_drv.dat
2010-04-20 00:37 . 2009-10-08 13:27 7028 --sha-w- c:\windows\system32\sys_drv_2.dat
2010-04-19 17:15 . 2009-08-27 21:03 71844 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-19 15:32 . 2010-03-08 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Arovax
2010-04-17 17:18 . 2010-04-17 17:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_btguard_01007.Wdf
2010-04-17 17:18 . 2010-04-17 17:18 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-04-15 18:28 . 2010-04-15 18:28 32 ----a-w- c:\program files\CodeStuff.7z
2010-04-15 18:28 . 2010-04-15 18:26 8726 ----a-w- c:\program files\CodeBlocks.7z
2010-04-15 17:50 . 2009-10-22 17:16 -------- d-----w- c:\documents and settings\Owner\Application Data\ZipGenius
2010-04-15 03:57 . 2009-04-17 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-15 02:44 . 2010-02-26 00:05 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-07 20:38 . 2009-10-05 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-04-07 20:04 . 2009-05-11 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-10 06:15 . 2002-09-03 17:09 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 09:00 . 2010-03-04 09:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-25 06:24 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:16 . 2010-01-31 17:48 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 12:31 . 2002-09-03 16:42 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2002-09-03 16:50 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2002-08-29 01:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2002-09-03 16:26 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 19:36 . 2010-02-11 19:36 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-02-11 12:01 . 2002-09-03 17:06 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-06 10:37 . 2009-09-11 01:30 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2006-10-12 04:44 . 2009-08-05 03:45 55296 ----a-w- c:\program files\Seconfig XP.exe
2009-09-01 21:53 . 2009-09-01 21:53 2 --shatr- c:\windows\winstart.bat
.

((((((((((((((((((((((((((((( SnapShot@2010-05-04_00.37.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-06 01:47 . 2010-05-06 02:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-13 22:59 . 2010-05-04 00:36 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-13 22:59 . 2010-05-06 02:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-13 22:59 . 2010-05-04 00:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-05-06 01:47 . 2010-05-06 02:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-13 22:59 . 2010-05-04 00:36 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]

c:\documents and settings\Owner\Start Menu\Programs\Startup\AutorunsDisabled\SystemExplorerDisabled
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"MaxRecentDocs"= 6 (0x6)
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2005-06-22 04:44 348160 ----a-w- c:\windows\system32\igfxsrvc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Wipe tray agent.lnk]
backup=c:\windows\pss\Wipe tray agent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2009-11-22 20:42 1037192 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nmservice"=2 (0x2)
"SvcOnlineArmor"=2 (0x2)
"OAcat"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"N360"="c:\program files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360\562C4DD5\3.0.0.135\InstStub.exe" /RELAUNCH /RUNONCE /PRODID N360
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2009-07-01 1562096]
R4 KernelHooks;KernelHooks;c:\documents and settings\Owner\My Documents\My Completed Downloads\KernelHooks.sys [x]
R4 LADriver;LADriver;c:\windows\system32\drivers\LADriver.sys [2005-09-22 27136]
R4 LDDriver;LDDriver;c:\windows\system32\drivers\LDDriver.sys [2005-09-22 24064]
R4 LHDriver;LHDriver;c:\windows\system32\drivers\LHDriver.sys [2005-09-22 14336]
R4 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [x]
R4 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1.tmp [x]
R4 PFNet;Privacyware network service;c:\program files\Privacyware\Privatefirewall 7.0\pfsvc.exe [x]
R4 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [x]
R4 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2009-10-08 10752]
R4 XDva311;XDva311;c:\windows\system32\XDva311.sys [x]
S0 BTGUARD;Blue Ridge Networks Boot Guard;c:\windows\system32\DRIVERS\btguard.sys [2009-05-18 10496]

.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\User_Feed_Synchronization-{9F455464-EE0C-4114-953D-1FE40DC0A13B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

2010-02-11 c:\windows\Tasks\User_Feed_Synchronization-{F7007431-B029-49C9-9972-834348C426DD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=74.87.151.153:8000
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{8F379D27-A517-49D4-AC60-5B7130E1027B} - c:\program files\FreshDevices\FreshDownload\fd.exe
TCP: {A8C3ACDD-D65A-4459-9076-63BE80E58782} = 208.67.222.222,208.67.220.220
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\s40nulcr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.com
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 22:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-746137067-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1088)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-05 22:35:09
ComboFix-quarantined-files.txt 2010-05-06 03:35
ComboFix2.txt 2010-05-06 00:38
ComboFix3.txt 2010-05-05 18:08
ComboFix4.txt 2010-05-05 16:06
ComboFix5.txt 2010-05-06 03:22

Pre-Run: 133,169,020,928 bytes free
Post-Run: 133,127,626,752 bytes free

- - End Of File - - 894A202E90132621375A334FDFA4DED1


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:13 PM

Posted 06 May 2010 - 02:20 PM

The log looks good. thumbup2.gif


Please run the ESET online scanner

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
Posted Image
m0le is a proud member of UNITE

#11 skinnyjeans

skinnyjeans
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 07 May 2010 - 02:10 AM

wow, Eset scan took around 5 hours

Results:
C:\Documents and Settings\Owner\My Documents\Downloads\Downloads\My Completed Downloads\pctimemachine20091030.exe
probably a variant of Win32/TrojanDownloader.Agent trojan deleted - quarantined
C:\System Volume Information\_restore{C4CDC7FD-A7A6-4F40-94B9-EEB7050D7E52}\RP152\A0042496.exe probably a variant of Win32/TrojanDownloader.Agent trojan deleted - quarantine

When we started doing all of these scans I uninstalled the virus protection.. so currently, I have no virus protection installed - okay to install something now?

thanks
sk

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:13 PM

Posted 07 May 2010 - 03:42 PM

Yes, install an antivirus now.

The ESET scan is quite detailed and it found the infected file. It also found something in System Restore but nothing to worry about.

Once the antivirus is on you can complete this clean up as follows: (oh, by the way....)

You're clean. Good stuff! thumbup2.gif

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it skinnyjeans, happy surfing!

Cheers.

m0le
Posted Image
m0le is a proud member of UNITE

#13 skinnyjeans

skinnyjeans
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 07 May 2010 - 07:07 PM

Yes, isolated and exterminated - thanks to you!

I appreciate your help, patience and expertise,

Cheers to You TOO

skinnyjeans

smile.gif

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:13 PM

Posted 12 May 2010 - 06:50 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. smile.gif

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users