
Std AV tools cannot identify pest... please help


  • This topic is locked
32 replies to this topic

#1 50BMG


Posted 18 May 2010 - 09:54 PM

Hello, this is my first post here.

I believe I have infected myself somehow, and the tools I've tried don't seem to know there is any pest. I would appreciate help. I've tried to follow the existing threads, but don't find anything that seems to pertain to my situation. [as I understand it]

I have performed the suggested steps to begin a topic [in the Preparation Guide], and hope I have followed the instructions correctly. [nice job on that Guide BTW]

It would be great to get help disinfecting this machine, but I'd sleep much better if I knew how I did this, as I have several other machines [and older drives for this one] that run the same configuration of tools and software. If they are in jeopardy, I really need to understand that.

Odd Behaviors:
  • Microsoft Malware Removal tools never complete. All CPU cycles are attributed to another benign process.
  • Cannot uninstall Sun Java Runtime Engine [may not be related]... the uninstall does not complete.
  • When I run a seemingly "local" process [i.e. regedit] and try to save a file [as in "export"] there is a pause and my firewalls detect an attempt by my PC to contact an internet FTP server. I have traced this with a sniffer and have a capture file of what it tries to do on that server, if it's important.
  • Any save of an unknown file type is identified as an Adobe Rights Management File and is appended with an .rmf extension. [This drives me absolutely nutz and I find no reference to this problem anywhere either]
  • Firefox won't let me copy text or URLs to the clipboard [intermittent]
  • Windows misses mouse clicks and keyboard hits. [subtle]
What I've tried:
  • AVG Antivirus Bootable CD Emergency Recovery Disk - found some old infected files, but not an active infection. Problem persists.
  • AVAST - found a few less things, again old files, same result - no joy.
  • SpyBOTsd - clean bill of health
  • ShellExView - Shell Extension viewer - Poking around in desperation.
This is an old system drive I migrated from about 7 years ago, but resurrected recently. So I can risk losing it. We are free to try radical things. [I can ghost it if we really want to keep at it till it's beaten into submission] I'm not much for re-installing Windows as a curative, and still run the original install on this [and most] machines I own.

Thank you in advance for any assistance or even consideration, whatsoever. I can promise I won't get flustered, and won't give up if you don't. Let the adventure begin.

DDS.TXT Contents:


CODE
DDS (Ver_10-03-17.01) - FAT32x86  
Run by Administrator at 21:13:17.01 on Tue 05/18/2010
Internet Explorer: 5.00.3700.1000 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 2000 Professional  5.0.2195.4.1252.1.1033.18.543.367 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\smtpauth.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\system32\LMSTATUS.EXE
C:\Program Files\Common Files\FotoNation\EvLstnr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\system32\clipsrv.exe
C:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mDefault_Page_URL = hxxp://www.msn.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} -
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} -
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} -
mRun: [AtiPTA] Atiptaxx.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [PRPCMonitor] PRPCUI.exe
mRun: [Multi-function Keyboard] GWHotKey.exe
mRun: [LM Status] LMSTATUS.EXE
mRun: [EVENTLISTENER] c:\program files\common files\fotonation\EvLstnr.exe
mRun: [Zone Labs Client] c:\program files\zone labs\zonealarm\zlclient.exe
mRun: [WinVNC] "c:\program files\orl\vnc\WinVNC.exe" -servicehelper
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
Trusted Zone: coair.com\www
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 192.168.0.6 192.168.88.6
AppInit_DLLs: c:\winnt\system32\wmfhotfix.dll  c:\winnt\system32\wmfhotfix.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\3jb1mujv.default
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.enabled - false
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel",             1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad",                   false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom",  "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2010-2-24 279880]
R2 AtiBt829;ATI WDM 829 Video Capture;c:\winnt\system32\drivers\atinbtxx.sys [2000-10-18 58640]
R2 MAC_MOT;MAC_MOT;c:\winnt\system32\drivers\MAC_MOT.SYS [2000-12-19 9472]
R2 parpeppy;parpeppy;c:\winnt\system32\drivers\Parpeppy.sys [2000-12-24 10256]
R2 PRPC;PRPC;c:\winnt\system32\drivers\prpc.sys [2000-9-15 12182]
R2 SmtpAuth;SmtpAuth Version 1.04;c:\winnt\system32\smtpauth.exe dummy_service --> c:\winnt\system32\smtpauth.exe dummy_service [?]
R2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service --> c:\winnt\system32\zonelabs\vsmon.exe -service [?]
R3 ati2mpab;ati2mpab;c:\winnt\system32\drivers\ati2mpab.sys [2000-10-19 283085]
R3 ltmdmnt;Actiontec 56K V.90 Modem Driver;c:\winnt\system32\drivers\ltmdmnt.sys [1980-1-1 511194]
R3 maestro;ESS Maestro2E Audio Driver (WDM);c:\winnt\system32\drivers\maestro.sys [1980-1-1 130119]
S2 DriverX;DriverX;c:\winnt\system32\drivers\driverx.sys [2001-3-5 28352]
S3 BULKUSB;Plantronics USB Bulk Driver;c:\winnt\system32\drivers\USBPLANT.sys [2001-5-2 10756]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;c:\winnt\system32\drivers\cben5.sys [2000-4-14 46770]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\winnt\system32\drivers\el575ND5.sys [2000-10-12 77072]
S4 ramdisk;AR Soft RAM Disk Service;c:\winnt\system32\drivers\ramdisk.sys [2002-10-12 10431]

============== File Associations ===============

.scr=AutoCADScript

=============== Created Last 30 ================

2010-05-19 02:13:18    16384    ----a-w-    c:\winnt\system32\Perflib_Perfdata_2dc.dat
2010-05-19 02:12:54    525824    ----a-w-    c:\winnt\system32\dds.scr
2010-05-19 02:09:54    0    ----a-w-    c:\documents and settings\administrator\defogger_reenable
2010-05-17 01:13:03    0    ----a-w-    c:\winnt\system32\REN53.tmp
2010-05-17 01:13:03    0    ----a-w-    c:\winnt\system32\REN52.tmp
2010-05-17 01:13:03    0    ----a-w-    c:\winnt\system32\REN51.tmp

==================== Find3M  ====================

2010-05-13 01:07:40    107134    ----a-w-    c:\winnt\UninstallFirefox.exe
2010-05-13 01:07:36    7068    ----a-w-    c:\winnt\mozver.dat
2010-04-19 01:47:34    1524    ----a-w-    c:\winnt\system32\d3d8caps.dat
2010-02-25 02:44:16    4212    ---h--w-    c:\winnt\system32\zllictbl.dat
2000-09-15 23:16:00    271    ---h--w-    c:\program files\desktop.ini
2000-09-15 23:16:00    21952    ---h--w-    c:\program files\folder.htt
1999-12-07 17:00:00    32528    ----a-w-    c:\winnt\inf\wbfirdma.sys

============= FINISH: 21:13:38.46 ===============


I forgot an additional symptom or two...

Recently I've been getting Shell restarts... the error log has:
Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1002
Date: 5/8/2010
Time: 19:02:13
User: N/A
Computer: CER
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.

and also, when I try to save a file from Firefox, the save window does not contain folders that I know are present in the save location. [This symptom is intermittent]

Merged posts. ~ OB

Thank you for that merge OB.

I see that I have erroneously omitted a report from my earlier post as well.

Merged posts again. ~ OB


Edited by Orange Blossom, 19 May 2010 - 03:07 PM.
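As an added triage example (not code from this thread, from the DDS tool, or from the Malware Response Team), the script below parses the one-line entries of the "Pseudo HJT Report" section of a DDS log like the one posted above and flags the items a responder checks first: BHOs whose CLSID resolves to no file, autoruns given as a bare file name, Trusted Zone hosts, hard-coded DNS servers, and AppInit_DLLs (including duplicates). The sample lines are copied from the log above; the finding codes are my own.

```python
"""Triage of the 'Pseudo HJT Report' section of a DDS log.

Added example, not code from the thread or from the DDS tool. The sample
entries are copied from the DDS log posted above; the finding codes are mine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the Pseudo HJT Report lines from the log above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} -
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
mRun: [AtiPTA] Atiptaxx.exe
mRun: [WinVNC] "c:\program files\orl\vnc\WinVNC.exe" -servicehelper
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
Trusted Zone: coair.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 192.168.0.6 192.168.88.6
AppInit_DLLs: c:\winnt\system32\wmfhotfix.dll  c:\winnt\system32\wmfhotfix.dll
"""


@dataclass
class Entry:
    kind: str    # mRun, dRunOnce, BHO, DPF, TrustedZone, NameServer, AppInit_DLLs
    name: str    # value name, display name + CLSID, host or IP address
    target: str  # command line, DLL path or URL ("" when DDS found none)


RUN_RE = re.compile(r"^([umd]?Run(?:Once)?): \[(.+?)\] ?(.*)$")
BHO_RE = re.compile(r"^BHO: (.+?): (\{[0-9a-fA-F-]{36}\}) -\s*(.*)$")
DPF_RE = re.compile(r"^DPF: (.+?) - (.*)$")


def parse_dds(text: str) -> list[Entry]:
    """Turn the report's one-line entries into Entry records."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            entries.append(Entry(m[1], m[2], m[3]))
        elif m := BHO_RE.match(line):
            entries.append(Entry("BHO", f"{m[1]} {m[2]}", m[3]))
        elif m := DPF_RE.match(line):
            entries.append(Entry("DPF", m[1], m[2]))
        elif line.startswith("Trusted Zone:"):
            entries.append(Entry("TrustedZone", line.split(":", 1)[1].strip(), ""))
        elif line.startswith("TCP: NameServer ="):
            for ip in line.split("=", 1)[1].split():
                entries.append(Entry("NameServer", ip, ""))
        elif line.startswith("AppInit_DLLs:"):
            for dll in line.split(":", 1)[1].split():
                entries.append(Entry("AppInit_DLLs", dll.rsplit("\\", 1)[-1], dll))
    return entries


def first_token(command: str) -> str:
    """The executable part of an autorun command line, quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (code, subject) pairs for the entries worth a second look."""
    findings: list[tuple[str, str]] = []
    seen_appinit: set[str] = set()
    for e in entries:
        if e.kind == "BHO" and not e.target:
            # DDS prints a trailing '-' when the CLSID resolves to no file on disk.
            findings.append(("BHO_NO_PATH", e.name))
        elif e.kind.endswith("Run") or e.kind.endswith("RunOnce"):
            exe = first_token(e.target)
            if exe and "\\" not in exe and ":" not in exe:
                # Bare file name: which file actually runs depends on the search path.
                findings.append(("RUN_BARE_NAME", exe))
        elif e.kind == "TrustedZone":
            # IE applies its weakest security settings to hosts listed here.
            findings.append(("TRUSTED_ZONE", e.name))
        elif e.kind == "NameServer":
            # Hard-coded resolvers: confirm they belong to your own network.
            findings.append(("DNS_SERVER", e.name))
        elif e.kind == "AppInit_DLLs":
            # Loaded into every process that links user32.dll (winlogon, lsass, ...).
            code = "APPINIT_DUPLICATE" if e.target.lower() in seen_appinit else "APPINIT_DLL"
            seen_appinit.add(e.target.lower())
            findings.append((code, e.target))
    return findings


if __name__ == "__main__":
    for code, subject in triage(parse_dds(SAMPLE_DDS)):
        print(f"{code:<18} {subject}")
```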


#2 m0le

  • Malware Response Team

Posted 20 May 2010 - 07:31 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 50BMG

  • Topic Starter

Posted 21 May 2010 - 05:09 PM

Hi m0le, good to meet you.

I am now subscribed to this topic with immediate notification. [I thought I did that in the initial post, but apparently not]

I will not make any changes, or seek any assistance elsewhere that you don't know of from this point forward.

I will be here all evening, and if I know when you might be, I'll arrange my time to suit.
Thank You.



#4 m0le

  • Malware Response Team

Posted 21 May 2010 - 07:48 PM

Can you start by running OTL? This is a scanner like DDS but with a bit more detail.
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


#5 50BMG

  • Topic Starter

Posted 21 May 2010 - 08:04 PM

Thank you.
  • Downloaded OTL - no problem
  • Ran OTL with suggested options
  • Scan began, but OTL apparently "exited" without output, or error notices, after about a minute.


The only "application" running at the time was Windows Explorer, on the desktop folder which has my BleepingComputer files.

I think you've got it scared.


#6 m0le

  • Malware Response Team

Posted 21 May 2010 - 08:10 PM

Hmm, please run Rkill

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Now run Combofix


Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 50BMG

  • Topic Starter

Posted 21 May 2010 - 08:47 PM

Yeah... you've definitely got its attention.

rkill.log contents:
CODE
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Administrator on 05/21/2010 at 21:12:37.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Administrator\Desktop\rkill.exe


Rkill completed on 05/21/2010  at 21:12:53.


Combofix.log [run as comfix.exe]
CODE
ComboFix 10-05-21.04 - Administrator 05/21/2010  21:18:56.1.1 - FAT32x86
Microsoft Windows 2000 Professional  5.0.2195.4.1252.1.1033.18.543.330 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\VB40032.DLL
c:\winnt\Web\default.htt

.
(((((((((((((((((((((((((   Files Created from 2010-04-22 to 2010-05-22  )))))))))))))))))))))))))))))))
.

2010-05-19 02:13 . 2010-05-19 02:13    16384    ----a-w-    c:\winnt\system32\Perflib_Perfdata_2dc.dat
2010-05-19 02:12 . 2010-05-19 02:08    525824    ----a-w-    c:\winnt\system32\dds.scr
2010-05-17 01:11 . 2010-05-17 01:11    --------    d-----w-    c:\program files\Java
2010-05-17 01:10 . 2010-05-17 01:11    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 02:40 . 2000-10-04 00:46    65625    ----a-w-    c:\winnt\nsreg.dat
2010-05-17 01:13 . 2010-05-17 01:13    0    ----a-w-    c:\winnt\system32\REN53.tmp
2010-05-17 01:13 . 2010-05-17 01:13    0    ----a-w-    c:\winnt\system32\REN52.tmp
2010-05-17 01:13 . 2010-05-17 01:13    0    ----a-w-    c:\winnt\system32\REN51.tmp
2010-05-13 01:07 . 2010-03-27 22:09    107134    ----a-w-    c:\winnt\UninstallFirefox.exe
2010-05-13 01:07 . 2001-01-19 23:07    7068    ----a-w-    c:\winnt\mozver.dat
2010-04-19 01:47 . 2001-05-30 23:13    1524    ----a-w-    c:\winnt\system32\d3d8caps.dat
2010-04-16 03:27 . 2010-04-16 03:27    3584    ----a-r-    c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-04-16 03:27 . 2010-04-16 03:27    --------    d-----w-    c:\program files\Windows Installer Clean Up
2010-04-16 03:26 . 2010-04-16 03:26    --------    d-----w-    c:\program files\MSECACHE
2010-04-15 20:25 . 2010-04-15 20:24    1680349    ------w-    c:\winnt\Internet Logs\tvDebug.zip
2010-03-29 19:06 . 2010-03-29 19:06    --------    d-----w-    c:\program files\Common Files\Java
2010-03-27 22:27 . 2010-03-27 22:27    --------    d-----w-    c:\documents and settings\Administrator\Application Data\AdobeUM
2010-02-25 04:09 . 2010-02-25 04:15    43008    ------w-    c:\winnt\Internet Logs\xDB4.tmp
2010-02-25 04:09 . 2010-02-25 04:15    671744    ------w-    c:\winnt\Internet Logs\xDB3.tmp
2010-02-25 03:48 . 2010-02-25 03:56    573440    ------w-    c:\winnt\Internet Logs\xDB2.tmp
2010-02-25 03:44 . 2010-02-25 03:56    1196032    ------w-    c:\winnt\Internet Logs\xDB1.tmp
2010-02-25 02:44 . 2010-02-25 02:34    4212    ---h--w-    c:\winnt\system32\zllictbl.dat
2010-02-25 02:18 . 2010-02-25 02:18    15781    ----a-w-    c:\winnt\system32\drivers\mdc8021x.sys
2000-09-15 23:16 . 2000-09-15 23:15    21952    ---h--w-    c:\program files\folder.htt
2008-12-17 18:59 . 2010-02-28 06:53    34944    ----a-w-    c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 18:59 . 2010-02-28 06:53    46712    ----a-w-    c:\program files\mozilla firefox\components\spellchk.dll
2010-05-13 01:07 . 2010-02-28 06:53    60518    ----a-w-    c:\program files\mozilla firefox\components\jar50.dll
2010-05-13 01:07 . 2010-02-28 06:53    165992    ----a-w-    c:\program files\mozilla firefox\components\xpinstal.dll
2010-05-13 01:07 . 2010-02-28 06:53    49248    ----a-w-    c:\program files\mozilla firefox\components\jsd3250.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="Atiptaxx.exe" [2000-10-19 188416]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2000-04-21 225280]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2000-04-21 94208]
"PRPCMonitor"="PRPCUI.exe" [2000-01-06 32768]
"Multi-function Keyboard"="GWHotKey.exe" [2000-05-03 69120]
"LM Status"="LMSTATUS.EXE" [1998-09-28 13312]
"EVENTLISTENER"="c:\program files\Common Files\FotoNation\EvLstnr.exe" [2000-06-21 53248]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-04-19 935688]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [2001-03-16 208896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

R2 AtiBt829;ATI WDM 829 Video Capture;c:\winnt\system32\drivers\atinbtxx.sys [10/18/2000 16:46 58640]
R2 MAC_MOT;MAC_MOT;c:\winnt\system32\drivers\MAC_MOT.SYS [12/19/2000 13:48 9472]
R2 parpeppy;parpeppy;c:\winnt\system32\drivers\Parpeppy.sys [12/24/2000 16:32 10256]
R2 PRPC;PRPC;c:\winnt\system32\drivers\prpc.sys [9/15/2000 18:27 12182]
R3 ati2mpab;ati2mpab;c:\winnt\system32\drivers\ati2mpab.sys [10/19/2000 12:08 283085]
R3 ltmdmnt;Actiontec 56K V.90 Modem Driver;c:\winnt\system32\drivers\ltmdmnt.sys [1/1/1980 511194]
R3 maestro;ESS Maestro2E Audio Driver (WDM);c:\winnt\system32\drivers\maestro.sys [1/1/1980 130119]
S2 DriverX;DriverX;c:\winnt\system32\drivers\driverx.sys [3/5/2001 10:09 28352]
S2 SmtpAuth;SmtpAuth Version 1.04;c:\winnt\system32\smtpauth.exe dummy_service --> c:\winnt\system32\smtpauth.exe dummy_service [?]
S3 BULKUSB;Plantronics USB Bulk Driver;c:\winnt\system32\drivers\USBPLANT.sys [5/2/2001 15:15 10756]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family;c:\winnt\system32\drivers\cben5.sys [4/14/2000 14:49 46770]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\winnt\system32\drivers\el575ND5.sys [10/12/2000 11:41 77072]
S4 ramdisk;AR Soft RAM Disk Service;c:\winnt\system32\drivers\ramdisk.sys [10/12/2002 20:14 10431]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PXTDQPOW
*Deregistered* - pxtdqpow
*Deregistered* - uphcleanhlp
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: coair.com\www
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3jb1mujv.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.enabled - false
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel",             1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad",                   false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom",  "chrome://branding/content/searchconfig.properties");
.
.
------- File Associations -------
.
.scr=AutoCADScript
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 21:24
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(172)
c:\winnt\System32\wmfhotfix.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(236)
c:\winnt\System32\wmfhotfix.dll
.
Completion time: 2010-05-21  21:25:52
ComboFix-quarantined-files.txt  2010-05-22 02:25

Pre-Run: 3,704,438,784 bytes free
Post-Run: 3,709,140,992 bytes free

- - End Of File - - 9A3AF43434BB01F171D3A52CECD7ACBF


Notes:
  • Machine is Win2000 sp4, no AV installed at this time
  • ComboFix did not ask to install recovery console
  • ComboFix did put up a warning about sites that it was NOT affiliated with, admonition to cancel any payment for the program, and permission to proceed - which was given
  • ComboFix did make a registry backup [at least partially]
  • then proceeded with scan and removal. [log given]
  • Afterward the machine runs Internet Explorer as the default web browser [was firefox]
  • When I ran firefox to re-contact this topic, it hung [complaining a script did not finish]
  • I am using another machine to converse with you from now on.


#8 50BMG

  • Topic Starter

Posted 21 May 2010 - 11:46 PM

UPDATE -

Ok, I've had an unexpected power interruption. [Tornados in the area]

Unfortunately, power was lost on the PC we're cleaning. Consequently, there will be a re-start required before I can continue where we left off. I wanted to give you the opportunity to have me take any special precautions before powering up.

I'll leave it off until I hear back from you.

Thank you for all your efforts, and I hope you have a good weekend.



#9 m0le

  • Malware Response Team

Posted 22 May 2010 - 09:22 AM

Nothing we can do about the power down but also nothing to worry about.

Combofix removed two files which were not malware but which you don't need. It did find a service which is better gone though.
CODE
*NewlyCreated* - PXTDQPOW
*Deregistered* - pxtdqpow



Please run MBAM and we'll try and find any other adware/spyware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#10 50BMG

50BMG
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:57 AM

Posted 22 May 2010 - 09:48 AM

Just posting a quickie to let you know I'm on your latest request. PC powered up ok BTW - with a long pause during login to "Apply Security Policies" ... I think that's what it said.

One other thing... the "other PC" that I was using to communicate with you... now has a symptom that appeared on the infected one some time ago. I didn't know it was related until it happened again just now. When I open Firefox [from a shortcut] it opens two instances, not just one like it's supposed to. On the infected machine, I thought it was related to my re-installation of stuff, but now I'm not so sure. I know it's a tangent to what we're doing, but I thought it was worth a mention.

I'm on the Malwarebytes.

P.S. - This was posted from the infected machine again.

P.P.S. - There is apparently a script or something that crashes Firefox when I try to open the cnet page you gave me for Malwarebytes. This has destabilized things somewhat. The download link for it looks like a redirect from dw.com.com... is that right?


Edited by 50BMG, 22 May 2010 - 09:56 AM.


#11 50BMG

50BMG
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:57 AM

Posted 22 May 2010 - 10:09 AM

MBAM is installed and running, but if I had to guess, I'd say it's hung. All the CPU cycles are going to the mousepad service according to taskmgr. This is what happens when I run the Microsoft Malware Removal tool on this machine too.

How long should I wait for it to complete?

UPDATE:

MBAM is definitely overwhelmed. The MBAM app got no cpu cycles beyond 21 seconds. The system has been so inert that power management spun down the hard drive.

I'd like to propose more extraordinary measures.
  • Next time the machine needs to be power cycled, I'd like to remove the hard drive and perform a ghost image backup. Think of it as a "Hardware restore point".
  • Then I'd like to isolate the machine from the internet. I'll perform all my interactions with you on another machine. Any software you want me to install will be downloaded on that machine, burned to a CD, and sneaker-net'd to the target machine.
If this is acceptable to you, I'll do so on the next opportunity.

Edited by 50BMG, 22 May 2010 - 10:53 AM.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:57 AM

Posted 22 May 2010 - 04:26 PM

Let's try a similar idea.

In order to resolve your problem we will need to download a program called OTLPE. This program is quite large, at 292MB, so it will take a while to download. In order to get this program set up properly, please print out these instructions so you can follow them when you are at the computer we will be working on.

First

Please download ISOBurner; this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded, double-click it and this will open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

Please keep me informed about the other PC, if that gets infected we would need to deal with that one first.
m0le is a proud member of UNITE
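Once OTL.txt comes back, the first pass over it can be scripted. The Python below is an added example for this thread; it is not part of OTL (OldTimer's tool) and not something either participant posted. It parses the service (SRV), driver (DRV) and Run-key (O4) lines of an OTL log and flags registrations whose file is missing, auto-start items whose company field is the empty "()", and files dated inside the scan's 30-day File Age window. The regular expressions are my reading of the OTL line layout shown in this thread, not an official grammar; the sample lines are copied from the log posted further down, and the flag names are mine.

```python
"""Triage helper for an OTL / OTLPE log (OTL.txt).

Added example for this thread: it is not part of OTL (OldTimer's tool) and
not code anyone posted here. It parses the "SRV -", "DRV -" and "O4 -" lines
of an OTL log and flags what a malware-removal helper reads first:
registrations whose file is gone, auto-start items with no publisher string
(the empty "()"), and files dated inside the scan's File Age window. The
regular expressions are my reading of the log layout shown in this thread,
not an official grammar; lines they do not match are skipped.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# "SRV - [date | size | attrs | M] (Company) [Start] -- path -- (Name) ..."
# The company group is optional: some lines carry "[Unavailable]" instead.
SVC_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - \[(?P<date>[^|]+)\|[^\]]*\] "
    r"(?:\((?P<company>[^)]*)\) )?\[(?P<start>[^\]]+)\] -- (?P<path>.*?) -- \((?P<name>[^)]+)\)"
)
# "SRV - File not found [Start] --  -- (Name)"
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<start>[^\]]+)\] --\s+-- \((?P<name>[^)]+)\)"
)
# "O4 - HKLM..\Run: [Name] path (Company)"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<path>.*) \((?P<company>[^)]*)\)$"
)
AUTO_STARTS = ("Auto", "Boot", "System")  # start types that run with no user action


@dataclass
class Entry:
    kind: str       # SRV, DRV or O4
    name: str
    path: str       # empty when OTL reported "File not found"
    company: str
    start: str      # service start type, or the Run/RunOnce key for O4
    date: Optional[datetime] = None
    flags: list = field(default_factory=list)


def parse_otl(text: str) -> list:
    """Turn the service, driver and Run-key lines of an OTL log into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := MISSING_RE.match(line):
            entries.append(Entry(m["kind"], m["name"], "", "", m["start"]))
        elif m := SVC_RE.match(line):
            when = datetime.strptime(m["date"].strip(), "%Y/%m/%d %H:%M:%S")
            entries.append(Entry(m["kind"], m["name"], m["path"], m["company"] or "", m["start"], when))
        elif m := RUN_RE.match(line):
            entries.append(Entry("O4", m["name"], m["path"], m["company"], m["key"]))
    return entries


def triage(entries: list, log_date: datetime, file_age_days: int = 30) -> list:
    """Attach review flags and return only the entries that earned at least one."""
    window = timedelta(days=file_age_days)
    for e in entries:
        auto = e.kind == "O4" or any(s in e.start for s in AUTO_STARTS)
        if not e.path:
            e.flags.append("file-missing")               # stale registration or a tool's leftover
        elif auto and not e.company.strip():
            e.flags.append("autostart-no-publisher")     # runs at boot/logon and nobody claims it
        if e.date and log_date - e.date <= window:
            e.flags.append("recent-file")                # inside OTL's File Age window
    return [e for e in entries if e.flags]


def summarize(text: str, log_date: datetime) -> dict:
    """Map each flagged entry name to its flags."""
    return {e.name: e.flags for e in triage(parse_otl(text), log_date)}


# Sample input: lines copied from the OTL log posted later in this thread.
SAMPLE_LOG = r"""
SRV - File not found [On_Demand] --  -- (JavaQuickStarterService)
SRV - [2005/12/07 06:35:12 | 000,073,728 | ---- | M] () [Auto] -- C:\WINNT\System32\smtpauth.exe -- (SmtpAuth)
SRV - [2005/04/19 18:05:26 | 001,210,112 | ---- | M] (Zone Labs, LLC) [Auto] -- C:\WINNT\System32\ZONELABS\vsmon.exe -- (vsmon)
SRV - [2000/09/15 18:05:48 | 000,000,000 | ---D | M] [Unavailable] -- C:\WINNT\system32\ias -- (IAS)
DRV - File not found [Kernel | On_Demand] --  -- (catchme)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/02/24 21:18:46 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto] -- C:\WINNT\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [1999/05/14 00:00:00 | 000,009,472 | ---- | M] () [Kernel | Auto] -- C:\WINNT\system32\drivers\MAC_MOT.SYS -- (MAC_MOT)
O4 - HKLM..\Run: [LM Status] C:\WINNT\System32\LMSTATUS.EXE ()
O4 - HKLM..\Run: [WinVNC] C:\Program Files\ORL\VNC\WinVNC.exe (AT&T Research Labs Cambridge)
O4 - HKU\.DEFAULT..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)
"""
LOG_DATE = datetime(2010, 5, 22, 21, 40, 20)  # "OTL logfile created on" in that log

if __name__ == "__main__":
    for name, flags in summarize(SAMPLE_LOG, LOG_DATE).items():
        print(f"{name:28s} {', '.join(flags)}")
```

Run as-is it prints one line per flagged entry. On the sample lines it lists SmtpAuth, MAC_MOT and LM Status as auto-start items with no publisher string, JavaQuickStarterService and catchme as registrations with no file behind them, and mbamswissarmy.sys as a recent file. That is a reading order, not a verdict: an empty company field only means the binary carries no version resource, and catchme is the rootkit-detection driver ComboFix loads, so that entry is expected right after the ComboFix run earlier in this thread. Each hit still needs the file itself examined (hash, signature, strings) before anything is removed.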

#13 50BMG

50BMG
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:57 AM

Posted 22 May 2010 - 08:54 PM

Nice tool that OTLPE.

Now that I've seen the way the tool works, I think I should point out a few things. As I said in earlier posts, this system drive had been unused for several years, having migrated the system to a newer, larger drive.

In late February, I had a problem with that newer drive, and fell back to this earlier one. That was February 24 as I recall. At that time I applied Service Pack 4 and other updates before beginning to use it. I then applied other software I have come to use since that drive was retired, among these Firefox.

So, a fair number of the files in the system date to that time. I am not sure when I finally came to the conclusion that the system had a pest. As far as I know it was clean when I retired it. If I had to venture a guess, I think I infected myself when I installed Firefox with the DOM inspector.

However it happened, I felt it was important to give you the timeline because of how OTLPE thinks.

Here now is the result of the scan you requested. [I also ran scans set to 90 days and "All" which I can send]

Thank you once again for your continued help.

CODE
OTL logfile created on: 5/22/2010 9:40:20 PM - Run
OTLPE by OldTimer - Version 3.1.39.0     Folder = X:\Programs\OTLPE
Microsoft Windows 2000 Service Pack 4 (Version = 5.0.2195) - Type = SYSTEM
Internet Explorer (Version = 5.00.3700.1000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

543.00 Mb Total Physical Memory | 356.00 Mb Available Physical Memory | 65.00% Memory free
491.00 Mb Paging File | 359.00 Mb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 814 864 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 3.56 Gb Free Space | 19.14% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 280.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

[color=#E56717]========== Win32 Services (SafeList) ==========[/color]

SRV - File not found [On_Demand] --  -- (PictureTaker)
SRV - File not found [On_Demand] --  -- (JavaQuickStarterService)
SRV - [2005/12/07 06:35:12 | 000,073,728 | ---- | M] () [Auto] -- C:\WINNT\System32\smtpauth.exe -- (SmtpAuth)
SRV - [2005/04/19 18:05:26 | 001,210,112 | ---- | M] (Zone Labs, LLC) [Auto] -- C:\WINNT\System32\ZONELABS\vsmon.exe -- (vsmon)
SRV - [2004/09/07 08:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2004/03/05 00:45:34 | 000,192,573 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
SRV - [2003/06/19 12:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
SRV - [2003/06/19 12:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/19 12:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
SRV - [2003/06/19 12:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/19 12:05:04 | 000,061,712 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\stisvc.exe -- (StiSvc)
SRV - [2003/06/19 12:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2003/06/19 12:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\hidserv.exe -- (HidServ)
SRV - [2001/03/16 14:21:52 | 000,208,896 | ---- | M] (AT&T Research Labs Cambridge) [Auto] -- C:\Program Files\ORL\VNC\WinVNC.exe -- (winvnc)
SRV - [2000/09/15 18:05:48 | 000,000,000 | ---D | M] [Unavailable] -- C:\WINNT\system32\ias -- (IAS)


[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV - File not found [Kernel | System] --  -- (tga)
DRV - File not found [Kernel | System] --  -- (sglfb)
DRV - File not found [Kernel | System] --  -- (PCIDump)
DRV - File not found [Kernel | System] --  -- (lbrtfdc)
DRV - File not found [Kernel | System] --  -- (Changer)
DRV - File not found [Kernel | On_Demand] --  -- (catchme)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/02/24 21:18:46 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto] -- C:\WINNT\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2005/04/19 18:05:14 | 000,279,880 | ---- | M] (Zone Labs, LLC) [Kernel | System] -- C:\WINNT\system32\vsdatant.sys -- (vsdatant)
DRV - [2003/12/03 19:19:42 | 000,330,400 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2003/09/25 22:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Program Files\Dual-Band Wireless A+G Notebook Adapter\GTNDIS5.sys -- (GTNDIS5)
DRV - [2003/06/19 12:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/19 12:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot] -- C:\WINNT\system32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/19 12:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/19 12:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/19 12:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled] -- C:\WINNT\system32\drivers\efs.sys -- (EFS)
DRV - [2003/06/19 12:05:04 | 000,009,808 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2003/06/19 12:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINNT\system32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/19 12:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled] -- C:\WINNT\system32\drivers\dmload.sys -- (dmload)
DRV - [2002/10/12 20:14:54 | 000,010,431 | ---- | M] (AR Soft) [Kernel | Disabled] -- C:\WINNT\system32\drivers\ramdisk.sys -- (ramdisk)
DRV - [2002/07/17 08:53:02 | 000,016,877 | ---- | M] (Adaptec) [Kernel | Auto] -- C:\WINNT\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2000/10/19 12:08:08 | 000,283,085 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\ati2mpab.sys -- (ati2mpab)
DRV - [2000/10/18 16:46:36 | 000,058,640 | ---- | M] () [Kernel | Auto] -- C:\WINNT\system32\drivers\atinbtxx.sys -- (AtiBt829)
DRV - [2000/09/05 07:37:44 | 000,010,756 | R--- | M] (Plantronics USB Bulk Driver) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\USBPLANT.sys -- (BULKUSB)
DRV - [2000/04/21 11:26:56 | 000,203,568 | R--- | M] (Synaptics, Inc.) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2000/04/14 14:49:18 | 000,046,770 | ---- | M] (Xircom, Inc.) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\cben5.sys -- (CBEN5)
DRV - [2000/03/15 10:38:30 | 000,056,944 | ---- | M] (Adaptec, Inc.) [Kernel | Boot] -- C:\WINNT\system32\drivers\aic78xx.sys -- (aic78xx)
DRV - [2000/03/14 11:26:40 | 000,511,194 | ---- | M] (LT) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\ltmdmnt.sys -- (ltmdmnt)
DRV - [2000/01/06 08:00:00 | 000,012,182 | ---- | M] (Intel Corp.) [Kernel | Auto] -- C:\WINNT\system32\drivers\prpc.sys -- (PRPC)
DRV - [1999/12/13 12:48:26 | 000,130,119 | ---- | M] (ESS Technology, Inc.) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\maestro.sys -- (maestro) ESS Maestro2E Audio Driver (WDM)
DRV - [1999/12/07 12:00:00 | 000,102,160 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- C:\WINNT\system32\drivers\nbf.sys -- (Nbf)
DRV - [1999/12/07 12:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [1999/12/07 12:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
DRV - [1999/10/19 14:50:42 | 000,077,072 | ---- | M] (3Com Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\el575ND5.sys -- (el575nd5)
DRV - [1999/10/12 15:57:12 | 000,068,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [1999/09/28 15:14:04 | 000,019,376 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\WINNT\system32\drivers\sparrow.sys -- (Sparrow)
DRV - [1999/09/25 11:11:42 | 000,011,280 | ---- | M] (Microsoft Corporation) [Kernel | Disabled] -- C:\WINNT\system32\drivers\fd16_700.sys -- (Fd16_700)
DRV - [1999/09/25 10:35:16 | 000,002,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [1999/09/25 10:34:58 | 000,016,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [1999/05/14 11:26:40 | 000,028,352 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- C:\WINNT\System32\Drivers\driverx.sys -- (DriverX)
DRV - [1999/05/14 00:00:00 | 000,009,472 | ---- | M] () [Kernel | Auto] -- C:\WINNT\system32\drivers\MAC_MOT.SYS -- (MAC_MOT)
DRV - [1998/09/28 08:31:56 | 000,010,256 | ---- | M] (Zenographics, Inc.) [Kernel | Auto] -- C:\WINNT\system32\drivers\Parpeppy.sys -- (parpeppy)


[color=#E56717]========== Standard Registry (SafeList) ==========[/color]


[color=#E56717]========== Internet Explorer ==========[/color]

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.order.2: ""
FF - prefs.js..browser.search.order.Yahoo: ""
FF - prefs.js..browser.search.order.Yahoo.1: ""
FF - prefs.js..browser.search.order.Yahoo.2: ""
FF - prefs.js..browser.search.param.Google.1.custom: ""
FF - prefs.js..browser.search.param.Google.1.default: ""
FF - prefs.js..browser.search.param.yahoo-f-CN: ""
FF - prefs.js..browser.search.param.yahoo-fr: ""
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: ""
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..keyword.enabled: false

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Components: C:\Program Files\Mozilla Firefox\Components [2010/02/28 01:53:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Plugins: C:\Program Files\Mozilla Firefox\Plugins [2010/02/28 01:53:32 | 000,000,000 | ---D | M]

[2010/02/25 19:28:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3jb1mujv.default\extensions
[2010/02/28 01:53:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/17 16:27:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2008/12/17 13:59:34 | 000,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2008/12/17 13:59:34 | 000,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2010/05/12 20:07:28 | 000,060,518 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2010/05/12 20:07:28 | 000,165,992 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2010/05/12 20:07:30 | 000,049,248 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2008/03/21 16:34:12 | 001,328,488 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
[2010/04/17 16:27:02 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/05/12 20:07:36 | 000,001,056 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.src
[2010/05/12 20:07:36 | 000,000,539 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.src
[2010/05/12 20:07:36 | 000,000,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.gif
[2010/05/12 20:07:36 | 000,000,718 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.src
[2010/05/12 20:07:36 | 000,001,007 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.src
[2010/05/12 20:07:36 | 000,000,210 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.gif
[2010/05/12 20:07:36 | 000,000,741 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.src
[2010/05/12 20:07:36 | 000,001,122 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.src
[2010/05/12 20:07:36 | 000,000,356 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.png
[2010/05/12 20:07:36 | 000,001,076 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.gif
[2010/05/12 20:07:36 | 000,000,680 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.png
[2010/05/12 20:07:36 | 000,001,150 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.png

O1 HOSTS File: ([2010/05/21 21:23:48 | 000,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -  File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll File not found
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -  File not found
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} -  File not found
O4 - HKLM..\Run: [AtiPTA] C:\WINNT\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [EVENTLISTENER] C:\Program Files\Common Files\FotoNation\EvLstnr.exe (FotoNation Inc.)
O4 - HKLM..\Run: [LM Status] C:\WINNT\System32\LMSTATUS.EXE ()
O4 - HKLM..\Run: [Multi-function Keyboard] C:\WINNT\GWHotKey.exe (BillP Studios)
O4 - HKLM..\Run: [PRPCMonitor] C:\WINNT\System32\prpcui.exe (Intel Corporation)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\ORL\VNC\WinVNC.exe (AT&T Research Labs Cambridge)
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Administrator_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll File not found
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000036 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000040 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000041 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000042 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000043 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000044 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000045 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000046 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000047 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000048 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000049 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000050 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000051 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000052 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000053 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000054 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000055 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000056 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000057 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O12 - Plugin for: .cgi - C:\Program Files\Netscape\Communicator\Program\Plugins\nppdf32.dll (Adobe Systems Inc.)
O12 - Plugin for: .swf - C:\Program Files\Netscape\Communicator\Program\Plugins\npswf32.dll ()
O16 - DPF: {00000075-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/voxmsdec.CAB (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/02/01 15:44:50 | 000,000,107 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2010/05/22 17:28:12 | 000,000,000 | -HSD | C] -- C:\Recycled
[2010/05/22 10:59:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/05/22 10:58:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/05/22 10:58:46 | 000,019,288 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/05/22 10:58:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/21 21:46:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\WinoTek
[2010/05/21 21:25:55 | 000,000,000 | ---D | C] -- C:\WINNT\temp
[2010/05/21 21:16:49 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
[2010/05/21 21:16:49 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2010/05/21 21:16:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2010/05/21 21:16:49 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
[2010/05/21 21:16:30 | 000,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2010/05/21 21:15:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/18 21:10:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\BPPC
[2010/05/16 20:11:49 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/05/16 20:10:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
[2010/05/11 14:06:02 | 000,000,000 | -H-D | C] -- C:\WINNT\$MSI31Uninstall_KB893803v2$
[2010/05/09 02:03:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\u505
[2010/05/08 23:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\shell issues
[4 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2010/05/22 20:06:28 | 002,281,472 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/05/22 20:06:28 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/05/22 17:28:28 | 000,001,255 | ---- | M] () -- C:\WINNT\win.ini
[2010/05/22 10:37:56 | 000,000,890 | -H-- | M] () -- C:\WINNT\System32\vsconfig.xml
[2010/05/22 10:37:18 | 000,000,001 | ---- | M] () -- C:\WINNT\System32\smtpauth.st1
[2010/05/21 21:25:54 | 000,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/05/21 21:24:04 | 000,000,320 | ---- | M] () -- C:\WINNT\system.ini
[2010/05/21 20:30:20 | 000,000,225 | ---- | M] () -- C:\WINNT\netscape.INI
[2010/05/20 21:40:46 | 000,065,625 | ---- | M] () -- C:\WINNT\nsreg.dat
[2010/05/18 21:13:20 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_2dc.dat
[2010/05/18 21:09:56 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/05/18 21:08:54 | 000,525,824 | ---- | M] () -- C:\WINNT\System32\dds.scr
[2010/05/12 20:49:02 | 000,001,385 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Mozilla Firefox.lnk
[2010/05/12 20:07:40 | 000,107,134 | ---- | M] () -- C:\WINNT\UninstallFirefox.exe
[2010/05/12 20:07:36 | 000,007,068 | ---- | M] () -- C:\WINNT\mozver.dat
[2010/05/11 14:06:44 | 000,001,410 | ---- | M] () -- C:\WINNT\imsins.BAK
[2010/05/07 21:02:10 | 000,000,427 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to clipbrd.exe.lnk
[2010/05/07 18:04:08 | 000,100,352 | ---- | M] () -- C:\WINNT\System32\dfrg.msc
[2010/05/07 13:25:50 | 000,000,060 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CPUID.URL
[2010/05/03 09:12:26 | 000,000,436 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Run VNCviewer.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:24 | 000,019,288 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/04/28 00:58:10 | 000,000,102 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Winotek Price List.url
[2010/04/26 15:58:14 | 000,256,512 | ---- | M] () -- C:\WINNT\PEV.exe
[4 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2010/05/21 21:16:49 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe
[2010/05/21 21:16:49 | 000,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2010/05/21 21:16:49 | 000,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2010/05/21 21:16:49 | 000,077,312 | ---- | C] () -- C:\WINNT\MBR.exe
[2010/05/21 21:16:49 | 000,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2010/05/18 21:13:18 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_2dc.dat
[2010/05/18 21:12:54 | 000,525,824 | ---- | C] () -- C:\WINNT\System32\dds.scr
[2010/05/18 21:09:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/05/12 21:28:32 | 000,000,473 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MailWasher Pro.lnk
[2010/05/07 21:02:08 | 000,000,427 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to clipbrd.exe.lnk
[2010/05/07 13:25:48 | 000,000,060 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CPUID.URL
[2010/04/28 00:57:57 | 000,000,102 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Winotek Price List.url
[2010/03/02 00:12:37 | 000,000,200 | ---- | C] () -- C:\WINNT\System32\smtpauth.ini
[2010/02/25 19:23:49 | 000,003,584 | ---- | C] () -- C:\WINNT\System32\wmfhotfix.dll
[2010/02/24 21:18:41 | 000,040,960 | ---- | C] () -- C:\WINNT\System32\Dual_55G.dll
[2010/02/24 21:18:40 | 000,651,264 | ---- | C] () -- C:\WINNT\System32\libeay32.dll
[2010/02/24 21:18:39 | 000,147,456 | ---- | C] () -- C:\WINNT\System32\ssleay32.dll
[2010/02/24 21:18:35 | 000,000,492 | ---- | C] () -- C:\WINNT\System32\wlan.ini
[2003/02/16 14:00:29 | 000,000,035 | ---- | C] () -- C:\WINNT\render.ini
[2002/11/18 18:19:16 | 000,005,642 | ---- | C] () -- C:\WINNT\Pictor.ini
[2002/11/18 18:17:19 | 000,005,643 | ---- | C] () -- C:\WINNT\Pictor bak.ini
[2002/11/18 16:36:26 | 000,000,000 | ---- | C] () -- C:\WINNT\schedule.INI
[2002/11/18 15:55:38 | 000,001,287 | ---- | C] () -- C:\WINNT\IP2000.INI
[2002/06/03 14:27:18 | 000,103,424 | R--- | C] () -- C:\WINNT\System32\jpegcode.dll
[2002/05/19 09:45:14 | 000,000,022 | ---- | C] () -- C:\WINNT\kodakpcd.ini
[2001/05/16 16:49:58 | 000,146,432 | ---- | C] () -- C:\WINNT\System32\qasf.dll
[2001/03/05 10:09:43 | 000,000,000 | ---- | C] () -- C:\WINNT\DEVCON.INI
[2001/01/31 15:06:40 | 000,000,018 | ---- | C] () -- C:\WINNT\gwhotkey.ini
[2001/01/19 19:52:37 | 000,000,120 | ---- | C] () -- C:\WINNT\MSMAIL32.INI
[2001/01/15 07:21:04 | 000,000,339 | ---- | C] () -- C:\WINNT\qex.ini
[2001/01/05 20:09:47 | 000,000,121 | ---- | C] () -- C:\WINNT\Winamp.ini
[2000/12/24 16:32:39 | 000,000,558 | ---- | C] () -- C:\WINNT\SHSFTSET.INI
[2000/12/24 16:32:39 | 000,000,342 | ---- | C] () -- C:\WINNT\spipcl4a.ini
[2000/12/24 16:32:38 | 000,001,106 | ---- | C] () -- C:\WINNT\sd4.ini
[2000/12/19 13:48:57 | 000,009,472 | ---- | C] () -- C:\WINNT\System32\drivers\MAC_MOT.SYS
[2000/12/19 11:09:58 | 000,000,000 | ---- | C] () -- C:\WINNT\UITCLSH.INI
[2000/12/19 10:58:18 | 000,000,067 | ---- | C] () -- C:\WINNT\Tornado.INI
[2000/11/19 14:20:24 | 000,000,211 | ---- | C] () -- C:\WINNT\QUICKEN.INI
[2000/11/19 14:20:24 | 000,000,061 | ---- | C] () -- C:\WINNT\MAXLINK.INI
[2000/10/25 16:03:47 | 000,000,063 | ---- | C] () -- C:\WINNT\mdm.ini
[2000/10/25 16:03:41 | 000,000,000 | ---- | C] () -- C:\WINNT\NSREX.INI
[2000/10/25 15:25:42 | 000,000,022 | ---- | C] () -- C:\WINNT\icdesk.INI
[2000/10/18 16:46:36 | 000,058,640 | ---- | C] () -- C:\WINNT\System32\drivers\atinbtxx.sys
[2000/10/18 10:37:44 | 000,000,120 | ---- | C] () -- C:\WINNT\setihome.ini
[2000/10/18 10:27:06 | 000,000,000 | ---- | C] () -- C:\WINNT\MTSTACK.INI
[2000/10/12 10:47:00 | 000,000,225 | ---- | C] () -- C:\WINNT\netscape.INI
[2000/09/15 18:41:51 | 000,000,141 | ---- | C] () -- C:\WINNT\QAWIN32.INI
[2000/09/15 18:28:06 | 000,204,288 | ---- | C] () -- C:\WINNT\System32\LSXConfig.dll
[2000/09/15 18:27:05 | 000,001,011 | ---- | C] () -- C:\WINNT\ODBC.INI
[2000/09/15 18:26:53 | 000,065,536 | ---- | C] () -- C:\WINNT\System32\MSRTEDIT.DLL
[2000/09/15 18:26:53 | 000,040,448 | ---- | C] () -- C:\WINNT\System32\REGOBJ.DLL
[2000/09/15 18:24:28 | 000,073,728 | R--- | C] () -- C:\WINNT\System32\SynTPCoI.dll
[2000/09/15 18:24:26 | 000,057,344 | ---- | C] () -- C:\WINNT\uninstBVRP.dll
[2000/09/15 18:24:26 | 000,000,029 | ---- | C] () -- C:\WINNT\wgedit.ini
[2000/09/15 18:23:26 | 000,000,370 | ---- | C] () -- C:\WINNT\System32\OEMINFO.INI
[2000/09/15 18:23:05 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2000/09/15 18:23:04 | 000,106,496 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2000/09/15 18:23:03 | 002,281,472 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2000/09/15 18:15:58 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2000/02/25 15:26:30 | 000,044,416 | ---- | C] () -- C:\WINNT\System32\drivers\atinrvxx.sys
[2000/02/25 15:26:30 | 000,031,056 | ---- | C] () -- C:\WINNT\System32\drivers\atinraxx.sys
[2000/02/25 15:26:30 | 000,021,904 | ---- | C] () -- C:\WINNT\System32\drivers\atintuxx.sys
[2000/02/25 15:26:30 | 000,021,888 | ---- | C] () -- C:\WINNT\System32\drivers\atinxbxx.sys
[2000/02/25 15:26:30 | 000,021,072 | ---- | C] () -- C:\WINNT\System32\drivers\atinsnxx.sys
[1999/09/25 10:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 10:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys
[1998/02/13 16:23:22 | 000,027,648 | ---- | C] () -- C:\WINNT\System32\drivers\format32.dll
[1998/02/13 16:23:18 | 000,004,480 | ---- | C] () -- C:\WINNT\System32\drivers\format16.dll
[1997/09/12 00:00:00 | 000,024,576 | ---- | C] () -- C:\WINNT\System32\ODBCMON.DLL
[1997/09/12 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINNT\System32\ODBCSTF.DLL
[1997/09/12 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINNT\System32\DOCOBJ.DLL
[1997/09/12 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINNT\System32\HLINKPRX.DLL
[1980/01/01 00:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[1980/01/01 00:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[1980/01/01 00:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[1980/01/01 00:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[1980/01/01 00:00:00 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini

[color=#E56717]========== LOP Check ==========[/color]

[2002/09/29 17:47:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MailWasher
[2003/03/18 21:10:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MailWasherPro

[color=#E56717]========== Purity Check ==========[/color]


< End of report >


#14 50BMG

Posted 22 May 2010 - 09:11 PM

I just noticed that my hosts file has been emptied of everything but a single line "127.0.0.1 localhost" and that internet shortcuts dragged to Firefox no longer work.

Double clicking on an internet shortcut opens Internet Explorer, but does not pass it the url in the shortcut. [stays at the blank startup page I have set]

I can see that my "ftp" pest is still with me - BTW.

#15 m0le

  • Malware Response Team

Posted 23 May 2010 - 10:53 AM

QUOTE
I just noticed that my hosts file has been emptied of everything but a single line "127.0.0.1 localhost" and that internet shortcuts dragged to Firefox no longer work.

Double clicking on an internet shortcut opens Internet Explorer, but does not pass it the url in the shortcut. [stays at the blank startup page I have set]


Combofix sets the browser defaults.


Two desktop items that I don't recognise. These yours?

QUOTE
[2010/05/09 02:03:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\u505
[2010/05/08 23:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\shell issues

m0le is a proud member of UNITE
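The two things the helper does above, picking out recently created items under the user's Desktop with no publisher string, and relying on the O35/O37 lines to confirm that the .exe/.com open handlers still read "%1" %*, can be scripted against the OTL log text. The following is an added example, not OTL's code and not posted by anyone in this thread. The sample lines in SAMPLE_LOG are copied from the OTL log above, except the O35 exefile line, which is constructed to show what a hijacked handler would look like; the KNOWN_TOOL_PATHS set is an assumption listing files the tools already run in this thread (ComboFix, DDS, Malwarebytes) are known to drop.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# OTL file/folder entry, as printed in the "Created Within 30 Days" sections:
# [YYYY/MM/DD HH:MM:SS | SIZE | ATTRS | C|M] (Company) -- PATH
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.*?)\s*$"
)
# OTL O35/O37 lines carry the shell open command for .exe/.com; stock value is "%1" %*
SHELL_OPEN_RE = re.compile(r"^O3[57] - (?P<key>.+?) \[(?P<verb>[^\]]*)\] -- (?P<cmd>.*?)\s*$")
EXPECTED_OPEN_CMD = '"%1" %*'

# Assumption: paths dropped by the cleanup tools already run in this thread
# (ComboFix helpers and backups, the DDS scanner, Malwarebytes drivers).
KNOWN_TOOL_PATHS = {p.lower() for p in (
    r"C:\Qoobox", r"C:\WINNT\ERDNT", r"C:\WINNT\PEV.exe", r"C:\WINNT\sed.exe",
    r"C:\WINNT\grep.exe", r"C:\WINNT\MBR.exe", r"C:\WINNT\zip.exe",
    r"C:\WINNT\SWXCACLS.exe", r"C:\WINNT\SWREG.exe", r"C:\WINNT\SWSC.exe",
    r"C:\WINNT\NIRCMD.exe", r"C:\WINNT\System32\dds.scr",
    r"C:\WINNT\System32\drivers\mbam.sys", r"C:\WINNT\System32\drivers\mbamswissarmy.sys",
    r"C:\Program Files\Malwarebytes' Anti-Malware",
)}


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str
    kind: str                  # 'C' = created section, 'M' = modified section
    company: Optional[str]     # None when OTL printed no company or "()"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_entries(log: str) -> List[Entry]:
    """Parse every OTL file/folder entry in the log text; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue   # section headers, O-lines, "[4 ... *.tmp files -> ]" summaries
        entries.append(Entry(m["ts"], int(m["size"].replace(",", "")), m["attrs"],
                             m["kind"], m["company"] or None, m["path"]))
    return entries


def triage(entries: List[Entry],
           profile: str = r"C:\Documents and Settings\Administrator",
           windir: str = r"C:\WINNT") -> List[Entry]:
    """Created entries with no publisher string, under the profile's Desktop or the
    Windows directory, that no known tool dropped. A company string is only a hint
    (it is copied from the file's version resource and can be forged), so entries
    that carry one are deprioritised, not cleared."""
    desktop = (profile + "\\Desktop\\").lower()
    win = (windir + "\\").lower()
    flagged = []
    for e in entries:
        p = e.path.lower()
        if e.kind != "C" or e.company or p in KNOWN_TOOL_PATHS:
            continue
        if p.startswith(desktop) or p.startswith(win):
            flagged.append(e)
    return flagged


def check_shell_open(log: str) -> Dict[str, str]:
    """Return {registry key: command} for every O35/O37 handler that is not the stock
    "%1" %*; anything else means every .exe/.com launch runs through another binary."""
    bad = {}
    for line in log.splitlines():
        m = SHELL_OPEN_RE.match(line.strip())
        if m and m["cmd"] != EXPECTED_OPEN_CMD:
            bad[m["key"]] = m["cmd"]
    return bad


# Constructed sample: lines copied from the OTL log in this thread, except the
# O35 exefile line, which is made up to show a hijacked open handler.
SAMPLE_LOG = r"""
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\hijack.exe" "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
[2010/05/22 17:28:12 | 000,000,000 | -HSD | C] -- C:\Recycled
[2010/05/22 10:58:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/05/21 21:16:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2010/05/21 21:15:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/09 02:03:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\u505
[2010/05/08 23:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\shell issues
[4 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[2010/05/21 21:16:49 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe
[2010/05/18 21:12:54 | 000,525,824 | ---- | C] () -- C:\WINNT\System32\dds.scr
"""

if __name__ == "__main__":
    for e in triage(parse_entries(SAMPLE_LOG)):
        print("ask the user about:", e.path)
    for key, cmd in check_shell_open(SAMPLE_LOG).items():
        print("non-stock open handler:", key, "->", cmd)
```

Run against the sample it reports exactly the two Desktop folders queried in post #15 and the constructed exefile hijack. On a real log, paste the whole OTL output into the string or read it from a file; the "Files - Modified" entries are parsed too but skipped by triage because only created items are of interest there.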



