
Combofix log


This topic is locked
2 replies to this topic

#1 Actuaryman

  • Members
  • 1 posts

Posted 04 June 2010 - 10:07 AM

ComboFix 10-06-03.01 - sharon 06/04/2010 10:21:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.553 [GMT -4:00]
Running from: c:\documents and settings\sharon\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sharon\GoToAssistDownloadHelper.exe
c:\documents and settings\sharon\Local Settings\Application Data\Windows Server
c:\documents and settings\sharon\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\sharon\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\program files\Common
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\windows\system32\bin
c:\windows\system32\drivers\qtjb.sys
c:\windows\system32\ki3
c:\windows\system32\noerthcd.ini
c:\windows\system32\orAadMoq.ini
c:\windows\system32\orAadMoq.ini2
c:\windows\system32\uv9
c:\windows\system32\VC
c:\windows\Tasks\owlmobpw.job

Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_qfasfjp
-------\Service_qfasfjp


((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-04 13:50 . 2010-06-04 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-06-04 12:59 . 2010-06-04 12:59 -------- d-----w- c:\program files\Radmin Viewer 3
2010-06-03 03:10 . 2010-06-03 03:12 -------- dc-h--w- c:\windows\ie8
2010-06-03 03:04 . 2010-06-03 03:04 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-03 03:01 . 2010-06-03 03:02 164 ----a-w- c:\windows\install.dat
2010-06-03 00:01 . 2010-06-03 00:01 -------- dc----w- C:\3a11614746604e8115125c
2010-06-03 00:01 . 2010-06-03 00:01 -------- dc----w- C:\073bc5dff4571c1ca7dc5a7731952e3b
2010-06-03 00:01 . 2010-06-03 00:01 -------- dc----w- C:\de9d8407890b75a96d9499daabc9ea
2010-06-03 00:01 . 2010-06-03 00:01 -------- dc----w- C:\13250992207a64a0041257ef
2010-06-03 00:01 . 2010-06-03 00:01 -------- dc----w- C:\6b389f1336382ab262869c50
2010-06-03 00:00 . 2010-06-03 00:00 -------- dc----w- C:\ccf3d4286672ec77c2425eea0b
2010-06-02 23:58 . 2010-06-02 23:58 -------- dc----w- C:\b404ad6acc7f0d3df19fae562b
2010-06-02 22:32 . 2010-06-03 02:45 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\wikdegdpw
2010-06-02 13:06 . 2010-06-02 13:06 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\Threat Expert
2010-06-02 02:28 . 2010-06-03 14:17 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-01 14:15 . 2010-06-01 14:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-01 14:15 . 2010-06-03 02:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sofyny
2010-06-01 14:15 . 2010-06-01 14:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Huyf
2010-06-01 01:25 . 2010-06-01 01:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-31 23:54 . 2010-05-31 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-31 23:52 . 2010-05-31 23:52 -------- d-sh--w- c:\documents and settings\sharon\PrivacIE
2010-05-31 23:49 . 2010-05-31 23:49 -------- d-sh--w- c:\documents and settings\sharon\IETldCache
2010-05-24 22:18 . 2010-05-24 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-05-24 22:17 . 2010-05-24 22:18 -------- d-----w- c:\program files\DVD Shrink
2010-05-24 22:14 . 2010-05-24 22:14 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\WinZip
2010-05-24 22:05 . 2010-05-24 22:05 -------- d-----w- c:\documents and settings\sharon\Application Data\Nero
2010-05-24 22:02 . 2010-05-24 22:03 -------- d-----w- c:\program files\Nero
2010-05-24 22:02 . 2010-05-24 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-05-24 22:02 . 2010-05-24 22:04 -------- d-----w- c:\program files\Common Files\Nero
2010-05-24 16:09 . 2010-05-24 16:09 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Roxio
2010-05-24 12:24 . 2010-05-24 18:57 -------- d-----w- c:\documents and settings\TEMP
2010-05-24 04:37 . 2010-05-24 04:37 -------- d-----w- c:\windows\system32\XPSViewer
2010-05-24 04:37 . 2010-05-24 04:37 -------- d-----w- c:\program files\MSBuild
2010-05-24 04:37 . 2010-05-24 04:37 -------- d-----w- c:\program files\Reference Assemblies
2010-05-24 04:36 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-05-24 04:36 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-05-24 04:36 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-05-24 04:36 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-05-24 04:36 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-05-24 04:36 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-05-24 04:36 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-05-24 04:36 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-05-24 04:36 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-05-24 01:48 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-05-24 01:47 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-05-24 01:47 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-05-24 01:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-05-24 01:46 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-05-24 01:36 . 2010-05-12 15:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-24 01:23 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-05-24 01:23 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-05-24 01:23 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-05-24 01:23 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-05-24 01:23 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-05-24 01:23 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-05-24 01:23 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-05-24 01:23 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-05-24 01:22 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-05-24 01:22 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-05-24 01:13 . 2010-05-24 01:13 -------- d-----w- c:\program files\Common Files\Windows Live
2010-05-24 00:10 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2010-05-23 23:56 . 2010-05-24 22:39 -------- d-----w- c:\documents and settings\sharon\Local Settings\Application Data\WMTools Downloaded Files
2010-05-17 22:25 . 2010-05-17 22:25 -------- d-----w- c:\program files\PIXELA
2010-05-14 20:56 . 2010-05-14 20:56 1885464 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-05-14 20:48 . 2010-05-14 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-14 20:48 . 2010-05-14 20:48 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2010-05-14 20:48 . 2010-05-14 20:48 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-05-14 20:47 . 2010-05-14 20:47 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2010-05-14 20:46 . 2010-05-14 20:47 -------- d-----w- c:\program files\Common Files\Seagate
2010-05-14 20:46 . 2010-05-14 20:46 -------- d-----w- c:\program files\Seagate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 14:32 . 2008-11-16 02:18 -------- d-----w- c:\program files\DNA
2010-06-04 14:32 . 2008-11-16 02:18 -------- d-----w- c:\documents and settings\sharon\Application Data\DNA
2010-06-04 04:27 . 2009-05-08 01:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
2010-06-03 13:59 . 2008-12-12 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-03 03:00 . 2008-07-22 19:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-03 03:00 . 2008-07-22 19:50 -------- d-----w- c:\program files\Symantec
2010-06-03 03:00 . 2008-07-22 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-03 03:00 . 2008-07-22 19:50 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-02 22:00 . 2009-01-14 04:29 -------- d-----w- c:\program files\Norton Security Scan
2010-06-02 19:27 . 2009-11-15 04:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-01 13:03 . 2008-12-05 00:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 22:24 . 2008-10-03 13:34 -------- d-----w- c:\documents and settings\sharon\Application Data\Image Zone Express
2010-05-24 19:02 . 2008-07-29 19:18 100744 ----a-w- c:\documents and settings\sharon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-24 18:36 . 2009-01-26 03:37 -------- d-----w- c:\program files\MozyHome
2010-05-17 22:25 . 2008-07-22 18:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-14 20:48 . 2010-01-20 01:51 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-05-14 02:00 . 2010-01-20 01:51 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
2010-05-13 20:39 . 2009-01-26 03:37 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2010-05-13 16:47 . 2008-07-29 22:02 -------- d-----w- c:\program files\Google
2010-05-12 22:11 . 2008-11-16 02:18 -------- d-----w- c:\documents and settings\sharon\Application Data\BitTorrent
2010-05-02 03:16 . 2008-12-04 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-29 19:39 . 2008-12-05 00:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-12-05 00:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 18:47 . 2010-04-29 18:47 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-27 01:15 . 2008-12-21 01:55 -------- d-----w- c:\documents and settings\sharon\Application Data\TaxCut
2010-04-27 01:09 . 2010-04-27 01:03 -------- d-----w- c:\program files\HRBlock2009
2010-04-27 01:05 . 2008-12-21 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-04-13 21:33 . 2008-07-22 18:12 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-26 14:33 . 2010-05-12 16:54 1496064 ----a-w- c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\ngq0w43a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 14:33 . 2010-05-12 16:54 43008 ----a-w- c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\ngq0w43a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 14:33 . 2010-05-12 16:54 339456 ----a-w- c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\ngq0w43a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 14:32 . 2010-05-12 16:54 346112 ----a-w- c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\ngq0w43a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-10 11:48 . 2010-03-10 11:48 3309072 ----a-w- c:\documents and settings\sharon\Application Data\YouSendIt\Downloads\YouSendIt_Express.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2010-05-13 20:39 2224440 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2010-05-13 20:39 2224440 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-07 323392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-05 68856]
"YouSendIt.exe"="c:\program files\YouSendIt\Express\YouSendIt.exe" [2008-11-10 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2007-04-09 19456]
"CTxfiHlp"="c:\windows\system32\CTXFIHLP.EXE" [2007-04-09 19968]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2005-03-22 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-03-05 244208]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2008-03-05 113136]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-09-01 75048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-24 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-24 136472]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\sharon\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - c:\documents and settings\sharon\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe [2009-4-1 801032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ImageMixer 3 SE Camera Monitor Ver.6.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.6\Transfer Utility\CameraMonitor.exe [2010-5-17 537968]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-5-13 2407224]
VPN Client.lnk - c:\windows\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2008-8-1 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART Board Tools.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
backup=c:\windows\pss\SMART Board Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^sharon^Start Menu^Programs^Startup^Backyard Hockey 2005 Registration.lnk]
path=c:\documents and settings\sharon\Start Menu\Programs\Startup\Backyard Hockey 2005 Registration.lnk
backup=c:\windows\pss\Backyard Hockey 2005 Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-11-07 19:16 111936 ------w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-10 14:51 289064 ------w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 13:00 1116920 ------w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-08-05 01:49 68856 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YouSendIt.exe]
2008-11-10 23:24 81920 ------w- c:\program files\YouSendIt\Express\YouSendIt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Defender\\MpCmdRun.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/12/2008 5:02 PM 29808]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/11/15 00:09];c:\program files\CyberLink\PowerDVD9\000.fcl [9/1/2009 5:59 PM 87536]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:24 PM 135664]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [3/5/2008 8:32 AM 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [3/5/2008 8:32 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [3/5/2008 8:32 AM 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\sharon\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\sharon\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [3/5/2008 8:32 AM 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [3/5/2008 8:31 AM 1120752]
S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [11/2/2007 5:48 AM 767240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-29 02:29]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:24]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:24]

2010-06-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]

2010-06-02 c:\windows\Tasks\Norton Security Scan for sharon.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 09:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\ngq0w43a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL -
FF - component: c:\documents and settings\sharon\Application Data\Mozilla\Firefox\Profiles\ngq0w43a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\sharon\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\sharon\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{FDD712AD-A164-4686-8493-DABF1F88DBB1} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-NavLogon - (no file)
Notify-vtUlJbaW - vtUlJbaW.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 10:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-448539723-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:9c,f0,3b,a0,4f,81,d7,94,cf,38,89,93,9c,c9,fc,9f,b0,c5,a6,9b,52,
26,cb,2e,99,20,b7,07,77,3a,0a,22,2e,3e,7b,19,ad,e8,1f,0b,6f,31,fb,12,81,e4,\
"rkeysecu"=hex:f6,90,9b,a3,05,a2,f0,45,7c,66,69,d0,38,59,5b,d5

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1288)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3980)
c:\program files\MozyHome\mozyshell.dll
c:\program files\MozyHome\LIBEAY32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\MozyHome\mozybackup.exe
c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Java\jre1.6.0_06\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-06-04 10:38:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-04 14:37

Pre-Run: 846,385,541,120 bytes free
Post-Run: 850,023,895,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0C4D3BEEAB02DDE1872D07DB94DF584D



#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 06 June 2010 - 08:39 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 13 June 2010 - 08:33 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



