Rogue.DigitalProtection Encountered in MBAM Log


  • This topic is locked
18 replies to this topic

#1 smegly

Posted 13 June 2010 - 12:17 PM

A little over a month ago my mother got the Digital Protection thing and I had her run MWB's (she had to do it in the safe mode). That seemed to do the trick, but then two days later when I had her run it again, something else came up (pragma???.exe). The computer seemed usable and she wasn't competent enough to do anything more, so we let it slide until now, when I can sit at her computer and follow your instructions.

GMER locked up the computer on the first go, but on the second it seemed to run just fine, but at some point an hour or more into running the system crashed. Nothing in the event log that I can see, which seems ominously strange.

IN EDIT: Tried GMER again (3rd time), this time with AV disabled and defogger run to shut down any CD emulators. Still no go. The computer reboots after an hour or so and there's nothing in the event logs about it.

IN EDIT: On fifth try I did get GMER to work. Had to do it in the safe mode however. Also, it took six hours to complete. Is that normal if I followed the instructions regarding the checkboxes for the scan set-up?

Also the secondary HDD doesn't show up in My Computer. Haven't checked for visibility in the bios as yet.

Anyway, pretty sure that MWB's didn't do the whole job (rootkits, backdoor trojan?).

Thanks...

Here's the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Craig at 9:10:56.20 on Sun 06/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2054 [GMT -5:00]

AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Craig\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60181
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Secure Online Account Numbers Helper: {435eaa86-d32b-484f-869c-53745fcb1642} - c:\program files\discover\soan\DiscoverSOANHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll
BHO: Fast Browser Search Toolbar Helper: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\fast browser search\ie\FBStoolbar.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Fast Browser Search Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: Secure Online Account Numbers: {a8c7c2ca-6dfd-4e16-8458-592361564d38} - c:\program files\discover\soan\DiscoverSOANToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRunOnce: [FlashPlayerUpdate] c:\program files\opera\program\plugins\NPSWF32_FlashUtil.exe -p
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [HostManager] c:\program files\common files\aol\1166639880\ee\AOLSoftware.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Secure Online Account Numbers] c:\progra~1\discover\soan\DISCOV~1.EXE /dontopenmycards
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\craig\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171467784843
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://www.imgag.com/cp/install/Crusher.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\craig\applic~1\mozilla\firefox\profiles\edkpey7m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={041996C5-0DD9-34A0-1831-7D6829E5CB39}&q=
FF - component: c:\documents and settings\craig\application data\mozilla\firefox\profiles\edkpey7m.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - component: c:\program files\discover\soan\components\SlimOrbAddonDiscoverSOAN.dll
FF - plugin: c:\documents and settings\craig\application data\mozilla\firefox\profiles\edkpey7m.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\craig\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\opera\program\plugins\np-mswmp.dll
FF - plugin: c:\program files\opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\nppdf32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-1 304464]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-1 20952]
S2 gupdate1c9f2d230d30f5a;Google Update Service (gupdate1c9f2d230d30f5a);c:\program files\google\update\GoogleUpdate.exe [2009-6-21 133104]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [2008-6-24 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\drivers\kwflower.sys --> c:\windows\system32\drivers\kwflower.sys [?]

=============== Created Last 30 ================

2010-06-11 19:09:06 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-29 16:10:28 0 d-----w- C:\DSCN0911
2010-05-29 16:10:11 4122272 ----a-w- C:\DSCN0911.zip
2010-05-15 14:56:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-15 14:56:17 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-05-21 14:55:43 327590 ----a-w- c:\program files\Online Store Malwarebytes.mht
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-06 09:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2010-03-07 18:14:30 1849592 ----a-w- c:\program files\mapquest_toolbar.exe
2010-02-17 14:43:25 432821 ----a-w- c:\program files\EBrokerageTitaniumServlet
2010-02-16 16:48:25 25740144 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2010-02-14 20:09:45 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe
2009-05-16 00:48:54 74302760 ----a-w- c:\program files\iTunesSetup.exe
2009-04-01 02:34:10 200192 ----a-w- c:\program files\bd_rem_tool_gui.exe
2009-04-01 02:34:09 137216 ----a-w- c:\program files\bd_rem_tool_console.exe
2009-04-01 02:34:08 102400 ----a-w- c:\program files\bdcore.dll
2009-02-07 15:51:31 2041069 ----a-w- c:\program files\SnapactSetup.exe
2009-01-25 18:21:27 6282254 ----a-w- c:\program files\MC_setup.exe
2008-03-05 04:31:14 1069935 ----a-w- c:\program files\RegCure_Setup_15_RW.exe
2008-02-24 04:07:05 6280 ----a-w- c:\program files\billing_188745615_47c0ed610f3ab.pdf
2008-02-18 00:19:15 277616 ----a-w- c:\program files\TheWeatherChannel_dw5_Stubgooglesearch.exe
2008-02-08 14:27:52 32279040 ----a-w- c:\program files\dell_support_center.msi
2008-01-11 16:49:35 382352 ----a-w- c:\program files\jre-6u3-windows-i586-p-iftw.exe
2007-02-12 16:58:44 21822168 ----a-w- c:\program files\AdbeRdr80_en_US.exe
2007-01-01 17:43:00 497808 ----a-w- c:\program files\deskshopInstall.exe
2007-03-30 15:13:10 88 --sh--r- c:\windows\system32\18ED9EC0A2.sys
2007-04-25 17:53:29 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-11-24 20:37:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112420081125\index.dat
2010-01-04 23:25:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
2009-11-27 21:52:00 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-11-27 21:52:00 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-11-27 21:52:00 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 9:11:33.19 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-14 06:52:07
Windows 5.1.2600 Service Pack 3
Running: fk3ff4zl.exe; Driver: C:\DOCUME~1\Craig\LOCALS~1\Temp\awliapow.sys


---- System - GMER 1.0.15 ----

SSDT spfl.sys ZwCreateKey [0xF74D70E0]
SSDT spfl.sys ZwEnumerateKey [0xF74F5CA2]
SSDT spfl.sys ZwEnumerateValueKey [0xF74F6030]
SSDT spfl.sys ZwOpenKey [0xF74D70C0]
SSDT spfl.sys ZwQueryKey [0xF74F6108]
SSDT spfl.sys ZwQueryValueKey [0xF74F5F88]
SSDT spfl.sys ZwSetValueKey [0xF74F619A]

INT 0x62 ? 8ABC5BF8
INT 0x63 ? 8AB55BF8
INT 0x84 ? 8A15BBF8
INT 0x94 ? 8A15BBF8
INT 0xA4 ? 8A15BBF8
INT 0xB4 ? 8A15BBF8

---- Kernel code sections - GMER 1.0.15 ----

? spfl.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BA5548AC 5 Bytes JMP 8A15B1D8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8ABC31F8
Device \Driver\usbuhci \Device\USBPDO-0 8A15A1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AB561F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AB561F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AB561F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AB561F8
Device \Driver\usbehci \Device\USBPDO-1 8A158500
Device \Driver\usbuhci \Device\USBPDO-2 8A15A1F8
Device \Driver\usbuhci \Device\USBPDO-3 8A15A1F8
Device \Driver\usbuhci \Device\USBPDO-4 8A15A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8ABC61F8
Device \Driver\Cdrom \Device\CdRom0 8A11F1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8ABC61F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8ABC61F8
Device \Driver\iastor \Device\Ide\iaStor0 [F7B4B020] iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 [F7B4B020] iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume4 8ABC61F8
Device \Driver\usbuhci \Device\USBFDO-0 8A15A1F8
Device \Driver\usbuhci \Device\USBFDO-1 8A15A1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A15A1F8
Device \Driver\usbuhci \Device\USBFDO-3 8A15A1F8
Device \Driver\usbehci \Device\USBFDO-4 8A158500
Device \Driver\Ftdisk \Device\FtControl 8ABC61F8
Device \FileSystem\Fastfat \Fat 89FE31F8
Device \FileSystem\Fastfat \Fat B9ACE297
Device \FileSystem\Cdfs \Cdfs 8A0131F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\LocalServer32@ C:\Program Files\Microsoft Works\wkgdcach.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ MicrosoftWorks.GdiCache.FontCache.5
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\TypeLib@ {C3E7A4D1-AF8B-11D2-BD0F-00C04F72DBBC}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\VersionIndependentProgID@ MicrosoftWorks.GdiCache.FontCache
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\Program Files\Common Files\Ahead\Lib\GCCapture.ax
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel Both

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Craig\My Documents\Downloads\Total Training for Adobe CS3 Web Design - Workflow\Total Training for Adobe CS3 Web Design - Workflow\Project Files\Lesson 01\website\C-\Documents and Settings\Administrator\Desktop\Project Files - CS3 Web Design\Lesson 09 0 bytes
File C:\Documents and Settings\Craig\My Documents\Downloads\Total Training for Adobe CS3 Web Design - Workflow\Total Training for Adobe CS3 Web Design - Workflow\Project Files\Lesson 01\website\C-\Documents and Settings\Administrator\Desktop\Project Files - CS3 Web Design\Lesson 09\flash_slideshow.swf 414096 bytes

---- EOF - GMER 1.0.15 ----

Edited by smegly, 14 June 2010 - 07:11 AM.
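The GMER section of the log above is what the question about rootkits turns on. As an added example (not code from this thread, from BleepingComputer or from GMER), the Python triage helper below parses a constructed excerpt copied from that output, groups SSDT hooks by the module that installed them, and flags a hooking module that GMER could not open on disk; all function and variable names are my own.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not BleepingComputer's
or GMER's own code). It pulls out the findings a responder looks at first:
SSDT hooks grouped by the owning module, modules GMER could not locate on disk,
unknown-owner interrupt hooks, and inline JMP patches in kernel code sections."""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the GMER output quoted in the post above.
SAMPLE_GMER_LOG = r"""---- System - GMER 1.0.15 ----

SSDT spfl.sys ZwCreateKey [0xF74D70E0]
SSDT spfl.sys ZwEnumerateKey [0xF74F5CA2]
SSDT spfl.sys ZwOpenKey [0xF74D70C0]
SSDT spfl.sys ZwSetValueKey [0xF74F619A]

INT 0x62 ? 8ABC5BF8
INT 0x84 ? 8A15BBF8

---- Kernel code sections - GMER 1.0.15 ----

? spfl.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BA5548AC 5 Bytes JMP 8A15B1D8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8ABC31F8
"""

# Line shapes as GMER 1.0.15 prints them (regexes are my own).
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]$")
INT_RE = re.compile(r"^INT\s+(0x[0-9A-Fa-f]+)\s+(\S+)\s+([0-9A-Fa-f]+)$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
PATCH_RE = re.compile(
    r"^(\.\w+)\s+(\S+)\s+([0-9A-Fa-f]+)\s+(\d+)\s+Bytes\s+(JMP\s+[0-9A-Fa-f]+)$")


def parse_gmer(text):
    """Return the hook-related findings from a GMER log as a dict."""
    findings = {
        "ssdt_hooks": defaultdict(list),  # module -> [(Zw function, handler address)]
        "int_hooks": [],                  # (vector, owner, handler); owner '?' = unknown
        "missing_modules": [],            # modules GMER could not open on disk
        "code_patches": [],               # (section, symbol, address, byte count, patch)
    }
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SSDT_RE.match(line)):
            findings["ssdt_hooks"][m.group(1)].append((m.group(2), m.group(3).upper()))
        elif (m := INT_RE.match(line)):
            findings["int_hooks"].append((m.group(1), m.group(2), m.group(3)))
        elif (m := MISSING_RE.match(line)):
            findings["missing_modules"].append(m.group(1))
        elif (m := PATCH_RE.match(line)):
            findings["code_patches"].append(
                (m.group(1), m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    findings["ssdt_hooks"] = dict(findings["ssdt_hooks"])
    return findings


def suspicious_modules(findings):
    """Modules that hook the SSDT and that GMER could not find on disk.
    A hooking driver that the file system cannot see is what a responder
    verifies first: it may be a legitimate driver hidden by a disc-emulation
    or copy-protection product, or a kernel-mode rootkit."""
    hooking = set(findings["ssdt_hooks"])
    return sorted(hooking & set(findings["missing_modules"]))


def registry_hooks(findings):
    """Count SSDT hooks on registry services (Zw*Key / Zw*ValueKey) per module;
    hooking only the registry services is typical of drivers that hide keys."""
    return {mod: sum(1 for fn, _ in hooks if fn.endswith("Key"))
            for mod, hooks in findings["ssdt_hooks"].items()}


if __name__ == "__main__":
    f = parse_gmer(SAMPLE_GMER_LOG)
    for mod, hooks in f["ssdt_hooks"].items():
        print(f"{mod}: {len(hooks)} SSDT hook(s): {', '.join(fn for fn, _ in hooks)}")
    print("hooking modules not found on disk:", suspicious_modules(f))
    print("unknown-owner INT hooks:", [v for v, owner, _ in f["int_hooks"] if owner == "?"])
    for sec, sym, addr, n, patch in f["code_patches"]:
        print(f"inline patch in {sym} ({sec} @ {addr}): {n} bytes {patch}")
```

Feed it a full GMER log instead of the sample to get the same grouping for every hooking module the scan reported.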


#2 m0le (Malware Response Team)

Posted 18 June 2010 - 07:13 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 smegly

Posted 18 June 2010 - 08:14 PM

Hi M0le,

I'm here. Been checking every couple of hours. Surprised I missed you by this much.

Thanks for the help.

I might add that while I can see my optical drive in My Computer, none of the applications that would write to the drive can see it. So, I'm fairly hobbled here.

Let's get started...

smegly

#4 m0le (Malware Response Team)

Posted 19 June 2010 - 05:22 PM

MBAM won't deal with PRAGMA so we need to run something a bit more powerful.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 smegly

Posted 19 June 2010 - 06:13 PM

Hey M0le,

Here's the combofix, looks like I did have some major stuff. Never got bothered with the Search Guard Plus, so I'm surprised to see it:

ComboFix 10-06-18.03 - Craig 06/19/2010 17:33:33.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2597 [GMT -5:00]
Running from: c:\documents and settings\Craig\Desktop\ComFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Craig\Application Data\alot
c:\program files\Search Guard PlusU
c:\program files\Search Guard PlusU\SGPU.ico
c:\program files\Search Guard PlusU\sgpUpdater.exe
c:\program files\Search Guard PlusU\sgpUpdater.xml
c:\program files\Search Guard PlusU\sgpUpdaters.exe
c:\program files\Search Guard PlusU\Tmp\removesgp0.exe
c:\program files\Search Guard PlusU\uninstalSGPU.exe
c:\windows\system32\Chip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMAprrpebdmcx
-------\Service_PRAGMAprrpebdmcx


((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-18 07:30 . 2010-06-18 19:41 -------- d-----w- c:\temp\Unthinkable 2010 BDRip DVDr-sailo1
2010-06-15 08:14 . 2010-05-17 17:11 229376 ----a-w- c:\windows\system32\PuranDefragS.exe
2010-06-15 08:14 . 2010-05-17 17:11 221184 ----a-w- c:\windows\system32\PuranDC.exe
2010-06-15 08:14 . 2010-05-17 17:11 1110016 ----a-w- c:\windows\system32\PuranFD.exe
2010-06-15 08:14 . 2010-05-17 17:11 107008 ----a-w- c:\windows\system32\PuranDefragBT.exe
2010-06-15 08:14 . 2010-01-27 18:58 212992 ----a-w- c:\windows\system32\PuranDefrag.dll
2010-06-15 08:14 . 2010-06-15 09:22 -------- d-----w- c:\program files\Puran Defrag
2010-06-15 06:30 . 2010-06-15 06:30 -------- d-----w- c:\program files\NT Registry Optimizer
2010-06-14 13:56 . 2010-06-14 13:56 -------- d-----w- c:\program files\Viewpoint
2010-06-12 02:10 . 2010-06-12 02:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-12 02:00 . 2010-06-12 02:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Malwarebytes
2010-06-11 19:09 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-29 16:10 . 2010-05-29 16:10 -------- d-----w- C:\DSCN0911
2010-05-29 16:10 . 2010-05-29 16:10 4122272 ----a-w- C:\DSCN0911.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 22:45 . 2008-06-22 14:15 -------- d-----w- c:\program files\DNA
2010-06-19 22:45 . 2008-06-22 14:15 -------- d-----w- c:\documents and settings\Craig\Application Data\DNA
2010-06-19 19:14 . 2006-07-28 20:15 -------- d-----w- c:\program files\Dl_cats
2010-06-18 19:19 . 2008-06-22 14:15 -------- d-----w- c:\documents and settings\Craig\Application Data\BitTorrent
2010-06-18 16:37 . 2008-06-14 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-18 01:36 . 2006-07-26 21:25 -------- d-----w- c:\program files\MagChat
2010-06-15 16:27 . 2009-07-12 05:19 -------- d-----w- c:\documents and settings\Craig\Application Data\Vso
2010-06-15 07:12 . 2006-08-04 20:03 -------- d-----w- c:\program files\Yahoo!
2010-06-14 17:26 . 2006-07-19 16:41 -------- d-----w- c:\program files\Google
2010-06-14 13:56 . 2006-07-19 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-06-11 13:44 . 2006-07-26 21:17 -------- d-----w- c:\program files\Opera
2010-06-05 00:54 . 2008-04-12 15:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-23 01:46 . 2008-06-12 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-05-23 01:46 . 2009-06-24 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-05-23 01:37 . 2006-08-04 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-05-22 15:10 . 2006-11-28 18:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-21 14:55 . 2010-05-21 14:55 327590 ----a-w- c:\program files\Online Store Malwarebytes.mht
2010-05-21 14:51 . 2009-06-17 01:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 01:19 . 2009-12-10 20:04 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-15 14:55 . 2010-05-15 14:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-06 10:41 . 2005-08-16 08:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 13:27 . 2006-07-26 21:35 85224 ----a-w- c:\documents and settings\Craig\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:22 . 2005-08-16 08:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 00:53 . 2010-05-01 00:52 -------- d-----w- c:\program files\QuickTime
2010-04-29 20:39 . 2010-05-02 03:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-05-02 03:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2005-08-16 08:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-07 18:14 . 2010-03-07 18:14 1849592 ----a-w- c:\program files\mapquest_toolbar.exe
2010-02-17 14:43 . 2010-02-14 20:15 432821 ----a-w- c:\program files\EBrokerageTitaniumServlet
2009-04-01 02:34 . 2009-03-16 23:23 200192 ----a-w- c:\program files\bd_rem_tool_gui.exe
2009-04-01 02:34 . 2009-03-16 22:27 137216 ----a-w- c:\program files\bd_rem_tool_console.exe
2009-04-01 02:34 . 2008-09-03 11:42 102400 ----a-w- c:\program files\bdcore.dll
2009-02-07 15:51 . 2009-02-07 15:51 2041069 ----a-w- c:\program files\SnapactSetup.exe
2009-01-25 18:21 . 2009-01-24 23:25 6282254 ----a-w- c:\program files\MC_setup.exe
2008-03-05 04:31 . 2008-03-05 04:31 1069935 ----a-w- c:\program files\RegCure_Setup_15_RW.exe
2008-02-24 04:07 . 2008-02-24 04:07 6280 ----a-w- c:\program files\billing_188745615_47c0ed610f3ab.pdf
2008-02-18 00:19 . 2008-02-18 00:19 277616 ----a-w- c:\program files\TheWeatherChannel_dw5_Stubgooglesearch.exe
2008-02-08 14:27 . 2008-02-01 04:14 32279040 ----a-w- c:\program files\dell_support_center.msi
2008-01-11 16:49 . 2008-01-11 16:49 382352 ----a-w- c:\program files\jre-6u3-windows-i586-p-iftw.exe
2007-01-01 17:43 . 2007-01-01 17:42 497808 ----a-w- c:\program files\deskshopInstall.exe
2007-03-30 15:13 . 2006-07-30 18:41 88 --sh--r- c:\windows\system32\18ED9EC0A2.sys
2007-04-25 17:53 . 2006-07-30 18:41 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-20 323392]
"Google Update"="c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\Craig\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKLM\~\startupfolder\C:^Documents and Settings^Bettye Siebels^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1166639880\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-06-16 08:52 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-08-01 00:39 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2009\MemOptimizer.exe" autostart
"Search Protection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Secure Online Account Numbers"=c:\progra~1\Discover\SOAN\SOAN.exe /dontopenmycards
"HostManager"=c:\program files\Common Files\AOL\1166639880\ee\AOLSoftware.exe
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1166639880\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Chami\\HTML-Kit\\Bin\\HTMLKit.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/11/2009 11:45 AM 717296]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/1/2010 10:13 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/1/2010 10:13 PM 20952]
S2 gupdate1c9f2d230d30f5a;Google Update Service (gupdate1c9f2d230d30f5a);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2009 7:41 PM 133104]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [6/24/2008 9:36 AM 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\DRIVERS\kwflower.sys --> c:\windows\system32\DRIVERS\kwflower.sys [?]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [6/15/2010 3:14 AM 229376]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 00:41]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 00:41]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1582070327-1521580496-3092845763-1006Core.job
- c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-17 23:43]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1582070327-1521580496-3092845763-1006UA.job
- c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-17 23:43]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Craig\Application Data\Mozilla\Firefox\Profiles\edkpey7m.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - component: c:\documents and settings\Craig\Application Data\Mozilla\Firefox\Profiles\edkpey7m.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - component: c:\program files\Discover\SOAN\components\SlimOrbAddonDiscoverSOAN.dll
FF - plugin: c:\documents and settings\Craig\Application Data\Mozilla\Firefox\Profiles\edkpey7m.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Craig\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Opera\program\plugins\np-mswmp.dll
FF - plugin: c:\program files\Opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\NPMetaStream3.dll
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-Adobe Digital Editions - c:\documents and settings\craig\application data\macromedia\flash player\www.macromedia.com\bin\digitaleditions1x5\digitaleditions1x5.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 17:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spmg.sys hal.dll >>UNKNOWN [0x8A739938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9e47cb8
\Driver\atapi -> atapi.sys @ 0xb9ddcb40
\Driver\iaStor -> iastor.sys @ 0xb9d3f020
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® PRO/1000 PL Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9bfabb0
PacketIndicateHandler -> NDIS.sys @ 0xb9c07a21
SendHandler -> NDIS.sys @ 0xb9be587b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{68729E13-42EF-06A0-0177-42FE6DD9F4FE}\MiscStatus]
@Denied: (2) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\System32\TUProgSt.exe
c:\windows\wanmpsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\Discover\SOAN\DISCOV~1.EXE
c:\windows\system32\OBroker.exe
c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\scrnsave.scr
.
**************************************************************************
.
Completion time: 2010-06-19 17:59:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 22:59
ComboFix2.txt 2009-06-30 19:54

Pre-Run: 164,948,111,360 bytes free
Post-Run: 164,999,168,000 bytes free

- - End Of File - - CB02EA771884768821421437998560B0


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:07:44 AM

Posted 19 June 2010 - 06:32 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{68729E13-42EF-06A0-0177-42FE6DD9F4FE}\MiscStatus]


Save this as CFScript.txt, in the same location as ComFix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Now please run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :reg
    HKEY_LOCAL_MACHINE\software\Classes\CLSID\{68729E13-42EF-06A0-0177-42FE6DD9F4FE}\MiscStatus /sub

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE
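The ComboFix log above lists the CLSID key under LOCKED REGISTRY KEYS as "@Denied: (2) (Everyone)"; the RegLock:: directive in CFScript.txt removes that lock, and the SystemLook :reg query is the check that the key can be read again. As an added example that is not part of this thread and not code from ComboFix or SystemLook, the PowerShell below (assumed to run in an elevated PowerShell session on the affected machine; PowerShell is not installed on XP by default) lists any explicit Deny entries on a registry key, so a responder can see the lock before the fix and confirm it is gone afterwards. The key path is the one from the log; the function name is hypothetical.

```powershell
# Added example (not from the thread, ComboFix or SystemLook): report explicit Deny ACEs on
# a registry key. A key that malware has locked with a Deny-for-Everyone entry shows up in
# ComboFix as "@Denied: (2) (Everyone)"; a responder can use this to see the lock and,
# after a RegLock:: run, to confirm the key is readable and carries no Deny entries.
param(
    # Path taken from the ComboFix log in this thread.
    [string]$KeyPath = 'HKLM:\SOFTWARE\Classes\CLSID\{68729E13-42EF-06A0-0177-42FE6DD9F4FE}\MiscStatus'
)

function Get-RegistryDenyAces {
    # Hypothetical helper name. Returns an object describing whether the key's ACL could
    # be read and which Deny rules it carries (identity, rights, inherited or explicit).
    param([Parameter(Mandatory = $true)][string]$Path)

    try {
        # Get-Acl on the Registry provider needs READ_CONTROL on the key; a Deny entry
        # for Everyone that covers it makes this call fail, which is itself the signal.
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Path     = $Path
            Readable = $false
            DenyAces = @()
            Error    = $_.Exception.Message
        }
    }

    $deny = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value   # e.g. "Everyone"
                Rights    = $_.RegistryRights.ToString()  # e.g. "FullControl"
                Inherited = $_.IsInherited                # explicit entries are the suspicious ones
            }
        })

    return [pscustomobject]@{
        Path     = $Path
        Readable = $true
        DenyAces = $deny
        Error    = $null
    }
}

$result = Get-RegistryDenyAces -Path $KeyPath

if (-not $result.Readable) {
    # Either the key is locked against the current account or it does not exist;
    # the error text distinguishes "access denied" from "cannot find path".
    Write-Output "Cannot read ACL of $($result.Path): $($result.Error)"
} elseif ($result.DenyAces.Count -gt 0) {
    Write-Output "Explicit/inherited Deny entries on $($result.Path):"
    $result.DenyAces | Format-Table -AutoSize
} else {
    Write-Output "No Deny entries on $($result.Path); the key is readable."
}
```

Run it once before applying the CFScript and once after; the second run should report no Deny entries, matching the "(No values found)" SystemLook reply that shows the key opening normally.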

#7 smegly

smegly
  • Topic Starter

  • Members
  • 22 posts
  • Local time:02:44 AM

Posted 19 June 2010 - 07:07 PM

M0le,

Thanks so much. Machine is definitely starting up faster....

ComboFix 10-06-18.03 - Craig 06/19/2010 18:43:51.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2612 [GMT -5:00]
Running from: c:\documents and settings\Craig\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\Craig\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-18 07:30 . 2010-06-18 19:41 -------- d-----w- c:\temp\Unthinkable 2010 BDRip DVDr-sailo1
2010-06-15 08:14 . 2010-05-17 17:11 229376 ----a-w- c:\windows\system32\PuranDefragS.exe
2010-06-15 08:14 . 2010-05-17 17:11 221184 ----a-w- c:\windows\system32\PuranDC.exe
2010-06-15 08:14 . 2010-05-17 17:11 1110016 ----a-w- c:\windows\system32\PuranFD.exe
2010-06-15 08:14 . 2010-05-17 17:11 107008 ----a-w- c:\windows\system32\PuranDefragBT.exe
2010-06-15 08:14 . 2010-01-27 18:58 212992 ----a-w- c:\windows\system32\PuranDefrag.dll
2010-06-15 08:14 . 2010-06-15 09:22 -------- d-----w- c:\program files\Puran Defrag
2010-06-15 06:30 . 2010-06-15 06:30 -------- d-----w- c:\program files\NT Registry Optimizer
2010-06-14 13:56 . 2010-06-14 13:56 -------- d-----w- c:\program files\Viewpoint
2010-06-13 07:24 . 2010-06-13 07:24 503808 ----a-w- c:\documents and settings\Craig\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23ca59d2-n\msvcp71.dll
2010-06-13 07:24 . 2010-06-13 07:24 499712 ----a-w- c:\documents and settings\Craig\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23ca59d2-n\jmc.dll
2010-06-13 07:24 . 2010-06-13 07:24 348160 ----a-w- c:\documents and settings\Craig\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-23ca59d2-n\msvcr71.dll
2010-06-13 07:24 . 2010-06-13 07:24 61440 ----a-w- c:\documents and settings\Craig\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5249762c-n\decora-sse.dll
2010-06-13 07:24 . 2010-06-13 07:24 12800 ----a-w- c:\documents and settings\Craig\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5249762c-n\decora-d3d.dll
2010-06-12 02:10 . 2010-06-12 02:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-12 02:00 . 2010-06-12 02:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Malwarebytes
2010-06-11 19:09 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-29 16:10 . 2010-05-29 16:10 -------- d-----w- C:\DSCN0911
2010-05-29 16:10 . 2010-05-29 16:10 4122272 ----a-w- C:\DSCN0911.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 23:41 . 2008-06-22 14:15 -------- d-----w- c:\documents and settings\Craig\Application Data\DNA
2010-06-19 22:45 . 2008-06-22 14:15 -------- d-----w- c:\program files\DNA
2010-06-19 19:14 . 2006-07-28 20:15 -------- d-----w- c:\program files\Dl_cats
2010-06-18 19:19 . 2008-06-22 14:15 -------- d-----w- c:\documents and settings\Craig\Application Data\BitTorrent
2010-06-18 16:37 . 2008-06-14 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-18 01:36 . 2006-07-26 21:25 -------- d-----w- c:\program files\MagChat
2010-06-15 16:27 . 2009-07-12 05:19 -------- d-----w- c:\documents and settings\Craig\Application Data\Vso
2010-06-15 07:12 . 2006-08-04 20:03 -------- d-----w- c:\program files\Yahoo!
2010-06-14 17:26 . 2006-07-19 16:41 -------- d-----w- c:\program files\Google
2010-06-14 13:56 . 2006-07-19 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-06-11 13:44 . 2006-07-26 21:17 -------- d-----w- c:\program files\Opera
2010-06-05 00:54 . 2008-04-12 15:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-23 01:46 . 2008-06-12 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-05-23 01:46 . 2009-06-24 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-05-23 01:37 . 2006-08-04 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-05-22 15:10 . 2006-11-28 18:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-21 14:55 . 2010-05-21 14:55 327590 ----a-w- c:\program files\Online Store Malwarebytes.mht
2010-05-21 14:51 . 2009-06-17 01:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 01:19 . 2009-12-10 20:04 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-15 14:55 . 2010-05-15 14:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-06 10:41 . 2005-08-16 08:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 13:27 . 2006-07-26 21:35 85224 ----a-w- c:\documents and settings\Craig\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:22 . 2005-08-16 08:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 00:53 . 2010-05-01 00:52 -------- d-----w- c:\program files\QuickTime
2010-04-29 20:39 . 2010-05-02 03:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-05-02 03:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2005-08-16 08:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-07 18:14 . 2010-03-07 18:14 1849592 ----a-w- c:\program files\mapquest_toolbar.exe
2010-02-17 14:43 . 2010-02-14 20:15 432821 ----a-w- c:\program files\EBrokerageTitaniumServlet
2009-04-01 02:34 . 2009-03-16 23:23 200192 ----a-w- c:\program files\bd_rem_tool_gui.exe
2009-04-01 02:34 . 2009-03-16 22:27 137216 ----a-w- c:\program files\bd_rem_tool_console.exe
2009-04-01 02:34 . 2008-09-03 11:42 102400 ----a-w- c:\program files\bdcore.dll
2009-02-07 15:51 . 2009-02-07 15:51 2041069 ----a-w- c:\program files\SnapactSetup.exe
2009-01-25 18:21 . 2009-01-24 23:25 6282254 ----a-w- c:\program files\MC_setup.exe
2008-03-05 04:31 . 2008-03-05 04:31 1069935 ----a-w- c:\program files\RegCure_Setup_15_RW.exe
2008-02-24 04:07 . 2008-02-24 04:07 6280 ----a-w- c:\program files\billing_188745615_47c0ed610f3ab.pdf
2008-02-18 00:19 . 2008-02-18 00:19 277616 ----a-w- c:\program files\TheWeatherChannel_dw5_Stubgooglesearch.exe
2008-02-08 14:27 . 2008-02-01 04:14 32279040 ----a-w- c:\program files\dell_support_center.msi
2008-01-11 16:49 . 2008-01-11 16:49 382352 ----a-w- c:\program files\jre-6u3-windows-i586-p-iftw.exe
2007-01-01 17:43 . 2007-01-01 17:42 497808 ----a-w- c:\program files\deskshopInstall.exe
2007-03-30 15:13 . 2006-07-30 18:41 88 --sh--r- c:\windows\system32\18ED9EC0A2.sys
2007-04-25 17:53 . 2006-07-30 18:41 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-20 323392]
"Google Update"="c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\Craig\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKLM\~\startupfolder\C:^Documents and Settings^Bettye Siebels^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1166639880\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-06-16 08:52 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-08-01 00:39 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2009\MemOptimizer.exe" autostart
"Search Protection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Secure Online Account Numbers"=c:\progra~1\Discover\SOAN\SOAN.exe /dontopenmycards
"HostManager"=c:\program files\Common Files\AOL\1166639880\ee\AOLSoftware.exe
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1166639880\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Chami\\HTML-Kit\\Bin\\HTMLKit.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/1/2010 10:13 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/1/2010 10:13 PM 20952]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/11/2009 11:45 AM 717296]
S2 gupdate1c9f2d230d30f5a;Google Update Service (gupdate1c9f2d230d30f5a);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2009 7:41 PM 133104]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [6/24/2008 9:36 AM 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\DRIVERS\kwflower.sys --> c:\windows\system32\DRIVERS\kwflower.sys [?]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [6/15/2010 3:14 AM 229376]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 00:41]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 00:41]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1582070327-1521580496-3092845763-1006Core.job
- c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-17 23:43]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1582070327-1521580496-3092845763-1006UA.job
- c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-17 23:43]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\Craig\Application Data\Mozilla\Firefox\Profiles\edkpey7m.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - component: c:\documents and settings\Craig\Application Data\Mozilla\Firefox\Profiles\edkpey7m.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - component: c:\program files\Discover\SOAN\components\SlimOrbAddonDiscoverSOAN.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 18:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2010-06-19 18:59:15
ComboFix-quarantined-files.txt 2010-06-19 23:59
ComboFix2.txt 2010-06-19 22:59
ComboFix3.txt 2009-06-30 19:54

Pre-Run: 165,014,773,760 bytes free
Post-Run: 164,996,542,464 bytes free

- - End Of File - - C1C613E2F15BD843F43821860E726103

=============================================

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:02 on 19/06/2010 by Craig (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{68729E13-42EF-06A0-0177-42FE6DD9F4FE}\MiscStatus]
(No values found)


-=End Of File=-


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:44 AM

Posted 19 June 2010 - 07:17 PM

Please run ESET's online scan next

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#9 smegly

smegly
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:44 AM

Posted 19 June 2010 - 07:23 PM

Hi M0le,

You sure you want me to run ESET? That's my main AV and I already had run that about a week ago. And as I mentioned, this virus infected the computer well over a month ago.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:44 AM

Posted 19 June 2010 - 08:29 PM

This ESET is the online scanner and not your antivirus. They look for different things.
m0le is a proud member of UNITE

#11 smegly

smegly
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:44 AM

Posted 20 June 2010 - 02:44 AM

Hi M0le,

Here's the ESET results:

D:\AOL Downloads\cuteftppro.zip Win32/Adware.TimeSink application deleted - quarantined
D:\AOL Downloads\cuteftppro\cuteFTP.zip Win32/Adware.TimeSink application deleted - quarantined
D:\Betty\America Online 8.0\Radio@AOL15\setup.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
D:\Betty\America Online 8.0\Radio@AOL16\radio.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
D:\Documents and Settings\Administrator\Desktop\cuteftppro.zip Win32/Adware.TimeSink application deleted - quarantined
D:\Documents and Settings\Administrator\Desktop\cuteftppro\cuteFTP.zip Win32/Adware.TimeSink application deleted - quarantined
D:\Documents and Settings\Administrator\My Documents\cuteFTP.zip Win32/Adware.TimeSink application deleted - quarantined
D:\Program Files\tbinstall.exe probably a variant of Win32/Adware.SearchIt.AA application deleted - quarantined

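The ESET result lines posted above follow one fixed shape: a full path, the detection name, then the action ESET took. The parser below is an added example (it is not from this thread and not part of any ESET tool) that recovers those three fields with a regular expression and summarises the findings by drive and by detection class, which is exactly the view needed to answer the "what is your D drive?" question that follows. The field boundaries and the set of action phrases are assumptions inferred from the eight lines in the post; only "deleted - quarantined" and "cleaned by deleting - quarantined" actually appear there, the other phrases are placeholders for variants the parser tolerates.

```python
"""Parse ESET Online Scanner result lines and summarise what was found where.

Added example; not from the forum thread or from ESET.  The line format
(path, detection name, action) is inferred from the lines posted above.
"""
import re
from collections import Counter

# Action phrases ESET puts at the end of a result line.  Longer phrases come
# first in the alternation so "cleaned by deleting" is not cut down to "cleaned".
# Only the first two occur in the post; the rest are assumed variants.
_ACTION = (r"(?:cleaned by deleting|cleaned|deleted|unable to clean)"
           r"(?: - quarantined)?")

# path = drive letter, anything (spaces allowed), a final component with an
# extension; then the detection name; then the action, anchored to end of line.
_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+"
    r"(?P<detection>.+?)\s+"
    r"(?P<action>" + _ACTION + r")$"
)

# The eight lines from the post above, embedded so the example runs offline.
SAMPLE_LOG = r"""
D:\AOL Downloads\cuteftppro.zip Win32/Adware.TimeSink application deleted - quarantined
D:\AOL Downloads\cuteftppro\cuteFTP.zip Win32/Adware.TimeSink application deleted - quarantined
D:\Betty\America Online 8.0\Radio@AOL15\setup.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
D:\Betty\America Online 8.0\Radio@AOL16\radio.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
D:\Documents and Settings\Administrator\Desktop\cuteftppro.zip Win32/Adware.TimeSink application deleted - quarantined
D:\Documents and Settings\Administrator\Desktop\cuteftppro\cuteFTP.zip Win32/Adware.TimeSink application deleted - quarantined
D:\Documents and Settings\Administrator\My Documents\cuteFTP.zip Win32/Adware.TimeSink application deleted - quarantined
D:\Program Files\tbinstall.exe probably a variant of Win32/Adware.SearchIt.AA application deleted - quarantined
"""


def parse_eset_line(line):
    """Return a record dict for one result line, or None for non-result text."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    detection = m.group("detection")
    action = m.group("action")
    return {
        "path": m.group("path"),
        "drive": m.group("path")[0].upper(),
        "detection": detection,
        # "probably a variant of ..." marks a heuristic (generic) hit rather
        # than an exact signature match; worth reviewing more sceptically.
        "heuristic": detection.startswith("probably a variant of"),
        # ESET's class is the last word: "application" (PUA/adware) or "trojan".
        "category": detection.rsplit(" ", 1)[-1],
        "action": action,
        "quarantined": action.endswith("quarantined"),
    }


def parse_eset_log(text):
    """Parse every result line in a pasted ESET log, skipping anything else."""
    return [rec for rec in map(parse_eset_line, text.splitlines()) if rec]


def count_by_drive(records):
    """How many detections sit on each drive letter (e.g. {'D': 8})."""
    return dict(Counter(r["drive"] for r in records))


def count_by_category(records):
    """How many detections per ESET class (application vs trojan)."""
    return dict(Counter(r["category"] for r in records))


if __name__ == "__main__":
    recs = parse_eset_log(SAMPLE_LOG)
    print(len(recs), "detections")
    print("by drive:", count_by_drive(recs))
    print("by category:", count_by_category(recs))
    print("heuristic hits:", sum(r["heuristic"] for r in recs))
    for r in recs:
        print(f"  {r['drive']}: {r['category']:<11} {r['path']}")
```

Run stand-alone it shows that every hit lives on D:, that six of the eight are adware/PUA "application" detections in old download archives, and that three are heuristic "probably a variant of" hits, which is why the secondary-drive question matters before declaring the system drive clean.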

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:44 AM

Posted 20 June 2010 - 03:52 PM

What is your D drive?
m0le is a proud member of UNITE

#13 smegly

smegly
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:44 AM

Posted 20 June 2010 - 04:01 PM

Hi M0le,

The D drive is just a secondary internal drive on the computer. When I was setting up the ESET scan I wasn't sure which scan to choose so I went with the full scan. From your question, I gather that a 'quick scan' was what you wanted.

Edited by smegly, 20 June 2010 - 04:04 PM.


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:44 AM

Posted 20 June 2010 - 04:10 PM

The PC looks clean and it is running faster.

Is there anything else before we clear up and let you loose on the web again? :)
m0le is a proud member of UNITE

#15 smegly

smegly
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:44 AM

Posted 20 June 2010 - 04:28 PM

M0le,

Just one quick and easy question. Now that Combofix installed the Recovery Console, when I reboot the option to boot into the recovery console flashes by so fast that it would be difficult for ME to catch it much less the octogenarian owner. Is there any way to add some seconds when that screen comes up so she doesn't have to have the reflexes of Michael Jordan in order to select the Recovery Console?

And thanks so much for your efforts....

smegly



