
Browser Redirecting and Pop Ups


This topic is locked
20 replies to this topic

#1 arney1432
  • Members
  • 10 posts

Posted 03 July 2010 - 08:07 PM

When I search something with Google and click on a link, I usually get redirected to a different website, not just a specific site but many different sites. Some tabs containing ads also appear every now and then. Please help me.

Here's My Info:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:20:53.26 on Sat 07/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.177 [GMT -7:00]

AV: avast! antivirus 4.8.1368 [VPS 100703-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uSearch Page = hxxp://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;127.0.0.1;localhost
uInternet Settings,ProxyServer = http=
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpcent~2.lnk - c:\program files\hp center\137903\shadow\ShadowBar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpcent~1.lnk - c:\program files\hp center\137903\program\BackWeb-137903.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - hxxp://fdl.msn.com/public/chat/msnchat41.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {7A32634B-029C-4836-A023-528983982A49} - hxxp://fdl.msn.com/public/chat/msnchat42.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - hxxp://fdl.msn.com/public/chat/msnchat4.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\olhuvxu1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com/
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-5 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-5 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-5 138680]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-12-18 189736]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-5 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-5 352920]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\porttalk.sys [2009-11-30 3567]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]
S3 xboxdrv;xboxdrv;c:\windows\system32\xboxdrv.sys [2010-6-20 2304]

=============== Created Last 30 ================

2010-07-03 17:55:26 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-06-30 00:14:07 0 d-----w- c:\program files\common files\DVDVideoSoft
2010-06-30 00:14:06 0 d-----w- c:\program files\DVDVideoSoft
2010-06-29 21:55:00 112 ----a-w- c:\docume~1\alluse~1\applic~1\7Tk5g0Vt.dat
2010-06-27 21:16:55 0 d-----w- c:\program files\Cobian Backup 8
2010-06-26 21:39:36 0 d--h--w- c:\windows\PIF
2010-06-25 20:41:18 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-06-25 20:41:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-25 20:40:55 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-24 00:04:04 0 d-----w- c:\program files\Enigma Software Group
2010-06-24 00:02:43 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-24 00:02:31 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-06-23 21:26:48 0 d-----w- C:\spoolerlogs
2010-06-23 04:56:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 14:59:50 8704 ----a-w- c:\windows\system32\drivers\nfrassvmnfxl.sys
2010-06-22 14:58:18 0 d-----w- c:\documents and settings\owner\Pavark
2010-06-22 01:10:19 0 d-----w- c:\program files\Sophos
2010-06-22 00:00:55 9216 --sha-w- c:\windows\system32\Thumbs.db
2010-06-21 23:22:23 0 d-----w- c:\docume~1\owner\applic~1\Simply Super Software
2010-06-21 02:44:50 2304 ----a-w- c:\windows\system32\xboxdrv.sys
2010-06-19 19:58:15 0 d-----w- c:\docume~1\owner\applic~1\Panda Security
2010-06-19 19:29:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2010-06-19 19:29:16 0 d-----w- c:\program files\Panda Security
2010-06-19 18:36:14 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-19 18:29:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-19 18:28:19 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-18 22:27:45 98816 ----a-w- c:\windows\sed.exe
2010-06-18 22:27:45 77312 ----a-w- c:\windows\MBR.exe
2010-06-18 22:27:45 256512 ----a-w- c:\windows\PEV.exe
2010-06-18 22:27:45 161792 ----a-w- c:\windows\SWREG.exe
2010-06-18 22:27:06 0 d-s---w- C:\ComboFix
2010-06-14 16:39:56 0 d-----w- c:\docume~1\owner\applic~1\AnvSoft
2010-06-14 16:39:42 0 d-----w- c:\program files\AnvSoft
2010-06-12 00:27:15 0 d-----w- c:\program files\Windows Media Connect 2
2010-06-11 23:52:00 0 d--h--w- c:\docume~1\alluse~1\applic~1\ArcSoft
2010-06-09 16:10:13 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-06 11:52:46 2462720 ------w- c:\windows\system32\dllcache\WMVCore.dll
1998-08-24 20:09:10 10000 -c--a-w- c:\windows\inf\unregpn.exe
2001-07-22 02:45:40 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2009-12-05 01:08:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009120420091205\index.dat

============= FINISH: 14:24:05.93 ===============
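A small triage script for reading the DDS excerpt above, added here as an example; it is not part of the thread, of DDS or of ComboFix. It parses the three line shapes visible in the log (the `R1/S3 name;display;path [date size]` service lines, the `Created Last 30` file lines and the `ProxyServer` setting) and flags what a helper would look at first. The sample lines are copied from the log above; the heuristics (no date/size recorded, shown as `[?]`; a kernel driver whose image is a `.tmp` file; pseudo-random file names; a configured proxy) are the example's own.

```python
"""Triage helper for a DDS log excerpt (added example, not part of DDS, ComboFix
or the forum helper's own tooling). It recognises three line shapes from the
log above and flags entries a malware-removal helper would inspect first.
The heuristics are this example's own, not DDS's."""
import ntpath
import re
from dataclasses import dataclass

# R1 name;display;c:\path\driver.sys [2009-12-5 114768]
# S3 name;display;\??\c:\path\6.tmp --> c:\path\6.tmp [?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# 2010-06-22 14:59:50 8704 ----a-w- c:\windows\system32\drivers\driver.sys
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)"
    r"\s+[-a-z]{8}\s+(?P<path>.+)$"
)
# uInternet Settings,ProxyServer = http=host:port
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<value>.*)$")

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-5 114768]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]
2010-06-29 21:55:00 112 ----a-w- c:\docume~1\alluse~1\applic~1\7Tk5g0Vt.dat
2010-06-22 14:59:50 8704 ----a-w- c:\windows\system32\drivers\nfrassvmnfxl.sys
2010-06-21 02:44:50 2304 ----a-w- c:\windows\system32\xboxdrv.sys
2010-06-19 18:36:14 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-18 22:27:45 77312 ----a-w- c:\windows\MBR.exe
"""


@dataclass
class Finding:
    kind: str    # which heuristic fired
    path: str    # file (or setting value) the finding concerns, verbatim
    detail: str  # note for the helper


def looks_random(stem: str) -> bool:
    """Names like nfrassvmnfxl or 7Tk5g0Vt: almost no vowels, or digits mixed
    into upper- and lower-case letters. Short names (aswSP, mbam) are skipped."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or len(letters) < 4:
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    mixed_case = any(c.islower() for c in letters) and any(c.isupper() for c in letters)
    has_digit = any(c.isdigit() for c in stem)
    return vowel_ratio < 0.1 or (has_digit and mixed_case)


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, in log order."""
    found: list[Finding] = []
    for line in log_text.splitlines():
        if m := SERVICE_RE.match(line):
            path = m["resolved"] or m["path"]
            stem, ext = ntpath.splitext(ntpath.basename(path))
            if m["meta"].strip() == "?":
                found.append(Finding("driver-no-file-info", path,
                    f"service {m['name']}: no date/size recorded for the image"))
            if ext.lower() == ".tmp":
                found.append(Finding("driver-from-tmp", path,
                    f"service {m['name']}: kernel driver image is a .tmp file"))
            if looks_random(stem):
                found.append(Finding("random-name", path,
                    f"service {m['name']}: pseudo-random image name"))
        elif m := CREATED_RE.match(line):
            path = m["path"]
            stem, ext = ntpath.splitext(ntpath.basename(path))
            if ext.lower() == ".sys":
                found.append(Finding("new-driver", path,
                    f"kernel driver written {m['date']} ({m['size']} bytes); match it to installs the user made"))
            if looks_random(stem):
                found.append(Finding("random-name", path,
                    f"pseudo-random file name, created {m['date']}"))
        elif m := PROXY_RE.match(line):
            # entries look like "http=host:port;https=host:port"; an entry with no host is inert
            hosts = [e.partition("=")[2] if "=" in e else e for e in m["value"].split(";")]
            if any(h.strip() for h in hosts):
                found.append(Finding("proxy-configured", m["value"],
                    "a system proxy is set; confirm the user configured it deliberately"))
    return found


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}\n    {f.detail}")
```

Run as a script it prints the flagged entries. A flag is a prompt to look closer, not a verdict: several security tools the poster mentions having run (Sophos Anti-Rootkit, Hitman Pro, SUPERAntiSpyware) install their own drivers, so every flagged driver has to be matched against those before anything is removed, which is exactly the correlation the forum helper does by hand.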


#2 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 07 July 2010 - 04:30 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days, otherwise this topic will be closed.



Please reply so I know that you still need our help. Also please let me know the current status of your computer including any changes done. Thanks.


~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 arney1432 (Topic Starter)
  • Members
  • 10 posts

Posted 07 July 2010 - 06:55 PM

Hi sempai! Yes, I still need help. Thanks for the reply!

Um... well, I've tried Malwarebytes, which didn't help; Sophos Anti-Rootkit didn't help; avast didn't help. I think I downloaded ComboFix but didn't try it, because I read that the program could damage my computer. I'm pretty sure no changes have been made to my computer since I posted about the problem, because I've only been using it to check for replies and mail.

Don't know if this info will help, but I'm an XP user. The computer is really old; I think it was made in 2001 or 2002. It's using its max amount of RAM, which is 512 MB, and a 30 GB hard drive. The browser I use is Mozilla Firefox.
I also have reasons to believe that the virus/rootkit or whatever I have is downloading more viruses onto my computer.

bye

#4 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 08 July 2010 - 06:35 AM

P2P Warning:
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case LimeWire).

These programmes allow users to share files between themselves, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws of many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."





========================================



Download ComboFix (by sUBs) from any of the links below, and make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  4. Please do not mouse-click ComboFix's window while it's running, because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#5 arney1432 (Topic Starter)
  • Members
  • 10 posts

Posted 08 July 2010 - 01:21 PM

Hi sempai!

Here's the ComboFix log. It says my antivirus program was enabled, but that's because I pressed OK before I disabled my antivirus.




ComboFix 10-07-07.02 - Owner 07/08/2010 10:20:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.180 [GMT -7:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100708-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Uninstall
c:\windows\system\hpsysdrv .exe
c:\windows\system\oeminfo.ini
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-08 16:43 . 2010-07-08 16:46 -------- d-----w- C:\32788R22FWJFW
2010-07-05 22:11 . 2010-07-05 22:11 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-30 00:14 . 2010-06-30 00:15 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-06-30 00:14 . 2010-06-30 00:14 -------- d-----w- c:\program files\DVDVideoSoft
2010-06-27 21:16 . 2010-06-27 21:18 -------- d-----w- c:\program files\Cobian Backup 8
2010-06-26 21:39 . 2010-06-26 21:39 -------- d--h--w- c:\windows\PIF
2010-06-25 20:43 . 2010-07-06 17:45 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-25 20:43 . 2010-06-25 20:43 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-25 20:42 . 2010-07-05 20:34 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-25 20:41 . 2010-06-25 20:41 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-06-25 20:41 . 2010-06-25 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-25 20:40 . 2010-06-25 20:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-24 00:04 . 2010-06-24 00:04 -------- d-----w- c:\program files\Enigma Software Group
2010-06-24 00:02 . 2010-06-24 01:34 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-24 00:02 . 2010-06-24 00:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-23 21:26 . 2010-06-23 21:26 -------- d-----w- C:\spoolerlogs
2010-06-23 05:01 . 2010-07-05 22:31 248384 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-23 04:56 . 2010-07-05 22:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 22:40 . 2010-06-22 22:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2010-06-22 14:59 . 2010-06-22 14:58 8704 ----a-w- c:\windows\system32\drivers\nfrassvmnfxl.sys
2010-06-22 14:58 . 2010-06-22 14:58 -------- d-----w- c:\documents and settings\Owner\Pavark
2010-06-22 01:10 . 2010-06-22 01:10 -------- d-----w- c:\program files\Sophos
2010-06-22 00:16 . 2010-02-28 03:46 3691384 ----a-w- c:\documents and settings\Owner\Application Data\Simply Super Software\Trojan Remover\fsh1B.exe
2010-06-21 23:22 . 2010-06-21 23:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Simply Super Software
2010-06-21 02:44 . 2010-06-21 02:44 2304 ----a-w- c:\windows\system32\xboxdrv.sys
2010-06-19 19:58 . 2010-06-19 19:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2010-06-19 19:29 . 2010-06-19 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-06-19 19:29 . 2010-06-19 19:29 -------- d-----w- c:\program files\Panda Security
2010-06-19 18:36 . 2010-06-19 19:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-19 18:29 . 2010-06-19 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-19 18:28 . 2010-06-19 18:28 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-14 16:39 . 2010-06-14 16:39 -------- d-----w- c:\documents and settings\Owner\Application Data\AnvSoft
2010-06-14 16:39 . 2010-06-14 16:39 -------- d-----w- c:\program files\AnvSoft
2010-06-12 04:02 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-06-12 00:27 . 2010-06-12 00:27 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-12 00:22 . 2010-06-22 00:32 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-06-11 23:52 . 2010-06-11 23:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ArcSoft
2010-06-11 23:52 . 2010-06-11 23:52 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2010-06-11 23:52 . 2010-06-12 04:09 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-06-11 23:51 . 2010-06-21 17:49 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-06-09 16:10 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 17:45 . 2009-07-16 00:12 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-07-05 03:04 . 2010-03-02 21:13 -------- d-----w- c:\program files\JDownloader
2010-06-30 04:09 . 2010-05-19 00:33 -------- d-----w- c:\program files\Carbonite
2010-06-29 22:01 . 2010-06-29 21:55 112 ----a-w- c:\documents and settings\All Users\Application Data\7Tk5g0Vt.dat
2010-06-29 21:51 . 2010-02-02 23:45 -------- d-----w- c:\program files\iTunes
2010-06-29 21:51 . 2010-02-02 23:35 -------- d-----w- c:\program files\QuickTime
2010-06-24 02:09 . 2009-12-11 01:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 01:36 . 2009-09-25 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-06-22 00:41 . 2009-12-11 00:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-21 17:49 . 2001-09-15 05:24 -------- d-----w- c:\program files\ArcSoft
2010-06-21 17:40 . 2001-09-15 05:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-19 22:33 . 2002-01-12 23:45 -------- d-----w- c:\program files\Audiogalaxy Satellite
2010-06-12 16:35 . 2010-01-11 22:23 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-06-12 16:31 . 2009-12-13 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2010-06-12 15:22 . 2010-02-26 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-09 15:55 . 2009-07-15 23:40 -------- d-----w- c:\program files\LimeWire
2010-05-22 02:19 . 2010-05-22 02:19 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48ea4144-n\msvcp71.dll
2010-05-22 02:19 . 2010-05-22 02:19 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48ea4144-n\jmc.dll
2010-05-22 02:19 . 2010-05-22 02:19 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48ea4144-n\msvcr71.dll
2010-05-22 02:18 . 2010-05-22 02:18 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-17ff9c44-n\decora-sse.dll
2010-05-22 02:18 . 2010-05-22 02:18 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-17ff9c44-n\decora-d3d.dll
2010-05-21 05:00 . 2010-05-21 05:00 -------- d-----w- c:\program files\MSXML 4.0
2010-05-19 00:36 . 2010-05-19 00:36 -------- d-----w- c:\program files\Seagate
2010-05-19 00:36 . 2010-05-19 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-19 00:32 . 2010-05-19 00:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2010-05-06 10:41 . 2004-01-08 22:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-18 05:24 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-12-11 01:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-12-11 01:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2001-08-17 21:55 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 00:29 . 2010-04-23 22:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2001-07-22 02:45 . 2001-07-22 02:45 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2001-08-18 05:36 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2001-08-18 05:36 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2001-08-18 05:36 57344 --sha-w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2001-08-18 05:36 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2001-08-18 05:36 343040 --sha-w- c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 . 2001-08-18 05:36 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2001-08-18 05:36 84992 --sha-w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 . 2001-08-18 05:36 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Carbonite\CarbonitePreinstaller .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\HPSelect\frontend\ct .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
c:\windows\SMINST\RECGUARD .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-16 28739]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-08 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp center UI.lnk - c:\program files\hp center\137903\Shadow\ShadowBar.exe [2001-9-5 69632]
hp center.lnk - c:\program files\hp center\137903\Program\BackWeb-137903.exe [2001-9-5 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\docume~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.exe \??\c:\docume~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\drivers\aswSP.sys [12/5/2009 12:27 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\drivers\aswFsBlk.sys [12/5/2009 12:27 PM 20560]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 PortTalk;PortTalk;c:\windows\SYSTEM32\drivers\porttalk.sys [11/30/2009 4:10 PM 3567]
S3 xboxdrv;xboxdrv;c:\windows\SYSTEM32\xboxdrv.sys [6/20/2010 7:44 PM 2304]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;127.0.0.1;localhost
uInternet Settings,ProxyServer = http=
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\olhuvxu1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Beauty Wizard - c:\program files\VI-SOFT\Beauty Wizard\DeIsL1.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 10:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(452)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

- - - - - - - > 'explorer.exe'(2504)
c:\windows\system32\WININET.dll
c:\docume~1\Owner\LOCALS~1\Temp\IadHide3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-08 10:55:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 17:55

Pre-Run: 7,162,413,056 bytes free
Post-Run: 7,244,029,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn

- - End Of File - - 8652DBFC5DE689C8B3067A0A3B340096

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 09 July 2010 - 05:34 AM

Hi,

Did you previously use Panda Security? Can you please run the removal tool HERE to remove all the remnants of the said program.


1. Please go to http://virscan.org/
  • Copy and paste or navigate the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\documents and settings\All Users\Application Data\7Tk5g0Vt.dat
    c:\windows\system32\drivers\nfrassvmnfxl.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

2. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
DDS::
uInternet Settings,ProxyOverride = ;127.0.0.1;localhost
uInternet Settings,ProxyServer = http=

RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Carbonite\CarbonitePreinstaller .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\HPSelect\frontend\ct .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
c:\windows\SMINST\RECGUARD .exe

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

DirLook::
c:\documents and settings\Owner\Pavark
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP


4. Save this as CFScript.txt, in the same location as ComboFix.exe

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#7 arney1432

arney1432
  • Topic Starter

  • Members
  • 10 posts

Posted 09 July 2010 - 01:32 PM

Hi Sempai

I downloaded the Panda uninstaller, then I followed step 1.

Here are the scan results:

VirSCAN.org Scanned Report :
Scanned time : 2010/07/09 10:31:10 (PDT)
Scanner results: Scanners did not find malware!
File Name : 7Tk5g0Vt.dat
File Size : 112 byte
File Type : data
MD5 : 0854d084511420889c343f5ca08d1414
SHA1 : 9b5d97c5d88b359b589a332826572030c2087b58
Online report : http://virscan.org/report/ca7a5ab92e00501a...598da37a38.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100710003132 2010-07-10 5.21 -
AhnLab V3 2010.07.10.00 2010.07.10 2010-07-10 1.25 -
AntiVir 8.2.4.10 7.10.9.55 2010-07-09 0.28 -
Antiy 2.0.18 20100704.4829244 2010-07-04 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.01 -
Authentium 5.1.1 201007090734 2010-07-09 1.25 -
AVAST! 4.7.4 100709-0 2010-07-09 0.00 -
AVG 8.5.793 271.1.1/2991 2010-07-09 0.23 -
BitDefender 7.90123.6465796 7.32699 2010-07-09 3.90 -
ClamAV 0.96.1 11327 2010-07-06 0.00 -
Comodo 4.0 5374 2010-07-09 1.14 -
CP Secure 1.3.0.5 2010.07.09 2010-07-09 0.00 -
Dr.Web 5.0.2.3300 2010.07.09 2010-07-09 8.53 -
F-Prot 4.4.4.56 20100708 2010-07-08 1.23 -
F-Secure 7.02.73807 2010.07.09.05 2010-07-09 6.11 -
Fortinet 4.1.143 12.135 2010-07-09 0.19 -
GData 21.486/21.177 20100709 2010-07-09 9.99 -
ViRobot 20100708 2010.07.08 2010-07-08 0.40 -
Ikarus T3.1.01.84 2010.07.09.76228 2010-07-09 7.79 -
JiangMin 13.0.900 2010.07.09 2010-07-09 1.20 -
Kaspersky 5.5.10 2010.07.09 2010-07-09 0.03 -
KingSoft 2009.2.5.15 2010.7.9.18 2010-07-09 0.66 -
McAfee 5400.1158 6038 2010-07-09 17.15 -
Microsoft 1.5902 2010.07.09 2010-07-09 6.89 -
Norman 6.05.11 6.05.00 2010-07-09 8.01 -
Panda 9.05.01 2010.07.04 2010-07-04 1.87 -
Trend Micro 9.120-1004 7.296.17 2010-07-09 0.03 -
Quick Heal 11.00 2010.07.09 2010-07-09 2.20 -
Rising 20.0 22.55.04.04 2010-07-09 0.27 -
Sophos 3.09.0 4.55 2010-07-09 3.70 -
Sunbelt 3.9.2428.2 6564 2010-07-09 8.71 -
Symantec 1.3.0.24 20100708.016 2010-07-08 0.07 -
nProtect 20100709.01 9004325 2010-07-09 8.34 -
The Hacker 6.5.2.1 v00311 2010-07-08 0.35 -
VBA32 3.12.12.6 20100709.0730 2010-07-09 2.83 -
VirusBuster 4.5.11.10 10.126.124/2053397 2010-07-09 2.38 -

VirSCAN.org Scanned Report :
Scanned time : 2010/07/09 10:39:29 (PDT)
Scanner results: 3% Scanner(s) (1/36) found malware!
File Name : nfrassvmnfxl.sys
File Size : 8704 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 34d44edd829476e085f5c22ac9dfe315
SHA1 : 409f8e1239c67925b4f7d137af35a30ddb40235a
Online report : http://virscan.org/report/50d40b534013f770...e3688c5264.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100710003132 2010-07-10 5.19 -
AhnLab V3 2010.07.10.00 2010.07.10 2010-07-10 1.22 -
AntiVir 8.2.4.10 7.10.9.55 2010-07-09 0.26 -
Antiy 2.0.18 20100704.4829244 2010-07-04 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.00 -
Authentium 5.1.1 201007090734 2010-07-09 1.27 -
AVAST! 4.7.4 100709-0 2010-07-09 0.00 -
AVG 8.5.793 271.1.1/2991 2010-07-09 0.24 -
BitDefender 7.90123.6465796 7.32699 2010-07-09 3.88 -
ClamAV 0.96.1 11327 2010-07-06 0.00 -
Comodo 4.0 5374 2010-07-09 1.12 -
CP Secure 1.3.0.5 2010.07.09 2010-07-09 0.04 -
Dr.Web 5.0.2.3300 2010.07.09 2010-07-09 8.60 -
F-Prot 4.4.4.56 20100708 2010-07-08 1.27 -
F-Secure 7.02.73807 2010.07.09.05 2010-07-09 0.19 -
Fortinet 4.1.143 12.135 2010-07-09 0.19 -
GData 21.486/21.177 20100709 2010-07-09 7.06 -
ViRobot 20100708 2010.07.08 2010-07-08 0.36 -
Ikarus T3.1.01.84 2010.07.09.76228 2010-07-09 7.13 -
JiangMin 13.0.900 2010.07.09 2010-07-09 1.23 -
Kaspersky 5.5.10 2010.07.09 2010-07-09 0.14 -
KingSoft 2009.2.5.15 2010.7.9.18 2010-07-09 0.65 -
McAfee 5400.1158 6038 2010-07-09 16.90 -
Microsoft 1.5902 2010.07.09 2010-07-09 6.89 -
Norman 6.05.11 6.05.00 2010-07-09 6.01 -
Panda 9.05.01 2010.07.04 2010-07-04 1.81 -
Trend Micro 9.120-1004 7.296.17 2010-07-09 0.03 -
Quick Heal 11.00 2010.07.09 2010-07-09 2.05 -
Rising 20.0 22.55.04.04 2010-07-09 1.46 RootKit.Win32.Undef.ov
Sophos 3.09.0 4.55 2010-07-09 3.58 -
Sunbelt 3.9.2428.2 6564 2010-07-09 7.95 -
Symantec 1.3.0.24 20100708.016 2010-07-08 0.25 -
nProtect 20100709.01 9004325 2010-07-09 8.29 -
The Hacker 6.5.2.1 v00311 2010-07-08 0.33 -
VBA32 3.12.12.6 20100709.0730 2010-07-09 2.82 -
VirusBuster 4.5.11.10 10.126.124/2053397 2010-07-09 2.37 -

And here's the ComboFix log:

ComboFix 10-07-07.02 - Owner 07/09/2010 10:55:00.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.216 [GMT -7:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\My Documents\Downloads\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100708-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-06-09 to 2010-07-09 )))))))))))))))))))))))))))))))
.

2010-07-09 17:22 . 2007-03-06 23:33 12336 ------w- c:\windows\system32\PGUNNT.EXE
2010-07-09 17:13 . 2010-07-09 17:22 -------- d-----w- C:\SMCLpav
2010-07-05 22:11 . 2010-07-05 22:11 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-30 00:14 . 2010-06-30 00:15 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-06-30 00:14 . 2010-06-30 00:14 -------- d-----w- c:\program files\DVDVideoSoft
2010-06-27 21:16 . 2010-06-27 21:18 -------- d-----w- c:\program files\Cobian Backup 8
2010-06-26 21:39 . 2010-06-26 21:39 -------- d--h--w- c:\windows\PIF
2010-06-25 20:43 . 2010-07-06 17:45 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-25 20:43 . 2010-06-25 20:43 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-25 20:42 . 2010-07-05 20:34 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-25 20:41 . 2010-06-25 20:41 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-06-25 20:41 . 2010-06-25 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-25 20:40 . 2010-06-25 20:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-24 00:04 . 2010-06-24 00:04 -------- d-----w- c:\program files\Enigma Software Group
2010-06-24 00:02 . 2010-06-24 01:34 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-24 00:02 . 2010-06-24 00:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-23 21:26 . 2010-06-23 21:26 -------- d-----w- C:\spoolerlogs
2010-06-23 04:56 . 2010-07-05 22:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 22:40 . 2010-06-22 22:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2010-06-22 14:59 . 2010-06-22 14:58 8704 ----a-w- c:\windows\system32\drivers\nfrassvmnfxl.sys
2010-06-22 14:58 . 2010-06-22 14:58 -------- d-----w- c:\documents and settings\Owner\Pavark
2010-06-22 01:10 . 2010-06-22 01:10 -------- d-----w- c:\program files\Sophos
2010-06-22 00:16 . 2010-02-28 03:46 3691384 ----a-w- c:\documents and settings\Owner\Application Data\Simply Super Software\Trojan Remover\fsh1B.exe
2010-06-21 23:22 . 2010-06-21 23:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Simply Super Software
2010-06-21 02:44 . 2010-06-21 02:44 2304 ----a-w- c:\windows\system32\xboxdrv.sys
2010-06-19 19:58 . 2010-06-19 19:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Panda Security
2010-06-19 19:29 . 2010-06-19 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2010-06-19 19:29 . 2010-06-19 19:29 -------- d-----w- c:\program files\Panda Security
2010-06-19 18:36 . 2010-06-19 19:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-19 18:29 . 2010-06-19 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-19 18:28 . 2010-06-19 18:28 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-14 16:39 . 2010-06-14 16:39 -------- d-----w- c:\documents and settings\Owner\Application Data\AnvSoft
2010-06-14 16:39 . 2010-06-14 16:39 -------- d-----w- c:\program files\AnvSoft
2010-06-12 04:02 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-06-12 00:27 . 2010-06-12 00:27 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-12 00:22 . 2010-06-22 00:32 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-06-11 23:52 . 2010-06-11 23:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ArcSoft
2010-06-11 23:52 . 2010-06-11 23:52 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2010-06-11 23:52 . 2010-06-12 04:09 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-06-11 23:51 . 2010-06-21 17:49 -------- d-----w- c:\program files\Common Files\ArcSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-09 17:54 . 2010-02-02 23:45 -------- d-----w- c:\program files\iTunes
2010-07-09 17:54 . 2010-02-02 23:35 -------- d-----w- c:\program files\QuickTime
2010-07-09 17:54 . 2010-05-19 00:33 -------- d-----w- c:\program files\Carbonite
2010-07-09 17:47 . 2010-07-09 17:47 3120 ----a-w- c:\windows\system32\drivers\nfrassvmnfxl.sys-scan.txt
2010-07-09 17:26 . 2009-07-16 00:12 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-07-09 03:59 . 2010-07-09 03:59 4504 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-07-05 03:04 . 2010-03-02 21:13 -------- d-----w- c:\program files\JDownloader
2010-06-29 22:01 . 2010-06-29 21:55 112 ----a-w- c:\documents and settings\All Users\Application Data\7Tk5g0Vt.dat
2010-06-24 02:09 . 2009-12-11 01:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 01:36 . 2009-09-25 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-06-22 00:41 . 2009-12-11 00:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-21 17:49 . 2001-09-15 05:24 -------- d-----w- c:\program files\ArcSoft
2010-06-21 17:40 . 2001-09-15 05:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-19 22:33 . 2002-01-12 23:45 -------- d-----w- c:\program files\Audiogalaxy Satellite
2010-06-12 16:35 . 2010-01-11 22:23 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-06-12 16:31 . 2009-12-13 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2010-06-12 15:22 . 2010-02-26 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-09 15:55 . 2009-07-15 23:40 -------- d-----w- c:\program files\LimeWire
2010-05-22 02:19 . 2010-05-22 02:19 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48ea4144-n\msvcp71.dll
2010-05-22 02:19 . 2010-05-22 02:19 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48ea4144-n\jmc.dll
2010-05-22 02:19 . 2010-05-22 02:19 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48ea4144-n\msvcr71.dll
2010-05-22 02:18 . 2010-05-22 02:18 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-17ff9c44-n\decora-sse.dll
2010-05-22 02:18 . 2010-05-22 02:18 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-17ff9c44-n\decora-d3d.dll
2010-05-21 05:00 . 2010-05-21 05:00 -------- d-----w- c:\program files\MSXML 4.0
2010-05-19 00:36 . 2010-05-19 00:36 -------- d-----w- c:\program files\Seagate
2010-05-19 00:36 . 2010-05-19 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-19 00:32 . 2010-05-19 00:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2010-05-06 10:41 . 2004-01-08 22:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-18 05:24 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-12-11 01:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-12-11 01:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2001-08-17 21:55 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 00:29 . 2010-04-23 22:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2001-07-22 02:45 . 2001-07-22 02:45 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2001-08-18 05:36 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2001-08-18 05:36 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2001-08-18 05:36 57344 --sha-w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2001-08-18 05:36 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2001-08-18 05:36 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2001-08-18 05:36 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Owner\Pavark ----

2010-06-22 14:58 . 2010-06-22 14:58 44672 ----a-w- c:\documents and settings\Owner\Pavark\sdthook.sys
2010-06-22 14:58 . 2010-06-22 14:58 8704 ----a-w- c:\documents and settings\Owner\Pavark\RKPavProc.sys
2010-06-22 14:58 . 2010-06-22 14:58 23552 ----a-w- c:\documents and settings\Owner\Pavark\phooks.sys
2010-06-22 14:58 . 2010-06-22 14:58 13312 ----a-w- c:\documents and settings\Owner\Pavark\pfdnnt.exe
2010-06-22 14:58 . 2010-06-22 14:58 102400 ----a-w- c:\documents and settings\Owner\Pavark\pavsddl.dll
2010-06-22 14:58 . 2010-06-22 14:58 126976 ----a-w- c:\documents and settings\Owner\Pavark\Tucan.dll

---- Directory of c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP ----

2010-06-24 01:34 . 2010-06-24 01:34 6877 ----a-w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseData.ini
2010-06-24 01:34 . 2010-06-24 01:34 131991 ----a-w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla11.dll
2010-06-24 01:34 . 2010-06-24 01:34 130755 ----a-w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla3.dll
2010-06-24 01:34 . 2010-06-24 01:34 130193 ----a-w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla4.dll
2010-06-24 01:34 . 2010-06-24 01:34 131039 ----a-w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla.exe
2010-06-24 01:34 . 2010-06-24 01:34 130112 ----a-w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla2.dll
2010-06-24 01:34 . 2010-06-24 01:34 27494 ----a-w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCall.dll
2010-06-24 00:02 . 2010-06-24 00:02 131991 ----a-w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla11.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-16 28739]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-08 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp center UI.lnk - c:\program files\hp center\137903\Shadow\ShadowBar.exe [2001-9-5 69632]
hp center.lnk - c:\program files\hp center\137903\Program\BackWeb-137903.exe [2001-9-5 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\docume~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.exe \??\c:\docume~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.dat\0PGUNNT c:\smclpav\PAVSMCL.dll\0PGUNNT c:\smclpav\SMCLPav.dll\0PGUNNT c:\smclpav\SMCLpav.exe\0PGUNNT c:\smclpav\qrvD.krn

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\drivers\aswSP.sys [12/5/2009 12:27 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\drivers\aswFsBlk.sys [12/5/2009 12:27 PM 20560]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 PortTalk;PortTalk;c:\windows\SYSTEM32\drivers\porttalk.sys [11/30/2009 4:10 PM 3567]
S3 xboxdrv;xboxdrv;c:\windows\SYSTEM32\xboxdrv.sys [6/20/2010 7:44 PM 2304]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PSGENUN
*Deregistered* - PSGenUn
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\olhuvxu1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-09 11:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-09 11:14:59
ComboFix-quarantined-files.txt 2010-07-09 18:14
ComboFix2.txt 2010-07-08 17:55

Pre-Run: 7,062,949,888 bytes free
Post-Run: 7,064,473,600 bytes free

- - End Of File - - 9D6A09861D73EAB3E11E767A1F485C19



thanks for the help so far





#8 sempai

  • Malware Response Team
  • 5,288 posts

Posted 09 July 2010 - 11:39 PM

Hi,

How's the computer running now?

Can you please navigate and post the contents of this text file:
c:\windows\system32\drivers\nfrassvmnfxl.sys-scan.txt



Also, please run another DDS scan and post the new report. Thanks.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 arney1432

  • Topic Starter
  • Members
  • 10 posts

Posted 10 July 2010 - 12:19 PM

hi sempai

the computer seems fine now, yay!!

I actually already posted c:\windows\system32\drivers\nfrassvmnfxl.sys-scan.txt in my last reply, but here you go



VirSCAN.org Scanned Report :
Scanned time : 2010/07/09 10:39:29 (PDT)
Scanner results: 3% Scanner(s) (1/36) found malware!
File Name : nfrassvmnfxl.sys
File Size : 8704 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 34d44edd829476e085f5c22ac9dfe315
SHA1 : 409f8e1239c67925b4f7d137af35a30ddb40235a
Online report : http://virscan.org/report/50d40b534013f770...e3688c5264.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100710003132 2010-07-10 5.19 -
AhnLab V3 2010.07.10.00 2010.07.10 2010-07-10 1.22 -
AntiVir 8.2.4.10 7.10.9.55 2010-07-09 0.26 -
Antiy 2.0.18 20100704.4829244 2010-07-04 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.00 -
Authentium 5.1.1 201007090734 2010-07-09 1.27 -
AVAST! 4.7.4 100709-0 2010-07-09 0.00 -
AVG 8.5.793 271.1.1/2991 2010-07-09 0.24 -
BitDefender 7.90123.6465796 7.32699 2010-07-09 3.88 -
ClamAV 0.96.1 11327 2010-07-06 0.00 -
Comodo 4.0 5374 2010-07-09 1.12 -
CP Secure 1.3.0.5 2010.07.09 2010-07-09 0.04 -
Dr.Web 5.0.2.3300 2010.07.09 2010-07-09 8.60 -
F-Prot 4.4.4.56 20100708 2010-07-08 1.27 -
F-Secure 7.02.73807 2010.07.09.05 2010-07-09 0.19 -
Fortinet 4.1.143 12.135 2010-07-09 0.19 -
GData 21.486/21.177 20100709 2010-07-09 7.06 -
ViRobot 20100708 2010.07.08 2010-07-08 0.36 -
Ikarus T3.1.01.84 2010.07.09.76228 2010-07-09 7.13 -
JiangMin 13.0.900 2010.07.09 2010-07-09 1.23 -
Kaspersky 5.5.10 2010.07.09 2010-07-09 0.14 -
KingSoft 2009.2.5.15 2010.7.9.18 2010-07-09 0.65 -
McAfee 5400.1158 6038 2010-07-09 16.90 -
Microsoft 1.5902 2010.07.09 2010-07-09 6.89 -
Norman 6.05.11 6.05.00 2010-07-09 6.01 -
Panda 9.05.01 2010.07.04 2010-07-04 1.81 -
Trend Micro 9.120-1004 7.296.17 2010-07-09 0.03 -
Quick Heal 11.00 2010.07.09 2010-07-09 2.05 -
Rising 20.0 22.55.04.04 2010-07-09 1.46 RootKit.Win32.Undef.ov
Sophos 3.09.0 4.55 2010-07-09 3.58 -
Sunbelt 3.9.2428.2 6564 2010-07-09 7.95 -
Symantec 1.3.0.24 20100708.016 2010-07-08 0.25 -
nProtect 20100709.01 9004325 2010-07-09 8.29 -
The Hacker 6.5.2.1 v00311 2010-07-08 0.33 -
VBA32 3.12.12.6 20100709.0730 2010-07-09 2.82 -
VirusBuster 4.5.11.10 10.126.124/20533972010-07-09 2.37 -



here are the new DDS logs, bye

Attached Files
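A small triage helper for reports in the VirSCAN format pasted above, added here as an example (it is not code from this thread, from VirSCAN or from BleepingComputer): it parses the per-engine lines, lists which engines flagged the file, cross-checks the (hits/engines) ratio the header claims, and tolerates a line where the signature version has run into the date, as the VirusBuster line above did. The embedded report is a constructed eight-engine excerpt in that format, and all function names are my own.

```python
"""Triage helper for a VirSCAN-style multi-engine report.

Added example; not code from this thread, from VirSCAN or from BleepingComputer.
It parses the per-engine lines of a report in the format pasted above, lists
the engines that flagged the file, cross-checks the "(hits/engines)" ratio the
header claims, and copes with a line whose signature version has run together
with the date (as the VirusBuster line did in the pasted report).
"""
import re
from dataclasses import dataclass
from typing import Optional

# One engine line: "<scanner> <engine ver> <sig ver> <YYYY-MM-DD> <seconds> <result>".
# Scanner names can contain spaces ("Trend Micro", "AhnLab V3"), so the fixed
# fields are matched from the right; the "\s*" before the date also accepts a
# signature version fused onto the date with no separating space.
ENGINE_LINE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S*?)\s*"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<seconds>\d+\.\d+)\s+(?P<result>\S.*?)\s*$"
)
# Header line such as "Scanner results: 3% Scanner(s) (1/36) found malware!".
CLAIMED_RATIO = re.compile(r"\((?P<hits>\d+)/(?P<engines>\d+)\)")
NO_DETECTION = "-"


@dataclass(frozen=True)
class EngineResult:
    scanner: str
    engine_version: str
    signature_version: str
    signature_date: str
    result: str

    @property
    def flagged(self) -> bool:
        return self.result != NO_DETECTION


def parse_engine_lines(report: str) -> list:
    """Return an EngineResult for every engine line; other lines are ignored."""
    results = []
    for raw in report.splitlines():
        m = ENGINE_LINE.match(raw.strip())
        if m:
            results.append(EngineResult(m["scanner"], m["engine"], m["sig"],
                                        m["date"], m["result"]))
    return results


def claimed_ratio(report: str) -> Optional[tuple]:
    """The (hits, engines) pair the report header claims, or None if absent."""
    m = CLAIMED_RATIO.search(report)
    return (int(m["hits"]), int(m["engines"])) if m else None


def triage(report: str) -> dict:
    """Summarise a report: who flagged the file, and does the header ratio add up."""
    results = parse_engine_lines(report)
    hits = [r for r in results if r.flagged]
    claimed = claimed_ratio(report)
    return {
        "engines": len(results),
        "hits": [(r.scanner, r.result) for r in hits],
        "claimed": claimed,
        # False means the header ratio does not match the lines we parsed, so
        # some lines were probably lost or mangled when the report was pasted.
        "consistent": claimed == (len(hits), len(results)) if claimed else None,
        # One engine out of many, with a generic family name, is weak evidence
        # on its own; it is a reason to look closer, not a verdict.
        "single_engine_hit": len(hits) == 1 and len(results) > 1,
    }


# Constructed sample in the format of the pasted report (eight engines, not the
# full 36); the last line reproduces the sig-version/date fusion seen above.
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanner results: 12% Scanner(s) (1/8) found malware!
File Name : sample.sys
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100710003132 2010-07-10 5.19 -
AhnLab V3 2010.07.10.00 2010.07.10 2010-07-10 1.22 -
AVAST! 4.7.4 100709-0 2010-07-09 0.00 -
Dr.Web 5.0.2.3300 2010.07.09 2010-07-09 8.60 -
Rising 20.0 22.55.04.04 2010-07-09 1.46 RootKit.Win32.Undef.ov
The Hacker 6.5.2.1 v00311 2010-07-08 0.33 -
Trend Micro 9.120-1004 7.296.17 2010-07-09 0.03 -
VirusBuster 4.5.11.10 10.126.124/20533972010-07-09 2.37 -
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{len(summary['hits'])}/{summary['engines']} engines flagged the file")
    for scanner, verdict in summary["hits"]:
        print(f"  {scanner}: {verdict}")
    print("header ratio consistent:", summary["consistent"])
```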



#10 sempai

  • Malware Response Team
  • 5,288 posts

Posted 10 July 2010 - 01:32 PM

Hi,

So it means that the "nfrassvmnfxl.sys-scan.txt" file was created by you, right?


=====================================


We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
Rootkit::
c:\windows\system32\drivers\nfrassvmnfxl.sys

Folder::
c:\documents and settings\Owner\Application Data\Panda Security
c:\documents and settings\All Users\Application Data\Panda Security
c:\program files\Panda Security

DDS::
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp



#11 arney1432

  • Topic Starter
  • Members
  • 10 posts

Posted 10 July 2010 - 05:24 PM

hi sempai

oh sorry about that, I didn't know that the copy to clipboard button is the same as copying, that's why I created the file... sorry

Here's the ComboFix log






ComboFix 10-07-07.02 - Owner 07/10/2010 14:46:17.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.290 [GMT -7:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\My Documents\Downloads\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100710-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Panda Security
c:\documents and settings\Owner\Application Data\Panda Security
c:\documents and settings\Owner\Application Data\Panda Security\Panda Cloud Antivirus\PSUNUser.cfg
c:\program files\Panda Security

.
((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.

2010-07-09 17:13 . 2010-07-10 02:00 -------- d-----w- C:\SMCLpav
2010-07-05 22:11 . 2010-07-05 22:11 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-30 00:14 . 2010-06-30 00:15 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-06-30 00:14 . 2010-06-30 00:14 -------- d-----w- c:\program files\DVDVideoSoft
2010-06-27 21:16 . 2010-06-27 21:18 -------- d-----w- c:\program files\Cobian Backup 8
2010-06-26 21:39 . 2010-06-26 21:39 -------- d--h--w- c:\windows\PIF
2010-06-25 20:43 . 2010-07-06 17:45 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-25 20:43 . 2010-06-25 20:43 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-25 20:42 . 2010-07-05 20:34 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-25 20:41 . 2010-06-25 20:41 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-06-25 20:41 . 2010-06-25 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-25 20:40 . 2010-06-25 20:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-24 00:04 . 2010-06-24 00:04 -------- d-----w- c:\program files\Enigma Software Group
2010-06-24 00:02 . 2010-06-24 01:34 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-24 00:02 . 2010-06-24 00:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-23 21:26 . 2010-06-23 21:26 -------- d-----w- C:\spoolerlogs
2010-06-23 04:56 . 2010-07-05 22:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 22:40 . 2010-06-22 22:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2010-06-22 14:58 . 2010-06-22 14:58 -------- d-----w- c:\documents and settings\Owner\Pavark
2010-06-22 01:10 . 2010-06-22 01:10 -------- d-----w- c:\program files\Sophos
2010-06-22 00:16 . 2010-02-28 03:46 3691384 ----a-w- c:\documents and settings\Owner\Application Data\Simply Super Software\Trojan Remover\fsh1B.exe
2010-06-21 23:22 . 2010-06-21 23:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Simply Super Software
2010-06-21 02:44 . 2010-06-21 02:44 2304 ----a-w- c:\windows\system32\xboxdrv.sys
2010-06-19 18:36 . 2010-06-19 19:38 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-19 18:29 . 2010-06-19 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-19 18:28 . 2010-06-19 18:28 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-14 16:39 . 2010-06-14 16:39 -------- d-----w- c:\documents and settings\Owner\Application Data\AnvSoft
2010-06-14 16:39 . 2010-06-14 16:39 -------- d-----w- c:\program files\AnvSoft
2010-06-12 04:02 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-06-12 00:27 . 2010-06-12 00:27 -------- d-----w- c:\program files\Windows Media Connect 2
2010-06-12 00:22 . 2010-06-22 00:32 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-06-11 23:52 . 2010-06-11 23:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ArcSoft
2010-06-11 23:52 . 2010-06-11 23:52 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2010-06-11 23:52 . 2010-06-12 04:09 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-06-11 23:51 . 2010-06-21 17:49 -------- d-----w- c:\program files\Common Files\ArcSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-10 22:05 . 2009-07-16 00:12 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-07-09 17:54 . 2010-02-02 23:45 -------- d-----w- c:\program files\iTunes
2010-07-09 17:54 . 2010-02-02 23:35 -------- d-----w- c:\program files\QuickTime
2010-07-09 17:54 . 2010-05-19 00:33 -------- d-----w- c:\program files\Carbonite
2010-07-09 17:47 . 2010-07-09 17:47 3120 ----a-w- c:\windows\system32\drivers\nfrassvmnfxl.sys-scan.txt
2010-07-09 03:59 . 2010-07-09 03:59 4504 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-07-05 03:04 . 2010-03-02 21:13 -------- d-----w- c:\program files\JDownloader
2010-06-29 22:01 . 2010-06-29 21:55 112 ----a-w- c:\documents and settings\All Users\Application Data\7Tk5g0Vt.dat
2010-06-24 02:09 . 2009-12-11 01:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 01:36 . 2009-09-25 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-06-22 00:41 . 2009-12-11 00:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-21 17:49 . 2001-09-15 05:24 -------- d-----w- c:\program files\ArcSoft
2010-06-21 17:40 . 2001-09-15 05:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-19 22:33 . 2002-01-12 23:45 -------- d-----w- c:\program files\Audiogalaxy Satellite
2010-06-12 16:35 . 2010-01-11 22:23 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-06-12 16:31 . 2009-12-13 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2010-06-12 15:22 . 2010-02-26 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-09 15:55 . 2009-07-15 23:40 -------- d-----w- c:\program files\LimeWire
2010-05-22 02:19 . 2010-05-22 02:19 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48ea4144-n\msvcp71.dll
2010-05-22 02:19 . 2010-05-22 02:19 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48ea4144-n\jmc.dll
2010-05-22 02:19 . 2010-05-22 02:19 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48ea4144-n\msvcr71.dll
2010-05-22 02:18 . 2010-05-22 02:18 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-17ff9c44-n\decora-sse.dll
2010-05-22 02:18 . 2010-05-22 02:18 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-17ff9c44-n\decora-d3d.dll
2010-05-21 05:00 . 2010-05-21 05:00 -------- d-----w- c:\program files\MSXML 4.0
2010-05-19 00:36 . 2010-05-19 00:36 -------- d-----w- c:\program files\Seagate
2010-05-19 00:36 . 2010-05-19 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-05-19 00:32 . 2010-05-19 00:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2010-05-06 10:41 . 2004-01-08 22:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-18 05:24 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-12-11 01:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-12-11 01:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2001-08-17 21:55 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 00:29 . 2010-04-23 22:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2001-07-22 02:45 . 2001-07-22 02:45 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2001-08-18 05:36 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2001-08-18 05:36 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2001-08-18 05:36 57344 --sha-w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2001-08-18 05:36 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2001-08-18 05:36 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2001-08-18 05:36 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-16 28739]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-08 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp center UI.lnk - c:\program files\hp center\137903\Shadow\ShadowBar.exe [2001-9-5 69632]
hp center.lnk - c:\program files\hp center\137903\Program\BackWeb-137903.exe [2001-9-5 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\docume~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.exe \??\c:\docume~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\drivers\aswSP.sys [12/5/2009 12:27 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\drivers\aswFsBlk.sys [12/5/2009 12:27 PM 20560]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 PortTalk;PortTalk;c:\windows\SYSTEM32\drivers\porttalk.sys [11/30/2009 4:10 PM 3567]
S3 xboxdrv;xboxdrv;c:\windows\SYSTEM32\xboxdrv.sys [6/20/2010 7:44 PM 2304]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\olhuvxu1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.youtube.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-10 15:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(452)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

- - - - - - - > 'explorer.exe'(160)
c:\windows\system32\WININET.dll
c:\docume~1\Owner\LOCALS~1\Temp\IadHide3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\progra~1\HPCENT~1\137903\Program\BACKWE~1.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-10 15:13:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-10 22:13
ComboFix2.txt 2010-07-09 18:15
ComboFix3.txt 2010-07-08 17:55

Pre-Run: 7,050,674,176 bytes free
Post-Run: 7,026,896,896 bytes free

- - End Of File - - C34A71A7BBDDCB32DABED7E972681BE9

see you later

#12 sempai

  • Malware Response Team
  • 5,288 posts

Posted 10 July 2010 - 10:29 PM

Hi arney1432,

Log is looking good.

You can delete these two files:
c:\windows\system32\drivers\nfrassvmnfxl.sys-scan.txt
c:\documents and settings\All Users\Application Data\IObit



===================================


Let's use an online scanner to look for possible remnants.


1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Control Panel > Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.



2. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Note: Kaspersky online scan may take time to complete, please be patient.



~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#13 arney1432 (Topic Starter)
  • Members
  • 10 posts

Posted 11 July 2010 - 09:57 PM

hi sempai

here's the kaspersky scan report



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, July 11, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, July 11, 2010 11:06:18
Records in database: 4233535
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\

Scan statistics:
Objects scanned: 82691
Threats found: 3
Infected objects found: 14
Suspicious objects found: 0
Scan duration: 08:59:45


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP897\A0121690.exe Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP897\A0121691.EXE Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP897\A0121692.exe Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP897\A0121693.exe Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP897\A0121694.exe Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP897\A0121695.exe Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP897\A0121696.exe Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP897\A0121697.exe Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP897\A0121698.exe Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP897\A0121699.exe Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP898\A0121730.com Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP901\A0126045.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\WINDOWS\SYSTEM32\xboxdrv.sys Infected: Trojan-Downloader.Win32.Geral.uwm 1

Selected area has been scanned.

bye

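A responder reads a report like the one above by location rather than by count: hits inside ComboFix's Qoobox quarantine are already neutralised, hits under System Volume Information are dormant copies in restore points, and only files still on the live system (xboxdrv.sys here) need follow-up. The Python below is an added example, not code from the thread or from Kaspersky; it parses detection lines in this report format and sorts them into those three buckets, using a constructed sample built from the report with the restore-point GUID replaced by a placeholder.

```python
import re
from collections import Counter

# Constructed sample in the Kaspersky Online Scanner 7.0 report format used in
# the thread; the restore-point GUID is replaced by a placeholder.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP897\A0121690.exe Infected: Trojan.Win32.Powp.fmk 1
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP901\A0126045.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\WINDOWS\SYSTEM32\xboxdrv.sys Infected: Trojan-Downloader.Win32.Geral.uwm 1

Selected area has been scanned.
"""

# One detection line: <path> Infected: <threat> <count>; the path may contain spaces.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


def classify(path):
    """Bucket a detection by where the file lives on disk."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"    # ComboFix already moved it out of the way
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # dormant copy; cleared by purging System Restore points
    return "live"               # still on the running system: needs action


def parse_report(text):
    """Return one dict per detection line found in the report text."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"],
                         "count": int(m["count"]), "where": classify(m["path"])})
    return hits


def triage(text):
    """Count hits per bucket and list the live ones that need follow-up."""
    hits = parse_report(text)
    summary = Counter(h["where"] for h in hits)
    live = [h for h in hits if h["where"] == "live"]
    return summary, live


if __name__ == "__main__":
    summary, live = triage(SAMPLE_REPORT)
    print(dict(summary))
    for h in live:
        print("LIVE:", h["path"], h["threat"])
```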
#14 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender: Male
  • Location: 3 stars and a sun

Posted 12 July 2010 - 05:16 AM

Hi,

Looks good.

Are you using Xbox and have its driver installed on your PC?

Please run another DDS scan and post the latest report for my final review.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#15 arney1432 (Topic Starter)
  • Members
  • 10 posts

Posted 12 July 2010 - 12:18 PM

hi sempai


I didn't even know you could install an Xbox driver on a computer.

Anyways, I don't own an Xbox. I have a Wii.

Is it alright if I update my drivers? I went to the Microsoft website and saw a bunch of updates. I am asking because I don't know if updating will affect the help you're giving me.

here are the logs

Attached Files


Edited by arney1432, 12 July 2010 - 06:30 PM.