
Malware, Spyware and maybe a trojan


  • This topic is locked
118 replies to this topic

#1 brigg

brigg

  • Members
  • 457 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:56 AM

Posted 05 July 2010 - 04:28 PM

I think I have sent someone else an infected file - please help!

I can't run Malware Bytes. I've tried uninstalling and re-installing, and it still won't work.
I've tried to follow the instructions on this website and still I can't get it to work.
This is what I'm most concerned about.

Additionally, I run Spybot every week or so. Tonight it found a problem and fixed it.
I currently have no search issues where when I click on something in Google it takes me to
a website other than the one I've selected. I usually get the following errors, as I did tonight:
"There were problems in the include file
c:\ProgramFiles\Spybot-Search_Destry\Includes\Trojans.sbi.
See Include errors.log for details.

There were problems in the include file
c:\ProgramFiles\Spybot-Search_Destry\Includes\TrojansC.sbi.
See Include errors.log for details."

--------
I ran GMER successfully once this evening - it took about an hour, but there was not an option to SAVE.
I thought maybe it had saved automatically so I clicked Okay. The window closed. I tried several
times to re-run it, and it acts like it starts to run and then nothing. I deleted the zipped and extracted files,
and downloaded it again from both links, extracted and tried to rerun it - it won't run again.
--------------

All assistance is much appreciated!

----------------DDS.txt is below ------------------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by UserOne at 16:46:55.04 on Mon 07/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.602 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\SOS Online Backup\OverlayCache.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\UserOne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?source=gama&hl=en
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [WinPatrol] c:\program files\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268015342640
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: winmm.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\userone\applic~1\mozilla\firefox\profiles\vce5urzp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-4-13 128016]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-3-7 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-25 207280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-24 162512]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-4-13 317072]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-3-12 528008]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2007-7-12 224888]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-24 40384]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 26232]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 488816]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-3-13 93320]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-29 135664]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-24 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-24 40384]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-3-1 87936]

=============== Created Last 30 ================

2010-06-09 21:22:48 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-07-05 21:46:43 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 21:06:24 8354440 ----a-w- c:\program files\Firefox Setup 3.6.3.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-02-11 00:40:56 6479 ----a-w- c:\program files\favicon_182337.zip
2010-03-08 05:00:38 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2010-03-06 15:53:56 16384 --sha-w- c:\windows\system32\config\systemprofile\iecompatcache\index.dat
2010-03-08 05:00:14 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2010-03-06 15:53:56 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2010-03-08 05:00:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010030720100308\index.dat
2010-02-25 18:33:33 16384 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 16:52:13.56 ===============

Edited by brigg, 05 July 2010 - 06:45 PM.

Kansas City Mo area - Central time zone 

Dell D620 Laptop    -   Operating System:  Windows XP Professional 32-bit SP3     -     CPU:  Intel Core Duo T2300E @ 1.66GHz 51 °C     -  Yonah 65nm Technology

RAM:  1.00GB Dual-Channel DDR2 @ 267MHz (4-4-4-12)    -     Motherboard:  Dell Inc. 53 °C     -     Graphics:  Plug and Play Monitor (1280x720@60Hz)
Storage:  74GB SAMSUNG HM080HI (SATA) 36 °C     -     Optical Drives:  TSSTcorp CDRW/DVD TSL462C     -     Audio:  SigmaTel High Definition Audio CODEC
PAE Enabled - Installation Date: 3/20/2009     -     Plug and Play Monitor (1280x720@60Hz)     -     Intel Mobile Intel 945GM Express Chipset Family (Dell)
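An added example, not part of this thread and not a feature of DDS or ComboFix: a small Python triage pass over lines in the layout of the DDS "Pseudo HJT Report" above. It pulls out the entries a helper normally checks first (the IE ProxyServer value, add-ons listed as "No File", an empty Run value, and the Winlogon Notify and AppInit_DLLs load points) and tags each with a review note. The sample lines are constructed in that layout and the function names are mine; a loopback proxy is flagged only as something to match against a listening process, since legitimate filtering products set it as well.

```python
import re

# Constructed sample in the layout of the DDS "Pseudo HJT Report" section
# (entry types follow the log posted above; the values are illustrative).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/ig?source=gama&hl=en
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [<NO NAME>]
mRun: [WinPatrol] c:\program files\winpatrol\winpatrol.exe -expressboot
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: winmm.dll
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
ORPHAN_RE = re.compile(r"^(TB|EB|BHO):\s*(.*?)\s*-\s*No File$")
EMPTY_RUN_RE = re.compile(r"^([um])Run:\s*\[<NO NAME>\]\s*$")
LOADPOINT_RE = re.compile(r"^(AppInit_DLLs|Notify):\s*(.+)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_proxy_value(value):
    """Split the raw IE ProxyServer value into (scheme, host, port) tuples.
    The value is either 'host:port' (all protocols) or a ';'-separated list
    of 'scheme=host:port' entries, which is the form DDS printed above."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "all", host, int(port) if port.isdigit() else None))
    return entries


def triage_dds(text):
    """Return a list of findings for the load points a helper reviews first."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_proxy_value(m.group(1)):
                loopback = host in LOOPBACK
                findings.append({
                    "kind": "proxy", "scheme": scheme, "host": host, "port": port,
                    "loopback": loopback,
                    # A loopback proxy is set by some legitimate filtering products
                    # as well as by malware, so it has to be matched to a listener.
                    "note": ("loopback proxy: identify the process listening on this port"
                             if loopback else "remote proxy: confirm it is expected"),
                })
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append({"kind": "orphan", "type": m.group(1), "entry": m.group(2),
                             "note": "registered browser add-on whose file is missing"})
            continue
        m = EMPTY_RUN_RE.match(line)
        if m:
            findings.append({"kind": "empty_run", "hive": m.group(1),
                             "note": "autorun value with no name or command"})
            continue
        m = LOADPOINT_RE.match(line)
        if m:
            findings.append({"kind": "loadpoint", "type": m.group(1), "entry": m.group(2),
                             "note": "DLL loaded into other processes; verify publisher and path"})
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'proxy': 1, 'orphan': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f["kind"].ljust(10), f["note"])
    print(summarize(triage_dds(SAMPLE_DDS)))
```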


#2 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:07:56 AM

Posted 06 July 2010 - 12:34 AM

Hi
Welcome back.

Please go to Start > Control Panel > Add/Remove Programs (Windows Vista it's Programs and Features) and remove the following (if present):

Spybot Search and Destroy

This program is kind of out of date nowadays anyway. I have removed it from my suggestions list also.

Please do the following.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#3 brigg

brigg
  • Topic Starter

  • Members
  • 457 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:56 AM

Posted 06 July 2010 - 10:12 AM

Hello friend and favorite person!
Thanks so much for jumping in to help.
I checked for you here around 12:15 am and went to sleep. I just missed you.
Combofix ran fine in only about 15 min - but it caught Zone Alarm running - I had to close it.

--------Combofix log------------------------

ComboFix 10-07-05.03 - UserOne 07/06/2010 9:46.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1057 [GMT -5:00]
Running from: c:\documents and settings\UserOne\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.

2010-06-24 15:06 . 2010-06-24 15:06 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb76.tmp.exe
2010-06-23 14:43 . 2010-06-23 14:43 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb14.tmp.exe
2010-06-09 21:22 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 14:32 . 2010-03-12 20:20 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-06 14:14 . 2010-01-04 19:59 -------- d-----w- c:\program files\SOS Online Backup
2010-07-06 04:56 . 2010-01-05 02:18 -------- d-----w- c:\documents and settings\UserOne\Application Data\FileZilla
2010-07-05 20:36 . 2010-01-05 02:18 -------- d-----w- c:\program files\FileZilla FTP Client
2010-07-02 05:50 . 2010-01-04 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-24 20:57 . 2010-06-24 20:57 2160548 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-06-23 14:25 . 2010-06-23 14:27 1938432 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-06-23 14:25 . 2010-06-23 14:27 3028480 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-06-22 17:22 . 2010-02-25 16:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-01 17:43 . 2010-06-01 17:43 -------- d-----w- c:\program files\RAR Extract Frog
2010-05-28 14:16 . 2010-05-28 14:16 503808 ----a-w- c:\documents and settings\UserOne\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-626e525b-n\msvcp71.dll
2010-05-28 14:16 . 2010-05-28 14:16 348160 ----a-w- c:\documents and settings\UserOne\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-626e525b-n\msvcr71.dll
2010-05-28 14:16 . 2010-05-28 14:16 499712 ----a-w- c:\documents and settings\UserOne\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-626e525b-n\jmc.dll
2010-05-28 14:16 . 2010-05-28 14:16 61440 ----a-w- c:\documents and settings\UserOne\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-20414c43-n\decora-sse.dll
2010-05-28 14:16 . 2010-05-28 14:16 12800 ----a-w- c:\documents and settings\UserOne\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-20414c43-n\decora-d3d.dll
2010-05-28 00:47 . 2010-05-28 00:44 -------- d-----w- c:\program files\SEO PowerSuite
2010-05-28 00:43 . 2010-05-28 00:43 -------- d-----w- c:\program files\RankChecker
2010-05-24 14:23 . 2010-05-24 14:26 2196992 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-05-24 14:23 . 2010-05-24 14:26 2196992 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-05-16 02:51 . 2010-03-13 01:15 117760 ----a-w- c:\documents and settings\UserOne\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-14 21:02 . 2007-03-01 20:12 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-14 20:51 . 2010-05-14 20:51 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-14 20:49 . 2010-05-14 20:49 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-14 20:49 . 2010-05-14 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-14 20:48 . 2010-05-14 20:48 -------- d-----w- c:\program files\NOS
2010-05-14 20:47 . 2007-03-01 21:03 -------- d-----w- c:\documents and settings\UserOne\Application Data\OpenOffice.org2
2010-05-14 20:47 . 2010-01-05 00:36 1 ----a-w- c:\documents and settings\UserOne\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-05-12 17:54 . 2010-05-12 17:56 847872 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-05-12 17:54 . 2010-05-12 17:56 2132480 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-05-11 22:50 . 2010-03-14 01:31 -------- d-----w- c:\program files\McAfee
2010-05-06 10:41 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 21:06 . 2010-05-05 21:05 8354440 ----a-w- c:\program files\Firefox Setup 3.6.3.exe
2010-05-02 05:22 . 2003-07-16 16:45 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 16:46 . 2010-04-30 16:48 1991680 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-04-20 05:30 . 2003-07-16 16:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-14 15:00 . 2010-04-14 15:02 1402880 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-04-13 19:21 . 2007-02-28 20:28 75848 ----a-w- c:\documents and settings\UserOne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-11 00:40 . 2010-02-11 00:40 6479 ----a-w- c:\program files\favicon_182337.zip
.
c:\program files\Skype\Phone\skype .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!1BackedupFileOverlay]
@="{3F1FB271-8290-4330-8069-310F32C030EF}"
[HKEY_CLASSES_ROOT\CLSID\{3F1FB271-8290-4330-8069-310F32C030EF}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!2LiveProtectedFileOverlay]
@="{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}"
[HKEY_CLASSES_ROOT\CLSID\{C26F9E4A-0BA6-4005-90FE-8665DBC229C8}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!3ProtectedFileOverlay]
@="{A94C4834-6F18-491F-A205-3AFF24B16BC0}"
[HKEY_CLASSES_ROOT\CLSID\{A94C4834-6F18-491F-A205-3AFF24B16BC0}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!4SharedFileOverlay]
@="{C85F4084-C3E3-453c-B242-4BDABA8F58FB}"
[HKEY_CLASSES_ROOT\CLSID\{C85F4084-C3E3-453c-B242-4BDABA8F58FB}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!5SyncedFileOverlay]
@="{58605E40-AE20-45d7-887B-08F3D9FF3651}"
[HKEY_CLASSES_ROOT\CLSID\{58605E40-AE20-45d7-887B-08F3D9FF3651}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!6SyncingFileOverlay]
@="{06DF45CB-D312-4306-B97D-6CDA50A10B30}"
[HKEY_CLASSES_ROOT\CLSID\{06DF45CB-D312-4306-B97D-6CDA50A10B30}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!7ConflictedFileOverlay]
@="{D1542785-76CA-4d0c-9688-F290B1E77E01}"
[HKEY_CLASSES_ROOT\CLSID\{D1542785-76CA-4d0c-9688-F290B1E77E01}]
2009-11-05 16:29 601984 ------w- c:\program files\SOS Online Backup\ShlOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [N/A]
"igfxpers"="c:\windows\system32\igfxpers.exe" [N/A]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"WinPatrol"="c:\program files\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-03-25 1038728]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-03-16 730480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-07-07 02:00 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2006-11-01 18:48 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-09-15 22:50 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
c:\windows\system32\igfxpers.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
c:\windows\system32\igfxtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2006-10-18 22:58 696320 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2006-10-18 23:04 802816 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
c:\program files\Intel\NCS\PROSet\PRONoMgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files\Java\jre1.6.0\bin\jusched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZCfgSvc.exe]
c:\windows\system32\ZCfgSvc.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/7/2010 1:26 AM 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2/25/2010 11:49 AM 207280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/24/2010 8:55 PM 162512]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [7/12/2007 3:45 PM 224888]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 8:30 AM 26232]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 8:30 AM 488816]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [3/13/2010 8:31 PM 93320]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/29/2010 10:13 AM 135664]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [3/1/2007 11:05 AM 87936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{78CB6AC8-1B5B-4804-B4C8674161434618}
{16C41678-E97F-4126-80B152478DC2DCBB}
{4F89A508-B5EA-46AE-8F27FD3DA1622EF7}
{8AE3AE9E-ED34-421D-A84C7F90BCAA1950}
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cacf52eba34376.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-29 15:13]

2010-03-14 c:\windows\Tasks\SOS Online Backup - briggreene.job
- c:\program files\SOS Online Backup\sosuploadagent.exe [2009-11-05 16:29]

2010-07-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-08 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?source=gama&hl=en
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\UserOne\Application Data\Mozilla\Firefox\Profiles\vce5urzp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\UserOne\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\wininet.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(980)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2010-07-06 10:02:05
ComboFix-quarantined-files.txt 2010-07-06 15:01
ComboFix2.txt 2010-03-07 20:10

Pre-Run: 15,297,765,376 bytes free
Post-Run: 15,677,046,784 bytes free

- - End Of File - - FADA14EB560FE8ED1C7D622FDABE48D8

Kansas City Mo area - Central time zone 

Dell D620 Laptop    -   Operating System:  Windows XP Professional 32-bit SP3     -     CPU:  Intel Core Duo T2300E @ 1.66GHz 51 °C     -  Yonah 65nm Technology

RAM:  1.00GB Dual-Channel DDR2 @ 267MHz (4-4-4-12)    -     Motherboard:  Dell Inc. 53 °C     -     Graphics:  Plug and Play Monitor (1280x720@60Hz)
Storage:  74GB SAMSUNG HM080HI (SATA) 36 °C     -     Optical Drives:  TSSTcorp CDRW/DVD TSL462C     -     Audio:  SigmaTel High Definition Audio CODEC
PAE Enabled - Installation Date: 3/20/2009     -     Plug and Play Monitor (1280x720@60Hz)     -     Intel Mobile Intel 945GM Express Chipset Family (Dell)
 

#4 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 06 July 2010 - 10:50 AM

Hi

Please do the following.

Please visit VirusTotal
  • Click the Browse... button
  • Navigate to the files one at a time.
  • c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb76.tmp.exe
  • c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb14.tmp.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.

Thanks
maranatha

Windows7 Professional 64 Bit

I'm going in the wrong direction to be in a hurry!

My help is always free, But I do accept donations.

#5 brigg (Topic Starter, Members, 457 posts)

Posted 06 July 2010 - 11:27 AM

Hello kind soul:

Interesting that when browsing for the paths below, I couldn't navigate to them.
I finally was able to copy and paste the path in, when I was in browse mode.

I am doubtful the below is what you want, I just didn't see what else I could provide. Please let me know.

First one:
MD5: 5c9ad5d799a72c5e5049d9a5e9d4bf05
First received: 2010.06.22 02:54:24 UTC
Date: 2010.07.06 14:33:23 UTC [<1D]
Results: 0/41
Permalink: analisis/e1d904e20ca97d19442a70aa1614672ad8da62fe92add7f5e08eef07f137ace4-1278426803

Second one: (I got the msg that this file has already been analyzed)
MD5: 5c9ad5d799a72c5e5049d9a5e9d4bf05
First received: 2010.06.22 02:54:24 UTC
Date: 2010.07.06 14:33:23 UTC [<1D]
Results: 0/41
Permalink: analisis/e1d904e20ca97d19442a70aa1614672ad8da62fe92add7f5e08eef07f137ace4-1278426803



#6 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 06 July 2010 - 02:21 PM

Hi
OK, that's strange.

Let's try this.

Enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now this one.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
    • c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb76.tmp.exe
      c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb14.tmp.exe
  • Click on the submit button
  • Please post the results in your next reply.

Thanks
maranatha


#7 brigg (Topic Starter, Members, 457 posts)

Posted 06 July 2010 - 02:44 PM

I don't have a My Computer from my Start button. I'll keep looking for Tools and Folder Options.


#8 brigg (Topic Starter, Members, 457 posts)

Posted 06 July 2010 - 02:51 PM

Made the change.
Note to self: make sure to change the folder view options back when done.


#9 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 06 July 2010 - 02:52 PM

Do you have it on your desktop? That will work.

OK

Edited by maranatha, 06 July 2010 - 02:53 PM.


#10 brigg (Topic Starter, Members, 457 posts)

Posted 06 July 2010 - 02:57 PM


For c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb76.tmp.exe
This file has been scanned before
gtbA80A.tmp.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sun 27 Jun 2010 02:14:58 (CET) Permalink

2010-06-26 Found nothing 2010-06-27 Found nothing
2010-06-26 Found nothing 2010-06-26 Found nothing
2010-06-26 Found nothing 2010-06-26 Found nothing
2010-06-25 Found nothing 2010-06-25 Found nothing
2010-06-26 Found nothing 2010-06-25 Found nothing
2010-06-26 Found nothing 2010-06-25 Found nothing
2010-06-27 Found nothing 2010-06-27 Found nothing
2010-06-27 Found nothing 2010-06-25 Found nothing
2010-06-26 Found nothing 2010-06-26 Found nothing
2010-06-26 Found nothing

For c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb14.tmp.exe
Filename: gtbA80A.tmp.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sun 27 Jun 2010 02:14:58 (CET) Permalink

2010-06-26 Found nothing 2010-06-27 Found nothing
2010-06-26 Found nothing 2010-06-26 Found nothing
2010-06-26 Found nothing 2010-06-26 Found nothing
2010-06-25 Found nothing 2010-06-25 Found nothing
2010-06-26 Found nothing 2010-06-25 Found nothing
2010-06-26 Found nothing 2010-06-25 Found nothing
2010-06-27 Found nothing 2010-06-27 Found nothing
2010-06-27 Found nothing 2010-06-25 Found nothing
2010-06-26 Found nothing 2010-06-26 Found nothing
2010-06-26 Found nothing

Looks like nothing was found.
I'm going to go back and make sure those folder view options saved. Will only post something else IF NOT.


#11 brigg (Topic Starter, Members, 457 posts)

Posted 06 July 2010 - 08:29 PM

You there?


#12 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 06 July 2010 - 09:31 PM

Hi
OK please do the following.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
KillAll::
RenV::
c:\program files\Skype\Phone\skype .exe
NetSvc::
Driver::
{78CB6AC8-1B5B-4804-B4C8674161434618}
{16C41678-E97F-4126-80B152478DC2DCBB}
{4F89A508-B5EA-46AE-8F27FD3DA1622EF7}
{8AE3AE9E-ED34-421D-A84C7F90BCAA1950}
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555


Please post the Combofix log.
Thanks
maranatha


#13 brigg (Topic Starter, Members, 457 posts)

Posted 06 July 2010 - 10:49 PM

Okay, sorry for the delay.
I ran Combofix. It asked me if I wanted to update and I said No. Sorry, I forgot that you said to say Yes. It ran fine and rebooted. Came up to a black screen with a white arrow. I let it be for about 20 min. with no change.
I powered off for about 30 sec. and powered back on. Came up to Blue Dell screen with an arrow - about once a minute the time capsule flashed for a second. I let it be for about 7 min. No change.
I powered off again for about 30 sec. and rebooted to Safe Mode with networking. I chose NO to restore and the system finally came up and here I am.

I hope I didn't mess it up.

thanks and looking forward to your response.


#14 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 06 July 2010 - 11:09 PM

Hi
Please go to C:\ComboFix.txt Open it and post the log that it has.

Thanks


#15 brigg (Topic Starter, Members, 457 posts)

Posted 06 July 2010 - 11:16 PM

This was time stamped 10:02 tonight.

ComboFix 10-07-05.03 - UserOne 07/06/2010 21:52:03.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1031 [GMT -5:00]
Running from: C:\Documents and Settings\UserOne\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\UserOne\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.





