
av security suite infection


This topic is locked
21 replies to this topic

#1 rvlahovi


Posted 11 July 2010 - 08:30 AM

Lots of redirects and porn popups. Did a system restore but now can't use the keyboard, get a code 38 device error. I am using the on-screen keyboard. Ran Spybot and Malwarebytes, found a bunch of trojan viruses. Still getting redirects and the PC gets slow.


DDS (Ver_10-03-17.01) - NTFSx86
Run by RickMary at 22:05:04.42 on Sat 07/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1120 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\2Wire Wireless Manager\2Wire.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\OSK.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\RickMary\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6071210
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - No File
BHO: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [PMX Daemon] ICO.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [2Wire Wireless Manager] "c:\program files\2wire wireless manager\2Wire.exe" -a
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: univ-wea.com\ctxwi.nt
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4A01A151-E350-4839-A2B8-03DC39D6C8E5} - hxxp://download.yahoo.com/dl/ypc/ypcxwizard2003080601.cab
DPF: {4A021DA6-517D-11D1-AEE9-00A0C9336A20} - hxxps://invoice.arinc.com/arinc/cabs/weblink.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.32.19/ttinst.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-31 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-31 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-31 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-31 56816]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-30 24652]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2007-12-16 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2007-12-16 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-4-10 401920]

=============== Created Last 30 ================

2010-07-11 02:57:30 0 ----a-w- c:\documents and settings\rickmary\defogger_reenable
2010-07-11 02:20:33 0 d-----w- c:\program files\Trend Micro
2010-07-10 21:41:14 0 d-----w- c:\docume~1\rickmary\applic~1\Malwarebytes
2010-07-10 21:41:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 21:41:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-10 21:41:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 21:41:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 02:43:05 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-09 14:56:29 2716 ----a-w- c:\windows\Ckexuv.dat
2010-07-09 14:56:29 0 ----a-w- c:\windows\Xlekod.bin
2010-06-30 23:33:27 0 d-----w- c:\program files\2Wire Wireless Manager
2010-06-30 23:32:48 477696 ----a-w- c:\windows\system32\drivers\ZD1211BU.sys
2010-06-30 23:32:48 20608 ----a-w- c:\windows\system32\drivers\BRGSp50.sys
2010-06-30 23:32:48 17664 ----a-w- c:\windows\system32\drivers\ZDPSp50.sys
2010-06-30 23:32:47 31744 ----a-w- c:\windows\system32\drivers\ZDPSp50a64.sys
2010-06-30 23:32:47 29184 ----a-w- c:\windows\system32\drivers\BRGSp50a64.sys
2010-06-30 23:32:46 0 d-----w- c:\program files\2WIRE, Inc

==================== Find3M ====================

2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2008-12-07 19:37:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120720081208\index.dat

============= FINISH: 22:06:37.57 ===============

#2 m0le


Posted 14 July 2010 - 06:58 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 rvlahovi

rvlahovi
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 15 July 2010 - 01:18 PM

Yes, still here. I did fix the keyboard issue but still have the redirect problem.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:46 AM

Posted 15 July 2010 - 07:16 PM

Yes, this is a rootkit called TDL3.

Please run ComboFix and see if it can disinfect it for us.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 rvlahovi

rvlahovi
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 16 July 2010 - 10:36 PM

Here is the combofix.txt file. I will be away tomorrow until Wednesday.

ComboFix 10-07-15.05 - RickMary 07/16/2010 22:16:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1611 [GMT -5:00]
Running from: c:\documents and settings\RickMary\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\SET3E3B.tmp
c:\program files\Internet Explorer\SET3E7B.tmp
c:\windows\system32\_000006_.tmp.dll

Infected copy of c:\windows\system32\drivers\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-15 16:29 . 2010-07-15 22:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\deywwngcs
2010-07-14 12:53 . 2010-07-14 12:53 -------- d-----w- c:\program files\3ivx
2010-07-13 23:11 . 2010-07-13 23:11 -------- d-----w- c:\documents and settings\RickMary\Local Settings\Application Data\Deployment
2010-07-13 15:33 . 2010-07-13 15:33 503808 ----a-w- c:\documents and settings\RickMary\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1981cc0b-n\msvcp71.dll
2010-07-13 15:33 . 2010-07-13 15:33 499712 ----a-w- c:\documents and settings\RickMary\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1981cc0b-n\jmc.dll
2010-07-13 15:33 . 2010-07-13 15:33 348160 ----a-w- c:\documents and settings\RickMary\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1981cc0b-n\msvcr71.dll
2010-07-12 23:01 . 2010-07-12 23:01 0 ----a-w- c:\windows\nsreg.dat
2010-07-12 23:01 . 2010-07-12 23:01 -------- d-----w- c:\documents and settings\RickMary\Local Settings\Application Data\Mozilla
2010-07-12 22:09 . 2010-07-12 22:09 -------- d-----w- c:\program files\Common Files\Scanner
2010-07-12 22:09 . 2010-07-12 22:11 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-07-12 01:53 . 2010-07-13 02:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-11 02:20 . 2010-07-11 02:20 -------- d-----w- c:\program files\Trend Micro
2010-07-10 21:41 . 2010-07-10 21:41 -------- d-----w- c:\documents and settings\RickMary\Application Data\Malwarebytes
2010-07-10 21:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 21:41 . 2010-07-10 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-10 21:41 . 2010-07-10 21:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 21:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 14:49 . 2010-07-10 14:49 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-10 02:43 . 2010-07-10 02:43 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-09 14:56 . 2010-07-10 02:42 -------- d-----w- c:\documents and settings\RickMary\Local Settings\Application Data\{A92FFD1A-F277-4C4F-9E59-5B5A5EC71799}
2010-07-09 14:56 . 2010-07-10 02:06 2716 ----a-w- c:\windows\Ckexuv.dat
2010-07-09 14:56 . 2010-07-09 14:56 0 ----a-w- c:\windows\Xlekod.bin
2010-06-30 23:33 . 2010-06-30 23:33 -------- d-----w- c:\program files\2Wire Wireless Manager
2010-06-30 23:32 . 2006-08-24 18:44 477696 ----a-w- c:\windows\system32\drivers\ZD1211BU.sys
2010-06-30 23:32 . 2005-06-08 23:44 20608 ----a-w- c:\windows\system32\drivers\BRGSp50.sys
2010-06-30 23:32 . 2004-10-25 18:40 17664 ----a-w- c:\windows\system32\drivers\ZDPSp50.sys
2010-06-30 23:32 . 2005-06-08 23:44 29184 ----a-w- c:\windows\system32\drivers\BRGSp50a64.sys
2010-06-30 23:32 . 2005-03-18 20:35 31744 ----a-w- c:\windows\system32\drivers\ZDPSp50a64.sys
2010-06-30 23:32 . 2010-06-30 23:32 -------- d-----w- c:\program files\2WIRE, Inc
2010-06-24 01:44 . 2010-06-24 01:44 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb6.tmp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 03:15 . 2008-12-20 17:40 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-16 00:40 . 2008-08-03 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-12 01:53 . 2009-06-15 23:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-10 20:33 . 2008-08-03 20:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-10 14:42 . 2007-12-18 03:15 -------- d-----w- c:\documents and settings\RickMary\Application Data\Apple Computer
2010-06-30 23:32 . 2007-12-10 07:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-30 23:01 . 2009-01-25 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\2Wire
2010-06-26 23:02 . 2009-08-30 19:15 -------- d-----w- c:\program files\CCleaner
2010-06-16 00:40 . 2010-06-16 00:40 -------- d-----w- c:\documents and settings\Tess\Application Data\TaxCut
2010-06-11 17:05 . 2010-06-11 17:05 503808 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-63d9ed89-n\msvcp71.dll
2010-06-11 17:05 . 2010-06-11 17:05 499712 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-63d9ed89-n\jmc.dll
2010-06-11 17:05 . 2010-06-11 17:05 348160 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-63d9ed89-n\msvcr71.dll
2010-06-09 08:13 . 2007-12-18 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-05 14:35 . 2009-03-19 23:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-31 19:22 . 2010-05-31 19:22 503808 ----a-w- c:\documents and settings\Katelyn\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31d78e58-n\msvcp71.dll
2010-05-31 19:22 . 2010-05-31 19:22 499712 ----a-w- c:\documents and settings\Katelyn\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31d78e58-n\jmc.dll
2010-05-31 19:22 . 2010-05-31 19:22 348160 ----a-w- c:\documents and settings\Katelyn\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31d78e58-n\msvcr71.dll
2010-05-23 20:17 . 2007-12-10 07:19 -------- d-----w- c:\program files\Google
2010-05-23 20:11 . 2008-12-20 17:41 -------- d-----w- c:\documents and settings\RickMary\Application Data\Arcsoft
2010-05-22 00:51 . 2010-05-22 00:51 503808 ----a-w- c:\documents and settings\Tess\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-461cb33a-n\msvcp71.dll
2010-05-22 00:51 . 2010-05-22 00:51 499712 ----a-w- c:\documents and settings\Tess\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-461cb33a-n\jmc.dll
2010-05-22 00:51 . 2010-05-22 00:51 348160 ----a-w- c:\documents and settings\Tess\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-461cb33a-n\msvcr71.dll
2010-05-21 01:49 . 2007-12-10 07:21 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-21 01:49 . 2007-12-10 07:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-21 01:48 . 2007-12-10 07:21 -------- d-----w- c:\program files\Symantec
2010-05-19 11:29 . 2010-05-19 11:26 -------- d-----w- c:\documents and settings\RickMary\Application Data\U3
2010-05-18 03:48 . 2010-05-18 00:25 -------- d-----w- c:\documents and settings\RickMary\Application Data\NCH Swift Sound
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-23 8429568]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe" [2001-06-12 200704]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-19 149280]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"2Wire Wireless Manager"="c:\program files\2Wire Wireless Manager\2Wire.exe" [2007-10-01 61440]

c:\documents and settings\Katelyn\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/31/2009 9:00 PM 108289]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/30/2007 2:35 PM 24652]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [12/16/2007 10:48 AM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [12/16/2007 10:48 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 7:22 AM 135664]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/10/2010 10:21 AM 401920]
.
Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-05-18 00:24]

2010-06-09 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-05-18 00:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: univ-wea.com\ctxwi.nt
DPF: {4A021DA6-517D-11D1-AEE9-00A0C9336A20} - hxxps://invoice.arinc.com/arinc/cabs/weblink.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\documents and settings\RickMary\Application Data\Mozilla\Firefox\Profiles\uzlavkn2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 22:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-16 22:30:13
ComboFix-quarantined-files.txt 2010-07-17 03:30

Pre-Run: 224,935,301,120 bytes free
Post-Run: 226,649,133,056 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DBB582F310EF6A4504F41B3BFB06E307




#6 m0le
Malware Response Team, 34,527 posts, London, UK

Posted 18 July 2010 - 03:36 PM

Well, the rootkit has gone. Let's run ComboFix one more time to remove the rest.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\windows\Ckexuv.dat
c:\windows\Xlekod.bin

Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\deywwngcs


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the graphic below).




Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#7 rvlahovi (Topic Starter)
Members, 12 posts

Posted 22 July 2010 - 05:06 PM

ComboFix 10-07-22.01 - RickMary 07/22/2010 16:59:19.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1485 [GMT -5:00]
Running from: c:\documents and settings\RickMary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RickMary\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\windows\Ckexuv.dat"
"c:\windows\Xlekod.bin"
.

((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-17 06:00 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-14 12:53 . 2010-07-14 12:53 -------- d-----w- c:\program files\3ivx
2010-07-13 23:11 . 2010-07-13 23:11 -------- d-----w- c:\documents and settings\RickMary\Local Settings\Application Data\Deployment
2010-07-12 23:01 . 2010-07-12 23:01 0 ----a-w- c:\windows\nsreg.dat
2010-07-12 23:01 . 2010-07-12 23:01 -------- d-----w- c:\documents and settings\RickMary\Local Settings\Application Data\Mozilla
2010-07-12 22:09 . 2010-07-12 22:09 -------- d-----w- c:\program files\Common Files\Scanner
2010-07-12 22:09 . 2010-07-12 22:11 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-07-12 01:53 . 2010-07-13 02:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-11 02:20 . 2010-07-11 02:20 -------- d-----w- c:\program files\Trend Micro
2010-07-10 21:41 . 2010-07-10 21:41 -------- d-----w- c:\documents and settings\RickMary\Application Data\Malwarebytes
2010-07-10 21:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 21:41 . 2010-07-10 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-10 21:41 . 2010-07-10 21:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 21:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 14:49 . 2010-07-10 14:49 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-10 02:43 . 2010-07-10 02:43 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 23:33 . 2010-06-30 23:33 -------- d-----w- c:\program files\2Wire Wireless Manager
2010-06-30 23:32 . 2006-08-24 18:44 477696 ----a-w- c:\windows\system32\drivers\ZD1211BU.sys
2010-06-30 23:32 . 2005-06-08 23:44 20608 ----a-w- c:\windows\system32\drivers\BRGSp50.sys
2010-06-30 23:32 . 2004-10-25 18:40 17664 ----a-w- c:\windows\system32\drivers\ZDPSp50.sys
2010-06-30 23:32 . 2005-06-08 23:44 29184 ----a-w- c:\windows\system32\drivers\BRGSp50a64.sys
2010-06-30 23:32 . 2005-03-18 20:35 31744 ----a-w- c:\windows\system32\drivers\ZDPSp50a64.sys
2010-06-30 23:32 . 2010-06-30 23:32 -------- d-----w- c:\program files\2WIRE, Inc
2010-06-24 01:44 . 2010-06-24 01:44 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb6.tmp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 13:14 . 2008-12-20 17:40 602 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-07-17 08:01 . 2007-12-18 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-16 00:40 . 2008-08-03 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-12 01:53 . 2009-06-15 23:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-10 20:33 . 2008-08-03 20:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-10 14:42 . 2007-12-18 03:15 -------- d-----w- c:\documents and settings\RickMary\Application Data\Apple Computer
2010-06-30 23:32 . 2007-12-10 07:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-30 23:01 . 2009-01-25 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\2Wire
2010-06-26 23:02 . 2009-08-30 19:15 -------- d-----w- c:\program files\CCleaner
2010-06-16 00:40 . 2010-06-16 00:40 -------- d-----w- c:\documents and settings\Tess\Application Data\TaxCut
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 17:05 . 2010-06-11 17:05 503808 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-63d9ed89-n\msvcp71.dll
2010-06-11 17:05 . 2010-06-11 17:05 499712 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-63d9ed89-n\jmc.dll
2010-06-11 17:05 . 2010-06-11 17:05 348160 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-63d9ed89-n\msvcr71.dll
2010-06-05 14:35 . 2009-03-19 23:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-31 19:22 . 2010-05-31 19:22 503808 ----a-w- c:\documents and settings\Katelyn\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31d78e58-n\msvcp71.dll
2010-05-31 19:22 . 2010-05-31 19:22 499712 ----a-w- c:\documents and settings\Katelyn\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31d78e58-n\jmc.dll
2010-05-31 19:22 . 2010-05-31 19:22 348160 ----a-w- c:\documents and settings\Katelyn\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-31d78e58-n\msvcr71.dll
2010-05-22 00:51 . 2010-05-22 00:51 503808 ----a-w- c:\documents and settings\Tess\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-461cb33a-n\msvcp71.dll
2010-05-22 00:51 . 2010-05-22 00:51 499712 ----a-w- c:\documents and settings\Tess\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-461cb33a-n\jmc.dll
2010-05-22 00:51 . 2010-05-22 00:51 348160 ----a-w- c:\documents and settings\Tess\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-461cb33a-n\msvcr71.dll
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-07-17_03.28.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-22 13:14 . 2010-07-22 13:14 16384 c:\windows\Temp\Perflib_Perfdata_d4.dat
+ 2007-12-18 00:37 . 2010-07-17 08:01 35088 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 35088 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-12-18 00:37 . 2010-07-17 08:01 18704 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 18704 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 20240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2007-12-18 00:37 . 2010-07-17 08:01 20240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-12-19 16:12 . 2010-07-22 21:44 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-12-19 16:12 . 2010-07-17 03:26 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2007-12-18 00:37 . 2010-07-17 08:01 888080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 888080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 272648 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-12-18 00:37 . 2010-07-17 08:01 272648 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-12-18 00:37 . 2010-07-17 08:01 922384 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 922384 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 845584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-12-18 00:37 . 2010-07-17 08:01 845584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-12-18 00:37 . 2010-07-17 08:01 217864 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 217864 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2007-12-18 00:37 . 2010-07-17 08:01 184080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 184080 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 159504 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2007-12-18 00:37 . 2010-07-17 08:01 159504 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-03-06 07:37 . 2009-03-06 07:37 501640 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\SOA.DLL
+ 2008-10-26 11:26 . 2008-10-26 11:26 162680 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\ACCWIZ.DLL
+ 2010-05-21 00:57 . 2010-05-21 00:57 4989952 c:\windows\Installer\1051674.msp
+ 2010-05-21 00:57 . 2010-05-21 00:57 5907456 c:\windows\Installer\1051673.msp
+ 2010-06-11 16:03 . 2010-06-11 16:03 5021184 c:\windows\Installer\1051654.msp
+ 2007-12-18 00:37 . 2010-07-17 08:01 1172240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 1172240 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-12-18 00:37 . 2010-07-17 08:01 1165584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2007-12-18 00:37 . 2010-06-09 08:13 1165584 c:\windows\Installer\{91120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2007-12-26 18:30 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
+ 2010-05-21 00:58 . 2010-05-21 00:58 12114432 c:\windows\Installer\105163e.msp
+ 2009-03-06 07:37 . 2009-03-06 07:37 10222432 c:\windows\Installer\$PatchCache$\Managed\00002119030000000000000000F01FEC\12.0.6425\MSACCESS.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-23 8429568]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe" [2001-06-12 200704]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-19 149280]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"2Wire Wireless Manager"="c:\program files\2Wire Wireless Manager\2Wire.exe" [2007-10-01 61440]

c:\documents and settings\Katelyn\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/31/2009 9:00 PM 108289]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/30/2007 2:35 PM 24652]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [12/16/2007 10:48 AM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [12/16/2007 10:48 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 7:22 AM 135664]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/10/2010 10:21 AM 401920]
.
Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\wavepadDowngrade.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-05-18 00:24]

2010-06-09 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-05-18 00:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: univ-wea.com\ctxwi.nt
DPF: {4A021DA6-517D-11D1-AEE9-00A0C9336A20} - hxxps://invoice.arinc.com/arinc/cabs/weblink.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\documents and settings\RickMary\Application Data\Mozilla\Firefox\Profiles\uzlavkn2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3132)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\pmxscrll.dll
c:\windows\system32\PMXCOMM.dll
c:\windows\system32\PMXHOOKS.dll
.
Completion time: 2010-07-22 17:03:21
ComboFix-quarantined-files.txt 2010-07-22 22:03
ComboFix2.txt 2010-07-22 21:57
ComboFix3.txt 2010-07-17 03:30

Pre-Run: 226,538,053,632 bytes free
Post-Run: 226,520,887,296 bytes free

- - End Of File - - AA7BA8386505D4A783F1709D403EF721




#8 m0le
Malware Response Team, 34,527 posts, London, UK

Posted 22 July 2010 - 07:19 PM

That looks good now.


Please run the ESET online scanner

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#9 rvlahovi (Topic Starter)
Members, 12 posts

Posted 22 July 2010 - 09:30 PM

I can't get past step two of the initialization. It is trying to download the signature database but I get a message "Can not get update. Is proxy configured?"



#10 m0le
Malware Response Team, 34,527 posts, London, UK

Posted 23 July 2010 - 01:10 PM

In Internet Explorer: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings".

In Firefox you find the proxy server settings like this: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.
m0le is a proud member of UNITE
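A read-only check of the two proxy settings this reply points at (IE's LAN settings and Firefox's prefs.js), added here as an example and not part of the thread; it assumes PowerShell 2.0 or later and the default Firefox profile location under $env:APPDATA.

```powershell
# Added example (not from the thread): a read-only audit of the proxy settings
# m0le's reply tells the user to check, IE's LAN settings and Firefox's prefs.js.
# Nothing is changed; the output lets a helper see whether a proxy or PAC script
# is configured, which is one reason an online scanner's installer can fail with
# "Can not get update. Is proxy configured?".
# Assumes PowerShell 2.0 or later and the default Firefox profile location.

function Get-IEProxySettings {
    # The "LAN settings" dialog reads and writes these WinINET values:
    # ProxyEnable is the "Use a proxy server" box, AutoConfigURL the
    # "Use automatic configuration script" box.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Browser       = 'Internet Explorer (WinINET)'
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer          # "host:port" or "http=host:port;https=..."
        ProxyOverride = $p.ProxyOverride        # bypass list, usually "<local>"
        AutoConfigURL = $p.AutoConfigURL        # PAC script URL, if any
    }
}

function Get-FirefoxProxySettings {
    # Documented meanings of network.proxy.type.
    $typeNames = @{ 0 = 'no proxy'; 1 = 'manual'; 2 = 'PAC script';
                    4 = 'auto-detect (WPAD)'; 5 = 'use system settings' }
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    $files = Get-ChildItem -Path $profiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        # prefs.js stores only values that differ from the build default, e.g.
        #   user_pref("network.proxy.type", 0);
        #   user_pref("network.proxy.http", "127.0.0.1");
        $prefs = @{}
        foreach ($line in (Get-Content -Path $f.FullName)) {
            if ($line -match '^user_pref\("(network\.proxy\.[^"]+)",\s*(.+)\);\s*$') {
                $prefs[$matches[1]] = $matches[2].Trim('"')
            }
        }
        # No entry means the build default applies; the greprefs\all.js line in the
        # ComboFix log above shows that default is 5 (system settings).
        $type = 5
        if ($prefs.ContainsKey('network.proxy.type')) { $type = [int]$prefs['network.proxy.type'] }
        $http = $null
        if ($prefs['network.proxy.http']) {
            $http = '{0}:{1}' -f $prefs['network.proxy.http'], $prefs['network.proxy.http_port']
        }
        $socks = $null
        if ($prefs['network.proxy.socks']) {
            $socks = '{0}:{1}' -f $prefs['network.proxy.socks'], $prefs['network.proxy.socks_port']
        }
        New-Object PSObject -Property @{
            Browser       = 'Firefox'
            Profile       = $f.Directory.Name
            ProxyType     = '{0} ({1})' -f $type, $typeNames[$type]
            HttpProxy     = $http
            SocksProxy    = $socks
            AutoConfigURL = $prefs['network.proxy.autoconfig_url']
        }
    }
}

function Invoke-ProxyAudit {
    # Print both reports, then return one finding per browser/profile that has an
    # explicit proxy or PAC script set (what the reply tells the user to switch off).
    $results = @(Get-IEProxySettings) + @(Get-FirefoxProxySettings)
    $results | Format-List | Out-Host
    $findings = @()
    foreach ($r in $results) {
        if ($r.Browser -like 'Internet Explorer*') {
            if ($r.ProxyEnabled -or $r.AutoConfigURL) {
                $findings += "IE: proxy '$($r.ProxyServer)' / PAC '$($r.AutoConfigURL)' is configured"
            }
        } elseif ($r.ProxyType -match '^[12] ') {
            $findings += "Firefox profile $($r.Profile): $($r.ProxyType) $($r.HttpProxy)$($r.SocksProxy)$($r.AutoConfigURL)"
        }
    }
    if ($findings.Count -eq 0) { 'No explicit proxy or PAC script configured in IE or Firefox.' }
    else { $findings }
}

Invoke-ProxyAudit
```

Run it in the affected user's session, since both the WinINET key and the Firefox profile are per-user; "Automatically detect settings" lives in a binary value this script does not parse.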

#11 rvlahovi (Topic Starter)
Members, 12 posts

Posted 23 July 2010 - 06:16 PM

C:\Qoobox\Quarantine\C\Documents and Settings\RickMary\Local Settings\Application Data\{A92FFD1A-F277-4C4F-9E59-5B5A5EC71799}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent trojan cleaned by deleting - quarantined




#12 m0le
Malware Response Team, 34,527 posts, London, UK

Posted 23 July 2010 - 06:19 PM

Only the quarantined virus was deleted. Clean log.

How is the PC running?
m0le is a proud member of UNITE

#13 rvlahovi (Topic Starter)
Members, 12 posts

Posted 23 July 2010 - 06:22 PM

Running fine although I ran an AVIRA scan yesterday and it found some infected files.

#14 m0le
Malware Response Team, 34,527 posts, London, UK

Posted 23 July 2010 - 06:41 PM

What did it find?
m0le is a proud member of UNITE

#15 rvlahovi (Topic Starter)
Members, 12 posts

Posted 23 July 2010 - 09:03 PM

Here is the Avira scan file report from yesterday:



Avira AntiVir Personal
Report file date: Thursday, July 22, 2010 17:16

Scanning for 2562399 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : RICK1

Version information:
BUILD.DAT : 9.0.0.422 21701 Bytes 3/9/2010 10:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/20/2009 01:08:24
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 01:08:24
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 01:08:24
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 03:51:15
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 03:51:19
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 02:27:35
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 23:40:28
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 23:14:45
VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 23:14:45
VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 23:14:45
VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 23:14:46
VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 23:14:46
VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 23:14:46
VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 23:14:46
VBASE013.VDF : 7.10.8.37 270336 Bytes 6/10/2010 23:14:51
VBASE014.VDF : 7.10.8.69 138752 Bytes 6/14/2010 21:26:42
VBASE015.VDF : 7.10.8.102 130560 Bytes 6/16/2010 21:26:47
VBASE016.VDF : 7.10.8.135 152064 Bytes 6/21/2010 21:27:28
VBASE017.VDF : 7.10.8.163 432128 Bytes 6/23/2010 21:25:44
VBASE018.VDF : 7.10.8.194 133632 Bytes 6/27/2010 21:26:17
VBASE019.VDF : 7.10.8.220 134656 Bytes 6/29/2010 21:26:24
VBASE020.VDF : 7.10.8.252 171520 Bytes 7/4/2010 21:26:57
VBASE021.VDF : 7.10.9.19 131072 Bytes 7/6/2010 21:27:02
VBASE022.VDF : 7.10.9.36 297472 Bytes 7/7/2010 21:27:04
VBASE023.VDF : 7.10.9.60 150016 Bytes 7/11/2010 21:27:12
VBASE024.VDF : 7.10.9.79 113152 Bytes 7/13/2010 21:27:17
VBASE025.VDF : 7.10.9.99 158720 Bytes 7/16/2010 00:40:38
VBASE026.VDF : 7.10.9.133 630784 Bytes 7/20/2010 00:41:17
VBASE027.VDF : 7.10.9.141 421376 Bytes 7/21/2010 22:15:03
VBASE028.VDF : 7.10.9.148 355328 Bytes 7/21/2010 22:15:07
VBASE029.VDF : 7.10.9.153 492032 Bytes 7/21/2010 22:15:14
VBASE030.VDF : 7.10.9.160 864768 Bytes 7/22/2010 22:15:25
VBASE031.VDF : 7.10.9.163 17408 Bytes 7/22/2010 22:15:25
Engineversion : 8.2.4.26
AEVDF.DLL : 8.1.2.0 106868 Bytes 4/23/2010 23:29:28
AESCRIPT.DLL : 8.1.3.41 1364346 Bytes 7/21/2010 00:41:55
AESCN.DLL : 8.1.6.1 127347 Bytes 5/12/2010 23:14:49
AESBX.DLL : 8.1.3.1 254324 Bytes 4/23/2010 23:29:28
AERDL.DLL : 8.1.8.2 614772 Bytes 7/21/2010 00:41:49
AEPACK.DLL : 8.2.3.2 471414 Bytes 7/21/2010 00:41:45
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/22/2010 22:15:30
AEHEUR.DLL : 8.1.2.6 2793846 Bytes 7/21/2010 00:41:40
AEHELP.DLL : 8.1.13.2 242039 Bytes 7/21/2010 00:41:24
AEGEN.DLL : 8.1.3.17 385396 Bytes 7/22/2010 22:15:28
AEEMU.DLL : 8.1.2.0 393588 Bytes 4/23/2010 23:29:26
AECORE.DLL : 8.1.16.2 192887 Bytes 7/21/2010 00:41:19
AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 23:29:26
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 9/9/2009 01:57:32
AVREP.DLL : 8.0.0.7 159784 Bytes 2/18/2010 03:09:40
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 4/27/2009 22:01:25
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 7/1/2009 07:43:23
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/20/2009 01:08:24

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, July 22, 2010 17:16

Starting search for hidden objects.
'71724' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'CPSHelpRunner.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'ACDaemon.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb03.exe' - '1' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'PDVDDXSrv.exe' - '1' Module(s) have been scanned
Scan process 'DrgToDsc.exe' - '1' Module(s) have been scanned
Scan process 'RoxWatchTray9.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'pmxmiced.exe' - '1' Module(s) have been scanned
Scan process 'ico.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'ULCDRSvr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'RoxWatch9.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'PIFSvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'FreeAgentService.exe' - '1' Module(s) have been scanned
Scan process 'FlipShareService.exe' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ACService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
52 processes with 52 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '61' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-3dc57d3a
[0] Archive type: ZIP
--> dev/s/AdgredY.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.S Java virus
--> dev/s/DyesyasZ.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.R Java virus
--> dev/s/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.1 Java virus
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP936\A0110052.exe
[DETECTION] Is the TR/Kryptik.eif.9728 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP936\A0110076.exe
[DETECTION] Is the TR/Kryptik.eif.9728 Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP936\A0110078.exe
[DETECTION] Is the TR/FakeScanti.T Trojan

Beginning disinfection:
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\1\11e45981-3dc57d3a
[NOTE] The file was moved to '4cadd015.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP936\A0110052.exe
[DETECTION] Is the TR/Kryptik.eif.9728 Trojan
[NOTE] The file was moved to '4c79d014.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP936\A0110076.exe
[DETECTION] Is the TR/Kryptik.eif.9728 Trojan
[NOTE] The file was moved to '45676825.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP936\A0110078.exe
[DETECTION] Is the TR/FakeScanti.T Trojan
[NOTE] The file was moved to '4a907295.qua'!


End of the scan: Thursday, July 22, 2010 18:10
Used time: 53:50 Minute(s)

The scan has been done completely.

14658 Scanned directories
399856 Files were scanned
6 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
399848 Files not concerned
7976 Archives were scanned
2 Warnings
6 Notes
71724 Objects were scanned with rootkit scan
0 Hidden objects were found
