
Computer Restart


This topic is locked
2 replies to this topic

#1 JefreyL

  • Members
  • 13 posts

Posted 11 July 2010 - 12:28 PM

Ok, so I've been trying to get rid of these virus/trojans for the past week. It began with removing AV suite security, but then came Defense Center. I ran Malwarebytes, Spybot, AVG, McAfee, and ComboFix. Before I ran ComboFix everything seemed normal except for the redirecting from search engines. After ComboFix things appear back to the way they were before. Except after I left my computer on overnight, I found that it was restarted and I was on my login screen. I checked my computer settings and I didn't make any changes to when the computer will reboot. Here is my latest ComboFix log.

ComboFix 10-07-10.01 - JEFF 07/10/2010 22:34:31.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.854 [GMT -7:00]
Running from: c:\documents and settings\JEFF\My Documents\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\JEFF\LOCALS~1\Temp\2280acd650e5.tmp
c:\docume~1\JEFF\LOCALS~1\Temp\5f1940283ffa.tmp
c:\docume~1\JEFF\LOCALS~1\Temp\6508758044b3.tmp
c:\docume~1\JEFF\LOCALS~1\Temp\669f0a19af8b.tmp
c:\docume~1\JEFF\LOCALS~1\Temp\6b636d7646e2.tmp
c:\docume~1\JEFF\LOCALS~1\Temp\d830dffb2710.tmp
c:\docume~1\JEFF\LOCALS~1\Temp\e0968c74b339.tmp
c:\docume~1\JEFF\LOCALS~1\Temp\e61d7381c5a5.tmp
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
c:\documents and settings\All Users\Application Data\93012646.ini
c:\documents and settings\All Users\Application Data\vlc-1.0.5-win32.exe
c:\documents and settings\JEFF\Application Data\Mevoeb
c:\documents and settings\JEFF\Application Data\Mevoeb\ekexo.exe
c:\documents and settings\JEFF\Local Settings\Application Data\Windows Server
c:\documents and settings\JEFF\Local Settings\Application Data\Windows Server\config.data
c:\documents and settings\JEFF\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\JEFF\Local Settings\Application Data\Windows Server\thread.xml
c:\documents and settings\JEFF\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\JEFF\Local Settings\Application Data\Windows Server\worker.info
c:\documents and settings\JEFF\Local Settings\Temp\2280acd650e5.tmp
c:\documents and settings\JEFF\Local Settings\Temp\5f1940283ffa.tmp
c:\documents and settings\JEFF\Local Settings\Temp\6508758044b3.tmp
c:\documents and settings\JEFF\Local Settings\Temp\669f0a19af8b.tmp
c:\documents and settings\JEFF\Local Settings\Temp\6b636d7646e2.tmp
c:\documents and settings\JEFF\Local Settings\Temp\d830dffb2710.tmp
c:\documents and settings\JEFF\Local Settings\Temp\e0968c74b339.tmp
c:\documents and settings\JEFF\Local Settings\Temp\e61d7381c5a5.tmp
c:\documents and settings\JEFF\NTProcDrv.sys
c:\windows\alobecerisubaca.dll
c:\windows\alularef.dll
c:\windows\apamiruxecaba.dll
c:\windows\aqebadis.dll
c:\windows\arenewucobuhogeh.dll
c:\windows\efepiditem.dll
c:\windows\elaloqetugu.dll
c:\windows\emuwareheguri.dll
c:\windows\ewamejes.dll
c:\windows\exadokez.dll
c:\windows\ezehayaticuha.dll
c:\windows\ifucuqep.dll
c:\windows\ipojadan.dll
c:\windows\ivuzesecoqafar.dll
c:\windows\system32\drivers\UACmltxjlkltvwbwwo.sys
c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\17oCE7.dll
c:\windows\system32\spool\prtprocs\w32x86\1oCEIQ.dll
c:\windows\system32\spool\prtprocs\w32x86\31793c79.dll
c:\windows\system32\spool\prtprocs\w32x86\31yWSK7y.dll
c:\windows\system32\spool\prtprocs\w32x86\555m5.dll
c:\windows\system32\spool\prtprocs\w32x86\79iQ7w3.dll
c:\windows\system32\spool\prtprocs\w32x86\9a17eIQ7w.dll
c:\windows\system32\spool\prtprocs\w32x86\C1s9e1aA.dll
c:\windows\system32\spool\prtprocs\w32x86\cE9317.dll
c:\windows\system32\spool\prtprocs\w32x86\E179eI79.dll
c:\windows\system32\spool\prtprocs\w32x86\gM93w7.dll
c:\windows\system32\spool\prtprocs\w32x86\IQ79cEI9.dll
c:\windows\system32\spool\prtprocs\w32x86\o931i93.dll
c:\windows\system32\spool\prtprocs\w32x86\u5mY5.dll
c:\windows\system32\spool\prtprocs\w32x86\UOC9s1eI.dll
c:\windows\system32\spool\prtprocs\w32x86\WSKU1m.dll
c:\windows\system32\spool\prtprocs\w32x86\Y5c5s.dll
c:\windows\system32\UAChompumkrixrvrii.db
c:\windows\system32\uactmp.db
c:\windows\ujucajuhiqi.dll
c:\windows\ukogeyajo.dll
c:\windows\Umuqua.exe
c:\windows\wsdnmsr.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
.

2010-07-10 20:09 . 2010-07-10 20:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-07-10 18:23 . 2010-07-10 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-07-10 18:18 . 2010-02-17 23:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-10 18:18 . 2010-02-17 23:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-07-10 18:18 . 2010-02-17 23:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-10 18:18 . 2009-07-16 19:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-10 18:16 . 2010-07-10 18:18 -------- d-----w- c:\program files\Common Files\McAfee
2010-07-10 18:16 . 2010-07-10 18:17 -------- d-----w- c:\program files\McAfee.com
2010-07-10 18:16 . 2010-07-10 18:22 -------- d-----w- c:\program files\McAfee
2010-07-10 18:12 . 2010-02-17 23:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-07-10 18:06 . 2010-07-10 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-10 11:05 . 2010-07-10 11:05 -------- d-----w- c:\documents and settings\JEFF\Local Settings\Application Data\Temp
2010-07-09 08:15 . 2010-07-09 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-07-09 08:11 . 2010-07-09 08:11 -------- d-----w- c:\program files\Citrix
2010-07-09 08:11 . 2010-07-09 08:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Citrix
2010-07-09 07:10 . 2010-07-09 07:24 -------- d-----w- c:\documents and settings\JEFF\Local Settings\Application Data\rcyeagchm
2010-07-09 05:52 . 2010-07-11 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-07-09 05:21 . 2010-07-09 05:21 -------- d-----w- c:\documents and settings\JEFF\Local Settings\Application Data\Threat Expert
2010-07-09 05:12 . 2010-06-08 02:16 763832 ----a-w- c:\windows\BDTSupport.dll
2010-07-09 05:12 . 2010-01-22 16:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-07-09 05:12 . 2009-10-28 08:36 1152444 ----a-w- c:\windows\UDB.zip
2010-07-09 05:12 . 2008-11-26 19:08 131 ----a-w- c:\windows\IDB.zip
2010-07-09 05:12 . 2010-06-08 00:21 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-07-09 05:12 . 2010-01-22 16:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-07-09 05:11 . 2010-02-05 16:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-07-09 05:11 . 2010-03-10 18:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-09 05:11 . 2009-11-23 20:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-09 05:11 . 2010-02-05 16:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-07-09 05:11 . 2010-07-10 05:17 -------- d-----w- c:\program files\Spyware Doctor
2010-07-09 05:11 . 2010-07-09 05:12 -------- d-----w- c:\program files\Common Files\PC Tools
2010-07-09 05:11 . 2010-07-09 05:11 -------- d-----w- c:\documents and settings\JEFF\Application Data\PC Tools
2010-07-09 05:11 . 2010-07-09 05:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-07-09 02:20 . 2010-07-09 02:20 -------- d-----w- C:\_OTM
2010-07-08 08:44 . 2010-07-08 08:44 -------- d-----w- c:\documents and settings\JEFF\Local Settings\Application Data\{0115AB46-43BA-495E-8CBF-00EE9141C4C5}
2010-07-08 08:05 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-08 08:05 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-08 07:25 . 2010-07-08 07:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-07-08 07:24 . 2010-07-08 07:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\acccore
2010-07-08 07:24 . 2010-07-08 07:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AIM
2010-07-08 07:24 . 2010-07-08 07:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2010-07-08 07:23 . 2010-07-08 07:23 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-08 06:35 . 2010-07-08 06:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-07 19:59 . 2010-07-07 19:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-07 17:22 . 2010-07-08 06:55 -------- d-----w- c:\documents and settings\JEFF\Local Settings\Application Data\egwjcgyyi
2010-07-07 17:11 . 2010-07-07 17:11 -------- d-----w- C:\spoolerlogs
2010-07-07 17:09 . 2010-07-07 17:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-04 09:38 . 2010-07-04 09:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-27 04:02 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-27 04:02 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-27 04:02 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-06-27 04:02 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-11 06:03 . 2009-04-23 02:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-11 05:23 . 2010-03-26 06:12 -------- d-----w- c:\documents and settings\JEFF\Application Data\Dyilal
2010-07-11 05:11 . 2010-06-04 06:38 120 ----a-w- c:\windows\Vgifatuxofum.dat
2010-07-11 04:28 . 2009-08-23 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-11 02:54 . 2005-10-21 14:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-11 02:17 . 2009-12-25 11:18 -------- d-----w- c:\program files\osu!
2010-07-10 19:18 . 2004-08-10 18:03 77859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-10 15:35 . 2010-07-10 15:35 693016 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\prepare\avgcsrvx.exe
2010-07-10 07:17 . 2010-06-04 06:38 0 ----a-w- c:\windows\Jkujutodigip.bin
2010-07-10 04:28 . 2010-04-07 07:39 -------- d-----w- c:\documents and settings\JEFF\Application Data\PriceGong
2010-07-09 10:00 . 2008-05-21 06:05 -------- d-----w- c:\program files\Google
2010-07-09 09:40 . 2010-07-09 09:40 1975408 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en32_signed.exe
2010-07-09 09:25 . 2004-08-10 17:51 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-07-09 08:35 . 2009-06-16 08:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 08:00 . 2009-07-14 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-09 05:52 . 2010-07-10 15:28 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2010-07-09 05:52 . 2010-07-10 15:28 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2010-07-09 05:52 . 2010-07-10 15:28 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2010-07-09 05:52 . 2010-07-10 15:28 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2010-07-09 05:01 . 2004-08-04 03:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-07-08 08:05 . 2009-06-17 00:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 16:06 . 2010-03-16 22:34 -------- d-----w- c:\program files\Silkroad
2010-06-06 07:09 . 2010-06-06 07:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 06:36 . 2010-06-04 06:36 12 ----a-w- c:\documents and settings\JEFF\Application Data\gklupx.dat
2010-06-01 03:32 . 2010-06-01 03:32 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-05-08 08:27 . 2010-05-08 08:27 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-05-08 08:27 . 2010-05-08 08:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-05-08 08:27 . 2010-05-08 08:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-05-08 08:27 . 2010-05-08 08:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-05-08 08:27 . 2010-05-08 08:27 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-05-08 08:27 . 2010-05-08 08:27 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-05-08 08:27 . 2010-05-08 08:27 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-05-08 08:27 . 2010-05-08 08:27 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-05-08 08:27 . 2010-03-17 05:13 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-05-08 08:25 . 2006-07-12 02:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-08 01:44 . 2009-10-08 01:44 685775 ----a-w- c:\program files\C19H28O2.v7.34.zip
2009-10-08 01:42 . 2009-10-08 01:42 4595900 ----a-w- c:\program files\SBot_1.41a.zip
2009-10-07 08:29 . 2009-10-07 08:29 4751384 ----a-w- c:\program files\ATTInternetInstaller.exe
2008-09-06 03:51 . 2008-09-06 03:49 6534 ----a-w- c:\program files\ST6UNST.LOG
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-06 02:26 . 2008-05-06 02:26 8 --sh--r- c:\windows\system32\D1561729CF.sys
2008-05-06 02:26 . 2008-05-06 02:26 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
2010-03-28 19:47 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-10-06 2075384]
"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]
"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2010-02-24 982528]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-09 39408]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"nwiz"="nwiz.exe" [2007-04-19 1626112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-08 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-10 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\JEFF\Start Menu\Programs\Startup\
syscron.exe [2008-4-13 61960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 22:48 32881 ----a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sp_rssrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Documents and Settings\\JEFF\\Desktop\\SRO_New_Full-Client_Downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\JEFF\\Desktop\\SRO_L4_Full_Client_Downloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\JEFF\\My Documents\\SRO_L4.5_Hotan_Full_Client_Downloader.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ijjiOptimizer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6981:TCP"= 6981:TCP:League of Legends Launcher
"6981:UDP"= 6981:UDP:League of Legends Launcher

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/8/2010 10:11 PM 217032]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [7/8/2010 10:12 PM 112592]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/10/2010 11:23 AM 203280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/5/2008 8:32 PM 24652]
S2 0227231278785881mcinstcleanup;McAfee Application Installer Cleanup (0227231278785881);c:\docume~1\JEFF\LOCALS~1\Temp\022723~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\JEFF\LOCALS~1\Temp\022723~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 ggnsckhq;ggnsckhq;c:\windows\system32\drivers\livjp.sys --> c:\windows\system32\drivers\livjp.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/9/2010 3:00 AM 135664]
S2 rtuomkvb;rtuomkvb;c:\windows\system32\drivers\idhhwbn.sys --> c:\windows\system32\drivers\idhhwbn.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\Silkroad\NtProcDrv.sys --> c:\program files\Silkroad\NtProcDrv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/8/2010 10:11 PM 366840]
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-09 10:00]

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-09 10:00]

2010-07-10 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-10 19:22]

2010-07-10 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-07-10 19:22]

2010-07-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-897587264-554499079-576479661-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-07-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-897587264-554499079-576479661-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-07-11 c:\windows\Tasks\User_Feed_Synchronization-{7EE50283-5EA8-478E-B5D4-210A61E02867}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
FF - ProfilePath - c:\documents and settings\JEFF\Application Data\Mozilla\Firefox\Profiles\7bhuey9t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - hxxp://home.alot.com/?src_id=11511&client_id=88a94864c6ce881408a8f923&camp_id=-3&install_time=2010-04-07T07:56Z&tb_version=2.4.2000%28F%29
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11511&client_id=88a94864c6ce881408a8f923&camp_id=-3&install_time=2010-04-07T07:56Z&tb_version=2.4.2000%28F%29&pr=auto&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {0115AB46-43BA-495E-8CBF-00EE9141C4C5} - c:\documents and settings\JEFF\Local Settings\Application Data\{0115AB46-43BA-495E-8CBF-00EE9141C4C5}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-BFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-{25CD6DDE-2482-D97E-29C6-58EC43FE2AEC} - c:\documents and settings\JEFF\Application Data\Mevoeb\ekexo.exe
HKCU-Run-Idupurixuq - c:\windows\wsdnmsr.dll
HKLM-Run-Vziwewidumuhifop - c:\windows\alularef.dll
SafeBoot-klmdb.sys
AddRemove-Defense Center - c:\program files\Defense Center\Pklkvqdii+`}`



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-10 23:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\JEFF\Start Menu\Programs\Startup\syscron.exe 61960 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(700)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(420)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\nvcpl.dll
c:\windows\system32\nvapi.dll
c:\windows\system32\igfxpph.dll
c:\windows\system32\hccutils.DLL
c:\windows\system32\igfxres.dll
c:\windows\system32\igfxress.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\nvshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\stsystra.exe
c:\program files\Super_DVD_Creator_9.8\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
.
**************************************************************************
.
Completion time: 2010-07-10 23:13:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-11 06:13

Pre-Run: 16,171,438,080 bytes free
Post-Run: 16,661,368,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 098B1A46B402E39653342B9545896CF9

Edited by boopme, 23 July 2010 - 02:41 PM.



#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 July 2010 - 04:48 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 July 2010 - 06:56 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
