Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Assistance - Virtumonde / Hiloti Malware Redirecting


  • This topic is locked This topic is locked
15 replies to this topic

#1 Rainier8

Rainier8

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 11 July 2010 - 09:20 PM

Hello,

I'm new to this, and posted the other day, but did not know about "bumping" my topic. I replied with additional twice more, making it less likely I'll get help, so I'm reposting. My old topic was: Malware Infection: hxxp://www.news-11-today.com, I don't know the proper steps for removal.

Here is the run down, I get a pop-up window in both Mozilla and IE browsers reading: hxxp://www.news-11-today.com/money-news/breaking-news.php?ex=001&tid=dus1x245 and then things slow down. I searched and found out this seems to be related to a malware infection. Prior to searching, I tried running Malwarebytes current version, and also my Avira virus scan. It did not seem to work. I had much trouble running GMER.

I was able to run Spybot S&D and it detected Virtumonde Trojan. Virtumonde was removed and other remnants on a reboot removed as well. Then I was able to run new DDS reports and also GMER, all of which are attached here.

I did notice, however, that after another reboot, a "local search" web page opened up when I opened up Mozilla....meaning all is not well yet.

Based on another article here at the Bleepingcomputer webpage, I ran through procedures to get Malwarebytes running. It detected the trojan HILOTI, and then removed it. Of course, it didn't do any good when I restarted and the re-directing started up again. I noticed it in both browsers, and especially if I try to google the problem and click through to advice web pages.

When I was running a new version of GMER, before it jammed up and stopped responding, I noticed my Avira antivirus had once again been turned off by evil forces. I am doing all of this with my wireless turned off. I only turned it on to provide this update. At this point, I am not doing anything else, no changes, downloads, windows updates...nothing, until I hear from someone that knows what their doing.

Other things I've noticed, is that my Avira Antivirus will turn off on it's own. I also had a notification that a Windows Update was waiting for me to install. I did not install it, and now that I've rebooted, the notification is gone.

The reports are attached. The GMER report took about 14 hours to get to!

Sorry for the confusion about reposting and bumping.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kevin Coyne at 12:49:43.39 on Sat 07/10/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1341 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\KEVINC~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Mpf4\Mpf.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kevin Coyne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Favorites] c:\program files\webroot\mpf4\Mpf.exe /S
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\kevinc~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: santa-cruz.ca.us\owa.co
Trusted Zone: musicmatch.com\online
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} - hxxp://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194145231046
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://www.photofinale.com/ImageUploader/ImageUploader4.cab
DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - No File
Hosts: 216.19.0.250 idenupdate.motorola.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevinc~1\applic~1\mozilla\firefox\profiles\zzct4dpu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com
FF - component: c:\program files\paypal\paypal plug-in\components\PayPalPlugin.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {CEB00DC5-10BA-4322-AF49-E460BA0CC3D0} - c:\documents and settings\kevin coyne\local settings\application data\{CEB00DC5-10BA-4322-AF49-E460BA0CC3D0}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-16 64160]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-8-10 3968]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-11 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-11 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-12 60936]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-3 24652]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2007-8-15 598856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-7 133104]

============== File Associations ===============

txtfile=c:\reunion\reunion.exe %1

=============== Created Last 30 ================

2010-07-10 19:49:18 0 ----a-w- c:\documents and settings\kevin coyne\defogger_reenable
2010-07-10 17:59:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 17:59:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 17:27:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 17:24:18 0 ----a-w- c:\windows\evomubar.dll
2010-07-10 17:20:48 0 ----a-w- c:\windows\ohikovuviyaki.dll
2010-07-10 17:19:48 0 ----a-w- c:\windows\amedidakipipa.dll
2010-07-10 17:18:27 0 ----a-w- c:\windows\iretecoqajete.dll
2010-07-10 17:16:49 0 ----a-w- c:\windows\atifokelodasod.dll
2010-07-10 16:21:09 0 ----a-w- c:\windows\onaxesab.dll
2010-07-10 14:19:29 0 ----a-w- c:\windows\asiculen.dll
2010-07-10 12:17:19 0 ----a-w- c:\windows\oyitizic.dll
2010-07-10 10:46:40 0 ----a-w- c:\windows\alakowucafojufa.dll
2010-07-10 08:44:40 0 ----a-w- c:\windows\igeroqax.dll
2010-07-10 06:44:52 0 ----a-w- c:\windows\ukumoqix.dll
2010-07-10 01:12:05 0 ----a-w- c:\windows\ujafonut.dll
2010-07-09 23:12:49 0 ----a-w- c:\windows\avasalut.dll
2010-07-09 15:02:21 0 ----a-w- c:\windows\ukapicon.dll
2010-07-09 03:30:13 120 ----a-w- c:\windows\Tlipagifin.dat
2010-07-09 03:30:13 0 ----a-w- c:\windows\Vjemalevetecof.bin
2010-06-13 07:23:31 0 d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-06-22 01:17:32 27518 ----a-w- c:\docume~1\kevinc~1\applic~1\wklnhst.dat
2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 11:43:25 634656 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-04-16 11:43:23 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2005-05-14 00:12:00 217073 --sha-r- c:\windows\meta4.exe
2005-07-14 19:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2006-09-23 19:57:23 88 --sh--r- c:\windows\system32\DD96005965.sys
2004-01-25 07:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-09-23 19:57:24 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2005-02-28 20:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
2008-09-21 08:40:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat

============= FINISH: 12:51:49.75 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:15 PM

Posted 11 July 2010 - 10:48 PM

Hi, Rainier8 smile.gif

welcome.gif

Lets try Combofix.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. Install the Recovery Console if prompted.
  6. When finished, it will produce a report for you.
  7. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#3 Rainier8

Rainier8
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 12 July 2010 - 12:23 AM

Saludos!

Thank you for your quick reply. Combofix ran without any problems. I have attached the log. I'll await your response.

ComboFix 10-07-11.03 - Kevin Coyne 07/11/2010 21:55:59.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1573 [GMT -7:00]
Running from: c:\documents and settings\Kevin Coyne\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kevin Coyne\Local Settings\Application Data\{CEB00DC5-10BA-4322-AF49-E460BA0CC3D0}
c:\documents and settings\Kevin Coyne\Local Settings\Application Data\{CEB00DC5-10BA-4322-AF49-E460BA0CC3D0}\chrome.manifest
c:\documents and settings\Kevin Coyne\Local Settings\Application Data\{CEB00DC5-10BA-4322-AF49-E460BA0CC3D0}\chrome\content\_cfg.js
c:\documents and settings\Kevin Coyne\Local Settings\Application Data\{CEB00DC5-10BA-4322-AF49-E460BA0CC3D0}\chrome\content\overlay.xul
c:\documents and settings\Kevin Coyne\Local Settings\Application Data\{CEB00DC5-10BA-4322-AF49-E460BA0CC3D0}\install.rdf
c:\windows\alakowucafojufa.dll
c:\windows\amedidakipipa.dll
c:\windows\asiculen.dll
c:\windows\atifokelodasod.dll
c:\windows\avasalut.dll
c:\windows\evomubar.dll
c:\windows\igeroqax.dll
c:\windows\iretecoqajete.dll
c:\windows\ohikovuviyaki.dll
c:\windows\onaxesab.dll
c:\windows\oyitizic.dll
c:\windows\system32\BSTIep~1.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\Data
c:\windows\ujafonut.dll
c:\windows\ukapicon.dll
c:\windows\ukumoqix.dll

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
.

2010-07-12 04:58 . 2010-07-12 04:58 -------- d-----w- c:\windows\LastGood
2010-07-12 00:03 . 2010-07-12 00:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-10 17:59 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 17:59 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 17:27 . 2010-07-10 18:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-09 08:53 . 2010-07-09 08:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-09 03:30 . 2010-07-09 08:57 120 ----a-w- c:\windows\Tlipagifin.dat
2010-07-09 03:30 . 2010-07-09 08:57 0 ----a-w- c:\windows\Vjemalevetecof.bin
2010-06-23 02:37 . 2010-06-23 02:37 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtbA45.tmp.exe
2010-06-13 07:23 . 2010-07-09 06:15 -------- d-----w- c:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 04:35 . 2006-08-30 05:02 -------- d-----w- c:\documents and settings\Kevin Coyne\Application Data\OpenOffice.org2
2010-07-12 00:08 . 2010-02-01 07:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-12 00:01 . 2006-12-16 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-10 18:56 . 2008-05-02 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-10 18:56 . 2006-07-22 20:05 -------- d-----w- c:\program files\Lavasoft
2010-07-10 17:15 . 2009-08-23 18:21 -------- d-----w- c:\documents and settings\Kevin Coyne\Application Data\vlc
2010-07-10 14:08 . 2007-03-18 03:44 -------- d-----w- c:\documents and settings\Kevin Coyne\Application Data\uTorrent
2010-07-01 05:51 . 2010-05-12 05:50 439816 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Real\Update\setup3.10\setup.exe
2010-06-22 01:17 . 2006-07-22 21:54 27518 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\wklnhst.dat
2010-06-09 10:33 . 2009-10-05 15:44 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 19:19 . 2006-09-05 01:59 -------- d-----w- c:\program files\WinMX
2010-06-05 03:55 . 2010-01-01 19:32 -------- d-----w- c:\program files\AIM7
2010-06-05 03:55 . 2010-06-05 03:55 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-06-03 02:05 . 2010-06-03 02:05 503808 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b11b5c3-n\msvcp71.dll
2010-06-03 02:05 . 2010-06-03 02:05 499712 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b11b5c3-n\jmc.dll
2010-06-03 02:05 . 2010-06-03 02:05 61440 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-508be12c-n\decora-sse.dll
2010-06-03 02:05 . 2010-06-03 02:05 348160 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b11b5c3-n\msvcr71.dll
2010-06-03 02:05 . 2010-06-03 02:05 12800 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-508be12c-n\decora-d3d.dll
2010-06-01 04:14 . 2006-09-12 20:59 -------- d-----w- c:\documents and settings\Kevin Coyne\Application Data\U3
2010-05-21 03:22 . 2007-03-18 03:44 -------- d-----w- c:\program files\uTorrent
2010-05-04 17:20 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2005-05-14 00:12 . 2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe
2005-07-14 19:31 . 2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-09-23 19:57 . 2006-09-23 19:38 88 --sh--r- c:\windows\system32\DD96005965.sys
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-09-23 19:57 . 2006-09-23 19:38 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

------- Sigcheck -------

[-] 2009-11-08 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-11-08 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2008-08-20 . 3ADCE4790F591BF160A94F6F08039577 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-06-19 . 482AB7F9CD41702E8F856C11CFEFB02D . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576]
"Favorites"="c:\program files\Webroot\Mpf4\Mpf.exe" [2003-11-09 729600]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-03-16 1355468]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-26 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-26 974848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-01 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Kevin Coyne\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-16 24576]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-4 1078]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\PeerGuardian2\\pg2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/16/2009 12:45 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/11/2010 9:44 AM 135336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/3/2007 10:10 PM 24652]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [8/15/2007 8:51 PM 598856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 6:49 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 01:49]

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 01:49]

2010-07-11 c:\windows\Tasks\User_Feed_Synchronization-{9A2AA935-6E51-49BD-809F-F4A9BDF8331C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: santa-cruz.ca.us\owa.co
Trusted Zone: musicmatch.com\online
DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab
FF - ProfilePath - c:\documents and settings\Kevin Coyne\Application Data\Mozilla\Firefox\Profiles\zzct4dpu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
txtfile=c:\reunion\reunion.exe %1
.
- - - - ORPHANS REMOVED - - - -

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-07-11 22:07:14
ComboFix-quarantined-files.txt 2010-07-12 05:07

Pre-Run: 3,454,279,680 bytes free
Post-Run: 3,555,315,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9ABFE0273414339B00F6A12A5DA003F4


Rainier8

Attached Files


Edited by JSntgRvr, 12 July 2010 - 12:27 AM.


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:15 PM

Posted 12 July 2010 - 12:53 AM

Lets try this fix:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
QUOTE
Collect::
c:\windows\Tlipagifin.dat
c:\windows\Vjemalevetecof.bin
c:\windows\meta4.exe

File::
c:\windows\system32\dllcache\TCPIP.SYS

Fcopy::
c:\windows\ServicePackFiles\i386\TCPIP.SYS|c:\windows\system32\drivers\TCPIP.SYS

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6F,63,68,65,63,6B,20,61,75,74,6F,\
63,68,6B,20,2A,00,00

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]




Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If the upload of these files fails, Combofix created a zipped file in the C:\Qoobox\Quarantine folder labeled in the form of [4]-Submit_Date_Time.zip. Please have this file uploaded to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.

Edited by JSntgRvr, 12 July 2010 - 12:54 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#5 Rainier8

Rainier8
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 12 July 2010 - 01:29 AM

Hello,

I did it, and it appeared that the file uploaded successfully from Combofix. Do I still need to do anything further with this log?

Rainier 8

PS: Thanks so much.

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:15 PM

Posted 12 July 2010 - 03:24 PM

When you drag and drop the fix, Combofix will run and another report will be produced. I need to see that report. Make sure is not the one you posted earlier.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#7 Rainier8

Rainier8
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 12 July 2010 - 06:54 PM

When I dragged and dropped the fix, a report was generated and uploaded (through Combofix). If you did not get it by that method, I'll go to C:\Qoobox\Quarantine when I get home later and upload the zip file it to that link you provided to me before.

Is that all you need at this point of the process?

Thank you so much.

#8 Rainier8

Rainier8
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 12 July 2010 - 08:03 PM

Hello,

I submitted the zip file to you at the link you provided me.

Gracias

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:15 PM

Posted 12 July 2010 - 09:05 PM

Thanks for the file.

Please run Combofix once again and post its report.
  • Launch and update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 21 .
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation ( jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")

Edited by JSntgRvr, 12 July 2010 - 09:14 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#10 Rainier8

Rainier8
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 13 July 2010 - 07:36 AM

Here are the results. As you can see, MBAM found nothing, but Kaspersky found 4 items:

Combofix:

ComboFix 10-07-12.02 - Kevin Coyne 07/12/2010 22:48:07.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1291 [GMT -7:00]
Running from: c:\documents and settings\Kevin Coyne\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\KEVINC~1\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Kevin Coyne\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp

.
((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
.

2010-07-12 00:03 . 2010-07-12 00:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-10 17:59 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 17:59 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 17:27 . 2010-07-10 18:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-09 08:53 . 2010-07-09 08:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-23 02:37 . 2010-06-23 02:37 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtbA45.tmp.exe
2010-06-13 07:23 . 2010-07-09 06:15 -------- d-----w- c:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-13 05:38 . 2006-08-30 05:02 -------- d-----w- c:\documents and settings\Kevin Coyne\Application Data\OpenOffice.org2
2010-07-12 06:04 . 2009-08-23 18:21 -------- d-----w- c:\documents and settings\Kevin Coyne\Application Data\vlc
2010-07-12 00:08 . 2010-02-01 07:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-12 00:01 . 2006-12-16 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-10 18:56 . 2008-05-02 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-10 18:56 . 2006-07-22 20:05 -------- d-----w- c:\program files\Lavasoft
2010-07-10 14:08 . 2007-03-18 03:44 -------- d-----w- c:\documents and settings\Kevin Coyne\Application Data\uTorrent
2010-07-01 05:51 . 2010-05-12 05:50 439816 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Real\Update\setup3.10\setup.exe
2010-06-22 01:17 . 2006-07-22 21:54 27518 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\wklnhst.dat
2010-06-09 10:33 . 2009-10-05 15:44 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 19:19 . 2006-09-05 01:59 -------- d-----w- c:\program files\WinMX
2010-06-05 03:55 . 2010-01-01 19:32 -------- d-----w- c:\program files\AIM7
2010-06-05 03:55 . 2010-06-05 03:55 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-06-03 02:05 . 2010-06-03 02:05 503808 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b11b5c3-n\msvcp71.dll
2010-06-03 02:05 . 2010-06-03 02:05 499712 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b11b5c3-n\jmc.dll
2010-06-03 02:05 . 2010-06-03 02:05 61440 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-508be12c-n\decora-sse.dll
2010-06-03 02:05 . 2010-06-03 02:05 348160 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5b11b5c3-n\msvcr71.dll
2010-06-03 02:05 . 2010-06-03 02:05 12800 ----a-w- c:\documents and settings\Kevin Coyne\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-508be12c-n\decora-d3d.dll
2010-06-01 04:14 . 2006-09-12 20:59 -------- d-----w- c:\documents and settings\Kevin Coyne\Application Data\U3
2010-05-21 03:22 . 2007-03-18 03:44 -------- d-----w- c:\program files\uTorrent
2010-05-04 17:20 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2005-07-14 19:31 . 2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-09-23 19:57 . 2006-09-23 19:38 88 --sh--r- c:\windows\system32\DD96005965.sys
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-09-23 19:57 . 2006-09-23 19:38 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 07:00 . 2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-12_05.05.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-13 05:35 . 2010-07-13 05:35 16384 c:\windows\Temp\Perflib_Perfdata_310.dat
- 2006-11-07 06:00 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2006-11-07 06:00 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2004-08-10 17:51 . 2010-07-13 05:40 72134 c:\windows\system32\perfc009.dat
- 2004-08-10 17:51 . 2010-07-12 04:59 72134 c:\windows\system32\perfc009.dat
+ 2004-08-10 17:51 . 2010-07-13 05:40 443034 c:\windows\system32\perfh009.dat
- 2004-08-10 17:51 . 2010-07-12 04:59 443034 c:\windows\system32\perfh009.dat
+ 2004-08-10 17:51 . 2008-06-20 11:51 361600 c:\windows\system32\drivers\tcpip.sys
- 2004-08-10 17:51 . 2009-11-08 23:20 361600 c:\windows\system32\drivers\TCPIP.SYS
+ 2008-06-20 11:51 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
- 2008-06-20 11:51 . 2009-11-08 23:20 361600 c:\windows\system32\dllcache\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576]
"Favorites"="c:\program files\Webroot\Mpf4\Mpf.exe" [2003-11-09 729600]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-03-16 1355468]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-26 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-26 974848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-01 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Kevin Coyne\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-16 24576]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-4 1078]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\PeerGuardian2\\pg2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/16/2009 12:45 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/11/2010 9:44 AM 135336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/3/2007 10:10 PM 24652]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [8/15/2007 8:51 PM 598856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 6:49 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 01:49]

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 01:49]

2010-07-13 c:\windows\Tasks\User_Feed_Synchronization-{9A2AA935-6E51-49BD-809F-F4A9BDF8331C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: santa-cruz.ca.us\owa.co
Trusted Zone: musicmatch.com\online
DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} - hxxp://www.eomniform.com/OF5/nsplugins/OFMailX.cab
FF - ProfilePath - c:\documents and settings\Kevin Coyne\Application Data\Mozilla\Firefox\Profiles\zzct4dpu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
txtfile=c:\reunion\reunion.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-12 22:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-12 22:59:18
ComboFix-quarantined-files.txt 2010-07-13 05:59
ComboFix2.txt 2010-07-12 06:23
ComboFix3.txt 2010-07-12 05:07

Pre-Run: 4,230,578,176 bytes free
Post-Run: 4,220,461,056 bytes free

- - End Of File - - 42A8239983617EF47F7497C28168C163


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4307

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

7/12/2010 11:07:50 PM
mbam-log-2010-07-12 (23-07-50).txt

Scan type: Quick scan
Objects scanned: 146469
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, July 13, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, July 13, 2010 03:54:54
Records in database: 4228113
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 98761
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 05:14:14


File name / Threat / Threats count
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys2\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1231\A0127421.sys Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.

Attached Files



#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:15 PM

Posted 13 July 2010 - 12:46 PM

Do you recognize this program?

c:\reunion\reunion.exe

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#12 Rainier8

Rainier8
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 13 July 2010 - 06:57 PM

Yes, it's a very simple genealogy program and database that I've had for years (since windows 95 I think). It can generate reports in rtf format, and charts. It can also import and export GEDCOM files.

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:15 PM

Posted 13 July 2010 - 09:58 PM

In that case, all is left is some housekeeping. Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Rename Combofix to Uninstall and click on it. That should remove the application.
Please download OTC by OldTimer.
  • Save it to your desktop.
  • Please double-click OTC.exe to run it. (Vista users, please right click on OTC.exe and select "Run as an Administrator")
  • This will delete the tools we used in the removal of malware, including this program.
  • If you are asked to reboot to complete the removal process then please do so
Upon restart, manually remove any remaining tools.
Manually remove any tool left.

Create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  3. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  4. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  5. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  6. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#14 Rainier8

Rainier8
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:15 PM

Posted 13 July 2010 - 11:39 PM

Thank you.

I did all the cleanup. I also went through my startup programs using the index here on bleepingcomputer.com , and using ccleaner disabled a bunch of things.

In regards to SpyBot. In the past I installed it with Teatimer active, but thought it made my system run slow, so I uninstalled it and reinstalled it without Teatimer. What are your thoughts on the Teatimer portion?

Should either of these programs be running at the same time as my Avira Antivirus, and does any combination cause unwanted conflicts, or should they just be run occasionally or as needed?



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,220 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:15 PM

Posted 14 July 2010 - 06:22 AM

QUOTE(Rainier8 @ Jul 14 2010, 12:39 AM) View Post
Thank you.

I did all the cleanup. I also went through my startup programs using the index here on bleepingcomputer.com , and using ccleaner disabled a bunch of things.

In regards to SpyBot. In the past I installed it with Teatimer active, but thought it made my system run slow, so I uninstalled it and reinstalled it without Teatimer. What are your thoughts on the Teatimer portion?

Should either of these programs be running at the same time as my Avira Antivirus, and does any combination cause unwanted conflicts, or should they just be run occasionally or as needed?

It shouldn't give you a problem or slow down your computer. You should never have more than one Antivirus and one Firewall application running at the same time, but anti-spyware or anti-adware applications can be combined and act a compliment to each other, as long as you do not over do it. Despite any protection, there are no defense against new variants. Only observing good practices while online will keep you out of trouble.

Be safe. smile.gif

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users