Combofix log


This topic is locked
23 replies to this topic

#1 mrdsb

  • Members
  • 14 posts

Posted 12 July 2010 - 04:07 PM

ComboFix 10-07-11.07 - BLAKE 07/12/2010 15:57:27.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2212 [GMT -4:00]
Running from: c:\users\BLAKE\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\F3CJpeg.dll
c:\program files\MyWebSearch\bar\1.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTtpct.dll
c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\1.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSUABTN.DLL
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\users\BLAKE\AppData\Roaming\lsass.exe
c:\users\BLAKE\AppData\Roaming\Microsoft\Svchost.exe
c:\windows\7Loader.TAG
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\KBL.LOG

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MyWebSearchService
-------\Service_unikorn


((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
.

2010-07-12 20:09 . 2010-07-12 20:12 -------- d-----w- c:\users\BLAKE\AppData\Local\temp
2010-07-12 20:09 . 2010-07-12 20:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-12 20:09 . 2010-07-12 20:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-12 20:09 . 2010-07-12 20:09 -------- d-----w- c:\users\Dav\AppData\Local\temp
2010-07-12 19:53 . 2010-07-12 19:53 -------- d-----w- C:\32788R22FWJFW
2010-07-09 17:53 . 2010-07-12 19:06 -------- d-----w- c:\users\BLAKE\AppData\Local\CrashDumps
2010-07-09 02:30 . 2010-07-09 02:29 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-09 02:29 . 2010-07-09 02:30 -------- d-----w- c:\program files\Symantec
2010-07-09 02:29 . 2010-07-12 23:26 -------- d-----w- c:\windows\system32\drivers\NAV
2010-07-09 02:29 . 2010-07-09 02:29 -------- d-----w- c:\program files\Norton AntiVirus
2010-07-09 02:29 . 2010-07-12 23:26 -------- d-----w- c:\programdata\Norton
2010-07-09 02:27 . 2010-07-09 02:27 -------- d-----w- c:\programdata\NortonInstaller
2010-06-30 20:56 . 2010-06-30 20:56 -------- d-----w- c:\users\BLAKE\AppData\Roaming\SiteAdvisor
2010-06-30 20:53 . 2010-06-30 20:53 -------- d-----w- c:\program files\McAfee.com
2010-06-30 20:53 . 2010-06-30 20:55 -------- d-----w- c:\program files\Common Files\McAfee
2010-06-30 20:53 . 2010-06-30 20:56 -------- d-----w- c:\program files\McAfee
2010-06-24 14:04 . 2010-06-24 14:04 -------- d-----w- c:\program files\Canon
2010-06-24 13:34 . 2010-06-24 13:34 -------- d-----w- c:\users\BLAKE\AppData\Roaming\ScanSoft
2010-06-24 13:34 . 2010-06-24 13:34 -------- d-----w- c:\programdata\SSScanWizard
2010-06-24 13:34 . 2010-06-24 13:34 -------- d-----w- c:\programdata\SSScanAppDataDir
2010-06-24 13:33 . 2010-06-24 13:34 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-06-24 13:33 . 2010-06-24 13:33 -------- d-----w- c:\program files\ScanSoft
2010-06-24 13:33 . 2010-06-24 13:33 -------- d-----w- c:\program files\ArcSoft
2010-06-24 13:33 . 1995-08-01 08:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2010-06-24 13:31 . 2010-06-24 13:31 -------- d-----w- c:\windows\Profiles
2010-06-24 13:31 . 2010-06-24 13:31 -------- d-----w- c:\windows\system32\Adobe
2010-06-24 13:31 . 2010-06-24 13:31 -------- d-----w- c:\users\BLAKE\AppData\Roaming\InterTrust
2010-06-24 13:31 . 1998-10-29 19:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-17 14:22 . 2010-06-17 14:22 -------- d-----w- c:\programdata\RegCure
2010-06-17 14:22 . 2010-06-19 15:31 -------- d-----w- c:\program files\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 23:26 . 2010-04-29 14:33 -------- d-----w- c:\users\BLAKE\AppData\Roaming\Network Printer
2010-07-12 23:26 . 2010-02-26 02:39 -------- d-----w- c:\program files\Veetle
2010-07-12 23:26 . 2009-08-19 15:13 -------- d-----w- c:\programdata\FLEXnet
2010-07-12 23:26 . 2007-11-26 05:02 -------- d-----w- c:\programdata\Microsoft Help
2010-07-12 23:26 . 2007-11-26 04:40 -------- d-----w- c:\program files\Microsoft Works
2010-07-09 04:48 . 2009-04-29 23:13 -------- d-----w- c:\users\BLAKE\AppData\Roaming\Azureus
2010-07-09 04:30 . 2009-06-17 22:16 -------- d-----w- c:\program files\DivX Installer
2010-07-09 02:43 . 2009-12-13 12:51 148 ---ha-w- c:\users\BLAKE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\santa.bat
2010-07-09 02:33 . 2007-11-26 03:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-09 02:29 . 2010-07-09 02:30 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-09 02:29 . 2010-07-09 02:30 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-09 02:27 . 2010-05-06 18:07 -------- d-----w- c:\program files\NortonInstaller
2010-07-09 02:24 . 2007-11-26 03:25 -------- d-----w- c:\programdata\Symantec
2010-07-09 02:05 . 2009-04-29 23:20 175 ----a-w- c:\users\BLAKE\AppData\Roaming\Azureus\restart.bat
2010-07-06 16:28 . 2009-04-29 22:42 -------- d-----w- c:\program files\Vuze
2010-07-06 16:27 . 2010-07-06 16:27 52224 ----a-w- c:\users\BLAKE\AppData\Roaming\Mozilla\Firefox\Profiles\hznrt2jq.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
2010-07-06 16:27 . 2010-07-06 16:27 101376 ----a-w- c:\users\BLAKE\AppData\Roaming\Mozilla\Firefox\Profiles\hznrt2jq.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
2010-06-30 20:57 . 2010-05-12 18:31 -------- d-----w- c:\programdata\McAfee
2010-06-30 19:51 . 2009-07-18 05:15 -------- d-----w- c:\users\BLAKE\AppData\Roaming\vlc
2010-06-25 23:28 . 2009-12-11 10:35 69161 ----a-w- c:\programdata\nvModes.dat
2010-06-24 14:04 . 2007-11-26 03:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-24 13:31 . 2007-11-26 05:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-21 17:01 . 2008-01-25 05:48 -------- d-----w- c:\programdata\NVIDIA
2010-06-20 20:42 . 2010-01-31 03:52 -------- d-----w- c:\users\BLAKE\AppData\Roaming\dvdcss
2010-06-09 22:58 . 2010-05-12 18:31 -------- d-----w- c:\program files\McAfee Security Scan
2010-06-09 21:44 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-06-09 21:44 . 2010-05-12 18:31 -------- d-----w- c:\programdata\McAfee Security Scan
2010-06-09 21:44 . 2010-04-16 12:59 -------- d-----w- c:\programdata\DivX
2010-06-09 21:44 . 2009-06-17 22:18 -------- d-----w- c:\program files\DivX
2010-06-09 21:42 . 2009-04-29 17:36 -------- d-----w- c:\programdata\Yahoo! Companion
2010-06-08 17:09 . 2010-06-03 22:18 -------- d-----w- c:\users\BLAKE\AppData\Roaming\DivX
2010-05-10 14:01 . 2009-12-11 10:36 120624 ----a-w- c:\users\BLAKE\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-09 12:03 . 2010-04-29 14:33 144 ----a-w- c:\users\BLAKE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe
2010-05-06 10:14 . 2010-05-06 10:14 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-06 07:47 . 2010-05-06 07:47 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-05-06 07:47 . 2010-05-06 07:47 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-06 07:47 . 2010-05-06 07:47 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-05-06 07:46 . 2010-05-06 07:46 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-05-06 07:46 . 2010-05-06 07:46 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-06 07:44 . 2010-05-06 07:44 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-05-06 07:39 . 2010-05-06 07:47 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-05-06 07:38 . 2010-05-06 07:47 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-05-01 10:07 . 2010-05-01 10:07 1564672 ----a-w- c:\windows\system32\e_CqQF_2g-.dll
2010-04-30 21:47 . 2010-04-29 14:33 89088 ----a-w- c:\users\BLAKE\AppData\Roaming\Network Printer\NetPrint.exe
2010-04-15 22:49 . 2010-04-30 13:00 1335048 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2008-04-14 03:48 . 2009-04-28 12:10 22 --sha-w- c:\windows\SMINST\HPCD.SYS
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6c3a1de1-94ca-4ad6-acdf-c1324adc487b}"= "c:\program files\Isohunt-vuze\tbIso0.dll" [2008-09-15 1784856]

[HKEY_CLASSES_ROOT\clsid\{6c3a1de1-94ca-4ad6-acdf-c1324adc487b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c3a1de1-94ca-4ad6-acdf-c1324adc487b}]
2008-09-15 10:47 1784856 ----a-w- c:\program files\Isohunt-vuze\tbIso0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c17a78f3-013a-cd59-9106-ed2d42f06c85}]
2010-05-01 10:07 1564672 ----a-w- c:\windows\System32\e_CqQF_2g-.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
"{6c3a1de1-94ca-4ad6-acdf-c1324adc487b}"= "c:\program files\Isohunt-vuze\tbIso0.dll" [2008-09-15 1784856]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{6c3a1de1-94ca-4ad6-acdf-c1324adc487b}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6C3A1DE1-94CA-4AD6-ACDF-C1324ADC487B}"= "c:\program files\Isohunt-vuze\tbIso0.dll" [2008-09-15 1784856]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{6c3a1de1-94ca-4ad6-acdf-c1324adc487b}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 729088]

c:\users\BLAKE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
santa.bat [2010-7-8 148]
smss.exe [2010-5-9 144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
backupExtension=Common Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avlla6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avvqgga
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bvbvbv6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bvvqggb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bwwqqlg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccsxiic
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cwc6r
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cwchcrr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cxchc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cxxc7n
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dxinid
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eeyytty
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ejttoee
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ettjy6t
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezoojjt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fkafa
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gaqqllg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gbqgg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcmmcs
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcxxn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hhbr5m
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hxxssnh
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjeetjj
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjyyjo
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kkapp5f
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lbbgw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lgvvq2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\llgvvlq
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lllaa3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lllgaa
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lvll8g
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcwrr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwhhcrr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwrmcwr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxmmh
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ncnh1n
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nixsndn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oddyo
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oeeye2j
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ojojo
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooi0i
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oydoy25
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oyooi0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oyye2j
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ozjzzoe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pezupp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pfkkp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pjjee
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qaagqga
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qggaq0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qggaqq
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qgvlllg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlaav
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qllg1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qllggbv
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qqlgg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qvqvg4v
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rlgwg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rmmhw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snc6h
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snddi
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sxiicx
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tiidttn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tniidti
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tniini
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tojj81
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tteeej
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tytjjyy
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ufpaau0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uuppeu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uuuz7
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vavvalv
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vglga

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-12-04 07:42 13556256 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-12-04 07:42 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-08-17 13:27 4702208 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-07-14 01:14 1173504 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-01-17 13:34 634880 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-15 08:29 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-08-17 07:13 218408 ----a-w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-05-19 639224]
R2 gupdate1c9ef9999ddcec7;Google Update Service (gupdate1c9ef9999ddcec7);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 133104]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-07-09 102448]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-02 1343400]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1105000.07F\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1105000.07F\SYMEFA.SYS [2009-11-26 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [2010-06-19 691248]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1105000.07F\ccHPx86.sys [2009-12-09 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100708.004\IDSvix86.sys [2010-06-17 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1105000.07F\Ironx86.SYS [2009-11-26 116272]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NAV\1105000.07F\SYMTDIV.SYS [2009-11-22 340016]
S2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [2007-10-01 39408]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe [2009-12-09 126392]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]

.
Contents of the 'Scheduled Tasks' folder

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 22:18]

2010-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 22:18]

2010-06-25 c:\windows\Tasks\HPCeeScheduleForBLAKE.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-11-26 19:58]

2010-07-07 c:\windows\Tasks\Norton Security Scan for BLAKE.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-05-06 04:04]

2010-07-12 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 22:58]

2010-07-12 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 22:58]

2010-07-04 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 22:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://amoelcine.net/Inicio.html
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\BLAKE\AppData\Roaming\Mozilla\Firefox\Profiles\hznrt2jq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\users\BLAKE\AppData\Roaming\Mozilla\Firefox\Profiles\hznrt2jq.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\users\BLAKE\AppData\Roaming\Mozilla\Firefox\Profiles\hznrt2jq.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-gvq1g - c:\windows\system32\8qlalav.exe
HKCU-Run-aalll - c:\windows\system32\aa6q4qq2q.exe
HKCU-Run-qgvlqll - c:\windows\system32\laa6qlqgv2.exe
HKCU-Run-llgaq - c:\windows\system32\a04qq2qgva.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
AddRemove-X--Hn_Yj - c:\windows\system32\X--Hn_Yj.exe



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\DPPWDFLT.DLL

- - - - - - - > 'Explorer.exe'(2148)
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\sppsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\taskhost.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-07-12 16:19:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-12 20:19
ComboFix2.txt 2010-06-06 14:42

Pre-Run: 28,032,053,248 bytes free
Post-Run: 28,263,895,040 bytes free

- - End Of File - - 9348BB16F2F9F5B702A0A25AB8D54BCC
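The log above shows several classic tells that a helper scans for by eye: Windows system process names (lsass.exe, Svchost.exe, smss.exe) sitting in the user's Roaming profile or Startup folder, random-looking executables dropped into system32 (8qlalav.exe, e_CqQF_2g-.dll, X--Hn_Yj.exe), and a long run of msconfig\startupreg keys with no file-info line under them, which ComboFix prints only when the target still exists on disk. The following Python script is an added example, not part of the original post and not a ComboFix feature: it runs those three checks, plus a listing of everything in the Startup folder, over a constructed excerpt of the log. The path regex, the rule names and the crude "looks random" heuristic are assumptions made for illustration, and the heuristic produces a review list, not a verdict.

```python
# Added example: heuristic triage of a ComboFix-style log. Not part of
# ComboFix or of the original post; the regexes, rule names and the
# randomness heuristic are assumptions made for illustration.
import re

# Windows binaries malware commonly names itself after. One of these outside
# %SystemRoot%\System32 (or %SystemRoot% for explorer.exe) deserves a look.
SYSTEM_NAMES = {"lsass.exe", "smss.exe", "svchost.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "explorer.exe"}
LEGIT_DIRS = {"c:\\windows\\system32", "c:\\windows"}

# A drive-rooted Windows path (spaces allowed) ending in an executable-type
# extension, anywhere on a log line. Brackets and quotes delimit ComboFix's
# date/size annotations, so they terminate the match.
PATH_RE = re.compile(r'[a-z]:\\[^\[\]"]+?\.(?:exe|dll|scr|bat|com|sys)\b', re.I)
# msconfig-disabled startup entries; ComboFix prints a file-info line under
# the ones whose target file still exists.
STARTUPREG_RE = re.compile(r"msconfig\\startupreg\\(\S+)", re.I)
FILEINFO_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ ")

# Constructed excerpt: a handful of lines copied from the log posted above.
SAMPLE_LOG = """\
c:\\users\\BLAKE\\AppData\\Roaming\\lsass.exe
c:\\users\\BLAKE\\AppData\\Roaming\\Microsoft\\Svchost.exe
c:\\windows\\system32\\f3PSSavr.scr
2010-07-09 02:43 . 2009-12-13 12:51 148 ---ha-w- c:\\users\\BLAKE\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\santa.bat
2010-05-09 12:03 . 2010-04-29 14:33 144 ----a-w- c:\\users\\BLAKE\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\smss.exe
2010-05-01 10:07 . 2010-05-01 10:07 1564672 ----a-w- c:\\windows\\system32\\e_CqQF_2g-.dll
HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\avlla6
HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\avvqgga

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\\program files\\Microsoft Office\\Office12\\GrooveMonitor.exe

HKCU-Run-gvq1g - c:\\windows\\system32\\8qlalav.exe
AddRemove-X--Hn_Yj - c:\\windows\\system32\\X--Hn_Yj.exe
c:\\windows\\system32\\nvvsvc.exe
c:\\windows\\system32\\taskhost.exe
"""


def stem_of(path):
    """File name without directory or extension."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(stem):
    """Crude heuristic (assumption): a 'q' not followed by 'u', a hyphen, or a
    digit immediately followed by a letter. Legitimate names such as win32k
    also trip the last rule, so the result is a review list, not a verdict."""
    return bool(re.search(r"q(?!u)", stem, re.I)
                or "-" in stem
                or re.search(r"\d[a-z]", stem, re.I))


def scan(log_text):
    """Run the four checks over the log and return {rule: [hits...]}."""
    findings = {"masquerade": [], "startup_folder": [],
                "random_system32": [], "orphan_startupreg": []}
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = STARTUPREG_RE.search(line)
        if m:
            # A bare startupreg key with no file-info line beneath it points
            # at a target that no longer exists: the residue of a dropper.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if not FILEINFO_RE.match(nxt):
                findings["orphan_startupreg"].append(m.group(1).rstrip("]"))
        for path in PATH_RE.findall(line):
            p = path.lower()
            directory, _, name = p.rpartition("\\")
            if name in SYSTEM_NAMES and directory not in LEGIT_DIRS:
                findings["masquerade"].append(path)
            if "\\start menu\\programs\\startup\\" in p:
                findings["startup_folder"].append(path)
            if directory == "c:\\windows\\system32" and looks_random(stem_of(path)):
                findings["random_system32"].append(path)
    return findings


if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_LOG).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

The rules are deliberately structural rather than signature-based: a copy of lsass.exe in Roaming, anything in the Startup folder, and a startupreg key whose file ComboFix could not resolve are all judgements a helper makes from the log's own format, so the script reproduces what a reviewer would circle rather than deciding what is malicious. Run it against a full log by passing the file contents to scan().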



#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Location:Florida

Posted 17 July 2010 - 03:23 PM

Hello mrdsb

Welcome to BleepingComputer :)
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 mrdsb

mrdsb
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:00 PM

Posted 21 July 2010 - 03:53 PM

Thanks for the help so far kahdah, I wasn't able to download OTL but I did get the GMER Rootkit. I think it caused me to get a blue screen a number of times even in safe mode but finally got it done. Here is the result of that scan:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-21 15:12:56
Windows 6.1.7600
Running: t463ghd0.exe; Driver: C:\Users\BLAKE\AppData\Local\Temp\uglcqpoc.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82223AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82223104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 822233F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8220C2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8220B898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 822231DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82223958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 822236F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82223F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 822241A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82283599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 822A7F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1852] ntdll.dll!LdrLoadDll 77DAF585 5 Bytes JMP 013B13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37a12f5a
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37a12f5a@0017e4a81a5a 0x6C 0x50 0x4B 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37a12f5a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37a12f5a@0017e4a81a5a 0x6C 0x50 0x4B 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  ark.log   11.31KB   3 downloads


#4 kahdah


Posted 21 July 2010 - 04:05 PM

Yeah the Geekstogo website is down temporarily.
Try this program please
Please download DDS and save it to your desktop.
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open as well as attach.txt.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
attach.txt

#5 mrdsb


Posted 22 July 2010 - 09:47 PM

Thanks for the speedy reply man. Appreciate it. Could you also figure out why, when I try to sign in with Messenger, everything on my computer stops responding?




#6 kahdah


Posted 23 July 2010 - 07:57 AM

Let's see if your mbr is infected first as that may explain why.

Please download and run MBR.exe by GMER:

http://www2.gmer.net/mbr/mbr.exe

It will produce a log, mbr.txt in the same directory as the program. Please copy/paste that log here.

#7 mrdsb


Posted 24 July 2010 - 06:48 PM

The MBR log.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


#8 kahdah


Posted 25 July 2010 - 07:02 AM

  1. Please download mbrcheck from Here
  2. Save that file to your desktop and double click on it to run it.
  3. It will show a Black screen with some data on it
  4. Right click on the screen and select Mark
  5. Then take your mouse and select the info in the black screen then hit the enter key to copy it to the clipboard.
  6. Open a notepad and press Control+V to paste in the contents.

Post the resultant text here please.

#9 mrdsb


Posted 25 July 2010 - 01:25 PM

Here we go...

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size    Device Name          MBR Status
--------------------------------------------
232 GB  \\.\PhysicalDrive0   Windows 7 MBR code detected

Done! Press ENTER to exit...
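The three checks in the posts above (GMER's sector-by-sector "copy of MBR" report, mbr.exe's user-versus-kernel MBR comparison, and MBRCheck's read of the boot sector) can be illustrated on a constructed disk image. This is an added Python example, not code from GMER, MBRCheck or anyone in this thread; it runs only on the in-memory image it builds, and the partition values and boot-code bytes are made up.

```python
"""Constructed MBR checks in the spirit of the GMER / mbr.exe / MBRCheck output.

Added example, not the tools' own code. Works on an in-memory 64-sector image
built below (constructed data), never on a real drive.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_SIG = b"\x55\xAA"  # last two bytes of a valid MBR


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector0: bytes) -> dict:
    """Parse a 512-byte MBR: boot code, the four partition entries, signature."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector0[446 + i * 16: 446 + (i + 1) * 16]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means an unused slot
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return {
        "signature_ok": sector0[510:512] == BOOT_SIG,
        "partitions": parts,
        "boot_code": sector0[:446],
    }


def find_mbr_copies(image: bytes, first: int = 1, last: int = 62) -> list:
    """Sector numbers in [first, last] whose content is byte-identical to sector 0.

    This is the finding GMER prints as 'copy of MBR'. Legitimate installers and
    backup tools sometimes leave such copies, so treat it as a triage signal
    to confirm with a second reader, as kahdah did with mbr.exe and MBRCheck.
    """
    mbr = image[:SECTOR]
    hits = []
    for n in range(first, last + 1):
        chunk = image[n * SECTOR:(n + 1) * SECTOR]
        if len(chunk) == SECTOR and chunk == mbr:
            hits.append(n)
    return hits


def compare_views(user_view: bytes, kernel_view: bytes) -> bool:
    """The idea behind mbr.exe's 'user & kernel MBR OK' line.

    A filtering rootkit hands a clean MBR to one read path and the real one to
    another; a mismatch between the two views is the signal. Here both views
    are simply bytes passed in by the caller.
    """
    return user_view == kernel_view


def build_image(copies) -> bytes:
    """Constructed 64-sector image: MBR with one bootable NTFS-type partition,
    and byte-identical copies of it in every sector number listed in `copies`."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (446 - 4)  # filler
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 1_000_000)
    mbr = boot_code + part1 + b"\x00" * 48 + BOOT_SIG
    assert len(mbr) == SECTOR
    sectors = [mbr]
    for n in range(1, 64):
        sectors.append(mbr if n in copies else b"\x00" * SECTOR)
    return b"".join(sectors)


def report(image: bytes) -> list:
    """Human-readable summary in the style of the logs posted in this thread."""
    info = parse_mbr(image[:SECTOR])
    lines = ["MBR signature: " + ("OK" if info["signature_ok"] else "MISSING")]
    for p in info["partitions"]:
        lines.append(f"partition {p.index}: type 0x{p.type_id:02X} "
                     f"lba {p.lba_start} sectors {p.sectors}"
                     + (" (bootable)" if p.bootable else ""))
    for n in find_mbr_copies(image):
        lines.append(f"sector {n:02d}: copy of MBR")
    return lines


if __name__ == "__main__":
    # Mimic the first run of hits in the GMER log: sectors 1..18 hold copies.
    img = build_image(range(1, 19))
    print("\n".join(report(img)))
```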



#10 kahdah


Posted 25 July 2010 - 07:54 PM

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=====
* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


#11 mrdsb


Posted 26 July 2010 - 06:27 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4356

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/26/2010 7:25:28 PM
mbam-log-2010-07-26 (19-25-28).txt

Scan type: Quick scan
Objects scanned: 149341
Time elapsed: 9 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 45
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\x--hn_yj (Adware.LoudMo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c17a78f3-013a-cd59-9106-ed2d42f06c85} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c17a78f3-013a-cd59-9106-ed2d42f06c85} (Adware.AdRotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3popularscreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.StartPage) -> Bad: (http://flvdirect.iamwired.net/) Good: (http://www.google.com) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\X--Hn_Yj.exe (Adware.LoudMo) -> Quarantined and deleted successfully.
C:\Users\BLAKE\downloads\FLVDirect.exe (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Users\BLAKE\downloads\WebfettiSetup2.3.67.1.ZKfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\BLAKE\downloads\WebfettiSetup2.3.50.49.ZKfox000.SA.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\BLAKE\AppData\Roaming\Network Printer\NetPrint.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\BLAKE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\santa.bat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\BLAKE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\e_CqQF_2g-.dll (Adware.AdRotator) -> Delete on reboot.


#12 kahdah


Posted 26 July 2010 - 07:26 PM

Great, post the ESET scan log when you can.

#13 mrdsb


Posted 26 July 2010 - 08:52 PM

Did a full scan after... here is the result as well

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4356

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/26/2010 9:41:33 PM
mbam-log-2010-07-26 (21-41-33).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 402698
Time elapsed: 2 hour(s), 5 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\BLAKE\Documents\Azureus Downloads\Windows Game Collection\Insaniquarium Deluxe 1.0 (GameHouse)\Crack\insaniquarium_crack.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\BLAKE\Documents\Azureus Downloads\Windows Game Collection\Insaniquarium Deluxe 1.0.0.1 (GameHouse)\Crack\crack.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\sysprep\CRYPTBASE.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{4e132474-1430-7cf0-e87e-2d4e84fbc57c}\components\OO-__K7DtZPKZZS.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3DLGHK.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSUABTN.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\f3PSSavr.scr.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.


#14 mrdsb


Posted 27 July 2010 - 06:14 AM

I ran ESET and it cleaned 17 infected files. When I went into the log, however, this is all I saw:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251


#15 kahdah


Posted 27 July 2010 - 06:26 AM

Ok, most of the ones MBAM found on the full scan are already quarantined; however, this one is a false positive:
C:\Windows\System32\sysprep\CRYPTBASE.dll
You can restore it by going to the quarantine area and click on this file name and click on restore at the bottom.

Other than that how are things running?
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.




