Invisible ads and wave volume resetting to zero automatically


This topic is locked
17 replies to this topic

#1 h18110

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 15 July 2010 - 02:23 AM

Hi, I've been having the same problem as this topic: http://www.bleepingcomputer.com/forums/t/328595/invisible-ads-and-wave-volume-resetting-to-zero/

I am going to use ComboFix and it tells me that I need someone to analyze my logs for further examination and help.

I am such a beginner at this, please please please follow and analyze the log I post afterwards!

ComboFix 10-07-14.02 - Administrator 5/2010 Thu 0:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.2038.1378 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Process.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.

2010-07-13 02:15 . 2010-07-15 07:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-07-13 01:04 . 2010-07-13 01:04 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-13 01:03 . 2010-07-13 01:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-13 01:03 . 2010-07-13 01:03 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-13 01:02 . 2010-07-15 07:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AskToolbar
2010-07-13 01:02 . 2010-07-13 01:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AhnLab
2010-07-06 23:27 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-06 23:27 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-06 23:27 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-06 23:27 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-06 23:27 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-06 23:27 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-06 23:27 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-06 23:27 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-06 23:27 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-06 23:26 . 2010-07-06 23:26 -------- d-----w- c:\program files\Alwil Software
2010-07-06 23:26 . 2010-07-06 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-06 10:06 . 2010-07-06 10:06 -------- d-----w- c:\program files\PokerStars.NET
2010-07-06 08:59 . 2010-07-06 08:59 92728 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\dynomite\bass.dll
2010-07-06 08:59 . 2010-07-06 08:59 972288 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\dynomite\dynomite.dll
2010-07-06 08:49 . 2010-07-06 08:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WorldWinner.com
2010-07-06 08:26 . 2010-07-06 08:26 1055744 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\bigmoney\bigmoney.dll
2010-07-06 08:26 . 2010-07-06 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner
2010-06-29 09:13 . 2010-06-29 09:13 -------- d-----w- c:\windows\system32\drivers\myrmbin
2010-06-29 09:13 . 2010-06-29 09:13 -------- d-----w- c:\windows\system32\drivers\mycodec
2010-06-29 09:13 . 2010-06-29 09:28 -------- d-----w- c:\program files\MyVideoConverter
2010-06-28 01:21 . 2010-06-28 01:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\ooVoo Details
2010-06-28 01:20 . 2010-06-28 01:20 -------- d-----w- c:\program files\ooVoo
2010-06-23 05:48 . 2010-07-15 07:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-06-23 04:24 . 2010-04-06 17:27 1053056 ----a-w- c:\windows\system32\drivers\CAMTHWDM.sys
2010-06-23 04:11 . 2010-06-23 04:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\MagicCamera
2010-06-23 04:04 . 2010-06-23 04:04 -------- d-----w- c:\program files\Ask.com
2010-06-23 04:04 . 2010-06-23 04:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\WebcamMax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 07:36 . 2010-02-18 19:04 -------- d-----w- c:\program files\AhnLab
2010-07-15 07:36 . 2010-02-18 19:04 -------- d-----w- c:\program files\Common Files\AhnLab
2010-07-15 07:34 . 2010-03-24 14:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-07-15 04:00 . 2010-02-18 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-13 04:10 . 2009-09-14 19:21 86800 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-13 01:09 . 2008-08-20 04:37 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-12 00:03 . 2010-02-19 01:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-06-14 14:31 . 2007-08-21 23:21 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31686\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31686\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31686\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31686\AcrobatUpdater.exe
2010-06-09 00:59 . 2007-12-14 00:54 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-06-09 00:59 . 2007-12-14 00:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-07 07:53 . 2010-02-24 06:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\ArcSoft
2010-06-07 07:53 . 2010-02-24 06:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-06-07 07:49 . 2007-12-14 00:54 -------- d-----w- c:\program files\ArcSoft
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-31 22:40 . 2010-05-31 22:39 -------- d-----w- c:\program files\iTunes
2010-05-31 22:40 . 2010-05-31 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-31 22:39 . 2010-02-19 01:50 -------- d-----w- c:\program files\iPod
2010-05-31 22:39 . 2010-02-19 02:12 -------- d-----w- c:\program files\Common Files\Apple
2010-05-31 22:36 . 2010-05-31 22:36 -------- d-----w- c:\program files\QuickTime
2010-05-31 22:34 . 2010-05-31 22:34 -------- d-----w- c:\program files\Bonjour
2010-05-31 22:32 . 2010-05-31 22:32 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-23 20:18 . 2010-05-23 20:18 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3f3dd9c8-n\decora-sse.dll
2010-05-23 20:18 . 2010-05-23 20:18 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61a045da-n\msvcp71.dll
2010-05-23 20:18 . 2010-05-23 20:18 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61a045da-n\jmc.dll
2010-05-23 20:18 . 2010-05-23 20:18 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61a045da-n\msvcr71.dll
2010-05-23 20:18 . 2010-05-23 20:18 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3f3dd9c8-n\decora-d3d.dll
2010-05-06 10:41 . 2007-08-21 23:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2007-08-21 23:01 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 12:57 . 2010-04-23 12:57 114688 ----a-w- c:\windows\system32\DirShowEXDD.dll
2010-04-23 02:32 . 2010-03-03 08:25 7834 ----a-w- c:\documents and settings\Administrator\Application Data\wklnhst.dat
2010-04-20 05:30 . 2007-08-21 23:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:33 . 2010-02-19 02:12 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 15:33 . 2010-02-19 02:12 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 22:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 163840]
"331BigDog"="c:\windows\VM331_STI.EXE" [2007-09-27 196608]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 80688]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-11-02 242688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-11-02 61440]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2006-07-22 233472]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-15 888832]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-05-20 91432]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 135168]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 8.0.0.358\\English\\setup.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [12/13/2007 5:25 PM 7168]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [12/13/2007 4:56 PM 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [12/13/2007 5:18 PM 35456]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/6/2010 4:27 PM 165456]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [5/15/2008 1:07 PM 61424]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/6/2010 4:27 PM 17744]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [12/13/2007 4:54 PM 4864]
R3 vm331avs;VC0334 USB2.0 Digital Camera;c:\windows\system32\drivers\vm331avs.sys [12/13/2007 5:20 PM 941056]
R4 AhnRghNt;AhnRghNt;\??\c:\windows\system32\Drivers\AhnRghNt.sys --> c:\windows\system32\Drivers\AhnRghNt.sys [?]
R4 CdmDrvNt;CdmDrvNt;\??\c:\windows\system32\Drivers\CdmDrvNt.sys --> c:\windows\system32\Drivers\CdmDrvNt.sys [?]
S3 AhnFlt2k;AhnFlt2k;\??\c:\windows\system32\Drivers\AhnFlt2k.sys --> c:\windows\system32\Drivers\AhnFlt2k.sys [?]
S3 AhnRec2k;AhnRec2k;\??\c:\windows\system32\Drivers\AhnRec2k.sys --> c:\windows\system32\Drivers\AhnRec2k.sys [?]
S3 ATamptNt_V3LITE;ATamptNt_V3LITE;\??\c:\progra~1\AhnLab\V3Lite\ATamptNt.sys --> c:\progra~1\AhnLab\V3Lite\ATamptNt.sys [?]
S3 bioschk;FPC BIOS Check Driver;c:\windows\system32\drivers\bioschk.sys [12/13/2007 4:57 PM 3909]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/19/2008 10:01 PM 110080]
S3 RTURC;Realtek UWB Radio Control Driver;c:\windows\system32\drivers\RTURC.sys [8/19/2008 10:07 PM 95488]
S3 RTWHCI;Realtek WHCI driver;c:\windows\system32\drivers\RTWHCI.sys [8/19/2008 10:07 PM 190976]

--- Other Services/Drivers In Memory ---

*Deregistered* - AhnSZE
*Deregistered* - ASZFltNt
*Deregistered* - ATamptNt_ASG
*Deregistered* - v3engine
*Deregistered* - V3Flt2K

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-07-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

2010-07-15 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qxljl4l.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPGomtvx_nie.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-15 00:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,83,38,7e,2e,e3,06,5b,49,88,b0,cb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,83,38,7e,2e,e3,06,5b,49,88,b0,cb,\

[HKEY_USERS\S-1-5-21-1536446456-4173809351-2792318203-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d4,71,19,5a,6a,73,4b,4b,b5,36,a1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d4,71,19,5a,6a,73,4b,4b,b5,36,a1,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-15 00:51:41
ComboFix-quarantined-files.txt 2010-07-15 07:51

Pre-Run: 131,265,908,736 bytes free
Post-Run: 131,729,899,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2DCB132C0D80868FFCFF0DC7A9BB66F7

Merged posts. ~ OB

Edited by Orange Blossom, 15 July 2010 - 10:30 PM.
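The log above is raw ComboFix output. The parts a responder reads first are the Reg Loading Points (Browser Helper Objects and Run keys), the globally open firewall ports, drivers whose registered file is missing (shown as `[?]`), and the scheduled tasks. The Python below is an added example, not code from the poster, the forum or ComboFix itself: it pulls those items out of a constructed sample made from lines copied from the log above and lists the ones worth a second look. The regular expressions assume ComboFix's line shapes exactly as they appear on this page; a different ComboFix version may format lines differently.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix's own code)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the log above, in the shapes ComboFix writes.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 22:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 163840]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/6/2010 4:27 PM 165456]
R4 AhnRghNt;AhnRghNt;\??\c:\windows\system32\Drivers\AhnRghNt.sys --> c:\windows\system32\Drivers\AhnRghNt.sys [?]
S3 AhnFlt2k;AhnFlt2k;\??\c:\windows\system32\Drivers\AhnFlt2k.sys --> c:\windows\system32\Drivers\AhnFlt2k.sys [?]

2010-07-15 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]
"""

# Line shapes assumed from the log on this page (an assumption, not a ComboFix specification).
SECTION_RE = re.compile(r"^\[(.+)\]$")
FILE_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[([^\]]*)\]$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):\*:(Enabled|Disabled):(.*)$')
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(c:\\windows\\tasks\\.+\.job)$", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"^-\s+(.+?)\s+\[([^\]]*)\]$")


@dataclass
class Findings:
    bhos: list = field(default_factory=list)         # (clsid, dll path)
    run_entries: list = field(default_factory=list)  # (value name, command path)
    open_ports: list = field(default_factory=list)   # (port, proto, state, description)
    drivers: list = field(default_factory=list)      # (start type, name, path, file present?)
    tasks: list = field(default_factory=list)        # (job file, target executable)


def parse_combofix(text: str) -> Findings:
    """Walk the log once, tracking the current registry section for context-dependent lines."""
    f = Findings()
    section = ""
    pending_bho = None   # CLSID whose DLL line comes next
    pending_task = None  # .job file whose "- target" line comes next
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            if "Browser Helper Objects" in section:
                pending_bho = section.rsplit("\\", 1)[-1]
            continue
        if pending_bho:
            m = FILE_LINE_RE.match(line)
            if m:
                f.bhos.append((pending_bho, m.group(1)))
            pending_bho = None
            continue
        if pending_task:
            m = TASK_TARGET_RE.match(line)
            if m:
                f.tasks.append((pending_task, m.group(1)))
            pending_task = None
            continue
        m = TASK_RE.match(line)
        if m:
            pending_task = m.group(1)
            continue
        m = DRIVER_RE.match(line)
        if m:
            start, name, _desc, path, meta = m.groups()
            f.drivers.append((start, name, path, meta != "?"))  # "[?]" means the file was not found
            continue
        if section.lower().endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                f.run_entries.append((m.group(1), m.group(2)))
        elif "GloballyOpenPorts" in section:
            m = PORT_RE.match(line)
            if m:
                f.open_ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return f


def triage(f: Findings) -> list:
    """Return the entries a responder would look at first, as one-line notes."""
    notes = []
    for start, name, path, present in f.drivers:
        if not present:
            notes.append(f"service {name} ({start}) points at a missing file: {path}")
    for clsid, dll in f.bhos:
        notes.append(f"BHO {clsid} loads {dll}")
    for port, proto, state, desc in f.open_ports:
        notes.append(f"firewall exception {port}/{proto} is {state}: {desc}")
    for job, target in f.tasks:
        if not target.lower().startswith("c:\\windows\\"):
            notes.append(f"scheduled task {job} runs {target}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_combofix(SAMPLE_LOG)):
        print(note)
```

The parser only reads text; it never opens the paths it reports, so it is safe to run against a log from an infected machine. A missing-file driver entry (`[?]`) is usually a leftover from an uninstalled product, as the AhnLab entries here appear to be, but it is exactly the kind of line a malware responder confirms rather than assumes.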

#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:23 AM

Posted 20 July 2010 - 07:07 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 h18110

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 24 July 2010 - 03:15 AM

Alright, I'll be patient, thanks! I uninstalled the program I scanned the log with a few days ago, though, and tried scanning with other programs... Did I make a mistake already then?

#4 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:23 AM

Posted 24 July 2010 - 04:36 PM

QUOTE(h18110 @ Jul 24 2010, 09:15 AM)
> did i make a mistake already then?


No, that's just a general post I made above. You shouldn't have run Combofix though.

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you still have Combofix installed then please run it, update if it requests to and then post a new log.

Thanks

#5 h18110

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 25 July 2010 - 01:07 AM

I don't have it, I uninstalled it; should I reinstall and rerun?

#6 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:23 AM

Posted 25 July 2010 - 10:50 AM

Yes, here are the complete instructions to do this.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:23 AM

Posted 27 July 2010 - 07:09 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#8 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Location:London, UK
  • Local time:06:23 AM

Posted 28 July 2010 - 06:31 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

#9 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:23 AM

Posted 03 August 2010 - 01:44 PM

Reopened at user's request

-----------------------------------------

Please post the ComboFix log when you have run the program.

#10 h18110

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 03 August 2010 - 10:22 PM

ComboFix 10-08-02.03 - Administrator 3/2010 Tue 2:17.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.2038.1352 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-03 02:52 . 2010-08-03 02:52 -------- d-----w- c:\windows\LastGood
2010-07-24 09:27 . 2010-07-24 09:27 -------- d-----w- c:\program files\iTunes
2010-07-24 09:24 . 2010-07-24 09:24 -------- d-----w- c:\program files\Bonjour
2010-07-24 09:21 . 2010-07-24 09:21 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-19 21:10 . 2010-07-19 21:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-19 21:09 . 2010-07-19 21:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-19 21:09 . 2010-07-19 21:09 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-15 23:41 . 2010-07-15 23:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-15 08:48 . 2010-07-15 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-15 08:48 . 2010-07-15 08:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-13 02:15 . 2010-08-03 09:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-07-13 01:04 . 2010-07-13 01:04 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-13 01:03 . 2010-07-13 01:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-13 01:03 . 2010-07-13 01:03 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-13 01:02 . 2010-08-03 02:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AskToolbar
2010-07-13 01:02 . 2010-07-13 01:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AhnLab
2010-07-06 23:27 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-06 23:27 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-06 23:27 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-06 23:27 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-06 23:27 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-06 23:27 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-06 23:27 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-06 23:27 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-06 23:27 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-06 23:26 . 2010-07-06 23:26 -------- d-----w- c:\program files\Alwil Software
2010-07-06 23:26 . 2010-07-06 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-06 10:06 . 2010-07-06 10:06 -------- d-----w- c:\program files\PokerStars.NET
2010-07-06 08:59 . 2010-07-06 08:59 92728 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\dynomite\bass.dll
2010-07-06 08:59 . 2010-07-06 08:59 972288 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\dynomite\dynomite.dll
2010-07-06 08:49 . 2010-07-06 08:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WorldWinner.com
2010-07-06 08:26 . 2010-07-06 08:26 1055744 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\bigmoney\bigmoney.dll
2010-07-06 08:26 . 2010-07-06 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 22:45 . 2008-08-20 04:37 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-24 09:27 . 2010-02-19 01:50 -------- d-----w- c:\program files\iPod
2010-07-24 09:27 . 2010-02-19 02:12 -------- d-----w- c:\program files\Common Files\Apple
2010-07-24 00:21 . 2010-02-19 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-15 07:36 . 2010-02-18 19:04 -------- d-----w- c:\program files\AhnLab
2010-07-15 07:36 . 2010-02-18 19:04 -------- d-----w- c:\program files\Common Files\AhnLab
2010-07-15 07:34 . 2010-03-24 14:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-07-15 04:00 . 2010-02-18 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-13 04:10 . 2009-09-14 19:21 86800 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 00:03 . 2010-02-19 01:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-06-29 09:28 . 2010-06-29 09:13 -------- d-----w- c:\program files\MyVideoConverter
2010-06-28 01:23 . 2010-06-28 01:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\ooVoo Details
2010-06-28 01:20 . 2010-06-28 01:20 -------- d-----w- c:\program files\ooVoo
2010-06-23 04:04 . 2010-06-23 04:04 -------- d-----w- c:\program files\Ask.com
2010-06-23 04:04 . 2010-06-23 04:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\WebcamMax
2010-06-14 14:31 . 2007-08-21 23:21 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-09 00:59 . 2007-12-14 00:54 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-06-09 00:59 . 2007-12-14 00:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-07 07:53 . 2010-02-24 06:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\ArcSoft
2010-06-07 07:53 . 2010-02-24 06:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-06-07 07:49 . 2007-12-14 00:54 -------- d-----w- c:\program files\ArcSoft
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-23 20:18 . 2010-05-23 20:18 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3f3dd9c8-n\decora-sse.dll
2010-05-23 20:18 . 2010-05-23 20:18 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61a045da-n\msvcp71.dll
2010-05-23 20:18 . 2010-05-23 20:18 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61a045da-n\jmc.dll
2010-05-23 20:18 . 2010-05-23 20:18 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61a045da-n\msvcr71.dll
2010-05-23 20:18 . 2010-05-23 20:18 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3f3dd9c8-n\decora-d3d.dll
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2007-08-21 23:01 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-15_07.48.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-03 02:47 . 2010-08-03 02:47 16384 c:\windows\Temp\Perflib_Perfdata_97c.dat
+ 2010-07-24 09:24 . 2010-04-20 03:47 41984 c:\windows\system32\DRVSTORE\usbaapl_3822718F9E2E86C3752D30561ECA5A855A4A3F7D\usbaapl.sys
+ 2010-07-24 09:24 . 2010-04-20 03:29 18432 c:\windows\system32\DRVSTORE\netaapl_3A00C5601D92D37DDCB0AE45518D6B42BE1588E6\netaapl.sys
+ 2010-02-19 02:12 . 2010-04-20 03:47 41984 c:\windows\system32\drivers\usbaapl.sys
+ 2010-07-15 23:41 . 2010-07-20 01:30 16384 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2007-08-21 23:28 . 2010-08-03 09:10 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-21 23:28 . 2010-07-15 07:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-08-21 23:28 . 2010-08-03 09:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-08-21 23:28 . 2010-07-15 07:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-07-15 23:40 . 2010-07-20 01:30 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2007-08-21 23:28 . 2010-07-15 07:37 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-08-21 23:28 . 2010-08-03 09:10 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-07-19 21:09 . 2010-07-19 21:09 28160 c:\windows\Installer\8574ee.msi
+ 2009-12-22 03:09 . 2009-12-22 03:09 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-22 08:57 . 2009-12-22 08:57 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-22 03:02 . 2009-12-22 03:02 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-22 06:21 . 2009-12-22 06:21 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-11 22:57 . 2009-12-11 22:57 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobeextractfiles.dll
+ 2009-12-22 06:37 . 2009-12-22 06:37 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-22 01:39 . 2009-12-22 01:39 15288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-22 01:27 . 2009-12-22 01:27 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-22 01:27 . 2009-12-22 01:27 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
+ 2010-07-15 23:41 . 2010-07-15 23:41 7024 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\frameiconcache.dat
+ 2010-07-24 09:23 . 2010-07-24 09:23 807424 c:\windows\Installer\4b0ee5.msi
+ 2010-07-24 09:27 . 2010-07-24 09:27 372736 c:\windows\Installer\{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}\iTunesIco.exe
+ 2009-12-11 22:57 . 2009-12-11 22:57 326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\readerupdater.exe
+ 2009-12-22 01:35 . 2009-12-22 01:35 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-22 03:05 . 2009-12-22 03:05 116168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe
+ 2009-12-22 01:34 . 2009-12-22 01:34 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-10 02:18 . 2009-11-10 02:18 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-22 03:02 . 2009-12-22 03:02 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-11 22:57 . 2009-12-11 22:57 948672 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobearm.exe
+ 2009-12-22 01:43 . 2009-12-22 01:43 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-22 08:57 . 2009-12-22 08:57 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-22 01:15 . 2009-12-22 01:15 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-22 02:32 . 2009-12-22 02:32 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-11 22:57 . 2009-12-11 22:57 326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobatupdater.exe
+ 2009-12-22 02:15 . 2009-12-22 02:15 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2010-02-19 02:12 . 2010-04-20 03:47 3062048 c:\windows\system32\usbaaplrc.dll
+ 2010-07-24 09:24 . 2010-04-20 03:47 3062048 c:\windows\system32\DRVSTORE\usbaapl_3822718F9E2E86C3752D30561ECA5A855A4A3F7D\usbaaplrc.dll
+ 2010-07-24 09:24 . 2010-04-20 03:29 1461992 c:\windows\system32\DRVSTORE\netaapl_3A00C5601D92D37DDCB0AE45518D6B42BE1588E6\wdfcoinstaller01009.dll
+ 2010-06-20 08:01 . 2010-06-20 08:01 8040960 c:\windows\Installer\8575d8.msp
+ 2010-07-19 21:11 . 2010-07-19 21:11 3940352 c:\windows\Installer\8575d7.msi
+ 2010-07-24 09:27 . 2010-07-24 09:27 5731328 c:\windows\Installer\4b1785.msi
+ 2010-07-24 09:24 . 2010-07-24 09:24 3089408 c:\windows\Installer\4b0f5a.msi
+ 2010-07-24 09:24 . 2010-07-24 09:24 1984000 c:\windows\Installer\4b0f1d.msi
+ 2009-12-22 01:29 . 2009-12-22 01:29 2409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-22 02:00 . 2009-12-22 02:00 1298996 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JSByteCodeWin.bin
+ 2009-12-22 06:31 . 2009-12-22 06:31 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 c:\windows\Installer\8575d9.msp
+ 2009-12-22 06:21 . 2009-12-22 06:21 20436408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 22:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 163840]
"331BigDog"="c:\windows\VM331_STI.EXE" [2007-09-27 196608]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 80688]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-11-02 242688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-11-02 61440]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2006-07-22 233472]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-15 888832]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-05-20 91432]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 135168]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 8.0.0.358\\English\\setup.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"443:TCP"= 443:TCP:ooVoo TCP port 443

R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [12/13/2007 5:25 PM 7168]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [12/13/2007 4:56 PM 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [12/13/2007 5:18 PM 35456]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/6/2010 4:27 PM 165456]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [5/15/2008 1:07 PM 61424]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/6/2010 4:27 PM 17744]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [12/13/2007 4:54 PM 4864]
R3 vm331avs;VC0334 USB2.0 Digital Camera;c:\windows\system32\drivers\vm331avs.sys [12/13/2007 5:20 PM 941056]
S3 AhnFlt2k;AhnFlt2k;\??\c:\windows\system32\Drivers\AhnFlt2k.sys --> c:\windows\system32\Drivers\AhnFlt2k.sys [?]
S3 AhnRec2k;AhnRec2k;\??\c:\windows\system32\Drivers\AhnRec2k.sys --> c:\windows\system32\Drivers\AhnRec2k.sys [?]
S3 ATamptNt_V3LITE;ATamptNt_V3LITE;\??\c:\progra~1\AhnLab\V3Lite\ATamptNt.sys --> c:\progra~1\AhnLab\V3Lite\ATamptNt.sys [?]
S3 bioschk;FPC BIOS Check Driver;c:\windows\system32\drivers\bioschk.sys [12/13/2007 4:57 PM 3909]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/19/2008 10:01 PM 110080]
S3 RTURC;Realtek UWB Radio Control Driver;c:\windows\system32\drivers\RTURC.sys [8/19/2008 10:07 PM 95488]
S3 RTWHCI;Realtek WHCI driver;c:\windows\system32\drivers\RTWHCI.sys [8/19/2008 10:07 PM 190976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-08-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

2010-08-03 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qxljl4l.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPGomtvx_nie.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 02:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,83,38,7e,2e,e3,06,5b,49,88,b0,cb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,83,38,7e,2e,e3,06,5b,49,88,b0,cb,\

[HKEY_USERS\S-1-5-21-1536446456-4173809351-2792318203-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d4,71,19,5a,6a,73,4b,4b,b5,36,a1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d4,71,19,5a,6a,73,4b,4b,b5,36,a1,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(784)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-03 02:24:51
ComboFix-quarantined-files.txt 2010-08-03 09:24
ComboFix2.txt 2010-07-15 07:51

Pre-Run: 127,485,267,968 bytes free
Post-Run: 127,872,528,384 bytes free

- - End Of File - - AEEA619919C92C8FA12687736D70046A


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:23 AM

Posted 04 August 2010 - 04:33 PM

Looks okay there. Just a quick script to change some permissions

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-1536446456-4173809351-2792318203-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Let's run MBAM and see how that looks

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#12 h18110

h18110
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 05 August 2010 - 12:40 AM

ComboFix 10-08-04.04 - Administrator 4/2010 Wed 22:27:56.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.949.82.1033.18.2038.1638 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-07-24 09:27 . 2010-07-24 09:27 -------- d-----w- c:\program files\iTunes
2010-07-24 09:24 . 2010-07-24 09:24 -------- d-----w- c:\program files\Bonjour
2010-07-24 09:21 . 2010-07-24 09:21 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-19 21:10 . 2010-07-19 21:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-19 21:09 . 2010-07-19 21:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-19 21:09 . 2010-07-19 21:09 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-15 23:41 . 2010-07-15 23:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-15 08:48 . 2010-07-15 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-15 08:48 . 2010-07-15 08:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-13 02:15 . 2010-08-05 05:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-07-13 01:04 . 2010-07-13 01:04 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-13 01:03 . 2010-07-13 01:03 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-13 01:03 . 2010-07-13 01:03 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-13 01:02 . 2010-08-05 04:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AskToolbar
2010-07-13 01:02 . 2010-07-13 01:02 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AhnLab
2010-07-06 23:27 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-06 23:27 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-06 23:27 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-06 23:27 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-06 23:27 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-06 23:27 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-06 23:27 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-06 23:27 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-06 23:27 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-06 23:26 . 2010-07-06 23:26 -------- d-----w- c:\program files\Alwil Software
2010-07-06 23:26 . 2010-07-06 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-06 10:06 . 2010-07-06 10:06 -------- d-----w- c:\program files\PokerStars.NET
2010-07-06 08:59 . 2010-07-06 08:59 92728 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\dynomite\bass.dll
2010-07-06 08:59 . 2010-07-06 08:59 972288 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\dynomite\dynomite.dll
2010-07-06 08:49 . 2010-07-06 08:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WorldWinner.com
2010-07-06 08:26 . 2010-07-06 08:26 1055744 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\bigmoney\bigmoney.dll
2010-07-06 08:26 . 2010-07-06 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 22:45 . 2008-08-20 04:37 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-27 06:30 . 2010-07-27 06:30 8462336 ----a-w- c:\windows\system32\SET219.tmp
2010-07-24 09:27 . 2010-02-19 01:50 -------- d-----w- c:\program files\iPod
2010-07-24 09:27 . 2010-02-19 02:12 -------- d-----w- c:\program files\Common Files\Apple
2010-07-24 00:21 . 2010-02-19 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-15 07:36 . 2010-02-18 19:04 -------- d-----w- c:\program files\AhnLab
2010-07-15 07:36 . 2010-02-18 19:04 -------- d-----w- c:\program files\Common Files\AhnLab
2010-07-15 07:34 . 2010-03-24 14:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-07-15 04:00 . 2010-02-18 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-13 04:10 . 2009-09-14 19:21 86800 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 00:03 . 2010-02-19 01:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-06-29 09:28 . 2010-06-29 09:13 -------- d-----w- c:\program files\MyVideoConverter
2010-06-28 01:23 . 2010-06-28 01:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\ooVoo Details
2010-06-28 01:20 . 2010-06-28 01:20 -------- d-----w- c:\program files\ooVoo
2010-06-23 04:04 . 2010-06-23 04:04 -------- d-----w- c:\program files\Ask.com
2010-06-23 04:04 . 2010-06-23 04:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\WebcamMax
2010-06-14 14:31 . 2007-08-21 23:21 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-09 00:59 . 2007-12-14 00:54 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-06-09 00:59 . 2007-12-14 00:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-07 07:53 . 2010-02-24 06:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\ArcSoft
2010-06-07 07:53 . 2010-02-24 06:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-06-07 07:49 . 2007-12-14 00:54 -------- d-----w- c:\program files\ArcSoft
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-23 20:18 . 2010-05-23 20:18 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3f3dd9c8-n\decora-sse.dll
2010-05-23 20:18 . 2010-05-23 20:18 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61a045da-n\msvcp71.dll
2010-05-23 20:18 . 2010-05-23 20:18 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61a045da-n\jmc.dll
2010-05-23 20:18 . 2010-05-23 20:18 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61a045da-n\msvcr71.dll
2010-05-23 20:18 . 2010-05-23 20:18 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3f3dd9c8-n\decora-d3d.dll
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((( SnapShot_2010-08-03_09.23.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-05 05:26 . 2010-08-05 05:26 16384 c:\windows\Temp\Perflib_Perfdata_570.dat
+ 2007-08-21 23:28 . 2010-08-05 05:22 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-21 23:28 . 2010-08-03 09:10 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-08-21 23:28 . 2010-08-03 09:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-08-21 23:28 . 2010-08-05 05:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-08-21 23:28 . 2010-08-05 05:22 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-08-21 23:28 . 2010-08-03 09:10 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-08-21 23:01 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 22:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 163840]
"331BigDog"="c:\windows\VM331_STI.EXE" [2007-09-27 196608]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 80688]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-11-02 242688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-11-02 61440]
"SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2006-07-22 233472]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-15 888832]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-05-20 91432]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 135168]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 8.0.0.358\\English\\setup.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443

R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [12/13/2007 5:25 PM 7168]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [12/13/2007 4:56 PM 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [12/13/2007 5:18 PM 35456]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/6/2010 4:27 PM 165456]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [5/15/2008 1:07 PM 61424]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/6/2010 4:27 PM 17744]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [12/13/2007 4:54 PM 4864]
R3 vm331avs;VC0334 USB2.0 Digital Camera;c:\windows\system32\drivers\vm331avs.sys [12/13/2007 5:20 PM 941056]
S3 AhnFlt2k;AhnFlt2k;\??\c:\windows\system32\Drivers\AhnFlt2k.sys --> c:\windows\system32\Drivers\AhnFlt2k.sys [?]
S3 AhnRec2k;AhnRec2k;\??\c:\windows\system32\Drivers\AhnRec2k.sys --> c:\windows\system32\Drivers\AhnRec2k.sys [?]
S3 ATamptNt_V3LITE;ATamptNt_V3LITE;\??\c:\progra~1\AhnLab\V3Lite\ATamptNt.sys --> c:\progra~1\AhnLab\V3Lite\ATamptNt.sys [?]
S3 bioschk;FPC BIOS Check Driver;c:\windows\system32\drivers\bioschk.sys [12/13/2007 4:57 PM 3909]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [8/19/2008 10:01 PM 110080]
S3 RTURC;Realtek UWB Radio Control Driver;c:\windows\system32\drivers\RTURC.sys [8/19/2008 10:07 PM 95488]
S3 RTWHCI;Realtek WHCI driver;c:\windows\system32\drivers\RTWHCI.sys [8/19/2008 10:07 PM 190976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-08-05 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

2010-08-05 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qxljl4l.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPGomtvx_nie.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-04 22:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-04 22:37:06
ComboFix-quarantined-files.txt 2010-08-05 05:37
ComboFix2.txt 2010-08-03 09:24
ComboFix3.txt 2010-07-15 07:51

Pre-Run: 125,723,500,544 bytes free
Post-Run: 125,789,958,144 bytes free

- - End Of File - - E66146100698702B2A3C0DAABBC96FE6

I will go on to the next step now.

#13 h18110 (Topic Starter, Members, 8 posts)

Posted 05 August 2010 - 02:43 AM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4391

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/4/2010 11:44:12 PM
mbam-log-2010-08-04 (23-44-12).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 231646
Time elapsed: 58 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#14 m0le (Can U Dig It?, Malware Response Team, 34,527 posts, London, UK)

Posted 05 August 2010 - 08:27 AM

The MBR has been rewritten.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR. If you do not have a recovery disk then please burn one as shown here.


Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you Enter your choice: enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter the correct number for your operating system, and then press Enter.
  • When asked Do you want to fix the MBR code? type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

m0le is a proud member of UNITE
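MBRCheck, as used in the post above, reads sector 0 of the physical disk and compares the boot code it finds there against a list of known operating-system boot loaders, offering to rewrite it when it does not match. The script below is an added example of that check, not part of MBRCheck and not code posted in this thread. It parses a 512-byte MBR into its standard fields (440 bytes of boot code, the 4-byte disk signature, the four 16-byte partition entries and the 0x55AA boot signature), hashes the boot code and classifies it against a table of known-good hashes. Assumptions: the KNOWN_GOOD table is left empty on purpose and must be filled with hashes you take from a trusted, freshly installed machine; the three error strings are the ones the stock Windows XP boot code carries and serve only as a weak hint, never as proof the code is clean; the sample MBR is constructed inline; read_mbr() reads a real device and needs Administrator (Windows) or root (Linux).

```python
"""Parse a 512-byte MBR and fingerprint its boot code.

Added example for this thread, not code from MBRCheck or from the posts.
Field offsets are the standard MBR layout; KNOWN_GOOD is a placeholder.
"""
import hashlib
import struct
from typing import Dict, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440   # 0x000-0x1B7: boot loader code
DISK_SIG_OFF = 440    # 0x1B8: 4-byte Windows disk signature
PART_TABLE_OFF = 446  # 0x1BE: four 16-byte partition entries
BOOT_SIG_OFF = 510    # 0x1FE: 0x55 0xAA

# Strings present in the stock Windows XP MBR code. Their presence is only a
# hint: a rewritten MBR may keep them, so always confirm by hash.
XP_MBR_STRINGS = [
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
]

# Placeholder (assumption): fill with sha256 of the 440-byte boot code read
# from a trusted, known-clean disk, e.g. {"xp-sp3": "<hex digest>"}.
KNOWN_GOOD: Dict[str, str] = {}


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    """Decode one 16-byte partition table entry (little-endian)."""
    status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(mbr: bytes) -> Dict:
    """Split the sector into boot code, disk signature and partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    boot_code = mbr[:BOOT_CODE_LEN]
    entries = [mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
               for i in range(4)]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": [p for p in map(parse_partition_entry, entries) if p["type"] != 0],
        "has_xp_strings": all(s in boot_code for s in XP_MBR_STRINGS),
    }


def classify_boot_code(mbr: bytes, known_good: Optional[Dict[str, str]] = None) -> str:
    """'KNOWN:<label>' if the boot code hash is in the table, 'UNVERIFIED' if
    it merely looks like stock XP code, otherwise 'UNKNOWN' (investigate)."""
    info = parse_mbr(mbr)
    table = KNOWN_GOOD if known_good is None else known_good
    for label, digest in table.items():
        if digest == info["boot_code_sha256"]:
            return f"KNOWN:{label}"
    return "UNVERIFIED" if info["has_xp_strings"] else "UNKNOWN"


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0xDEADBEEF) -> bytes:
    """Constructed sample MBR: given boot code, one bootable NTFS-type (0x07)
    partition starting at LBA 63, valid 0x55AA signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 245_000_000)
    table = entry + b"\x00" * 48          # three empty entries
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + b"\x55\xaa"


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 of a raw device: r'\\.\PhysicalDrive0' on Windows
    (run as Administrator) or '/dev/sda' on Linux (run as root)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    sample = build_sample_mbr(b"\x33\xc0\x8e\xd0" + b"".join(XP_MBR_STRINGS))
    print(parse_mbr(sample))
    print(classify_boot_code(sample))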

#15 h18110 (Topic Starter, Members, 8 posts)

Posted 06 August 2010 - 03:47 PM

I am a little confused about the steps.
Where do I get the Windows XP CD? Was it supposed to come with my computer? I have XP too, by the way.