
Rootkit & logon malware - keeps peplicating & copying itself


This topic is locked. 23 replies to this topic.

#1 Microfloss

Members, 12 posts

Posted 21 July 2010 - 12:44 PM

I have come here after spending my whole summer so far trying to figure this out.

I was infected by a sloppy antivirus and stuff got into my computer. It infected all my antivirus, malware removal and firewall.
And I know I have some sort of rootkit that keeps hiding itself.

After I got infected, when I logged in all I saw was my wallpaper and couldn't do anything and didn't have access to anything.
I went through the admin account in safe mode, but still had problems. I created a new user but whatever it was kept invading the antivirus.

I was able to stabilize the OP and was able to use the computer as I didn't have time or knowledge to fix it. This was months ago.

I was clueless and had to learn from the beginning... starting from what a ROOTKIT WAS.

UnHackMe has been a savior so far in the couple of weeks since I discovered it, as

***I absolutely do not understand most of the rootkit programs or how to interpret them.*** Because all the anti-malware programs use hooks I don't know what is what
or really how to do any interpretation.


I finally found a trace of a winlogon and it was deleted by SUPERAntiSpyware... of all programs.
*** Forgot to add... recently it keeps changing the QUICK LAUNCH taskbar. It always disappears and I have to go reactivate it.
The CPU usage was going up to close to a hundred and freezing everything... and I would have to use the reset button outside of the computer to restart
to get control.

I'm afraid to leave the computer idle too long as I don't know what might start up and take control.

I do have a lot of anti-malware and antivirus programs... but I don't really trust any of them.

Please, I need help badly and don't want to have to do a reinstall... I have too much stuff on the computer and not a lot of time.

Please someone, I need help... Help


Here's my hiJack log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:16:22 AM, on 20/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Comodo 2nd install\Comodo\COMODO Internet Security\cmdagent.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Avast-June29-2010\AvastSvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\BDT\BDTUpdateService.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\IObit\IObit Security 360\IS360srv.exe
D:\Program Files\Sandboxie July2010\SbieSvc.exe
D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsAuxs.exe
D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsSvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\ThreatFire\TFService.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsTray.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\ehome\ehtray.exe
D:\WINDOWS\system32\atiptaxx.exe
D:\WINDOWS\system32\desk98.exe
D:\WINDOWS\system32\V0230Mon.exe
D:\Program Files\IObit\IObit Security 360\IS360tray.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\Comodo 2nd install\Comodo\COMODO Internet Security\cfp.exe
D:\PROGRA~1\AVAST-~1\avastUI.exe
D:\Program Files\ThreatFire\TFTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\UnHackMe\hackmon.exe
D:\Program Files\IObit\IObit Security 360\is360.exe
D:\Program Files\Firefox-July2010\firefox.exe
D:\Program Files\Firefox-July2010\plugin-container.exe
D:\WINDOWS\system32\msiexec.exe
D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [V0230Mon.exe] D:\WINDOWS\system32\V0230Mon.exe
O4 - HKLM\..\Run: [IObit Security 360] "D:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo 2nd install\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avast5] D:\PROGRA~1\AVAST-~1\avastUI.exe /nogui
O4 - HKLM\..\Run: [ThreatFire] D:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] D:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [SandboxieControl] "D:\Program Files\Sandboxie July2010\SbieCtrl.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1AB4F85-8CE1-4E50-BCD1-E4814895627F}: NameServer = 206.248.154.22,69.28.199.126
O20 - AppInit_DLLs: d:\windows\system32\guard32.dll D:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - D:\Program Files\Avast-June29-2010\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - D:\Program Files\Avast-June29-2010\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - D:\Program Files\Avast-June29-2010\AvastSvc.exe
O23 - Service: Browser Defender Update Service - Unknown owner - D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - D:\Program Files\Comodo 2nd install\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: IS360service - IObit - D:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - D:\Program Files\Sandboxie July2010\SbieSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - D:\Program Files\ThreatFire\TFService.exe

--
End of file - 6439 bytes

Edited by Microfloss, 21 July 2010 - 12:57 PM.



#2 gringo_pr (Bleepin Gringo)

Malware Response Team, 136,772 posts
Gender: Male
Location: Puerto rico

Posted 27 July 2010 - 11:43 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait until the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


MBRCheck

Please also download MBRCheck to your desktop
  • Double-click MBRCheck.exe to run it (Vista and Win 7: right-click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right-click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread


Information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. report from MBRCheck
      4. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
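Gringo's post asks for the HijackThis-style and DDS logs but not how to read them, and the first post's log is the kind of thing he will be reading. As an added example that is not part of this thread and not one of the tools it names, here is a small Python triage script over the two line formats posted here: it parses O2/O4/O17/O20/O23 HijackThis entries and R0/S1/S2/S3 DDS service lines into one record, then applies a few defender-side heuristics. The sample lines are copied from the logs above; the heuristics are this example's own assumptions and mean "verify", never "malicious".

```python
"""Triage helper for HijackThis and DDS log lines.

Added example; it is not part of this thread and not one of the tools
Gringo names. The review heuristics are assumptions of this example: a
flagged entry is one to verify (publisher, signature, path), not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis and DDS logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [UnHackMe Monitor] D:\Program Files\UnHackMe\hackmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1AB4F85-8CE1-4E50-BCD1-E4814895627F}: NameServer = 206.248.154.22,69.28.199.126
O20 - AppInit_DLLs: d:\windows\system32\guard32.dll D:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ThreatFire - PC Tools - D:\Program Files\ThreatFire\TFService.exe
S3 ODLVRFNFCF;ODLVRFNFCF;d:\docume~1\franke~1\locals~1\temp\ODLVRFNFCF.exe [2010-7-24 383872]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
"""


@dataclass
class Entry:
    kind: str    # HijackThis section (O4, O20, ...) or DDS start type (R0, S3, ...)
    label: str   # run-key name, BHO name, service name, registry key, ...
    path: str    # file path or value the entry points at ("" if none)
    raw: str


HJT_RE = re.compile(r"^(O\d+) - (.*)$")
# DDS service line: "<start> <name>;<description>;<path> [<date> <size>]"
DDS_SVC_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*)$")
# Temp directories in long or 8.3 (docume~1\...\locals~1\temp) form
TEMP_DIR_RE = re.compile(r"\\(temp|tmp|locals~1\\temp)\\", re.IGNORECASE)


def parse_line(line: str):
    """Return an Entry for a recognised log line, or None for anything else."""
    line = line.strip()
    m = DDS_SVC_RE.match(line)
    if m:
        start, name, _desc, rest = m.groups()
        path = rest.split(" [", 1)[0].strip()   # drop the "[date size]" suffix
        return Entry(start, name, path, line)
    m = HJT_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    if section in ("O2", "O23"):
        # "BHO: name - {CLSID} - path"  /  "Service: name - owner - path"
        parts = body.split(" - ")
        return Entry(section, parts[0].split(": ", 1)[-1], parts[-1].strip(), line)
    if section == "O4":
        # "HKLM\..\Run: [name] command line"
        m2 = re.search(r"\[(.*?)\] ?(.*)$", body)
        if not m2:
            return Entry(section, "", body, line)
        return Entry(section, m2.group(1), m2.group(2).strip(), line)
    if section == "O17":
        key, _, value = body.partition(": NameServer = ")
        return Entry(section, key, value.strip(), line)
    if section == "O20":
        key, _, value = body.partition(": ")
        return Entry(section, key, value.strip(), line)
    return Entry(section, "", body, line)


def review_reasons(e: Entry) -> list:
    """Heuristics (assumptions of this example) for why an entry merits a second look."""
    reasons = []
    if e.path.lower() in ("(no file)", "[x]", ""):
        reasons.append("orphaned entry: registered but the file is missing (cleanup candidate)")
    if TEMP_DIR_RE.search(e.path):
        reasons.append("runs from a temporary directory; legitimate services rarely do")
    if e.kind == "O17":
        reasons.append("custom DNS servers; confirm they belong to your ISP or router")
    if e.kind == "O20":
        reasons.append("loads into every process or into winlogon; confirm the publisher")
    return reasons


def triage(log_text: str):
    """Return [(Entry, reasons)] for every recognised line with at least one reason."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = review_reasons(e)
        if reasons:
            out.append((e, reasons))
    return out


if __name__ == "__main__":
    for e, reasons in triage(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.label or e.path}")
        for r in reasons:
            print(f"     - {r}")
```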

#3 Microfloss (Topic Starter)

Members, 12 posts

Posted 28 July 2010 - 06:44 PM

Thanks for the reply Gringo. I thought it would have been a few months before someone got back to me.

-----------------------------------
I am currently using a community centre computer or will be travelling to a relative's house
to get this done as I don't want to use my computer to access the internet.
So right now the internet is off and totally unplugged out of the wall.
This is the only computer in the house. It is not part of any network.

I am afraid to use the internet, as I know there is some server/person/remote control attached to my user profile, and I am a "child of that computer" user.

I have done some of the stuff before you replied as I looked at some of the older logs.
So most of these logs were completed before, by following some of the other postings' instructions.

Currently I have very little control over the programs on my computer.
A week ago Rootkit Unhooker would not work at all; I will try again though.
-----------------------------------

I still have to do the Rootkit Unhooker
and MBRCheck. In the meantime you can take a look at this.
------------------------------------

1.) I had problems with DeFogger; I didn't know if it was working or not.

This is the log by DeFogger below. I don't know who this is -->> ######## (0.0.0.0)
This is me -->> (Frankenfunk)
--------

defogger_disable by (########) - JohnDow (0.0.0.0)
(I don't want to print its name, just in case.)
Log created at 17:24 on 24/07/2010 (Frankenfunk)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
SPTD -> Disabled

-=E.O.F=-
------------------------------------

I had many, many anti-malware programs on the computer before it took control of my computer... which ones do I disable?

Some of the programs currently on the computer:

COMODO Firewall
Avast antivirus
Spydoctor
IObit Security 360
Sandboxie
PC Tools ThreatFire
HiJackThis.exe
SuperAntiSpyware
Malwarebytes
UnHackMe/ Reanimator

***I am very afraid (actually terrified) to disable any anti-malware program as I am afraid it will take over the computer.
-----------------------------------------------------------
DDS Logs (antivirus/malware not disabled)

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Frankenfunk at 17:26:52.62 on 24/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.464 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\system32\svchost.exe -k netsvcs
D:\WINDOWS\Explorer.EXE
D:\Documents and Settings\Frankenfunk\Desktop\Defogger.exe
D:\Documents and Settings\Frankenfunk\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {dbc80044-a445-435b-bc74-9c25c1c588a9} - Java™ Plug-In 2 SSV Helper
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [CTFMON.EXE] d:\windows\system32\ctfmon.exe
uRun: [UnHackMe Monitor] d:\program files\unhackme\hackmon.exe
uRun: [SandboxieControl] "d:\program files\sandboxie july2010\SbieCtrl.exe"
uRun: [SUPERAntiSpyware] d:\program files\superantispyware-july22\SUPERAntiSpyware.exe
uRun: [Tucan] "c:\antivirus programs to fix computer dec jan 2009-2010\panda antiroot kit\PAVARK.exe" /Monitor
mRun: [ehTray] d:\windows\ehome\ehtray.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [HydarVisionDesktopManager] desk98.exe
mRun: [V0230Mon.exe] d:\windows\system32\V0230Mon.exe
mRun: [IObit Security 360] "d:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [COMODO Internet Security] "d:\program files\comodo 2nd install\comodo\comodo internet security\cfp.exe" -h
mRun: [avast5] d:\progra~1\avast-~1\avastUI.exe /nogui
mRun: [ThreatFire] d:\program files\threatfire\TFTray.exe
mRun: [ISTray] "d:\program files\pctools spydoctor july8 10\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: d:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {A1AB4F85-8CE1-4E50-BCD1-E4814895627F} = 206.248.154.22,69.28.199.126
Notify: !SASWinLogon - d:\program files\superantispyware-july22\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: d:\windows\system32\guard32.dll d:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware-july22\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\franke~1\applic~1\mozilla\firefox\profiles\69bfhxh5.default\

---- FIREFOX POLICIES ----
d:\program files\firefox-july2010\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files\firefox-july2010\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\firefox-july2010\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\firefox-july2010\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\firefox-july2010\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files\firefox-july2010\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("html5.enable", false);
d:\program files\firefox-july2010\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\firefox-july2010\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\firefox-july2010\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\firefox-july2010\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\firefox-july2010\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\program files\firefox-july2010\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files\firefox-july2010\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files\firefox-july2010\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2010-7-8 218592]
R0 phooks;phooks;d:\windows\system32\drivers\phooks.sys [2010-7-24 23552]
R0 TfFsMon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys [2010-7-2 51984]
R0 TfSysMon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys [2010-7-2 59664]
S1 aswSP;aswSP;d:\windows\system32\drivers\aswSP.sys [2010-6-29 165456]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;d:\windows\system32\drivers\cmdguard.sys [2009-12-9 134344]
S1 cmdHlp;COMODO Internet Security Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [2009-12-9 25160]
S1 ElRawDisk;ElRawDisk;d:\windows\system32\drivers\elrawdsk.sys [2007-12-4 29768]
S1 SASDIFSV;SASDIFSV;d:\program files\superantispyware-july22\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;d:\program files\superantispyware-july22\SASKUTIL.SYS [2010-5-10 67656]
S2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2010-6-29 17744]
S2 avast! Antivirus;avast! Antivirus;d:\program files\avast-june29-2010\AvastSvc.exe [2010-6-29 40384]
S2 Browser Defender Update Service;Browser Defender Update Service;d:\program files\pctools spydoctor july8 10\spyware doctor\bdt\BDTUpdateService.exe [2010-7-8 112592]
S2 cmdAgent;COMODO Internet Security Helper Service;d:\program files\comodo 2nd install\comodo\comodo internet security\cmdagent.exe [2009-12-15 723632]
S2 IS360service;IS360service;d:\program files\iobit\iobit security 360\is360srv.exe [2010-6-29 312152]
S2 sdAuxService;PC Tools Auxiliary Service;d:\program files\pctools spydoctor july8 10\spyware doctor\pctsAuxs.exe [2010-7-8 366840]
S2 sdCoreService;PC Tools Security Service;d:\program files\pctools spydoctor july8 10\spyware doctor\pctsSvc.exe [2010-7-8 1142224]
S2 ThreatFire;ThreatFire;d:\program files\threatfire\tfservice.exe service --> d:\program files\threatfire\TFService.exe service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;d:\program files\avast-june29-2010\AvastSvc.exe [2010-6-29 40384]
S3 avast! Web Scanner;avast! Web Scanner;d:\program files\avast-june29-2010\AvastSvc.exe [2010-6-29 40384]
S3 ODLVRFNFCF;ODLVRFNFCF;d:\docume~1\franke~1\locals~1\temp\ODLVRFNFCF.exe [2010-7-24 383872]
S3 Partizan;Partizan;d:\windows\system32\drivers\Partizan.sys [2010-6-17 35816]
S3 RegGuard;RegGuard;d:\windows\system32\drivers\regguard.sys [2010-6-19 24416]
S3 Revoflt;Revoflt;d:\windows\system32\drivers\revoflt.sys [2010-7-18 27064]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 rspSanity;rspSanity;d:\windows\system32\drivers\rspSanity32.sys [2010-5-19 27192]
S3 SbieDrv;SbieDrv;d:\program files\sandboxie july2010\SbieDrv.sys [2010-4-17 115944]
S3 TfNetMon;TfNetMon;d:\windows\system32\drivers\TfNetMon.sys [2010-7-2 33552]
S3 TMPassthruMP;TMPassthruMP;d:\windows\system32\drivers\tmpassthru.sys --> d:\windows\system32\drivers\TMPassthru.sys [?]
S3 V0230Vfx;V0230Vfx;d:\windows\system32\drivers\V0230Vfx.sys [2008-2-7 6272]
S3 V0230VID;Live! Cam Video IM Pro;d:\windows\system32\drivers\V0230VID.sys [2008-2-7 498464]

=============== Created Last 30 ================

2010-07-24 18:26:24 23552 ----a-w- d:\windows\system32\drivers\phooks.sys
2010-07-22 22:45:57 0 d-----w- d:\documents and settings\frankenfunk\Pavark
2010-07-22 16:58:25 25600 ----a-w- d:\windows\system32\ATMenuxx.FTG
2010-07-22 14:12:39 0 d-----w- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-22 14:10:57 0 d-----w- d:\program files\SuperAntiSpyware-July22
2010-07-20 04:13:44 0 d-----w- d:\program files\Trend Micro
2010-07-19 17:07:21 260 ----a-w- d:\documents and settings\frankenfunk\defogger_reenable
2010-07-18 23:55:52 0 d-----w- d:\docume~1\franke~1\applic~1\VS Revo Group
2010-07-18 23:49:00 27064 ----a-w- d:\windows\system32\drivers\revoflt.sys
2010-07-18 23:48:54 0 d-----w- d:\program files\VS Revo Group
2010-07-18 01:17:42 0 dc-h--w- d:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2010-07-17 22:45:40 767928 ----a-w- d:\windows\BDTSupport.dll
2010-07-17 19:34:52 0 d-----w- D:\Backreg
2010-07-14 19:20:38 0 d-----w- d:\program files\Malwarebytes-July14-2010
2010-07-14 14:57:23 744448 -c----w- d:\windows\system32\dllcache\helpsvc.exe
2010-07-11 03:32:59 0 d-----w- d:\program files\Opera July10 2010
2010-07-08 23:11:44 0 d-----w- d:\program files\ThreatExpert Memory Scanner
2010-07-08 19:34:07 7387 ----a-w- d:\windows\system32\drivers\pctgntdi.cat
2010-07-08 19:34:07 233136 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
2010-07-08 19:32:46 7383 ----a-w- d:\windows\system32\drivers\pctcore.cat
2010-07-08 19:32:45 88040 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
2010-07-08 19:32:45 7412 ----a-w- d:\windows\system32\drivers\PCTAppEvent.cat
2010-07-08 19:32:45 218592 ----a-w- d:\windows\system32\drivers\PCTCore.sys
2010-07-08 19:30:11 0 d-----w- d:\docume~1\franke~1\applic~1\PC Tools
2010-07-08 19:28:23 0 d-----w- d:\program files\PCtools Spydoctor July8 10
2010-07-03 02:57:41 0 d-----r- D:\Sandbox
2010-07-03 02:52:06 1992 ----a-w- d:\windows\Sandboxie.ini
2010-07-03 02:50:04 0 d-----w- d:\program files\Sandboxie July2010
2010-07-02 14:19:11 59664 ----a-w- d:\windows\system32\drivers\TfSysMon.sys
2010-07-02 14:19:11 33552 ----a-w- d:\windows\system32\drivers\TfNetMon.sys
2010-07-02 14:19:10 51984 ----a-w- d:\windows\system32\drivers\TfFsMon.sys
2010-07-02 14:19:06 0 d-----w- d:\program files\ThreatFire
2010-07-02 03:43:21 0 d-----w- D:\RegRunInfo
2010-07-02 02:10:40 0 d-----w- d:\windows\RestoreSafeDeleted
2010-07-01 18:42:46 0 d-----w- D:\Stuff that is needed
2010-06-30 05:36:54 0 d-----w- d:\program files\Firefox-July2010
2010-06-29 21:14:29 7383 ----a-w- d:\windows\system32\drivers\pctplsg.cat
2010-06-29 21:14:28 63360 ----a-w- d:\windows\system32\drivers\pctplsg.sys
2010-06-29 21:14:13 0 d-----w- d:\program files\Spyware Doctor
2010-06-29 21:14:13 0 d-----w- d:\docume~1\alluse~1\applic~1\PC Tools
2010-06-29 20:28:47 38848 ----a-w- d:\windows\avastSS.scr
2010-06-29 20:25:47 0 d-----w- d:\program files\Avast-June29-2010
2010-06-29 15:01:35 0 d-sha-r- D:\autorun.inf
2010-06-29 02:30:50 0 d-----w- d:\program files\RkUnhooker

==================== Find3M ====================

2010-07-23 03:06:38 24416 ----a-w- d:\windows\system32\drivers\regguard.sys
2010-06-17 22:43:09 37600 ----a-w- d:\windows\system32\Partizan.exe
2010-06-17 22:43:09 35816 ----a-w- d:\windows\system32\drivers\Partizan.sys
2010-06-17 21:30:11 29708 ----a-w- d:\program files\configuration.conf
2010-06-17 21:30:11 25026 ----a-w- d:\program files\machine.conf
2010-06-17 21:29:08 210306 ----a-w- d:\program files\modules.ini
2010-06-17 16:27:06 161296 ----a-w- d:\windows\system32\drivers\tmcomm.sys
2010-05-04 17:20:39 832512 ----a-w- d:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- d:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ------w- d:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- d:\windows\system32\win32k.sys
2010-02-22 19:56:51 29531 ----a-w- d:\program files\configuration.backup
2010-02-22 19:48:12 210306 ----a-w- d:\program files\modules.0
2010-02-22 19:41:30 34723 ----a-w- d:\program files\machine.ini
2009-12-04 03:23:33 159 ----a-w- d:\program files\improve_net_report.xm~
2009-12-04 03:14:57 88619 ----a-w- d:\program files\unins000.dat
2009-12-04 03:14:57 11200 ----a-w- d:\program files\unins000.msg
2009-04-28 15:09:16 2121216 ----a-w- d:\program files\op_install.dll
2009-04-28 15:08:26 2130432 ----a-w- d:\program files\op_cmn.dll
2009-04-28 15:06:08 710656 ----a-w- d:\program files\update.dll
2009-04-28 15:05:56 715264 ----a-w- d:\program files\wl_hook.dll
2009-04-28 15:05:18 266752 ----a-w- d:\program files\log_converter.dll
2009-04-28 15:04:56 428032 ----a-w- d:\program files\feedback.exe
2009-04-28 13:53:52 496 ----a-w- d:\program files\op_links.ini
2009-04-06 16:37:14 7653 ----a-w- d:\program files\SandBox.cat
2009-04-06 16:37:12 2119 ----a-w- d:\program files\SandBox.inf
2009-04-06 16:07:58 44531 ----a-w- d:\program files\vendors.inet
2009-04-06 16:07:58 34431 ----a-w- d:\program files\ads_link.inet
2009-04-06 16:07:58 17710 ----a-w- d:\program files\compatibility.ini
2009-04-06 16:07:58 1081100 ----a-w- d:\program files\preset.conf
2009-04-06 16:02:26 3678 ----a-w- d:\program files\compatibility.en
2009-04-06 16:02:26 2838 ----a-w- d:\program files\py_localize.en
2009-04-06 16:02:22 1150 ----a-w- d:\program files\update.ico
2009-04-06 16:02:22 1030144 ----a-w- d:\program files\dbghelp.dll
2009-04-06 16:01:56 97148 ----a-w- d:\program files\spy_sites.inet
2009-04-06 16:01:56 774 ----a-w- d:\program files\rc_macro.lst
2009-04-06 16:01:56 5985 ----a-w- d:\program files\license
2009-04-06 16:01:56 153 ----a-w- d:\program files\preconfig.ini
2009-04-02 19:23:54 2034176 ----a-w- d:\program files\python25.dll
2009-04-02 18:29:44 552448 ----a-w- d:\program files\htmlayout.dll
1848-03-08 18:19:28 4263 --sh--w- d:\windows\windllreg1c.sys
2009-12-07 20:16:00 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009120720091208\index.dat

============= FINISH: 17:27:12.93 ===============

DDS Attach log
----

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 27/11/2007 11:10:56 AM
System Uptime: 24/07/2010 2:29:53 PM (3 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4B266
Processor: Intel® Pentium® 4 CPU 1.80GHz | PGA 478 | 1816/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 37 GiB total, 3.452 GiB free.
D: is FIXED (NTFS) - 50 GiB total, 9.148 GiB free.
E: is FIXED (NTFS) - 49 GiB total, 3.054 GiB free.
F: is FIXED (NTFS) - 50 GiB total, 34.229 GiB free.
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: HP ScanJet 4470c
Device ID: USB\VID_03F0&PID_0805\CN26HAD0RMZ
Manufacturer:
Name: HP ScanJet 4470c
PNP Device ID: USB\VID_03F0&PID_0805\CN26HAD0RMZ
Service:

==== System Restore Points ===================

RP901: 22/07/2010 6:36:21 PM - RegRun Virus Scan
RP902: 22/07/2010 11:04:54 PM - RegRun Virus Scan

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Adobe Shockwave Player
ATI - Software Uninstall Utility
ATI Display Driver
AutoUpdate
avast! Free Antivirus
Balabolka
COMODO Internet Security
COMODO livePCsupport 1.0.65302.27
Creative Live! Cam Video IM Pro Driver (1.00.07.0725)
Data Lifeguard Tools
DivX Codec
DivX Version Checker
HiJackThis
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HydraVision
Intel® 537 Modem
IObit Security 360
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.7)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Natural Color Pro
Nero 7 Essentials
NextUp.com-NeoSpeech Kate16 Voice
Opera 10.60
PCI Audio Driver
RegRun Reanimator
Revo Uninstaller Pro 2.2.3
Rootkit Unhooker Uninstall
Sandboxie 3.442
SanityCheck 2.00
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Sophos Anti-Rootkit 1.5.4
Spyware Doctor 7.0
SUPERAntiSpyware
ThreatExpert Memory Scanner 1.0
ThreatFire
TypingMaster Pro
UnHackMe 5.90 release
Uniblue DriverScanner 2009
Uniblue RegistryBooster 2009
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6d
WebFldrs XP
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

24/07/2010 2:09:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi cmdGuard cmdHlp ElRawDisk Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL sptd Tcpip
24/07/2010 2:09:34 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
24/07/2010 2:09:34 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
24/07/2010 2:09:34 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
24/07/2010 2:09:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
24/07/2010 2:09:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
22/07/2010 9:58:56 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 851c96c8, parameter3 851c983c, parameter4 805fb146.
22/07/2010 9:35:12 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 851ca530, parameter3 851ca6a4, parameter4 805fb146.
22/07/2010 2:17:33 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 855f1c10, parameter3 855f1d84, parameter4 805fb146.
22/07/2010 12:34:11 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
22/07/2010 12:34:10 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
22/07/2010 1:52:23 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8515e530, parameter3 8515e6a4, parameter4 805fb146.
21/07/2010 7:12:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd
21/07/2010 4:40:08 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
21/07/2010 4:39:42 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00055DFE2A5D has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
21/07/2010 11:27:55 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
20/07/2010 4:05:21 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
20/07/2010 11:34:18 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000090, parameter2 0049403c, parameter3 f794ef2c, parameter4 00000000.
19/07/2010 1:11:29 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000090, parameter2 0049403c, parameter3 f7a8ef2c, parameter4 00000000.
18/07/2010 1:48:04 AM, error: Service Control Manager [7000] - The SABKUTIL service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================


I will try to redo everything, but I still don't know what to disable or if it is advisable to do so. Please advise.

Thanks for your help
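
Added example (not part of the thread, and not code from DDS or any tool named in it): a small Python script that applies, over constructed copies of lines from the log above, the checks a log reader does by hand on the two DDS sections posted. It parses entries in the Created Last 30 / Find3M format and flags any whose timestamp falls outside the window between the install date and the scan time (the attach log records an install date of 27/11/2007 and the main log a FINISH time of 17:27:12 on 24/07/2010), or that are system+hidden executables or drivers anywhere under the Windows directory tree; and it extracts the driver names from the Service Control Manager event 7026 message and reports which of the security-product drivers listed under SERVICES / DRIVERS did not load. The sample lines are constructed from the log, the set of security drivers is an assumption for illustration, and every hit is something to investigate rather than a verdict: a Safe Mode boot without networking legitimately skips AFD, Tcpip, NetBT and most third-party drivers, so the boot mode has to be checked before a 7026 event like this one is read as tampering.

```python
import re
from datetime import datetime

# Constructed sample: lines copied in the format of the posted DDS log
# ("Created Last 30" / "Find3M": date, time, size, attribute string, path).
SAMPLE_DDS = """\
2010-07-02 14:19:11 59664 ----a-w- d:\\windows\\system32\\drivers\\TfSysMon.sys
2010-05-02 05:22:50 1851264 ----a-w- d:\\windows\\system32\\win32k.sys
1848-03-08 18:19:28 4263 --sh--w- d:\\windows\\windllreg1c.sys
2009-12-07 20:16:00 32768 --sha-w- d:\\windows\\system32\\config\\systemprofile\\local settings\\history\\history.ie5\\mshist012009120720091208\\index.dat
2010-07-18 01:17:42 0 dc-h--w- d:\\docume~1\\alluse~1\\applic~1\\{66E2F539-12B6-4870-A500-7689CDE75C5E}
"""

# Constructed sample: the SCM event 7026 from the attach log, on one line.
SAMPLE_EVENT_7026 = (
    "24/07/2010 2:09:34 PM, error: Service Control Manager [7026] - "
    "The following boot-start or system-start driver(s) failed to load: "
    "Aavmker4 AFD aswSP aswTdi cmdGuard cmdHlp ElRawDisk Fips intelppm IPSec "
    "MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL sptd Tcpip")

# Install date (attach log header) and scan time (FINISH line, 24/07/2010).
INSTALL_DATE = datetime(2007, 11, 27, 11, 10, 56)
SCAN_TIME = datetime(2010, 7, 24, 17, 27, 12)

# Assumption for illustration: self-protection drivers of the security
# products that appear under SERVICES / DRIVERS in the posted log.
SECURITY_DRIVERS = {"aswSP", "aswTdi", "Aavmker4", "cmdGuard", "cmdHlp",
                    "SASDIFSV", "SASKUTIL", "PCTCore", "TfFsMon", "TfSysMon"}

ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{8}) (.+)$")
EXEC_EXT = (".sys", ".exe", ".dll", ".scr")


def parse_entries(text):
    """Parse DDS file-listing lines; lines in any other format are skipped."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        date, clock, size, attrs, path = m.groups()
        out.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "size": int(size),
            "is_dir": attrs[0] == "d",   # DDS puts 'd' in the first column
            "system": "s" in attrs,
            "hidden": "h" in attrs,
            "path": path,
        })
    return out


def suspicious_entries(entries, install_date=INSTALL_DATE, scan_time=SCAN_TIME):
    """Return (path, reason) pairs for entries that deserve a closer look.

    Heuristics, not verdicts: a timestamp before the OS install or after the
    scan is timestomping or a broken clock; a system+hidden executable or
    driver under the Windows tree is unusual for legitimate software.
    """
    hits = []
    for e in entries:
        if e["ts"] < install_date or e["ts"] > scan_time:
            hits.append((e["path"], "timestamp outside install..scan window"))
        lower = e["path"].lower()
        if (not e["is_dir"] and e["system"] and e["hidden"]
                and lower.endswith(EXEC_EXT) and "\\windows\\" in lower):
            hits.append((e["path"], "system+hidden executable under \\windows"))
    return hits


def failed_drivers(event_line):
    """Extract the driver names listed in an SCM event 7026 message."""
    marker = "failed to load:"
    idx = event_line.find(marker)
    return event_line[idx + len(marker):].split() if idx >= 0 else []


def unloaded_security_drivers(event_line, known=SECURITY_DRIVERS):
    """Security-product drivers that did not load at that boot.

    Caveat: Safe Mode without networking skips AFD, Tcpip, NetBT and most
    third-party drivers by design, so confirm the boot mode first.
    """
    return sorted(d for d in failed_drivers(event_line) if d in known)


if __name__ == "__main__":
    for path, why in suspicious_entries(parse_entries(SAMPLE_DDS)):
        print(f"{why:45} {path}")
    print("security drivers not loaded:",
          unloaded_security_drivers(SAMPLE_EVENT_7026))
```

Run against the sample, the only entry that trips a check is the 4263-byte file with the 1848 timestamp and system+hidden attributes, which it flags twice; the hidden index.dat is skipped because it is not an executable, and the hidden directory is skipped because it is a directory. The 7026 check lists every avast!, COMODO and SUPERAntiSpyware driver from the message; whether that matters depends entirely on whether that boot was Safe Mode.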

#4 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 July 2010 - 06:56 PM

Before I can come up with a fix I still need to see those logs


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Proud Graduate Of Malware Removal University

#5 Microfloss

Microfloss
  • Topic Starter
  • Members
  • 12 posts

Posted 29 July 2010 - 05:50 PM

Rootkit Unhooker won't work at all. I tried to use it a couple of months ago, so I guess they disable any new installs of it.

But I was able to get a new DDS log and the log from MBRchecker.


DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Frankenfunk at 12:50:14.79 on 29/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.556 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\system32\svchost.exe -k netsvcs
D:\WINDOWS\Explorer.EXE
D:\Documents and Settings\Frankenfunk\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {dbc80044-a445-435b-bc74-9c25c1c588a9} - Java™ Plug-In 2 SSV Helper
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [CTFMON.EXE] d:\windows\system32\ctfmon.exe
uRun: [UnHackMe Monitor] d:\program files\unhackme\hackmon.exe
uRun: [SandboxieControl] "d:\program files\sandboxie july2010\SbieCtrl.exe"
mRun: [ehTray] d:\windows\ehome\ehtray.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [HydarVisionDesktopManager] desk98.exe
mRun: [IObit Security 360] "d:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [COMODO Internet Security] "d:\program files\comodo 2nd install\comodo\comodo internet security\cfp.exe" -h
mRun: [avast5] d:\progra~1\avast-~1\avastUI.exe /nogui
mRun: [ThreatFire] d:\program files\threatfire\TFTray.exe
mRun: [ISTray] "d:\program files\pctools spydoctor july8 10\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: d:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {A1AB4F85-8CE1-4E50-BCD1-E4814895627F} = 206.248.154.22,69.28.199.126
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: d:\windows\system32\guard32.dll d:\windows\system32\guard32.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\franke~1\applic~1\mozilla\firefox\profiles\69bfhxh5.default\

---- FIREFOX POLICIES ----
d:\program files\firefox-july2010\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files\firefox-july2010\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\firefox-july2010\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\firefox-july2010\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\firefox-july2010\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\firefox-july2010\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files\firefox-july2010\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files\firefox-july2010\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\firefox-july2010\greprefs\all.js - pref("html5.enable", false);
d:\program files\firefox-july2010\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\firefox-july2010\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\firefox-july2010\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\firefox-july2010\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\firefox-july2010\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\program files\firefox-july2010\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files\firefox-july2010\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files\firefox-july2010\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files\firefox-july2010\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2010-7-8 218592]
R0 TfFsMon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys [2010-7-2 51984]
R0 TfSysMon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys [2010-7-2 59664]
S1 aswSP;aswSP;d:\windows\system32\drivers\aswSP.sys [2010-6-29 165456]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;d:\windows\system32\drivers\cmdguard.sys [2009-12-9 134344]
S1 cmdHlp;COMODO Internet Security Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [2009-12-9 25160]
S1 ElRawDisk;ElRawDisk;d:\windows\system32\drivers\elrawdsk.sys [2007-12-4 29768]
S2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2010-6-29 17744]
S2 avast! Antivirus;avast! Antivirus;d:\program files\avast-june29-2010\AvastSvc.exe [2010-6-29 40384]
S2 Browser Defender Update Service;Browser Defender Update Service;d:\program files\pctools spydoctor july8 10\spyware doctor\bdt\BDTUpdateService.exe [2010-7-8 112592]
S2 cmdAgent;COMODO Internet Security Helper Service;d:\program files\comodo 2nd install\comodo\comodo internet security\cmdagent.exe [2009-12-15 723632]
S2 IS360service;IS360service;d:\program files\iobit\iobit security 360\is360srv.exe [2010-6-29 312152]
S2 sdAuxService;PC Tools Auxiliary Service;d:\program files\pctools spydoctor july8 10\spyware doctor\pctsAuxs.exe [2010-7-8 366840]
S2 sdCoreService;PC Tools Security Service;d:\program files\pctools spydoctor july8 10\spyware doctor\pctsSvc.exe [2010-7-8 1142224]
S2 ThreatFire;ThreatFire;d:\program files\threatfire\tfservice.exe service --> d:\program files\threatfire\TFService.exe service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;d:\program files\avast-june29-2010\AvastSvc.exe [2010-6-29 40384]
S3 avast! Web Scanner;avast! Web Scanner;d:\program files\avast-june29-2010\AvastSvc.exe [2010-6-29 40384]
S3 Partizan;Partizan;d:\windows\system32\drivers\Partizan.sys [2010-6-17 35816]
S3 RegGuard;RegGuard;d:\windows\system32\drivers\regguard.sys [2010-6-19 24416]
S3 Revoflt;Revoflt;d:\windows\system32\drivers\revoflt.sys [2010-7-18 27064]
S3 rspSanity;rspSanity;d:\windows\system32\drivers\rspSanity32.sys [2010-5-19 27192]
S3 SbieDrv;SbieDrv;d:\program files\sandboxie july2010\SbieDrv.sys [2010-4-17 115944]
S3 TfNetMon;TfNetMon;d:\windows\system32\drivers\TfNetMon.sys [2010-7-2 33552]
S3 TMPassthruMP;TMPassthruMP;d:\windows\system32\drivers\tmpassthru.sys --> d:\windows\system32\drivers\TMPassthru.sys [?]
S3 V0230Vfx;V0230Vfx;d:\windows\system32\drivers\V0230Vfx.sys [2008-2-7 6272]
S3 V0230VID;Live! Cam Video IM Pro;d:\windows\system32\drivers\V0230VID.sys [2008-2-7 498464]
UnknownUnknown rkhdrv40;rkhdrv40; [x]

=============== Created Last 30 ================

2010-07-28 15:36:30 0 d-----w- D:\bookmarks July28 firefox
2010-07-25 13:47:43 20 ----a-w- d:\documents and settings\frankenfunk\defogger_reenable
2010-07-22 22:45:57 0 d-----w- d:\documents and settings\frankenfunk\Pavark
2010-07-22 16:58:25 25600 ----a-w- d:\windows\system32\ATMenuxx.FTG
2010-07-22 14:12:39 0 d-----w- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-20 04:13:44 0 d-----w- d:\program files\Trend Micro
2010-07-18 23:55:52 0 d-----w- d:\docume~1\franke~1\applic~1\VS Revo Group
2010-07-18 23:49:00 27064 ----a-w- d:\windows\system32\drivers\revoflt.sys
2010-07-18 23:48:54 0 d-----w- d:\program files\VS Revo Group
2010-07-18 01:17:42 0 dc-h--w- d:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2010-07-17 22:45:40 767928 ----a-w- d:\windows\BDTSupport.dll
2010-07-17 19:34:52 0 d-----w- D:\Backreg
2010-07-14 19:20:38 0 d-----w- d:\program files\Malwarebytes-July14-2010
2010-07-14 14:57:23 744448 -c----w- d:\windows\system32\dllcache\helpsvc.exe
2010-07-11 03:32:59 0 d-----w- d:\program files\Opera July10 2010
2010-07-08 23:11:44 0 d-----w- d:\program files\ThreatExpert Memory Scanner
2010-07-08 19:34:07 7387 ----a-w- d:\windows\system32\drivers\pctgntdi.cat
2010-07-08 19:34:07 233136 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
2010-07-08 19:32:46 7383 ----a-w- d:\windows\system32\drivers\pctcore.cat
2010-07-08 19:32:45 88040 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
2010-07-08 19:32:45 7412 ----a-w- d:\windows\system32\drivers\PCTAppEvent.cat
2010-07-08 19:32:45 218592 ----a-w- d:\windows\system32\drivers\PCTCore.sys
2010-07-08 19:30:11 0 d-----w- d:\docume~1\franke~1\applic~1\PC Tools
2010-07-08 19:28:23 0 d-----w- d:\program files\PCtools Spydoctor July8 10
2010-07-03 02:57:41 0 d-----r- D:\Sandbox
2010-07-03 02:52:06 1992 ----a-w- d:\windows\Sandboxie.ini
2010-07-03 02:50:04 0 d-----w- d:\program files\Sandboxie July2010
2010-07-02 14:19:11 59664 ----a-w- d:\windows\system32\drivers\TfSysMon.sys
2010-07-02 14:19:11 33552 ----a-w- d:\windows\system32\drivers\TfNetMon.sys
2010-07-02 14:19:10 51984 ----a-w- d:\windows\system32\drivers\TfFsMon.sys
2010-07-02 14:19:06 0 d-----w- d:\program files\ThreatFire
2010-07-02 03:43:21 0 d-----w- D:\RegRunInfo
2010-07-02 02:10:40 0 d-----w- d:\windows\RestoreSafeDeleted
2010-07-01 18:42:46 0 d-----w- D:\Stuff that is needed
2010-06-30 05:36:54 0 d-----w- d:\program files\Firefox-July2010
2010-06-29 21:14:29 7383 ----a-w- d:\windows\system32\drivers\pctplsg.cat
2010-06-29 21:14:28 63360 ----a-w- d:\windows\system32\drivers\pctplsg.sys
2010-06-29 21:14:13 0 d-----w- d:\program files\Spyware Doctor
2010-06-29 21:14:13 0 d-----w- d:\docume~1\alluse~1\applic~1\PC Tools
2010-06-29 20:28:47 38848 ----a-w- d:\windows\avastSS.scr
2010-06-29 20:25:47 0 d-----w- d:\program files\Avast-June29-2010

==================== Find3M ====================

2010-07-25 18:20:57 24416 ----a-w- d:\windows\system32\drivers\regguard.sys
2010-06-17 22:43:09 37600 ----a-w- d:\windows\system32\Partizan.exe
2010-06-17 22:43:09 35816 ----a-w- d:\windows\system32\drivers\Partizan.sys
2010-06-17 21:30:11 29708 ----a-w- d:\program files\configuration.conf
2010-06-17 21:30:11 25026 ----a-w- d:\program files\machine.conf
2010-06-17 21:29:08 210306 ----a-w- d:\program files\modules.ini
2010-06-17 16:27:06 161296 ----a-w- d:\windows\system32\drivers\tmcomm.sys
2010-05-04 17:20:39 832512 ----a-w- d:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- d:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ------w- d:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- d:\windows\system32\win32k.sys
2010-02-22 19:56:51 29531 ----a-w- d:\program files\configuration.backup
2010-02-22 19:48:12 210306 ----a-w- d:\program files\modules.0
2010-02-22 19:41:30 34723 ----a-w- d:\program files\machine.ini
2009-12-04 03:23:33 159 ----a-w- d:\program files\improve_net_report.xm~
2009-12-04 03:14:57 88619 ----a-w- d:\program files\unins000.dat
2009-12-04 03:14:57 11200 ----a-w- d:\program files\unins000.msg
2009-04-28 15:09:16 2121216 ----a-w- d:\program files\op_install.dll
2009-04-28 15:08:26 2130432 ----a-w- d:\program files\op_cmn.dll
2009-04-28 15:06:08 710656 ----a-w- d:\program files\update.dll
2009-04-28 15:05:56 715264 ----a-w- d:\program files\wl_hook.dll
2009-04-28 15:05:18 266752 ----a-w- d:\program files\log_converter.dll
2009-04-28 15:04:56 428032 ----a-w- d:\program files\feedback.exe
2009-04-28 13:53:52 496 ----a-w- d:\program files\op_links.ini
2009-04-06 16:37:14 7653 ----a-w- d:\program files\SandBox.cat
2009-04-06 16:37:12 2119 ----a-w- d:\program files\SandBox.inf
2009-04-06 16:07:58 44531 ----a-w- d:\program files\vendors.inet
2009-04-06 16:07:58 34431 ----a-w- d:\program files\ads_link.inet
2009-04-06 16:07:58 17710 ----a-w- d:\program files\compatibility.ini
2009-04-06 16:07:58 1081100 ----a-w- d:\program files\preset.conf
2009-04-06 16:02:26 3678 ----a-w- d:\program files\compatibility.en
2009-04-06 16:02:26 2838 ----a-w- d:\program files\py_localize.en
2009-04-06 16:02:22 1150 ----a-w- d:\program files\update.ico
2009-04-06 16:02:22 1030144 ----a-w- d:\program files\dbghelp.dll
2009-04-06 16:01:56 97148 ----a-w- d:\program files\spy_sites.inet
2009-04-06 16:01:56 774 ----a-w- d:\program files\rc_macro.lst
2009-04-06 16:01:56 5985 ----a-w- d:\program files\license
2009-04-06 16:01:56 153 ----a-w- d:\program files\preconfig.ini
2009-04-02 19:23:54 2034176 ----a-w- d:\program files\python25.dll
2009-04-02 18:29:44 552448 ----a-w- d:\program files\htmlayout.dll
1848-03-08 18:19:28 4263 --sh--w- d:\windows\windllreg1c.sys
2009-12-07 20:16:00 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009120720091208\index.dat

============= FINISH: 12:50:45.07 ===============
----------------------------------------------------

Attach (DDS)

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 27/11/2007 11:10:56 AM
System Uptime: 29/07/2010 12:01:54 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4B266
Processor: Intel® Pentium® 4 CPU 1.80GHz | PGA 478 | 1816/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 37 GiB total, 4.724 GiB free.
D: is FIXED (NTFS) - 50 GiB total, 10.086 GiB free.
E: is FIXED (NTFS) - 49 GiB total, 3.429 GiB free.
F: is FIXED (NTFS) - 50 GiB total, 34.229 GiB free.
G: is CDROM ()
H: is Removable

==== Disabled Device Manager Items =============

Class GUID:
Description: HP ScanJet 4470c
Device ID: USB\VID_03F0&PID_0805\CN26HAD0RMZ
Manufacturer:
Name: HP ScanJet 4470c
PNP Device ID: USB\VID_03F0&PID_0805\CN26HAD0RMZ
Service:

==== System Restore Points ===================

RP902: 22/07/2010 11:04:54 PM - RegRun Virus Scan

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Adobe Shockwave Player
ATI - Software Uninstall Utility
ATI Display Driver
AutoUpdate
avast! Free Antivirus
Balabolka
COMODO Internet Security
COMODO livePCsupport 1.0.65302.27
Creative Live! Cam Video IM Pro Driver (1.00.07.0725)
Data Lifeguard Tools
DivX Codec
DivX Version Checker
HiJackThis
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HydraVision
Intel® 537 Modem
IObit Security 360
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.7)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Natural Color Pro
Nero 7 Essentials
NextUp.com-NeoSpeech Kate16 Voice
Opera 10.60
PCI Audio Driver
RegRun Reanimator
Revo Uninstaller Pro 2.2.3
Sandboxie 3.442
SanityCheck 2.00
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Sophos Anti-Rootkit 1.5.4
Spyware Doctor 7.0
ThreatExpert Memory Scanner 1.0
ThreatFire
TypingMaster Pro
UnHackMe 5.90 release
Uniblue DriverScanner 2009
Uniblue RegistryBooster 2009
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6d
WebFldrs XP
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

26/07/2010 2:50:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
26/07/2010 2:32:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi cmdGuard cmdHlp ElRawDisk Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
25/07/2010 6:52:36 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service COMSysApp with arguments "" in order to run the server: {182C40F0-32E4-11D0-818B-00A0C9231C29}
25/07/2010 1:30:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi cmdGuard cmdHlp ElRawDisk Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
24/07/2010 2:09:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi cmdGuard cmdHlp ElRawDisk Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL sptd Tcpip
24/07/2010 2:09:34 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
24/07/2010 2:09:34 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
24/07/2010 2:09:34 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
24/07/2010 2:09:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
24/07/2010 2:09:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
22/07/2010 9:59:59 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00055DFE2A5D has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
22/07/2010 9:58:56 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 851c96c8, parameter3 851c983c, parameter4 805fb146.
22/07/2010 9:44:51 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
22/07/2010 9:35:12 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 851ca530, parameter3 851ca6a4, parameter4 805fb146.
22/07/2010 2:17:33 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 855f1c10, parameter3 855f1d84, parameter4 805fb146.
22/07/2010 12:34:11 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
22/07/2010 12:34:10 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
22/07/2010 1:52:23 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8515e530, parameter3 8515e6a4, parameter4 805fb146.
22/07/2010 1:24:05 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sptd

==== End Of File ===========================

--------------------------------------------------------------------------------------------------


MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive1
\\.\E: --> \\.\PhysicalDrive1
\\.\F: --> \\.\PhysicalDrive1

Size    Device Name          MBR Status
--------------------------------------------
37 GB   \\.\PhysicalDrive0   Windows XP MBR code detected
149 GB  \\.\PhysicalDrive1   Windows XP MBR code detected

Done! Press ENTER to exit...

----------------------------------------------------------------------------------------------

RkUnhooker does not work, even in safe mode.
I also tried GMER. It works for a while, but it gets stopped by something. I took screenshots of some of the readout until it was stopped.

Thanks


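The file-listing lines in the DDS and ComboFix logs above are what a removal helper scans by eye for the usual tells: a timestamp the filesystem could not have produced, System+Hidden attributes on a loose executable directly in %WINDIR% or system32, a .sys driver outside system32\drivers, a near-empty .bat in the Windows directory. The script below is an added example, not a tool from this thread or from BleepingComputer: it parses both listing formats that appear on this page (the DDS one-timestamp form and the ComboFix two-timestamp form) and applies those heuristics to sample lines taken from the logs above, plus one section banner to show the parser skipping non-listing text. The year floor, size threshold, directory rules and extension list are assumptions chosen for the example, and a flag means "inspect this", not "malicious"; legitimate security tools that install boot-time components can trip the same rules, which is why the output is a review list rather than a verdict.

```python
"""
Triage heuristics for the file-listing lines in DDS and ComboFix logs.

Added example (not part of the original post, not a BleepingComputer tool).
Understands the two listing formats seen on this page:

    DDS:      2010-05-02 05:22:50 1851264 ----a-w- d:\\windows\\system32\\win32k.sys
    ComboFix: 2010-07-17 21:14 . 2010-06-17 22:42 2 --shatr- d:\\windows\\winstart.bat

All thresholds and path rules below are assumptions chosen for this example.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# DDS: one timestamp, size, 8-char attribute string, path.
DDS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
# ComboFix: two timestamps separated by " . ", size (dashes for a directory),
# attribute string, path.  Which timestamp is "created" depends on the
# section, so both are checked rather than labelled.
CF_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# Assumption: extensions treated as executable content for the rules below.
EXEC_EXTS = {"sys", "exe", "dll", "bat", "cmd", "com", "scr"}
WIN_ROOT_OR_SYS32 = re.compile(r"[a-z]:\\windows(\\system32)?")
WIN_ROOT_ONLY = re.compile(r"[a-z]:\\windows")


class Entry(NamedTuple):
    timestamps: Tuple[datetime, ...]
    size: Optional[int]          # None for directories
    attrs: str                   # e.g. "--sh--w-"; 's' = System, 'h' = Hidden
    path: str                    # lower-cased, backslash separated


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line in either format; None if it is not a listing line."""
    line = line.strip()
    m = DDS_RE.match(line)
    if m:
        stamps = (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),)
    else:
        m = CF_RE.match(line)
        if not m:
            return None
        stamps = tuple(datetime.strptime(m[k], "%Y-%m-%d %H:%M") for k in ("ts", "ts2"))
    size = int(m["size"]) if m["size"].isdigit() else None
    return Entry(stamps, size, m["attrs"], m["path"].lower())


def triage(entry: Entry, captured: datetime, floor_year: int = 1995) -> List[str]:
    """Return the list of heuristic flags raised by one entry (empty = nothing to see)."""
    flags: List[str] = []
    # 1. Timestamp before the assumed floor or after the log was captured.  A file
    #    dated 1848 cannot have been written by this OS; bogus stamps are a common
    #    way to dodge "recently created" searches.
    for ts in entry.timestamps:
        if ts.year < floor_year or ts > captured:
            flags.append("implausible timestamp %s" % ts.isoformat(" "))
            break
    is_dir = entry.attrs.startswith("d")
    parent, _, name = entry.path.rpartition("\\")
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    in_root_or_sys32 = bool(WIN_ROOT_OR_SYS32.fullmatch(parent))
    # 2. System+Hidden executable content sitting directly in %WINDIR% or system32
    #    (deeper paths such as IE's index.dat are not flagged by this rule).
    if (not is_dir and "s" in entry.attrs and "h" in entry.attrs
            and in_root_or_sys32 and ext in EXEC_EXTS):
        flags.append("system+hidden .%s directly in %s" % (ext, parent))
    # 3. A .sys driver in the Windows root instead of system32\drivers.
    if not is_dir and ext == "sys" and WIN_ROOT_ONLY.fullmatch(parent):
        flags.append("driver outside system32\\drivers")
    # 4. Near-empty executable or script in those directories (assumed threshold: 64 bytes).
    if (not is_dir and entry.size is not None and entry.size < 64
            and in_root_or_sys32 and ext in EXEC_EXTS):
        flags.append("tiny %d-byte .%s" % (entry.size, ext))
    return flags


def triage_log(lines: Iterable[str], captured_on: str) -> Dict[str, List[str]]:
    """Map path -> flags for every listing line that raised at least one flag.

    captured_on is an ISO date/time string for when the log was produced."""
    captured = datetime.fromisoformat(captured_on)
    report: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        flags = triage(entry, captured)
        if flags:
            report[entry.path] = flags
    return report


# Sample input: the first six lines are copied from the DDS and ComboFix
# listings in this thread; the last is a ComboFix section banner that must be skipped.
SAMPLE_LINES = [
    r"2010-05-02 05:22:50 1851264 ----a-w- d:\windows\system32\win32k.sys",
    r"1848-03-08 18:19:28 4263 --sh--w- d:\windows\windllreg1c.sys",
    r"2009-12-07 20:16:00 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009120720091208\index.dat",
    r"2010-07-17 21:14 . 2010-06-17 22:42 2 --shatr- d:\windows\winstart.bat",
    r"2010-07-18 23:49 . 2009-12-30 16:20 27064 ----a-w- d:\windows\system32\drivers\revoflt.sys",
    r"2010-07-28 15:36 . 2010-07-28 15:36 -------- d-----w- D:\bookmarks July28 firefox",
    "((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))",
]

if __name__ == "__main__":
    for path, flags in triage_log(SAMPLE_LINES, "2010-07-31").items():
        print(path)
        for flag in flags:
            print("    -", flag)
```

On the sample above only the two loose files in d:\windows come back: windllreg1c.sys on three rules (the 1848 stamp, System+Hidden, driver outside system32\drivers) and the 2-byte winstart.bat on two (System+Hidden, tiny script). win32k.sys lives in system32 legitimately and the System+Hidden index.dat sits deep under systemprofile, so neither is flagged; that is the point of keeping the directory rules narrow.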

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 July 2010 - 06:22 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#7 Microfloss

  • Topic Starter
  • Members
  • 12 posts

Posted 31 July 2010 - 11:13 AM

The Recovery Console was installed okay, it seems.
I used safe mode, so most stuff, it seems, was disabled. Nothing was showing as active or in the tray and nothing was open, but ComboFix said that avast was active.

I started the program and disabled all its scanners, and closed it.

It seems that it worked okay, as there are not 100 programs asking for permission from the Comodo firewall.

When I start a program, Comodo firewall still says that the program (some registry file) could not be recognized and that it is about to modify the registry key. Sometimes when I block it the programs do not start.

When the internet is plugged in, the hard drive light on the computer seems to be on and the processor(?) is working when the internet is on, though nothing shows on the firewall tray.

There are also folders that I have not seen before on all the drives/partitions that seem to have no files in them, but when you check the properties of the folder it says it has a few files in them. There is a folder that I have not seen before that has 400-something MB of files supposedly related to MS Office.

Most of the major files that were there are still there. These include files in the system root.

Well, here is the ComboFix log
--------------------------------------------------------------

ComboFix 10-07-29.04 - Frankenfunk 31/07/2010 2:36.1.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.610 [GMT -4:00]
Running from: d:\documents and settings\Frankenfunk\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\atridtxx.chs
d:\windows\system32\atridtxx.cht
d:\windows\system32\atridtxx.csy
d:\windows\system32\atridtxx.dan
d:\windows\system32\atridtxx.deu
d:\windows\system32\atridtxx.ell
d:\windows\system32\Atridtxx.enu
d:\windows\system32\atridtxx.esp
d:\windows\system32\atridtxx.fin
d:\windows\system32\atridtxx.fra
d:\windows\system32\atridtxx.hun
d:\windows\system32\atridtxx.ita
d:\windows\system32\atridtxx.jpn
d:\windows\system32\atridtxx.kor
d:\windows\system32\atridtxx.nld
d:\windows\system32\atridtxx.nor
d:\windows\system32\atridtxx.plk
d:\windows\system32\atridtxx.ptb
d:\windows\system32\atridtxx.rus
d:\windows\system32\atridtxx.sve
d:\windows\system32\atridtxx.tha
d:\windows\system32\atridtxx.trk
d:\windows\system32\atriprxx.ara
d:\windows\system32\atriprxx.chs
d:\windows\system32\atriprxx.cht
d:\windows\system32\atriprxx.csy
d:\windows\system32\atriprxx.dan
d:\windows\system32\atriprxx.deu
d:\windows\system32\atriprxx.ell
d:\windows\system32\atriprxx.enu
d:\windows\system32\atriprxx.esp
d:\windows\system32\atriprxx.fin
d:\windows\system32\atriprxx.fra
d:\windows\system32\atriprxx.heb
d:\windows\system32\atriprxx.hun
d:\windows\system32\atriprxx.ita
d:\windows\system32\atriprxx.jpn
d:\windows\system32\atriprxx.kor
d:\windows\system32\atriprxx.nld
d:\windows\system32\atriprxx.nor
d:\windows\system32\atriprxx.plk
d:\windows\system32\atriprxx.ptb
d:\windows\system32\atriprxx.rus
d:\windows\system32\atriprxx.sve
d:\windows\system32\atriprxx.tha
d:\windows\system32\atriprxx.trk
d:\windows\system32\images
d:\windows\system32\images\accessinghvnoprop.jpg
d:\windows\system32\images\accessingmdesk.jpg
d:\windows\system32\images\ati_logo.jpg
d:\windows\system32\images\hvdm.jpg
d:\windows\system32\images\hvhotkeys.jpg
d:\windows\system32\images\hvsystray.jpg
d:\windows\system32\images\hvsystray2.jpg
d:\windows\system32\index.html

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-28 15:36 . 2010-07-28 15:36 -------- d-----w- D:\bookmarks July28 firefox
2010-07-22 22:45 . 2010-07-25 22:16 -------- d-----w- d:\documents and settings\Frankenfunk\Pavark
2010-07-22 14:12 . 2010-07-22 14:12 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-20 04:13 . 2010-07-20 04:13 388096 ----a-r- d:\documents and settings\Frankenfunk\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-20 04:13 . 2010-07-20 04:13 -------- d-----w- d:\program files\Trend Micro
2010-07-18 23:55 . 2010-07-18 23:55 -------- d-----w- d:\documents and settings\Frankenfunk\Application Data\VS Revo Group
2010-07-18 23:50 . 2010-07-18 23:50 -------- d-----w- d:\documents and settings\Frankenfunk\Local Settings\Application Data\VS Revo Group
2010-07-18 23:49 . 2009-12-30 16:20 27064 ----a-w- d:\windows\system32\drivers\revoflt.sys
2010-07-18 23:48 . 2010-07-18 23:48 -------- d-----w- d:\program files\VS Revo Group
2010-07-18 01:21 . 2009-04-03 10:09 2653243 -c--a-w- d:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe
2010-07-18 01:17 . 2010-07-18 01:21 -------- dc-h--w- d:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2010-07-17 22:45 . 2010-07-21 04:37 767928 ----a-w- d:\windows\BDTSupport.dll
2010-07-17 19:34 . 2010-07-17 19:34 -------- d-----w- D:\Backreg
2010-07-14 19:20 . 2010-07-14 19:21 -------- d-----w- d:\program files\Malwarebytes-July14-2010
2010-07-14 14:57 . 2010-06-14 14:31 744448 -c----w- d:\windows\system32\dllcache\helpsvc.exe
2010-07-11 03:32 . 2010-07-11 03:33 -------- d-----w- d:\program files\Opera July10 2010
2010-07-08 23:11 . 2010-07-21 21:17 -------- d-----w- d:\program files\ThreatExpert Memory Scanner
2010-07-08 19:34 . 2010-02-05 13:17 233136 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
2010-07-08 19:32 . 2010-03-29 14:06 218592 ----a-w- d:\windows\system32\drivers\PCTCore.sys
2010-07-08 19:32 . 2009-11-23 17:54 88040 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
2010-07-08 19:30 . 2010-07-08 19:30 -------- d-----w- d:\documents and settings\Frankenfunk\Application Data\PC Tools
2010-07-08 19:28 . 2010-07-08 19:30 -------- d-----w- d:\program files\PCtools Spydoctor July8 10
2010-07-03 02:57 . 2010-07-03 02:57 -------- d-----r- D:\Sandbox
2010-07-03 02:50 . 2010-07-03 02:50 -------- d-----w- d:\program files\Sandboxie July2010
2010-07-02 14:19 . 2010-01-14 20:08 59664 ----a-w- d:\windows\system32\drivers\TfSysMon.sys
2010-07-02 14:19 . 2010-01-14 20:08 33552 ----a-w- d:\windows\system32\drivers\TfNetMon.sys
2010-07-02 14:19 . 2010-01-14 20:08 51984 ----a-w- d:\windows\system32\drivers\TfFsMon.sys
2010-07-02 14:19 . 2010-07-02 14:19 -------- d-----w- d:\program files\ThreatFire
2010-07-02 03:43 . 2010-07-02 03:43 -------- d-----w- D:\RegRunInfo
2010-07-02 02:10 . 2010-07-25 18:15 -------- d-----w- d:\windows\RestoreSafeDeleted
2010-07-01 18:42 . 2010-07-01 19:00 -------- d-----w- D:\Stuff that is needed

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 06:07 . 2007-12-01 05:52 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2010-07-25 18:20 . 2010-06-19 23:04 24416 ----a-w- d:\windows\system32\drivers\regguard.sys
2010-07-25 17:47 . 2010-06-17 22:41 -------- d-----w- d:\program files\UnHackMe
2010-07-21 19:40 . 2009-10-26 02:03 -------- d-----w- d:\program files\MSECache
2010-07-21 16:42 . 2010-06-30 05:36 -------- d-----w- d:\program files\Firefox-July2010
2010-07-19 19:48 . 2009-12-06 07:43 70896 ----a-w- d:\documents and settings\Frankenfunk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-19 05:10 . 2007-11-27 19:54 -------- d--h--w- d:\program files\InstallShield Installation Information
2010-07-18 01:25 . 2010-06-18 05:12 -------- d-----w- d:\documents and settings\All Users\Application Data\DriverScanner
2010-07-18 01:20 . 2010-03-23 04:37 -------- d-----w- d:\documents and settings\Frankenfunk\Application Data\Uniblue
2010-07-18 01:16 . 2010-03-23 04:36 -------- d-----w- d:\program files\Uniblue
2010-07-17 21:14 . 2010-06-17 22:42 2 --shatr- d:\windows\winstart.bat
2010-07-08 19:39 . 2009-12-07 16:43 -------- d-----w- d:\program files\Common Files\PC Tools
2010-07-08 19:30 . 2010-06-29 21:14 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2010-07-05 05:33 . 2010-06-29 21:14 -------- d-----w- d:\program files\Spyware Doctor
2010-06-30 02:46 . 2010-06-29 20:25 -------- d-----w- d:\program files\Avast-June29-2010
2010-06-29 20:28 . 2010-02-07 17:28 -------- d-----w- d:\documents and settings\All Users\Application Data\Alwil Software
2010-06-29 20:04 . 2010-02-18 02:40 -------- d-----w- d:\documents and settings\All Users\Application Data\Avira
2010-06-28 20:57 . 2010-06-29 20:28 38848 ----a-w- d:\windows\avastSS.scr
2010-06-28 20:57 . 2010-06-29 20:28 165032 ----a-w- d:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-06-29 20:29 46672 ----a-w- d:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-06-29 20:29 165456 ----a-w- d:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-06-29 20:29 23376 ----a-w- d:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-06-29 20:29 100176 ----a-w- d:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-06-29 20:29 94544 ----a-w- d:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-06-29 20:29 17744 ----a-w- d:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-06-29 20:29 28880 ----a-w- d:\windows\system32\drivers\aavmker4.sys
2010-06-22 01:19 . 2008-03-26 12:56 -------- d-----w- d:\program files\Java
2010-06-22 00:48 . 2008-01-28 21:28 -------- d-----w- d:\program files\Common Files\Real
2010-06-19 02:06 . 2010-06-19 02:06 -------- d-----w- d:\program files\Sophos
2010-06-18 20:07 . 2009-12-07 19:48 -------- d-----w- d:\documents and settings\All Users\Application Data\SecTaskMan
2010-06-17 22:43 . 2010-06-17 22:43 37600 ----a-w- d:\windows\system32\Partizan.exe
2010-06-17 22:43 . 2010-06-17 22:43 35816 ----a-w- d:\windows\system32\drivers\Partizan.sys
2010-06-17 21:30 . 2009-12-04 03:19 25026 ----a-w- d:\program files\machine.conf
2010-06-17 21:30 . 2009-12-04 03:18 29708 ----a-w- d:\program files\configuration.conf
2010-06-17 21:29 . 2009-12-04 03:20 210306 ----a-w- d:\program files\modules.ini
2010-06-17 21:29 . 2009-12-04 03:14 -------- d-----w- d:\program files\log
2010-06-17 16:27 . 2010-06-17 16:15 161296 ----a-w- d:\windows\system32\drivers\tmcomm.sys
2010-06-14 14:31 . 2007-11-27 16:03 744448 ----a-w- d:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 11:11 . 2010-05-20 16:57 439816 ----a-w- d:\documents and settings\Frankenfunk\Application Data\Real\Update\setup3.10\setup.exe
2010-05-21 16:16 . 2010-06-17 22:41 12808 ----a-w- d:\windows\system32\drivers\UnHackMeDrv.sys
2010-05-04 17:20 . 2006-03-15 12:00 832512 ----a-w- d:\windows\system32\wininet.dll
2010-05-04 17:20 . 2006-03-15 12:00 78336 ----a-w- d:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-03-15 12:00 17408 ------w- d:\windows\system32\corpol.dll
2010-02-22 19:56 . 2009-12-04 03:20 29531 ----a-w- d:\program files\configuration.backup
2010-02-22 19:48 . 2009-12-04 03:20 210306 ----a-w- d:\program files\modules.0
2010-02-22 19:41 . 2009-12-04 03:14 34723 ----a-w- d:\program files\machine.ini
2009-12-04 03:23 . 2009-12-04 03:17 159 ----a-w- d:\program files\improve_net_report.xm~
1848-03-08 18:19 . 1848-03-08 18:19 4263 --sh--w- d:\windows\windllreg1c.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnHackMe Monitor"="d:\program files\UnHackMe\hackmon.exe" [2010-05-21 594200]
"SandboxieControl"="d:\program files\Sandboxie July2010\SbieCtrl.exe" [2010-04-17 394984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="d:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"AtiPTA"="atiptaxx.exe" [2001-09-15 245760]
"HydarVisionDesktopManager"="desk98.exe" [2001-08-21 614400]
"IObit Security 360"="d:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
"COMODO Internet Security"="d:\program files\Comodo 2nd install\Comodo\COMODO Internet Security\cfp.exe" [2010-02-01 1800464]
"ThreatFire"="d:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]
"ISTray"="d:\program files\PCtools Spydoctor July8 10\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Speaking Clock Deluxe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2001-09-12 22:09 1134592 ----a-r- d:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- d:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- d:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 20:40 155648 ----a-w- d:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"UxTuneUp"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Opera July10 2010\\opera.exe"=

R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [08/07/2010 3:32 PM 218592]
R0 TfFsMon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys [02/07/2010 10:19 AM 51984]
R0 TfSysMon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys [02/07/2010 10:19 AM 59664]
S1 aswSP;aswSP;d:\windows\system32\drivers\aswSP.sys [29/06/2010 4:29 PM 165456]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;d:\windows\system32\drivers\cmdguard.sys [09/12/2009 4:37 PM 134344]
S1 cmdHlp;COMODO Internet Security Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [09/12/2009 4:37 PM 25160]
S1 ElRawDisk;ElRawDisk;d:\windows\system32\drivers\elrawdsk.sys [04/12/2007 5:06 PM 29768]
S2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [29/06/2010 4:29 PM 17744]
S2 Browser Defender Update Service;Browser Defender Update Service;d:\program files\PCtools Spydoctor July8 10\Spyware Doctor\BDT\BDTUpdateService.exe [08/07/2010 3:40 PM 112592]
S2 IS360service;IS360service;d:\program files\IObit\IObit Security 360\is360srv.exe [29/06/2010 3:52 PM 312152]
S2 sdAuxService;PC Tools Auxiliary Service;d:\program files\PCtools Spydoctor July8 10\Spyware Doctor\pctsAuxs.exe [08/07/2010 3:30 PM 366840]
S2 ThreatFire;ThreatFire;d:\program files\ThreatFire\TFService.exe service --> d:\program files\ThreatFire\TFService.exe service [?]
S3 Partizan;Partizan;d:\windows\system32\drivers\Partizan.sys [17/06/2010 6:43 PM 35816]
S3 RegGuard;RegGuard;d:\windows\system32\drivers\regguard.sys [19/06/2010 7:04 PM 24416]
S3 Revoflt;Revoflt;d:\windows\system32\drivers\revoflt.sys [18/07/2010 7:49 PM 27064]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 rspSanity;rspSanity;d:\windows\system32\drivers\rspSanity32.sys [19/05/2010 10:51 AM 27192]
S3 TfNetMon;TfNetMon;d:\windows\system32\drivers\TfNetMon.sys [02/07/2010 10:19 AM 33552]
S3 TMPassthruMP;TMPassthruMP;d:\windows\system32\DRIVERS\TMPassthru.sys --> d:\windows\system32\DRIVERS\TMPassthru.sys [?]
S3 V0230Vfx;V0230Vfx;d:\windows\system32\drivers\V0230Vfx.sys [07/02/2008 4:23 PM 6272]
S3 V0230VID;Live! Cam Video IM Pro;d:\windows\system32\drivers\V0230VID.sys [07/02/2008 4:23 PM 498464]
S4 sptd;sptd;d:\windows\system32\Drivers\sptd.sys --> d:\windows\system32\Drivers\sptd.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: d:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: {A1AB4F85-8CE1-4E50-BCD1-E4814895627F} = 206.248.154.22,69.28.199.126
FF - ProfilePath - d:\documents and settings\Frankenfunk\Application Data\Mozilla\Firefox\Profiles\69bfhxh5.default\

---- FIREFOX POLICIES ----
d:\program files\Firefox-July2010\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\Firefox-July2010\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\Firefox-July2010\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\Firefox-July2010\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Firefox-July2010\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\Firefox-July2010\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Firefox-July2010\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Firefox-July2010\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Firefox-July2010\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Firefox-July2010\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Firefox-July2010\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Firefox-July2010\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\Firefox-July2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\Firefox-July2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\Firefox-July2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\Firefox-July2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\Firefox-July2010\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 02:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(284)
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\l3codeca.acm
d:\windows\system32\sirenacm.dll

- - - - - - - > 'explorer.exe'(1060)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
.
Completion time: 2010-07-31 02:56:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-31 06:56

Pre-Run: 9,834,098,688 bytes free
Post-Run: 9,685,663,744 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 428D2EBB8E3CE1E81E7621E11469B30D


----------------------------------------------------------------------------------------


I know that these files were on there. I guess Rootkit Unhooker would be able to pick these up? These showed up as Windows core components. These had shown up in RegRun UnHackMe in the past.

windows Core Components

Active Setup items

--------------
"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINTT /user install

shows this target file in system
D:\PROGRAM FILES\OUTLOOK EXPRESS\SETUP50.EXE
--------------

--------------
"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINTT /user install

shows this target file in system
D:\PROGRAM FILES\OUTLOOK EXPRESS\SETUP50.EXE
--------------

--------------
%systemRoot%\system32\regsvr32.exe /s /n /i:UserInstall %SystemRoot%\system32\themeui.dll

shows this target file in system
D:\WINDOWS\SYSTEM32\REGSVR32.EXE
--------------

--------------
%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
points to
D:\WINDOWS\SYSTEM32\SHMGRATE.EXE
--------------
--------------
%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
points to
D:\WINDOWS\SYSTEM32\SHMGRATE.EXE
--------------
--------------
D:\WINDOWS\inf\unregmp2.exe /ShowWMP
shows this target file in system
D:\WINDOWS\INF\UNREGMP2.EXE
--------------
--------------
D:\WINDOWS\system32\ie4uinit.exe -BaseSettings
points to
D:\WINDOWS\SYSTEM32\IE4UINIT.EXE
--------------
--------------
D:\WINDOWS\system32\ieudinit.exe
points to
D:\WINDOWS\SYSTEM32\IEUDINIT.EXE
--------------
--------------
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
points to or is supposed to be
D:\WINDOWS\system32\IEDKCS32.DLL
--------------
--------------
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
points to or is supposed to be
D:\WINDOWS\system32\IEDKCS32.DLL
--------------
--------------
regsvr32.exe /s /n /i:U shell32.dll
is supposed to be
D:\WINDOWS\system32\REGSVR32.EXE
---------------------------------------------------------------

Hope I'm not loading you with too much info at one time.

#8 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 31 July 2010 - 12:08 PM

Hello

All rootkit scans report back a lot of legit files, as that is what they are supposed to do. They check which files have hooked the system and where; legit files also hook into the system, so these will be reported as well. Just because something gets reported in a scan does not make it bad.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 9.3.2

    and click on remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader (3.5 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.


TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis
  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. report from Hijackthis
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Microfloss (Topic Starter)

Posted 03 August 2010 - 12:12 PM

Not home, so I won't be able to post the logs until tomorrow. I'm wondering, is it safe to use the internet connection to update the programs? What about using the internet in general? I have not been using the internet on my computer and have been using other sources, as it looked like there were other connections happening on the computer. Do you think it's safe to use it? Don't want files that will be silently downloaded.

#10 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 03 August 2010 - 02:15 PM

Hello

at this point it should be ok to use the internet


Gringo

#11 Microfloss (Topic Starter)

Posted 04 August 2010 - 04:56 PM

I should have updated Malwarebytes and stayed off the internet. Now there is no connection at all.

I ran TFC (Temp File Cleaner); it seems to remove the tons of temp files that were still dormant and still working to access other files.
It removed a few gigs of crap temp and Microsoft files.

Malwarebytes didn't seem to do much for me, as usual. I actually did a scan with Spyware Doctor to see what it would find, and it supposedly found 22 related infections of Trojan-Downloader.Murlo and another malware trojan. It is still on there, as that program is just a monitor and does not delete the malware.

A few days / a week ago when I was on the computer the Comodo firewall reported that a new private network was detected (192.168.1.100 / 255.255.255.0) that the PC was about to join. I don't know if this happened because I had turned off the internet access/modem. I never okayed it today. I allowed it to be the network today... A while later I couldn't access the Internet and still cannot log into my router... the admin page never comes up when I type in the default domain 192.168.1.1 to log in. (The router/modem worked fine all this time before; it's only like 9 months old.)

So the internet was fine last night, it worked a bit this morning, and now there is no way to access the internet.

Internet Explorer pops up/opens on its own and wants access to the internet to some domain number I don't know, as it just shows the domain number.

Well, I don't know what to do with the router/modem now. I can't get to the admin setup from the browser/computer, and the computer seems to be slower now since I went on the internet... to check email and the basics.
Well, here are the logs.

I was wondering, should I get rid of all the antimalware programs I have and just leave 1 or 2?
Should I use SuperAntiSpyware to see what else is on there? What about the anti-rootkits?


------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4387

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

04/08/2010 12:42:58 AM
mbam-log-2010-08-04 (00-42-58).txt

Scan type: Quick scan
Objects scanned: 133072
Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:38:14 AM, on 04/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Comodo 2nd install\Comodo\COMODO Internet Security\cmdagent.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Avast-June29-2010\AvastSvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\BDT\BDTUpdateService.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Program Files\IObit\IObit Security 360\IS360srv.exe
D:\Program Files\Java August 2010\bin\jqs.exe
D:\Program Files\Sandboxie July2010\SbieSvc.exe
D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsAuxs.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsSvc.exe
D:\WINDOWS\ehome\ehtray.exe
D:\WINDOWS\system32\atiptaxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsTray.exe
D:\Program Files\ThreatFire\TFService.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\desk98.exe
D:\Program Files\IObit\IObit Security 360\IS360tray.exe
D:\Program Files\Comodo 2nd install\Comodo\COMODO Internet Security\cfp.exe
D:\Program Files\ThreatFire\TFTray.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\IObit\IObit Security 360\is360.exe
D:\WINDOWS\system32\msiexec.exe
D:\Program Files\Hijack This\Trend Micro\HiJackThis\HiJackThis.exe
D:\Program Files\Firefox-July2010\firefox.exe
D:\Program Files\Firefox-July2010\plugin-container.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java August 2010\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java August 2010\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [IObit Security 360] "D:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo 2nd install\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [ThreatFire] D:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware Aug 2010\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [UnHackMe Monitor] D:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [SandboxieControl] "D:\Program Files\Sandboxie July2010\SbieCtrl.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1AB4F85-8CE1-4E50-BCD1-E4814895627F}: NameServer = 206.248.154.22,69.28.199.126
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - D:\Program Files\Avast-June29-2010\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - D:\Program Files\Avast-June29-2010\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - D:\Program Files\Avast-June29-2010\AvastSvc.exe
O23 - Service: Browser Defender Update Service - Unknown owner - D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - D:\Program Files\Comodo 2nd install\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: IS360service - IObit - D:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java August 2010\bin\jqs.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - D:\Program Files\Sandboxie July2010\SbieSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\PCtools Spydoctor July8 10\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - D:\Program Files\ThreatFire\TFService.exe

--
End of file - 6309 bytes

#12 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 04 August 2010 - 11:32 PM

Hello

Here is what I want you to do in this order

Check - Reset Proxy settings

Internet Explorer Proxy settings:
  • Open Internet Explorer > click Tools > Internet Options > Connections tab.
  • Click the LAN Settings... button and uncheck "Use a proxy server for your LAN"
    or change the settings to the proxy you normally use if you previously reconfigured it.
  • Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
  • Click OK... then click OK again.
  • Close Internet Explorer and -restart- the computer.
  • An example of how to do this with screenshots can be found >here<

Firefox Proxy settings:
  • Open Firefox, click Tools > Options > Advanced and click the Network Tab.
  • Under the Connection section click on the Settings... button.
  • Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
  • Click OK... then click OK again.
  • Close Firefox and -restart- the computer.
  • An example of how to do this with screenshots can be found >here<

For other browsers, please refer to How to configure browser proxy settings.

after you do this check your internet again if ok let me know if nothing do the next

Resetting Router

Let’s try to reset the router to its default configuration.
  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don’t know the router's default password, you can look it up. Here
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using or you can use OpenDNS

Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This will assist in eliminating the possibility of the router being hijacked again.

Check internet again and let me know

Gringo
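
The two browser resets in the post above can be checked mechanically instead of by eye. The Python below is an added example, not part of this thread and not a vendor tool. It parses a .reg export of the Internet Settings key that IE's LAN Settings dialog writes to (ProxyEnable, ProxyServer, AutoConfigURL) and Firefox's prefs.js from the profile directory, and lists any proxy or PAC entry that would route traffic somewhere the user did not choose. The sample inputs are constructed; the key path, value names and the reg export command are standard Windows, and the UTF-16 note applies to real exports.

```python
"""Offline check of the two proxy settings the post above tells the user to
reset. Added example, not from the thread or from any vendor tool.

Inputs are plain text so it runs against copies taken from the suspect box:
  * a .reg export of the per-user Internet Settings key, e.g. from
      reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" ie.reg
    reg.exe writes UTF-16LE, so read it with open(path, encoding="utf-16").
  * Firefox's prefs.js from the profile directory (network.proxy.* prefs).
Assumption: the sample texts at the bottom are constructed to look like those files.
"""
import re

IE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Meaning of network.proxy.type in Firefox (5 is the shipped default, see greprefs above).
FF_PROXY_TYPE = {0: "direct (no proxy)", 1: "manual proxy", 2: "PAC URL",
                 4: "auto-detect (WPAD)", 5: "system proxy settings"}


def _reg_value(body, name):
    """Return the raw right-hand side of "name"=... inside one key body, or None."""
    m = re.search(r'^"%s"=(.*)$' % re.escape(name), body, re.M)
    return m.group(1).strip() if m else None


def ie_proxy_state(reg_text):
    """Parse the Internet Settings key out of a .reg export."""
    parts = reg_text.split("[" + IE_KEY + "]", 1)
    body = parts[1].split("\n[", 1)[0] if len(parts) == 2 else ""
    enable = _reg_value(body, "ProxyEnable")
    enabled = bool(int(enable[len("dword:"):], 16)) if enable and enable.startswith("dword:") else False
    server = _reg_value(body, "ProxyServer")
    pac = _reg_value(body, "AutoConfigURL")
    return {"enabled": enabled,
            "server": server.strip('"') if server else None,
            "pac": pac.strip('"') if pac else None}


def firefox_proxy_state(prefs_text):
    """Parse network.proxy.* user_pref lines; type defaults to 5 (system) when absent."""
    prefs = dict(re.findall(r'^user_pref\("(network\.proxy\.[^"]+)",\s*(.+?)\);\s*$',
                            prefs_text, re.M))
    ptype = int(prefs.get("network.proxy.type", "5"))
    return {"type": ptype, "mode": FF_PROXY_TYPE.get(ptype, "unknown"),
            "http": prefs.get("network.proxy.http", "").strip('"') or None,
            "pac": prefs.get("network.proxy.autoconfig_url", "").strip('"') or None}


def assess(reg_text, prefs_text):
    """List the settings that would send traffic through a proxy the user did not choose."""
    issues = []
    ie = ie_proxy_state(reg_text)
    if ie["enabled"] and ie["server"]:
        issues.append("IE: proxy enabled -> " + ie["server"])
    if ie["pac"]:
        issues.append("IE: automatic configuration script -> " + ie["pac"])
    ff = firefox_proxy_state(prefs_text)
    if ff["type"] == 1 and ff["http"]:
        issues.append("Firefox: manual proxy -> " + ff["http"])
    elif ff["type"] == 2 and ff["pac"]:
        issues.append("Firefox: PAC URL -> " + ff["pac"])
    elif ff["type"] == 5 and issues:
        issues.append("Firefox: follows system settings, so it inherits the IE proxy above")
    return issues


# Constructed samples: a localhost proxy injected into both browsers, and clean ones.
IE_REG_HIJACKED = (
    "Windows Registry Editor Version 5.00\n\n"
    "[" + IE_KEY + "]\n"
    '"ProxyEnable"=dword:00000001\n'
    '"ProxyServer"="127.0.0.1:8080"\n'
    '"ProxyOverride"="<local>"\n'
)
IE_REG_CLEAN = (
    "Windows Registry Editor Version 5.00\n\n"
    "[" + IE_KEY + "]\n"
    '"ProxyEnable"=dword:00000000\n'
)
FF_PREFS_HIJACKED = (
    'user_pref("network.proxy.type", 1);\n'
    'user_pref("network.proxy.http", "127.0.0.1");\n'
    'user_pref("network.proxy.http_port", 8080);\n'
)
FF_PREFS_CLEAN = 'user_pref("network.proxy.type", 0);\n'

if __name__ == "__main__":
    for label, reg, prefs in (("hijacked", IE_REG_HIJACKED, FF_PREFS_HIJACKED),
                              ("clean", IE_REG_CLEAN, FF_PREFS_CLEAN)):
        print(label + ":", assess(reg, prefs) or "no proxy configured")
```

A proxy at 127.0.0.1 is the pattern to look for: nothing is listening there unless some process on the box is, and that process is then in the path of every web request. Firefox's type 5 is worth remembering when reading the ComboFix pref dump above: with that value Firefox uses whatever IE's LAN Settings say, so clearing IE is what fixes both.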

#13 Microfloss (Topic Starter)

Posted 05 August 2010 - 02:32 PM

Thanks for the help on that. Well, it seems that the firewall decided to do its own thing and lock up and block everything. That's why it couldn't even get into the router. Guess I should have disabled it to begin with... but I was afraid to do that in case I still don't know what is lurking silently on this computer.

I was able to get to the router through the quick setup software that I found, but it was no use as the firewall was blocking everything. I'll just do a new install of the firewall.


So what should I do next? My next feeling is a stealth anti-rootkit? Or is that what ComboFix was? Any rootkit analysis software?



#14 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 05 August 2010 - 02:55 PM

Greetings

Just to make sure I understand. You at this point can get on the internet with no problems correct?

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; any of these programs you can start by clicking on their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
      O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
      O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE** You can research each of those lines >here< and see if you want to keep them or not:
      just copy the name between the brackets and paste it into the search space, e.g.
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Report from ESET
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


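
The startup-entry list in the post above, and the NameServer line that the router-reset post before it was aimed at, are the kind of thing a responder reads off a HijackThis log by hand. The Python below is an added example (not HijackThis code and not from this thread) that does that triage mechanically over a constructed sample of log lines shaped like the ones the OP posted. EXPECTED_DNS is an assumption (OpenDNS's addresses stand in for the ISP's real resolvers), so the two NameServer addresses from the OP's log are flagged only as "not on the expected list", which is exactly the question the earlier post asks the reader to settle with their ISP; nothing here says they are malicious.

```python
"""Triage of a HijackThis (HJT) log. Added example, not HijackThis code and
not something from the thread; it encodes three checks a responder applies
by hand to the log posted above.

  * O4 Run entries whose command is a bare filename (no drive or path) are
    resolved through the search path at logon, so which file actually runs
    depends on PATH and the working directory, not on the registry value.
  * O17 NameServer entries are compared with the resolvers the network is
    expected to use. An address outside that list is "unexplained", not
    "malicious": confirm it against the ISP's published servers.
  * O23 services that HJT labels "Unknown owner" have no recognised vendor.

Assumption: EXPECTED_DNS (OpenDNS here) stands in for the ISP's real resolvers.
SAMPLE_LOG is constructed from lines of the shape seen in the log above.
"""
import re
from dataclasses import dataclass

EXPECTED_DNS = {"208.67.222.222", "208.67.220.220"}   # assumed; replace with the ISP's

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    reason: str


def _has_full_path(cmd):
    """True if the command starts with a drive letter or an environment variable."""
    cmd = cmd.strip().lstrip('"')
    return re.match(r"^[A-Za-z]:\\", cmd) is not None or cmd.startswith("%")


def triage(log_lines):
    """Return a Finding for every line that needs a second look, in log order."""
    findings = []
    for raw in log_lines:
        line = raw.rstrip()
        m = O4_RE.match(line)
        if m:
            if not _has_full_path(m.group("cmd")):
                findings.append(Finding(line, "O4 command is a bare filename, resolved via search path"))
            continue
        m = O17_RE.match(line)
        if m:
            unexpected = [s for s in m.group("servers").split(",") if s not in EXPECTED_DNS]
            if unexpected:
                findings.append(Finding(line, "O17 NameServer not in expected list: " + ", ".join(unexpected)))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(Finding(line, "O23 service with no recognised vendor"))
    return findings


# Constructed sample, modelled on the HijackThis log posted earlier in the thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe",
    r"O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe",
    r"O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe",
    r'O4 - HKLM\..\Run: [IObit Security 360] "D:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart',
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{A1AB4F85-8CE1-4E50-BCD1-E4814895627F}: NameServer = 206.248.154.22,69.28.199.126",
    r"O23 - Service: Browser Defender Update Service - Unknown owner - D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe",
    r"O23 - Service: avast! Antivirus - AVAST Software - D:\Program Files\Avast\AvastSvc.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.reason)
        print("   ", f.line)
```

Run against the sample it reports four lines: the two bare-filename O4 entries (atiptaxx.exe and desk98.exe, both ATI components that simply never got full paths), the O17 line, and the one O23 service without a vendor string. The point of the bare-filename check is the order HJT asks you to verify things in: before deciding whether an entry is wanted, confirm which file on disk it actually starts.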

#15 Microfloss (Topic Starter)

Posted 05 August 2010 - 10:13 PM

Hi... right now yes... an hour ago the firewall said that 242 programs were in memory. The CPU was up to 100 and everything froze.

I was doing stuff in the kitchen and 5 copies of Internet Explorer had popped up on their own.

It's doing the same thing as before. It does it slowly. Programs start asking for registry keys and areas that they shouldn't be in. After a while it becomes overwhelming.

It's probably silently downloading stuff in the background and probably starting to infect and take over old files on the computer.


IT TOTALLY DEACTIVATED THE ONLINE WEB SCANNER ON AVAST, AND THERE IS NO WAY TO TURN IT BACK ON. It has the other scanners, but the web scanner is conveniently and permanently turned off, and I can't get it to start.

ALSO my account on the computer has a slash after a number, like (24679b\frank). When I look in D:\Documents and Settings my profile is not there. The folder for my account profile is under My Computer. It looks like my profile was changed and is being treated like a drive or a partition... like C:, D:, E:. I don't think folders are ever usually under My Computer. Right now there are 2... one called Shared Documents and my profile folder, Frankenfunk's Documents.

Your profile folder is usually in the drive/partition where your Windows is... so it should be D:. I have 2 drives. C: is one logical drive. The next drive was partitioned into 3... so D:, E:, and F:.

Right now in D:, where my Windows is, there is only the Administrator logon... which also has a slash after the same number.

I finally smartened up last night and got rid of HydraVision. It's been on the computer all these years... desk98... pure evil.
I think a lot of the ATI drivers are being hijacked and copies are being made of them.

I got rid of the rest of the Spyware Doctor stuff... they just drag the computer down. Either way I'll get infected.

I'll give this stuff a try.
