
saw Trojan.Agent/Gen-MSFake


20 replies to this topic

#1 jdoe99


Posted 30 July 2010 - 07:50 AM

Hi,
I started hearing audio messages once in a while that say "congratulations, you won" (even when I am not on the internet). Malwarebytes did not catch anything. I ran SUPERAntiSpyware and it caught Trojan.Agent/Gen-MSFake. The ones it caught are as follows:

Trojan.Agent/Gen-MSFake
C:\USERS\GANESH\APPDATA\LOCAL\TEMP\28854865.EXE
C:\USERS\GANESH\APPDATA\LOCAL\TEMP\28923458.EXE
C:\USERS\GANESH\APPDATA\LOCAL\TEMP\LOADER.EXE
C:\USERS\GANESH\APPDATA\LOCAL\TEMP\SMSS.EXE

I ran the ESET online scan and it caught:
C:\Users\ganesh\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\2afe312d-4e032cb8 a variant of Win32/Unruy.AA trojan cleaned by deleting - quarantined

After all this I am still getting the audio message, not very often but once in quite a few hours (that was the case before too).

I ran DDS and then GMER. GMER gave a BSOD after some time, so I ran it in safe mode. Here is the log for DDS. I have attached the attach.txt from DDS and the GMER scan. Do let me know how to proceed.
Thanks

DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by ganesh at 7:47:43.14 on Fri 07/30/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2014.475 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
svchost.exe 4
C:\Windows\system32\rundll32.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
svchost.exe 4
C:\Windows\system32\java.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\lenovo\system update\suservice.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Freedom Scientific\JAWS\10.0\fsATProxy.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\Bigdog.exe
C:\Windows\LenovoTray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskmgr.exe
C:\Users\ganesh\Documents\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Web Accessibility Toolbar: {11352a67-0178-46b1-8855-d50b2f81c054} - c:\progra~1\access~1\ACCESS~1.DLL
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\ganesh\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [LenovoOobeOffers] c:\swtools\lenovowelcome\lenovooobeoffers.exe /filepath="c:\swshare\firstrun.txt"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BigDogPath323] c:\windows\BigDog.exe Lenovo USB Webcam(Video)
mRun: [LenovoTray] c:\windows\LenovoTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {474F00F5-3853-492C-AC3A-476512BBC336}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\ganesh\appdata\roaming\mozilla\firefox\profiles\fuazw3ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\users\ganesh\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\ganesh\appdata\roaming\mozilla\firefox\profiles\fuazw3ob.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\ganesh\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\ganesh\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-7-21 225304]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-7-8 343664]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Freedom Scientific Kernel Manager {D2B4C7A7-7605-4039-89E4-DE5CC69BBE9D};Freedom Scientific Kernel Manager;c:\windows\system32\fsKMgr.dll [2010-1-15 20512]
R3 fsvidmir;fsvidmir;c:\windows\system32\drivers\fsvidmir.sys [2010-1-15 2944]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-8 91672]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-8 43288]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-6-26 3662848]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-19 21504]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-8 65448]
S3 vmapflt;vimicro Audio filter;c:\windows\system32\drivers\vmapflt.sys [2009-12-5 360704]
S3 vmcam325av;Lenovo USB WebCam;c:\windows\system32\drivers\vmcam325av.sys [2009-12-5 232448]
S3 vvftav;325 Primax filter service name, vista ver;c:\windows\system32\drivers\vvftav.sys [2009-12-5 280960]

=============== Created Last 30 ================

2010-07-23 16:26:32 0 d-----w- c:\program files\JAWS 8.0-9.0-10.0 Scripts For Flex 3.0
2010-07-23 16:21:47 218 ----a-w- c:\windows\system32\v31g6pe.tgz
2010-07-23 16:21:47 204 ----a-w- c:\windows\system32\v31g6pe.dll
2010-07-23 16:21:47 16 ---h--w- c:\windows\system32\v8sos1h.dll
2010-07-23 16:21:47 1024 ----a-w- c:\windows\system32\n74kuwl.dll
2010-07-23 15:58:34 0 d-----w- c:\program files\common files\SafeNet Sentinel
2010-07-09 00:56:19 91672 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-09 00:56:19 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-07-09 00:56:19 65448 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-07-09 00:56:19 63728 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-07-09 00:56:19 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-09 00:56:19 343664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-07-09 00:56:18 70728 ----a-w- c:\windows\system32\mfevtps.exe
2010-07-07 22:10:58 0 d-sh--w- C:\$RECYCLE.BIN
2010-07-05 02:51:26 16384 ----a-w- c:\windows\system32\drivers\nsiproxy.sys
2010-07-04 12:59:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-04 12:59:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-04 12:59:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-02 20:16:05 0 d-----w- c:\users\ganesh\appdata\roaming\com.adobe.QuothTheTwitter.852F8D123F54F8038D6C478F272C57F0EB5129CB.1
2010-07-01 19:02:53 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-07-01 19:02:10 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2010-07-01 19:02:09 40448 ----a-w- c:\windows\system32\winrs.exe
2010-07-01 19:02:09 20480 ----a-w- c:\windows\system32\winrshost.exe
2010-07-01 19:02:02 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2010-07-01 19:02:02 10240 ----a-w- c:\windows\system32\winrssrv.dll
2010-06-30 20:08:16 0 d-----w- c:\programdata\regid.1986-12.com.adobe
2010-06-30 20:08:05 0 d-----w- c:\users\ganesh\Adobe Flash Builder 4

==================== Find3M ====================

2010-07-29 22:10:01 97262 ----a-w- c:\programdata\nvModes.dat
2010-07-29 21:56:01 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-29 21:56:01 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-23 16:22:00 143360 ----a-w- c:\windows\inf\infstor.dat
2010-06-23 18:39:40 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 19:15:20 834048 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 18:37:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2009-10-28 03:15:39 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-03-19 13:08:54 174 --sh--w- c:\program files\desktop.ini
2007-11-13 20:01:44 3395343 ------w- c:\program files\openofficeorg4.cab
2007-11-13 20:00:51 67695863 ------w- c:\program files\openofficeorg3.cab
2007-11-13 19:49:19 17646967 ------w- c:\program files\openofficeorg2.cab
2007-11-13 19:48:24 18827152 ------w- c:\program files\openofficeorg1.cab
2007-11-13 19:47:02 4364800 ------w- c:\program files\openofficeorg23.msi
2007-11-13 19:47:02 217 ------w- c:\program files\setup.ini
2006-11-02 12:42:02 30674 ------w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ------w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ------w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ------w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfc.dat
2002-03-11 09:06:30 1822520 ------w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ------w- c:\program files\instmsia.exe
2008-09-15 13:26:00 16384 --sh--w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-15 13:26:00 32768 --sh--w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-15 13:26:00 16384 --sh--w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-03-22 00:48:57 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032120080322\index.dat
2008-06-05 07:19:45 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008060520080606\index.dat
2008-06-18 22:35:49 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008061820080619\index.dat
2008-06-26 00:44:05 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008062520080626\index.dat
2008-07-07 12:57:52 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008070720080708\index.dat
2008-07-22 01:29:43 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008072120080722\index.dat
2008-07-22 11:06:45 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008072220080723\index.dat
2008-10-11 20:33:07 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008101120081012\index.dat
2008-10-12 14:13:06 32768 --sh--w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008101220081013\index.dat
2008-11-27 12:47:14 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008112720081128\index.dat
2007-11-26 10:05:18 8192 --sh--w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 7:50:37.12 ===============
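A small triage script for the "Created Last 30" block of a DDS log like the one above, added here as an example; it is not part of the thread and not code from the DDS tool. It scores each entry on the indicators a helper checks by eye (file dropped straight into system32, tiny size, random-looking name, hidden attribute, several files created in the same second), using sample lines constructed from the log above; the indicator weights and the threshold of 3 are my assumptions, not a published rule.

```python
"""Triage the 'Created Last 30' section of a DDS log for dropper-style files.

Each line has the shape
    2010-07-23 16:21:47 218 ----a-w- c:\\windows\\system32\\v31g6pe.tgz
i.e. timestamp, size in bytes, an 8-character attribute string, and the path.
"""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$"
)
# Stems of dropper-style names: short, letters and digits only, no words or spaces.
RANDOM_STEM_RE = re.compile(r"^[a-z0-9]{5,12}$")
SYSTEM32 = "c:\\windows\\system32\\"

# Sample input constructed from the DDS log quoted in the first post.
SAMPLE_LOG = r"""
2010-07-23 16:26:32 0 d-----w- c:\program files\JAWS 8.0-9.0-10.0 Scripts For Flex 3.0
2010-07-23 16:21:47 218 ----a-w- c:\windows\system32\v31g6pe.tgz
2010-07-23 16:21:47 204 ----a-w- c:\windows\system32\v31g6pe.dll
2010-07-23 16:21:47 16 ---h--w- c:\windows\system32\v8sos1h.dll
2010-07-23 16:21:47 1024 ----a-w- c:\windows\system32\n74kuwl.dll
2010-07-09 00:56:19 91672 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-04 12:59:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-01 19:02:53 2048 ----a-w- c:\windows\system32\winrsmgr.dll
"""


@dataclass
class Entry:
    stamp: str
    size: int
    attrs: str
    path: str

    @property
    def parent(self) -> str:
        return self.path.lower().rsplit("\\", 1)[0] + "\\"

    @property
    def name(self) -> str:
        return self.path.lower().rsplit("\\", 1)[1]


def parse_dds(text: str) -> list[Entry]:
    """Parse DDS 'Created Last 30' lines; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["stamp"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def looks_random(name: str) -> bool:
    """True for stems such as v31g6pe: letters and digits interleaved at least twice."""
    stem = name.rsplit(".", 1)[0]
    if not RANDOM_STEM_RE.match(stem):
        return False
    transitions = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return transitions >= 2


def score(entry: Entry, cluster_sizes: Counter) -> int:
    """Count independent indicators; each is weak alone, several together are not."""
    is_dir = entry.attrs.startswith("d")
    points = 0
    if entry.parent == SYSTEM32:            # dropped directly into system32
        points += 1
    if not is_dir and entry.size < 4096:    # tiny stub rather than a real library
        points += 1
    if looks_random(entry.name):            # generated name, no vendor prefix
        points += 1
    if "h" in entry.attrs:                  # hidden attribute set on creation
        points += 1
    if cluster_sizes[(entry.stamp, entry.parent)] >= 2:  # several files, same second
        points += 1
    return points


def triage(text: str, threshold: int = 3) -> list[tuple[str, int]]:
    """Return (path, score) for entries scoring at or above threshold, highest first."""
    entries = parse_dds(text)
    clusters = Counter((e.stamp, e.parent) for e in entries)
    hits = [(e.path, score(e, clusters)) for e in entries]
    hits = [h for h in hits if h[1] >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for path, points in triage(SAMPLE_LOG):
        print(f"{points}  {path}")
```

On the sample, the four files written to system32 at 16:21:47 score 4 or 5 while the McAfee and WinRM files stay below the threshold; v31g6pe.dll is the same file ComboFix later lists under "Other Deletions".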


#2 m0le

  • Malware Response Team
Posted 30 July 2010 - 07:54 AM

This looks like a rootkit again, jdoe99.

Please run Rkill and then Combofix

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Then

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#3 jdoe99


Posted 30 July 2010 - 04:57 PM

hi,
i am attaching the rkill and combofix logs. do let me know what to do next.
thanks.

the rkill log is as follows:


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as ganesh on 07/30/2010 at 16:52:51.


Processes terminated by Rkill or while it was running:


C:\Users\ganesh\Documents\Desktop\rkill.scr


Rkill completed on 07/30/2010 at 16:52:55.


-===============

the combofix log is as follows:

ComboFix 10-07-30.01 - ganesh 07/30/2010 17:00:29.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2014.725 [GMT -4:00]
Running from: c:\users\ganesh\Documents\Desktop\combofix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\v31g6pe.dll

.
MBR is infected with the Whistler Bootkit !!

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.

2010-07-30 21:11 . 2010-07-30 21:11 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-07-30 21:11 . 2010-07-30 21:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-30 21:11 . 2010-07-30 21:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-23 16:26 . 2010-07-23 16:26 -------- d-----w- c:\program files\JAWS 8.0-9.0-10.0 Scripts For Flex 3.0
2010-07-23 16:21 . 2010-07-23 16:21 1024 ----a-w- c:\windows\system32\n74kuwl.dll
2010-07-23 16:21 . 2009-04-11 06:28 16 ---h--w- c:\windows\system32\v8sos1h.dll
2010-07-23 15:58 . 2010-07-23 15:58 -------- d-----w- c:\program files\Common Files\SafeNet Sentinel
2010-07-09 00:56 . 2009-10-23 00:07 91672 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-09 00:56 . 2009-10-23 00:07 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-07-09 00:56 . 2009-10-23 00:07 65448 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-07-09 00:56 . 2009-10-23 00:07 63728 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-07-09 00:56 . 2009-10-23 00:07 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-09 00:56 . 2009-10-23 00:07 343664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-07-09 00:56 . 2009-10-23 00:07 70728 ----a-w- c:\windows\system32\mfevtps.exe
2010-07-05 03:31 . 2010-07-30 21:13 -------- d-----w- c:\users\ganesh\AppData\Local\temp
2010-07-05 02:51 . 2008-01-19 05:55 16384 ----a-w- c:\windows\system32\drivers\nsiproxy.sys
2010-07-04 12:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-04 12:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-04 12:59 . 2010-07-04 13:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-03 19:19 . 2010-07-03 19:19 -------- d-----w- c:\users\ganesh\AppData\Local\Microsoft_Corporation
2010-07-03 00:17 . 2010-07-03 00:18 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2010-07-02 20:16 . 2010-07-02 20:16 -------- d-----w- c:\users\ganesh\AppData\Roaming\com.adobe.QuothTheTwitter.852F8D123F54F8038D6C478F272C57F0EB5129CB.1
2010-07-02 20:15 . 2010-06-30 19:59 38784 ----a-w- c:\users\ganesh\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-01 19:02 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-07-01 19:02 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2010-07-01 19:02 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2010-07-01 19:02 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2010-07-01 19:02 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2010-07-01 19:02 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-30 19:22 . 2008-05-18 18:54 -------- d-----w- c:\programdata\Google Updater
2010-07-30 17:24 . 2008-03-06 13:54 97262 ----a-w- c:\programdata\nvModes.dat
2010-07-29 20:17 . 2010-06-22 21:11 63488 ----a-w- c:\users\ganesh\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-29 20:17 . 2010-06-22 21:11 117760 ----a-w- c:\users\ganesh\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-27 12:58 . 2009-04-07 13:21 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\SACore
2010-07-23 16:20 . 2008-12-16 14:31 -------- d-----w- c:\program files\Freedom Scientific
2010-07-23 16:19 . 2008-12-16 14:40 -------- d--h--w- c:\program files\Freedom Scientific Installation Information
2010-07-23 16:13 . 2008-10-31 13:40 -------- d-----w- c:\users\ganesh\AppData\Roaming\uTorrent
2010-07-19 20:18 . 2009-05-18 21:29 -------- d-----w- c:\users\ganesh\AppData\Roaming\SecondLife
2010-07-10 03:47 . 2007-12-04 21:23 117856 ----a-w- c:\users\ganesh\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-09 00:56 . 2007-12-04 22:15 -------- d-----w- c:\programdata\McAfee
2010-07-09 00:54 . 2007-12-04 22:14 -------- d-----w- c:\program files\McAfee
2010-07-09 00:54 . 2007-12-04 22:14 -------- d-----w- c:\program files\Common Files\McAfee
2010-07-01 13:34 . 2009-09-12 20:04 -------- d-----w- c:\users\ganesh\AppData\Roaming\vlc
2010-06-30 20:09 . 2008-02-22 02:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-30 20:08 . 2010-06-30 20:08 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2010-06-30 19:59 . 2010-06-30 19:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-30 19:59 . 2010-06-30 19:59 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-23 19:46 . 2007-11-26 10:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-23 19:46 . 2007-11-26 10:32 -------- d-----w- c:\program files\Lenovo
2010-06-23 18:39 . 2010-06-23 18:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-06-22 21:16 . 2010-06-22 21:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-22 21:11 . 2010-06-22 21:11 52224 ----a-w- c:\users\ganesh\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-22 21:11 . 2010-06-22 21:11 -------- d-----w- c:\users\ganesh\AppData\Roaming\SUPERAntiSpyware.com
2010-06-22 21:11 . 2010-06-22 21:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-06-22 20:40 . 2010-06-22 20:40 -------- d-----w- c:\users\ganesh\AppData\Roaming\Helios
2010-06-22 20:40 . 2010-06-22 20:40 -------- d-----w- c:\program files\TextPad 5
2010-06-18 12:15 . 2008-03-05 00:22 -------- d-----w- c:\programdata\Roxio
2010-06-14 12:11 . 2009-09-16 00:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-14 12:09 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-14 03:06 . 2007-11-26 11:35 -------- d-----w- c:\programdata\Microsoft Help
2010-06-12 12:48 . 2010-06-12 12:48 -------- d-----w- c:\program files\ESET
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\users\ganesh\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\users\ganesh\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-06-01 12:05 . 2010-06-01 12:05 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-05-26 17:06 . 2010-06-14 02:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-14 02:50 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2009-10-03 05:55 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-20 20:38 . 2010-05-20 20:37 188128 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2010-05-20 20:36 . 2007-12-04 21:17 117856 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-04 19:15 . 2010-06-14 02:50 834048 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 18:37 . 2010-06-14 02:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2007-11-13 20:01 . 2007-11-13 20:01 3395343 ------w- c:\program files\openofficeorg4.cab
2007-11-13 20:00 . 2007-11-13 20:00 67695863 ------w- c:\program files\openofficeorg3.cab
2007-11-13 19:49 . 2007-11-13 19:49 17646967 ------w- c:\program files\openofficeorg2.cab
2007-11-13 19:48 . 2007-11-13 19:48 18827152 ------w- c:\program files\openofficeorg1.cab
2007-11-13 19:47 . 2007-11-13 19:47 4364800 ------w- c:\program files\openofficeorg23.msi
2007-11-13 19:47 . 2007-11-13 19:47 217 ------w- c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ------w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ------w- c:\program files\instmsia.exe
2009-10-23 00:07 . 2010-07-09 00:56 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2007-11-26 10:05 . 2007-11-26 10:01 8192 --sh--w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\ganesh\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2008-10-27 632096]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2008-10-27 214576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TpShocks"="TpShocks.exe" [2008-06-06 181536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2007-09-25 28672]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-21 487424]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-16 217176]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-08-07 431392]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-07 148768]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-09 2630968]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2008-10-02 33304]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-01-11 166304]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 92704]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"BigDogPath323"="c:\windows\BigDog.exe" [2006-08-08 86016]
"LenovoTray"="c:\windows\LenovoTray.exe" [2007-07-03 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-02-22 500208]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-10-23 124240]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-10-5 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):ee,8b,53,0e,0b,ee,c9,01

R1 SABKUTIL;SABKUTIL;c:\program files\SUPERAntiSpyware\SABKUTIL.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 MySQL5;MySQL5;c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=c:\program files\MySQL\MySQL Server 5.0\my.ini MySQL5 [x]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 JTVNCProxy_10.0;JTVNCProxy;c:\program files\Freedom Scientific\JAWS\10.0\JTVNCProxy.exe [2010-01-15 16152]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-23 65448]
R3 vmapflt;vimicro Audio filter;c:\windows\system32\drivers\vmapflt.sys [2007-04-13 360704]
R3 vmcam325av;Lenovo USB WebCam;c:\windows\system32\Drivers\vmcam325av.sys [2007-03-14 232448]
R3 vvftav;325 Primax filter service name, vista ver;c:\windows\system32\drivers\vvftav.sys [2007-06-20 280960]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2008-07-21 225304]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2008-05-14 19496]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 Freedom Scientific Kernel Manager {D2B4C7A7-7605-4039-89E4-DE5CC69BBE9D};Freedom Scientific Kernel Manager;c:\windows\system32\fsKMgr.dll [2010-01-15 20512]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2009-10-23 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-23 70728]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-10-27 66848]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-03-27 58736]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-09 569344]
S3 fsvidmir;fsvidmir;c:\windows\system32\DRIVERS\fsvidmir.sys [2010-01-15 2944]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-06-26 3662848]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-26 08:50]

2010-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4143426175-2825981908-2602191129-1005Core.job
- c:\users\ganesh\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 02:29]

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4143426175-2825981908-2602191129-1005UA.job
- c:\users\ganesh\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 02:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\ganesh\AppData\Roaming\Mozilla\Firefox\Profiles\fuazw3ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\ganesh\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\ganesh\AppData\Roaming\Mozilla\Firefox\Profiles\fuazw3ob.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\ganesh\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\ganesh\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-30 17:12
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

c:\program files\Internet Explorer\iexplore.exe [6104] 0x93FAED58

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL5]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL5"
.
Completion time: 2010-07-30 17:20:10
ComboFix-quarantined-files.txt 2010-07-30 21:20

Pre-Run: 16,113,209,344 bytes free
Post-Run: 16,099,852,288 bytes free

- - End Of File - - BC73CD8C473134B65AE4BFC05A18640B


#4 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 30 July 2010 - 05:06 PM

We'd better deal with the Whistler bootkit and then we'll go back to the Combofix log

Please download MBRCheck to your desktop.

http://ad13.geekstogo.com/MBRCheck.exe

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#5 jdoe99
  • Topic Starter
  • Members
  • 50 posts

Posted 30 July 2010 - 06:09 PM

the mbr check produced this log:


MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
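The two MBRCheck verdicts in this thread ("Unknown MBR code" before the repair, "Windows Vista MBR code detected" after it) come down to one comparison: the first 440 bytes of sector 0 are hashed and looked up against a table of known boot code, while the partition table and the 0x55AA signature are sanity-checked. As an added illustration that is not part of the thread and not MBRCheck's own code, the Python script below parses a 512-byte MBR image the same way and prints an MBRCheck-style status line. The boot-code bytes, the partition layout (sized so the disk reports 149 GB like the one above) and the baseline hash table are all constructed for the example; a defender would build the baseline from a disk imaged while it was known to be clean.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # classic layout: boot code 0..439, disk signature 440..443
PART_TABLE_OFF = 446         # four 16-byte partition entries at 446..509
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code must fit in %d bytes" % BOOT_CODE_LEN)
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        # CHS fields are left zero; the LBA fields are what modern loaders actually use
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, status, ptype, lba_start, sectors)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def disk_size_gib(partitions):
    """Approximate disk size in binary GB (as MBRCheck prints it) from the highest LBA in use."""
    if not partitions:
        return 0
    end = max(p["lba_start"] + p["sectors"] for p in partitions)
    return end * SECTOR_SIZE // (1024 ** 3)


def check_mbr(mbr, known_good):
    """Classify the boot code against a baseline and sanity-check the sector, MBRCheck-style."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    problems = []
    if mbr[510:512] != MBR_SIGNATURE:
        problems.append("missing 0x55AA signature")
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    label = known_good.get(digest, "Unknown MBR code")
    if digest not in known_good:
        problems.append("Unknown MBR code")  # matches no baseline: bootkit suspect
    partitions = parse_partitions(mbr)
    for p in partitions:
        if p["status"] not in (0x00, 0x80):
            problems.append("entry %d has invalid status byte 0x%02x" % (p["index"], p["status"]))
    active = [p for p in partitions if p["bootable"]]
    if len(active) != 1:
        problems.append("expected one active partition, found %d" % len(active))
    return {"boot_code": label, "sha256": digest, "partitions": partitions, "problems": problems}


def report_line(device, result):
    """One line in the shape of MBRCheck's table: size, device, status."""
    return "%d GB %s %s" % (disk_size_gib(result["partitions"]), device, result["boot_code"])


# ---- constructed sample data (not real Vista boot code and not bootkit code) ----
# A short relocation stub of the kind real MBRs start with; build_mbr pads it with zeros.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")
# One active NTFS partition sized so the disk reports 149 GB like the one in the thread.
SAMPLE_TABLE = [(0x80, 0x07, 2048, 149 * 2 ** 21)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, SAMPLE_TABLE)
# Baseline: hash of the boot code captured while the disk was known to be clean.
KNOWN_GOOD = {hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest(): "Constructed baseline MBR code"}
# Bootkit-style tampering: boot code replaced, partition table kept intact so the
# machine still boots and only the code hash gives the change away.
TAMPERED_MBR = build_mbr(bytes(range(64)), SAMPLE_TABLE)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        res = check_mbr(image, KNOWN_GOOD)
        print(name + ":", report_line(r"\\.\PhysicalDrive0", res), res["problems"])
```

The point a practitioner should take from the tampered case is that the partition table parses identically in both images; a bootkit has no reason to touch it, so a sane table is not evidence of a clean sector. Only the boot-code hash (or a disassembly of those 440 bytes) separates the two, which is why the thread's verdict flipped from "Unknown MBR code" to "Windows Vista MBR code detected" once the Vista loader was written back.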

#6 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 30 July 2010 - 06:11 PM

The MBR has been rewritten.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you Enter your choice: enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • When asked Do you want to fix the MBR code? type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRcheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread


#7 jdoe99
  • Topic Starter
  • Members
  • 50 posts

Posted 30 July 2010 - 06:46 PM

i got an error while i restarted.
it's at Windows Boot Manager

file: \windows\system32\winload.exe
status: 0xc000000e
info:the selected entry could not be loaded because the application is missing or corrupt


do let me know how to proceed

#8 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 30 July 2010 - 07:17 PM

I'm just checking that out, jdoe99


#9 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 30 July 2010 - 07:22 PM

Right, I got it now. My fault there, I have had you overwrite the wrong operating system MBR over the infected one.

1. Boot up with the Vista install disc

2. You should see a screen that says "Windows is loading files"

3. After a few minutes you will get a language option. Select your language and hit next.

4. On the install screen select "Repair your computer"

5. Windows will find your copy of Vista on the machine

6. Select your copy of Vista and click next

7. Choose Startup repair and answer any questions that are asked. It may reboot the PC.

Let me know when you have completed this and of any improvements or errors you encounter.


When that's done can you run MBRCheck again

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#10 jdoe99
  • Topic Starter
  • Members
  • 50 posts

Posted 30 July 2010 - 08:20 PM

my lenovo laptop did not come with a dvd
it came preinstalled.
how do i go about this now

#11 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 31 July 2010 - 06:47 AM

You need to burn a repair disk.

Please follow the instructions at How-To Geek

Once you have inserted the repair disk follow the instructions above.


#12 jdoe99
  • Topic Starter
  • Members
  • 50 posts

Posted 01 August 2010 - 06:53 PM

mole,
i did not have everything handy. i will try it on monday and let you know.
thanks

#13 jdoe99
  • Topic Starter
  • Members
  • 50 posts

Posted 02 August 2010 - 12:25 PM

m0le,
i was able to create the repair disc from the link you gave me. i repaired and restarted and here's the MBRCheck log: what do i do next?


MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows Vista MBR code detected

Done! Press ENTER to exit...



#14 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 02 August 2010 - 06:00 PM

I apologise again for that, jdoe99. Good job

As you can see the MBR has now got the Vista MBR again. Now we can return to Combofix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\windows\system32\n74kuwl.dll
c:\windows\system32\v8sos1h.dll


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#15 jdoe99
  • Topic Starter
  • Members
  • 50 posts

Posted 03 August 2010 - 06:11 AM

i ran combofix with the script you told me and here's the log:

ComboFix 10-08-02.01 - ganesh 08/02/2010 23:08:40.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2014.851 [GMT -4:00]
Running from: c:\users\ganesh\Documents\Desktop\combofix.exe
Command switches used :: c:\users\ganesh\Documents\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Created a new restore point

FILE ::
"c:\windows\system32\n74kuwl.dll"
"c:\windows\system32\v8sos1h.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\n74kuwl.dll
c:\windows\system32\v8sos1h.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-03 03:19 . 2010-08-03 03:19 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-08-03 03:19 . 2010-08-03 03:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-03 03:19 . 2010-08-03 03:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-02 17:21 . 2010-08-02 17:21 -------- d-----w- C:\B
2010-07-23 16:26 . 2010-07-23 16:26 -------- d-----w- c:\program files\JAWS 8.0-9.0-10.0 Scripts For Flex 3.0
2010-07-23 15:58 . 2010-07-23 15:58 -------- d-----w- c:\program files\Common Files\SafeNet Sentinel
2010-07-09 00:56 . 2009-10-23 00:07 91672 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-07-09 00:56 . 2009-10-23 00:07 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-07-09 00:56 . 2009-10-23 00:07 65448 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-07-09 00:56 . 2009-10-23 00:07 63728 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-07-09 00:56 . 2009-10-23 00:07 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-07-09 00:56 . 2009-10-23 00:07 343664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-07-09 00:56 . 2009-10-23 00:07 70728 ----a-w- c:\windows\system32\mfevtps.exe
2010-07-05 03:31 . 2010-08-03 03:19 -------- d-----w- c:\users\ganesh\AppData\Local\temp
2010-07-05 02:51 . 2008-01-19 05:55 16384 ----a-w- c:\windows\system32\drivers\nsiproxy.sys
2010-07-04 12:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-04 12:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-04 12:59 . 2010-07-04 13:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 02:59 . 2008-03-06 13:54 97262 ----a-w- c:\programdata\nvModes.dat
2010-08-02 17:23 . 2008-05-18 18:54 -------- d-----w- c:\programdata\Google Updater
2010-07-29 20:17 . 2010-06-22 21:11 63488 ----a-w- c:\users\ganesh\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-29 20:17 . 2010-06-22 21:11 117760 ----a-w- c:\users\ganesh\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-27 12:58 . 2009-04-07 13:21 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\SACore
2010-07-23 16:20 . 2008-12-16 14:31 -------- d-----w- c:\program files\Freedom Scientific
2010-07-23 16:19 . 2008-12-16 14:40 -------- d--h--w- c:\program files\Freedom Scientific Installation Information
2010-07-23 16:13 . 2008-10-31 13:40 -------- d-----w- c:\users\ganesh\AppData\Roaming\uTorrent
2010-07-19 20:18 . 2009-05-18 21:29 -------- d-----w- c:\users\ganesh\AppData\Roaming\SecondLife
2010-07-10 03:47 . 2007-12-04 21:23 117856 ----a-w- c:\users\ganesh\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-09 00:56 . 2007-12-04 22:15 -------- d-----w- c:\programdata\McAfee
2010-07-09 00:54 . 2007-12-04 22:14 -------- d-----w- c:\program files\McAfee
2010-07-09 00:54 . 2007-12-04 22:14 -------- d-----w- c:\program files\Common Files\McAfee
2010-07-02 20:16 . 2010-07-02 20:16 -------- d-----w- c:\users\ganesh\AppData\Roaming\com.adobe.QuothTheTwitter.852F8D123F54F8038D6C478F272C57F0EB5129CB.1
2010-07-01 13:34 . 2009-09-12 20:04 -------- d-----w- c:\users\ganesh\AppData\Roaming\vlc
2010-06-30 20:09 . 2008-02-22 02:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-30 20:08 . 2010-06-30 20:08 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2010-06-30 19:59 . 2010-06-30 19:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-30 19:59 . 2010-07-02 20:15 38784 ----a-w- c:\users\ganesh\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-30 19:59 . 2010-06-30 19:59 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-23 19:46 . 2007-11-26 10:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-23 19:46 . 2007-11-26 10:32 -------- d-----w- c:\program files\Lenovo
2010-06-23 18:39 . 2010-06-23 18:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-06-22 21:16 . 2010-06-22 21:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-22 21:11 . 2010-06-22 21:11 52224 ----a-w- c:\users\ganesh\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-22 21:11 . 2010-06-22 21:11 -------- d-----w- c:\users\ganesh\AppData\Roaming\SUPERAntiSpyware.com
2010-06-22 21:11 . 2010-06-22 21:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-06-22 20:40 . 2010-06-22 20:40 -------- d-----w- c:\users\ganesh\AppData\Roaming\Helios
2010-06-22 20:40 . 2010-06-22 20:40 -------- d-----w- c:\program files\TextPad 5
2010-06-18 12:15 . 2008-03-05 00:22 -------- d-----w- c:\programdata\Roxio
2010-06-14 12:11 . 2009-09-16 00:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-14 12:09 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-14 03:06 . 2007-11-26 11:35 -------- d-----w- c:\programdata\Microsoft Help
2010-06-12 12:48 . 2010-06-12 12:48 -------- d-----w- c:\program files\ESET
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\users\ganesh\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\users\ganesh\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-06-01 12:05 . 2010-06-01 12:05 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-05-26 17:06 . 2010-06-14 02:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-14 02:50 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2009-10-03 05:55 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-20 20:38 . 2010-05-20 20:37 188128 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2010-05-20 20:36 . 2007-12-04 21:17 117856 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
2007-11-13 20:01 . 2007-11-13 20:01 3395343 ------w- c:\program files\openofficeorg4.cab
2007-11-13 20:00 . 2007-11-13 20:00 67695863 ------w- c:\program files\openofficeorg3.cab
2007-11-13 19:49 . 2007-11-13 19:49 17646967 ------w- c:\program files\openofficeorg2.cab
2007-11-13 19:48 . 2007-11-13 19:48 18827152 ------w- c:\program files\openofficeorg1.cab
2007-11-13 19:47 . 2007-11-13 19:47 4364800 ------w- c:\program files\openofficeorg23.msi
2007-11-13 19:47 . 2007-11-13 19:47 217 ------w- c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ------w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ------w- c:\program files\instmsia.exe
2009-10-23 00:07 . 2010-07-09 00:56 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2007-11-26 10:05 . 2007-11-26 10:01 8192 --sh--w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\ganesh\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2008-10-27 632096]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2008-10-27 214576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TpShocks"="TpShocks.exe" [2008-06-06 181536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2007-09-25 28672]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-08-21 487424]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-16 217176]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-08-07 431392]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-08-07 148768]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-09 2630968]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2008-10-02 33304]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-01-11 166304]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 92704]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"BigDogPath323"="c:\windows\BigDog.exe" [2006-08-08 86016]
"LenovoTray"="c:\windows\LenovoTray.exe" [2007-07-03 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-02-22 500208]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-10-23 124240]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-10-5 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):ee,8b,53,0e,0b,ee,c9,01

R1 SABKUTIL;SABKUTIL;c:\program files\SUPERAntiSpyware\SABKUTIL.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 MySQL5;MySQL5;c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=c:\program files\MySQL\MySQL Server 5.0\my.ini MySQL5 [x]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 JTVNCProxy_10.0;JTVNCProxy;c:\program files\Freedom Scientific\JAWS\10.0\JTVNCProxy.exe [2010-01-15 16152]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-23 65448]
R3 vmapflt;vimicro Audio filter;c:\windows\system32\drivers\vmapflt.sys [2007-04-13 360704]
R3 vmcam325av;Lenovo USB WebCam;c:\windows\system32\Drivers\vmcam325av.sys [2007-03-14 232448]
R3 vvftav;325 Primax filter service name, vista ver;c:\windows\system32\drivers\vvftav.sys [2007-06-20 280960]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2008-07-21 225304]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2008-05-14 19496]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 Freedom Scientific Kernel Manager {D2B4C7A7-7605-4039-89E4-DE5CC69BBE9D};Freedom Scientific Kernel Manager;c:\windows\system32\fsKMgr.dll [2010-01-15 20512]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2009-10-23 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-23 70728]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-10-27 66848]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-03-27 58736]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-09 569344]
S3 fsvidmir;fsvidmir;c:\windows\system32\DRIVERS\fsvidmir.sys [2010-01-15 2944]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-06-26 3662848]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]


--- Other Services/Drivers In Memory ---

*Deregistered* - TvtDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-26 08:50]

2010-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4143426175-2825981908-2602191129-1005Core.job
- c:\users\ganesh\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 02:29]

2010-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4143426175-2825981908-2602191129-1005UA.job
- c:\users\ganesh\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 02:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\ganesh\AppData\Roaming\Mozilla\Firefox\Profiles\fuazw3ob.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\ganesh\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\ganesh\AppData\Roaming\Mozilla\Firefox\Profiles\fuazw3ob.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\users\ganesh\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\ganesh\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 23:19
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL5]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL5"
.
Completion time: 2010-08-02 23:22:55
ComboFix-quarantined-files.txt 2010-08-03 03:22
ComboFix2.txt 2010-07-30 21:20

Pre-Run: 14,895,460,352 bytes free
Post-Run: 14,807,879,680 bytes free

- - End Of File - - 3B8C2DECBA0A1F81F96A919A79F3FC9D
