Rootkit removal - please help!! Have logs, browser hijacks, super slow


This topic is locked
10 replies to this topic

#1 CWB212001KD7DB
  • Members
  • 6 posts

Posted 02 August 2010 - 12:40 AM

I'm having similar Firefox redirects as described in http://www.bleepingcomputer.com/forums/lof...hp/t329132.html . My machine is incredibly slow and my usual programs won't pick up anything. I've heard great things about ComboFix but need someone to walk me through it. Here are my logs... I appreciate any help you can give me!


DDS (Ver_10-03-17.01) - NTFSx86
Run by C at 14:53:09.33 on Sun 08/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.83 [GMT -7:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\C\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\c\applic~1\mozilla\firefox\profiles\f7acb3j4.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\c\application data\facebook\npfbplugin_1_0_3.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-22 64288]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149352]
R2 CommSB96;CommSB96;c:\windows\system32\drivers\COMMSB96.sys [2009-12-15 24776]
R2 CommSBEP;CommSBEP;c:\windows\system32\drivers\COMMSBEP.sys [2009-12-15 44236]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-18 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090118.033\NAVENG.SYS [2009-1-18 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090118.033\NAVEX15.SYS [2009-1-18 876112]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
S3 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149352]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-1-18 1251720]
S3 Wdm1;Vertex Standard USB CDC class;c:\windows\system32\drivers\usbser.sys [2008-1-8 26112]

=============== Created Last 30 ================

2010-08-01 18:51:55 0 d-----w- c:\program files\CCleaner
2010-07-23 11:16:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-23 01:59:04 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-23 01:58:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-23 00:54:57 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-23 00:51:20 0 d-----w- c:\program files\Lavasoft
2010-07-15 16:01:23 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll
2008-08-18 22:32:29 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 14:53:42.11 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-01 17:20:32
Windows 5.1.2600 Service Pack 3
Running: 8jmc4jn9.exe; Driver: C:\DOCUME~1\C\LOCALS~1\Temp\kfliakog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75FE87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75FEBFE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + F0 804E275C 4 Bytes CALL 17571EC0

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----


#2 snemelk
  • inżynier (engineer)
  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 09 August 2010 - 01:04 PM

Hi CWB212001KD7DB, and welcome to Bleeping Computer.

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Post the log from ComboFix when you've accomplished that.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 CWB212001KD7DB
  • Topic Starter
  • Members
  • 6 posts

Posted 10 August 2010 - 01:12 AM

Snemelk, thank you so much for helping me out. This has been driving me crazy. My ComboFix log is posted below. I downloaded ComboFix and turned off Windows Firewall and followed the instructions for disabling Norton AntiVirus. ComboFix warned that Norton was still active and running, and despite everything I tried I could not get it to turn off, so I uninstalled it as its subscription was expired. After a reboot I began ComboFix again and it almost immediately warned that the master boot record was infected and to press OK to restart the computer. It came back up, completed the scan and created the log. I look forward to any more help you can give so I can have my computer back.

ComboFix 10-08-09.02 - C 08/09/2010 22:42:15.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.278 [GMT -7:00]
Running from: c:\documents and settings\C\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\C\Local Settings\Application Data\Windows Server
C:\LOG1.tmp
C:\LOG4.tmp
C:\LOG4D.tmp
C:\LOG50.tmp
c:\windows\system32\Thumbs.db

.
\\.\PhysicalDrive0 - Bootkit Sinowal was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-08-10 05:28 . 2010-08-10 05:28 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2010-08-01 18:51 . 2010-08-01 18:52 -------- d-----w- c:\program files\CCleaner
2010-07-23 11:16 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-23 01:59 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-23 01:58 . 2010-07-23 01:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-23 00:57 . 2010-07-23 00:57 -------- d-----w- c:\documents and settings\C\Local Settings\Application Data\Sunbelt Software
2010-07-23 00:54 . 2010-07-23 00:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-23 00:54 . 2010-07-12 08:56 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-23 00:51 . 2010-07-23 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-23 00:51 . 2010-07-23 00:51 -------- d-----w- c:\program files\Lavasoft
2010-07-15 16:01 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 05:30 . 2008-01-19 04:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-10 05:30 . 2008-01-19 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-24 20:41 . 2010-01-18 05:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 14:31 . 2008-01-03 18:45 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-28 21:06 . 2010-02-28 04:59 1080 ----a-w- c:\windows\AUTOLNCH.REG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 536576]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-10-30 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2002-12-17 19:40 49152 ----a-r- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-05-23 03:55 483328 ----a-w- c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-05-23 04:03 49152 ----a-w- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-10-30 08:46 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-05-26 17:15 98304 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\honestech Video Patrol 4.0\\scheduler.exe"=
"c:\\Program Files\\YDI\\Client Manager\\Client Manager.exe"=
"c:\\Program Files\\YDI\\Bridge Manager\\Bridge Manager.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3695:TCP"= 3695:TCP:Services
"5890:TCP"= 5890:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2010 6:59 PM 64288]
R2 CommSB96;CommSB96;c:\windows\system32\drivers\COMMSB96.sys [12/15/2009 3:53 PM 24776]
R2 CommSBEP;CommSBEP;c:\windows\system32\drivers\COMMSBEP.sys [12/15/2009 3:53 PM 44236]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 1:55 AM 1352832]
S3 Wdm1;Vertex Standard USB CDC class;c:\windows\system32\drivers\usbser.sys [1/8/2008 11:57 AM 26112]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\documents and settings\C\Application Data\Mozilla\Firefox\Profiles\f7acb3j4.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\C\Application Data\Facebook\npfbplugin_1_0_3.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 22:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-08-09 22:53:11
ComboFix-quarantined-files.txt 2010-08-10 05:52

Pre-Run: 2,971,017,216 bytes free
Post-Run: 3,174,379,520 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 716E7A7985E2CEEBC721C1331381BE60




#4 CWB212001KD7DB
  • Topic Starter
  • Members
  • 6 posts

Posted 10 August 2010 - 01:20 AM

I almost forgot. . . After the log was created, I opened firefox to post my reply and log. Instead of the occasional 'Well this is embarrassing' crash screen that says it failed to open the five infomoneyservice.com windows, it said it failed to open 30 windows with addresses I'd never seen before. I should have saved the addresses but I quickly clicked on start a new session. Just in case this helps.

#5 snemelk
  • inżynier (engineer)
  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 10 August 2010 - 02:09 PM

Hi again CWB212001KD7DB!

QUOTE(CWB212001KD7DB @ Aug 10 2010, 08:12 AM)
Combofix warned that norton was still active and running and despite everything I tried I could not get it to turn off so I uninstalled it as it's subscription was expired.

Probably Symantec wasn't removed properly...
I suggest you run a Norton Removal Tool to fully remove that AV...

Afterwards, so that your system is protected, please install an antivirus program of your choice, run a full system scan with it, and post a log (if possible)... You may want to install one of the antivirus applications I recommend on my site: link

QUOTE
After a reboot I began combofix again and it almost immediately warned that the master boot record was infected and to press ok to restart the computer.

Strange that the GMER logfile did not show it... It's also possible that this was not a fully active infection...

QUOTE(CWB212001KD7DB @ Aug 10 2010, 08:20 AM)
Instead of the occasional 'Well this is embarrassing' crash screen that says it failed to open the five infomoneyservice.com windows, it said it failed to open 30 windows with addresses I'd never seen before. I should have saved the addresses but I quickly clicked on start a new session. Just in case this helps.

Does it happen with subsequent launches of Firefox as well, or has the problem ceased?

Please do the following (after installing an antivirus and running a scan with it):
Firstly,
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

QUOTE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3695:TCP"=-
"5890:TCP"=-
"3389:TCP"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
Folder::
c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Post it in your next reply.

Secondly,
Download and run HAMeb_check.exe
Post the contents of the resulting log.

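The indicators snemelk's CFScript targets (the IE proxy pointing at 127.0.0.1:5555, the seven globally opened firewall ports, the Security Center AntiVirusOverride/FirewallOverride values) and the "rootkit-like behavior" sector lines in the GMER log from the first post all have fixed textual forms in DDS, ComboFix and GMER output, so they can be picked out mechanically before a helper decides what to script. The Python below is an added example, not code from this thread or from the DDS, ComboFix or GMER tools: it walks a constructed excerpt written in those logs' format, collects the indicators, and emits a CFScript in the layout snemelk posted (DDS:: listing the proxy entries to strip, Registry:: deleting each port with the regedit "name"=- form and zeroing the overrides). The sample lines, the LOOPBACK host set and the function names are the example's own assumptions; the DDS header in the first post also lists a product called "Malware Defense" next to Norton, which is widely reported as a rogue security product and is the kind of entry this sort of triage would surface for a manual look.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the DDS, ComboFix and GMER logs posted
# in this thread (a few representative lines, not the real logs). Assumed input.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKLM\...] key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')           # "name"=value
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([\w.\-]+):(\d+)")
SECTOR_RE = re.compile(r"sector (\d+): (.+)$")            # GMER disk-sector line
LOOPBACK = {"127.0.0.1", "localhost", "::1"}              # assumed hijack hosts


def triage(log):
    """Return {indicator_kind: [items]} for the hijack and tampering patterns
    visible in this thread's logs. Registry values are attributed to the most
    recent [key] header, the way ComboFix prints them."""
    found = defaultdict(list)
    key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        # DDS "uInternet Settings" lines: a proxy on the local host with no
        # proxy software installed is the classic browser-redirect setup.
        if line.startswith("uInternet Settings,Proxy"):
            found["proxy_lines"].append(line)
            m = PROXY_RE.search(line)
            if m and m.group(1) in LOOPBACK:
                found["loopback_proxy"].append(f"{m.group(1)}:{m.group(2)}")
            continue
        # GMER flags sectors it considers suspicious; in this thread ComboFix
        # later reported the MBR infection as the Sinowal bootkit.
        m = SECTOR_RE.search(line)
        if m and "rootkit-like" in m.group(2):
            found["mbr_sector"].append(int(m.group(1)))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if "security center" in key:
            # Non-zero Override / DisableMonitoring DWORDs silence Security
            # Center's warnings about missing AV and firewall.
            if value.startswith("dword:") and int(value[6:], 16) != 0:
                found["security_center"].append(name)
        elif key.endswith("firewallpolicy\\standardprofile"):
            if name == "EnableFirewall" and value.split()[0] == "0":
                found["firewall_disabled"].append(key)
        elif key.endswith("globallyopenports\\list"):
            # "65533:TCP"= 65533:TCP:Services  ->  (port, proto, label)
            port, proto = name.split(":")
            found["open_port"].append((int(port), proto, value.rsplit(":", 1)[-1]))
    return dict(found)


def cfscript(found):
    """Build a CFScript in the layout snemelk posted: DDS:: lists the proxy
    entries to strip, Registry:: deletes each opened port ("name"=- is the
    regedit delete-value form) and zeroes the Security Center overrides."""
    out = []
    if found.get("loopback_proxy"):
        out += ["DDS::", *found["proxy_lines"]]
    overrides = [n for n in found.get("security_center", []) if n.endswith("Override")]
    if found.get("open_port") or overrides:
        out.append("Registry::")
    if found.get("open_port"):
        out.append(r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                   r"\standardprofile\GloballyOpenPorts\List]")
        out += [f'"{port}:{proto}"=-' for port, proto, _ in found["open_port"]]
    if overrides:
        out.append(r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]")
        out += [f'"{n}"=dword:00000000' for n in overrides]
    return "\n".join(out)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print(cfscript(result))
```

Run against the real logs in this thread, the same rules would return the loopback proxy, all seven GloballyOpenPorts entries (six labelled only "Services" on arbitrary high ports plus 3389 "Remote Desktop"), EnableFirewall=0, the three Security Center values, and GMER sectors 4, 10 and 61 through 63. The generated script deletes every opened port, which matches what snemelk's CFScript did; the DisableMonitoring values are reported but left for a manual decision, as they were in the thread.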

#6 CWB212001KD7DB
  • Topic Starter
  • Members
  • 6 posts

Posted 12 August 2010 - 10:54 AM

Snemelk, I appreciate your patience with me getting back to you, and all the help you have given me. After running combofix my machine is pretty much back up to speed and it's been nice to have it back. I installed and ran a full scan with avast and it found 3 files which were deleted. Here is the new combofix log and HAlog.

ComboFix 10-08-09.02 - C 08/12/2010 8:31.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.216 [GMT -7:00]
Running from: c:\documents and settings\C\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\C\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))
.

2010-08-12 06:50 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-12 06:50 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-12 06:50 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-12 06:50 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-12 06:50 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-12 06:50 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-12 06:50 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-12 06:49 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-12 06:49 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-12 06:49 . 2010-08-12 06:49 -------- d-----w- c:\program files\Alwil Software
2010-08-12 06:49 . 2010-08-12 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-01 18:51 . 2010-08-01 18:52 -------- d-----w- c:\program files\CCleaner
2010-07-23 11:16 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-23 01:59 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-23 01:58 . 2010-07-23 01:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-23 00:57 . 2010-07-23 00:57 -------- d-----w- c:\documents and settings\C\Local Settings\Application Data\Sunbelt Software
2010-07-23 00:54 . 2010-07-23 00:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-23 00:54 . 2010-07-12 08:56 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-23 00:51 . 2010-07-23 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-23 00:51 . 2010-07-23 00:51 -------- d-----w- c:\program files\Lavasoft
2010-07-15 16:01 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 20:37 . 2008-01-19 04:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-10 20:37 . 2008-01-19 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-24 20:41 . 2010-01-18 05:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 12:15 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-14 14:31 . 2008-01-03 18:45 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-28 21:06 . 2010-02-28 04:59 1080 ----a-w- c:\windows\AUTOLNCH.REG
.

((((((((((((((((((((((((((((( SnapShot@2010-08-10_05.49.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 07:02 . 2009-07-12 07:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 44544 c:\windows\system32\pngfilt.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\pngfilt.dll
- 2007-08-14 02:54 . 2010-05-04 17:20 52224 c:\windows\system32\msfeedsbs.dll
+ 2007-08-14 02:54 . 2010-06-24 12:15 52224 c:\windows\system32\msfeedsbs.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 27648 c:\windows\system32\jsproxy.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 27648 c:\windows\system32\jsproxy.dll
+ 2007-08-14 02:39 . 2010-06-23 12:06 13824 c:\windows\system32\ieudinit.exe
- 2007-08-14 02:39 . 2010-05-04 12:39 13824 c:\windows\system32\ieudinit.exe
- 2004-08-04 12:00 . 2010-05-04 17:20 44544 c:\windows\system32\iernonce.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\iernonce.dll
- 2004-08-04 12:00 . 2010-05-04 12:39 70656 c:\windows\system32\ie4uinit.exe
+ 2004-08-04 12:00 . 2010-06-23 12:06 70656 c:\windows\system32\ie4uinit.exe
- 2007-08-14 02:36 . 2010-05-04 17:20 63488 c:\windows\system32\icardie.dll
+ 2007-08-14 02:36 . 2010-06-24 12:15 63488 c:\windows\system32\icardie.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2008-01-05 04:28 . 2010-06-24 12:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-01-05 04:28 . 2010-05-04 17:20 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-01-05 04:28 . 2010-06-23 12:06 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2008-01-05 04:28 . 2010-05-04 12:39 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2004-08-04 12:00 . 2010-05-04 17:20 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2010-06-24 12:15 78336 c:\windows\system32\dllcache\ieencode.dll
- 2009-02-20 18:09 . 2010-05-04 17:20 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-04 12:00 . 2010-06-23 12:06 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2004-08-04 12:00 . 2010-05-04 12:39 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-01-05 04:28 . 2010-05-04 17:20 63488 c:\windows\system32\dllcache\icardie.dll
+ 2008-01-05 04:28 . 2010-06-24 12:15 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-06-29 16:12 . 2010-06-24 12:15 17408 c:\windows\system32\dllcache\corpol.dll
- 2009-06-29 16:12 . 2010-05-04 17:20 17408 c:\windows\system32\dllcache\corpol.dll
+ 2010-08-12 10:02 . 2010-08-12 10:05 14820 c:\windows\SoftwareDistribution\EventCache\{D5AE2D67-E0AA-4213-91EC-9CD361CD981F}.bin
+ 2010-08-12 10:02 . 2010-05-04 17:20 44544 c:\windows\ie7updates\KB2183461-IE7\pngfilt.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 52224 c:\windows\ie7updates\KB2183461-IE7\msfeedsbs.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 27648 c:\windows\ie7updates\KB2183461-IE7\jsproxy.dll
+ 2010-08-12 10:02 . 2010-05-04 12:39 13824 c:\windows\ie7updates\KB2183461-IE7\ieudinit.exe
+ 2010-08-12 10:02 . 2010-05-04 17:20 44544 c:\windows\ie7updates\KB2183461-IE7\iernonce.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 78336 c:\windows\ie7updates\KB2183461-IE7\ieencode.dll
+ 2010-08-12 10:02 . 2010-05-04 12:39 70656 c:\windows\ie7updates\KB2183461-IE7\ie4uinit.exe
+ 2010-08-12 10:02 . 2010-05-04 17:20 63488 c:\windows\ie7updates\KB2183461-IE7\icardie.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 17408 c:\windows\ie7updates\KB2183461-IE7\corpol.dll
+ 2010-08-12 05:52 . 2010-08-12 05:58 8396 c:\windows\SoftwareDistribution\EventCache\{8AFC238D-830D-4EC0-A79D-7ED6B9F23E10}.bin
+ 2009-07-12 07:02 . 2009-07-12 07:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 233472 c:\windows\system32\webcheck.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 233472 c:\windows\system32\webcheck.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 105984 c:\windows\system32\url.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 105984 c:\windows\system32\url.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 102912 c:\windows\system32\occache.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 102912 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 671232 c:\windows\system32\mstime.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 671232 c:\windows\system32\mstime.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 193024 c:\windows\system32\msrating.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 193024 c:\windows\system32\msrating.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 477696 c:\windows\system32\mshtmled.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 477696 c:\windows\system32\mshtmled.dll
- 2007-08-14 02:54 . 2010-05-04 17:20 459264 c:\windows\system32\msfeeds.dll
+ 2007-08-14 02:54 . 2010-06-24 12:15 459264 c:\windows\system32\msfeeds.dll
- 2007-08-14 02:34 . 2010-05-04 17:20 268288 c:\windows\system32\iertutil.dll
+ 2007-08-14 02:34 . 2010-06-24 12:15 268288 c:\windows\system32\iertutil.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 192512 c:\windows\system32\iepeers.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 192512 c:\windows\system32\iepeers.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 385024 c:\windows\system32\iedkcs32.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 385024 c:\windows\system32\iedkcs32.dll
+ 2007-07-11 20:27 . 2010-06-24 12:15 380928 c:\windows\system32\ieapfltr.dll
- 2007-07-11 20:27 . 2010-05-04 17:20 380928 c:\windows\system32\ieapfltr.dll
+ 2004-08-04 12:00 . 2010-06-17 15:11 161792 c:\windows\system32\ieakui.dll
- 2004-08-04 12:00 . 2010-04-16 11:43 161792 c:\windows\system32\ieakui.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 153088 c:\windows\system32\ieakeng.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 133120 c:\windows\system32\extmgr.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 214528 c:\windows\system32\dxtrans.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 347136 c:\windows\system32\dxtmsft.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 832512 c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 832512 c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 233472 c:\windows\system32\dllcache\webcheck.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 105984 c:\windows\system32\dllcache\url.dll
+ 2008-10-14 21:21 . 2010-06-21 15:27 354304 c:\windows\system32\dllcache\srv.sys
+ 2004-08-04 12:00 . 2010-06-24 12:15 102912 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 102912 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 193024 c:\windows\system32\dllcache\msrating.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 193024 c:\windows\system32\dllcache\msrating.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2008-01-05 04:28 . 2010-06-24 12:15 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2008-01-05 04:28 . 2010-05-04 17:20 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2008-01-03 18:44 . 2010-04-16 11:43 634656 c:\windows\system32\dllcache\iexplore.exe
+ 2008-01-03 18:44 . 2010-06-17 15:12 634656 c:\windows\system32\dllcache\iexplore.exe
+ 2008-01-05 04:28 . 2010-06-24 12:15 268288 c:\windows\system32\dllcache\iertutil.dll
- 2008-01-05 04:28 . 2010-05-04 17:20 268288 c:\windows\system32\dllcache\iertutil.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 192512 c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2008-01-05 04:28 . 2010-05-04 17:20 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-01-05 04:28 . 2010-06-24 12:15 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2004-08-04 12:00 . 2010-06-17 15:11 161792 c:\windows\system32\dllcache\ieakui.dll
- 2004-08-04 12:00 . 2010-04-16 11:43 161792 c:\windows\system32\dllcache\ieakui.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 124928 c:\windows\system32\advpack.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 124928 c:\windows\system32\advpack.dll
+ 2010-08-12 06:50 . 2010-08-12 06:50 219648 c:\windows\Installer\37d615.msi
+ 2010-08-12 10:02 . 2010-05-04 17:20 832512 c:\windows\ie7updates\KB2183461-IE7\wininet.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 233472 c:\windows\ie7updates\KB2183461-IE7\webcheck.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 105984 c:\windows\ie7updates\KB2183461-IE7\url.dll
+ 2010-08-12 10:02 . 2010-02-22 14:23 382840 c:\windows\ie7updates\KB2183461-IE7\spuninst\updspapi.dll
+ 2010-08-12 10:02 . 2010-02-22 14:23 231288 c:\windows\ie7updates\KB2183461-IE7\spuninst\spuninst.exe
+ 2010-08-12 10:02 . 2010-05-04 17:20 102912 c:\windows\ie7updates\KB2183461-IE7\occache.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 671232 c:\windows\ie7updates\KB2183461-IE7\mstime.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 193024 c:\windows\ie7updates\KB2183461-IE7\msrating.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 477696 c:\windows\ie7updates\KB2183461-IE7\mshtmled.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 459264 c:\windows\ie7updates\KB2183461-IE7\msfeeds.dll
+ 2010-08-12 10:02 . 2010-04-16 11:43 634656 c:\windows\ie7updates\KB2183461-IE7\iexplore.exe
+ 2010-08-12 10:02 . 2010-05-04 17:20 268288 c:\windows\ie7updates\KB2183461-IE7\iertutil.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 192512 c:\windows\ie7updates\KB2183461-IE7\iepeers.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 385024 c:\windows\ie7updates\KB2183461-IE7\iedkcs32.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 380928 c:\windows\ie7updates\KB2183461-IE7\ieapfltr.dll
+ 2010-08-12 10:02 . 2010-04-16 11:43 161792 c:\windows\ie7updates\KB2183461-IE7\ieakui.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 230400 c:\windows\ie7updates\KB2183461-IE7\ieaksie.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 153088 c:\windows\ie7updates\KB2183461-IE7\ieakeng.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 133120 c:\windows\ie7updates\KB2183461-IE7\extmgr.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 214528 c:\windows\ie7updates\KB2183461-IE7\dxtrans.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 347136 c:\windows\ie7updates\KB2183461-IE7\dxtmsft.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 124928 c:\windows\ie7updates\KB2183461-IE7\advpack.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 1168384 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 1168384 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2010-06-25 00:45 3600896 c:\windows\system32\mshtml.dll
- 2007-08-14 02:54 . 2010-05-04 17:20 6067200 c:\windows\system32\ieframe.dll
+ 2007-08-14 02:54 . 2010-06-24 12:15 6067200 c:\windows\system32\ieframe.dll
- 2004-08-04 12:00 . 2010-05-04 17:20 1168384 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 1168384 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00 . 2010-06-25 00:45 3600896 c:\windows\system32\dllcache\mshtml.dll
- 2008-01-05 04:28 . 2010-05-04 17:20 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2008-01-05 04:28 . 2010-06-24 12:15 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 1168384 c:\windows\ie7updates\KB2183461-IE7\urlmon.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 3600384 c:\windows\ie7updates\KB2183461-IE7\mshtml.dll
+ 2010-08-12 10:02 . 2010-05-04 17:20 6067200 c:\windows\ie7updates\KB2183461-IE7\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 536576]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-10-30 118784]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2002-12-17 19:40 49152 ----a-r- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-05-23 03:55 483328 ----a-w- c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-05-23 04:03 49152 ----a-w- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-10-30 08:46 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-05-26 17:15 98304 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\honestech Video Patrol 4.0\\scheduler.exe"=
"c:\\Program Files\\YDI\\Client Manager\\Client Manager.exe"=
"c:\\Program Files\\YDI\\Bridge Manager\\Bridge Manager.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2010 6:59 PM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/11/2010 11:50 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/11/2010 11:50 PM 17744]
R2 CommSB96;CommSB96;c:\windows\system32\drivers\COMMSB96.sys [12/15/2009 3:53 PM 24776]
R2 CommSBEP;CommSBEP;c:\windows\system32\drivers\COMMSBEP.sys [12/15/2009 3:53 PM 44236]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 1:55 AM 1352832]
S3 Wdm1;Vertex Standard USB CDC class;c:\windows\system32\drivers\usbser.sys [1/8/2008 11:57 AM 26112]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\documents and settings\C\Application Data\Mozilla\Firefox\Profiles\f7acb3j4.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\C\Application Data\Facebook\npfbplugin_1_0_3.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-12 08:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-08-12 08:45:05
ComboFix-quarantined-files.txt 2010-08-12 15:45
ComboFix2.txt 2010-08-10 05:53

Pre-Run: 3,150,848,000 bytes free
Post-Run: 3,155,873,792 bytes free

- - End Of File - - 555D78B4A593F61F59D8210426A4ABC1






C:\Documents and Settings\C\Desktop\HAMeb_check.exe
Thu 08/12/2010 at 8:50:21.67

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-1708537768-1580436667-854245398-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 9 !
copy of MBR has been found in sector 0x04A8143F
malicious code @ sector 0x04A81442 !
PE file found in sector at 0x04A81458 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3695:TCP"=3695:TCP:*:Enabled:Services
"5890:TCP"=5890:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#7 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:01:58 AM

Posted 12 August 2010 - 01:37 PM

Hi again CWB212001KD7DB!!..

QUOTE(CWB212001KD7DB @ Aug 12 2010, 05:54 PM)
Snemelk, I appreciate your patience with me getting back to you, and all the help you have given me.

No problem at all!!..

QUOTE
After running combofix my machine is pretty much back up to speed and it's been nice to have it back. I installed and ran a full scan with avast and it found 3 files which were deleted. Here is the new combofix log and HAlog.

It looks like the infection is not active anymore, but we need to clean up the leftovers and make sure we leave nothing behind...

Firstly,
Please download HelpAsst_mebroot_fix.exe and save it to your Desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
When it completes, a log will open.
Please post the contents of that log.

Secondly,
Reboot the machine manually, then re-run the HAMeb_check.exe application and post the log file...

Thirdly,
Download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe
http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
http://www.kernelmode.info/MBRCheck.exe

Close all open programs/windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver
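The helper is working through a fixed set of HelpAssistant/Mebroot indicators (active HelpAssistant account and profile, termsrv32.dll, the MBR detector's sector findings, and the GloballyOpenPorts entries the CFScript removed). The following is an added example, not code from HAMeb_check, HelpAsst_mebroot_fix or this thread: it parses HAMeb_check-style output and diffs a before/after pair of logs so the remaining items stand out. The sample logs are constructed abridgements of the two posted above; function and variable names are my own.

```python
"""Parse HAMeb_check-style output, list the HelpAssistant/Mebroot indicators it
reports and diff a before/after pair of logs. Added example, not the tools' code."""
import re

SECTION_RE = re.compile(r"^~~ Checking (.+?) ~~$")
SID_RE = re.compile(r"^S-1-5-21(?:-\d+)+$")
KEY_RE = re.compile(r"^\[HKLM\\~\\.*firewallpolicy\\(\w+)\\GloballyOpenPorts\\List\]$", re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\d+:(?:TCP|UDP):[^:]*:(Enabled|Disabled):(.*)$')
MBR_MARKERS = ("malicious code @ sector", "PE file found in sector")


def parse_hameb_log(text):
    """Return the indicators a HAMeb_check log exposes, keyed by name."""
    report = {
        "account_active": False,  # is the HelpAssistant account enabled?
        "profile_sids": [],       # SIDs listed under 'Checking profile list'
        "termsrv32_present": False,
        "mbr_findings": [],       # MBR detector lines that need follow-up
        "open_ports": {},         # profile -> [(port, proto, state, name)]
    }
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:  # '~~ Checking X ~~' starts a new section
            section, key = m.group(1).lower(), None
        elif line.startswith("Account active"):
            report["account_active"] = line.split()[-1] == "Yes"
        elif section == "profile list" and SID_RE.match(line):
            report["profile_sids"].append(line)
        elif section == "for termsrv32.dll" and line.startswith("termsrv32.dll"):
            report["termsrv32_present"] = line.endswith("present!")
        elif section == "mbr" and any(mk in line for mk in MBR_MARKERS):
            report["mbr_findings"].append(line)
        elif section == "firewall ports" and (km := KEY_RE.match(line)):
            key = km.group(1)  # the registry key header names the profile
            report["open_ports"].setdefault(key, [])
        elif section == "firewall ports" and key and (pm := PORT_RE.match(line)):
            port, proto, state, name = pm.groups()  # "port:proto"=port:proto:scope:state:name
            report["open_ports"][key].append((int(port), proto, state, name))
    return report


def assess(report, allowed_ports=frozenset()):
    """Flatten a report into findings; enabled ports outside allowed_ports are flagged."""
    findings = []
    if report["account_active"]:
        findings.append("HelpAssistant account is active")
    for sid in report["profile_sids"]:
        findings.append(f"HelpAssistant profile registered as {sid}")
    if report["termsrv32_present"]:
        findings.append("termsrv32.dll present")
    for line in report["mbr_findings"]:
        findings.append("MBR: " + line)
    for profile, entries in report["open_ports"].items():
        for port, proto, state, name in entries:
            if state == "Enabled" and port not in allowed_ports:
                findings.append(f"{profile}: globally open port {port}/{proto} ({name})")
    return findings


def compare(before_text, after_text):
    """Return (findings the cleanup removed, findings that remain)."""
    before = set(assess(parse_hameb_log(before_text)))
    after = set(assess(parse_hameb_log(after_text)))
    return sorted(before - after), sorted(after)


# Constructed, abridged versions of the two HAMeb_check logs posted in this thread.
BEFORE_LOG = r"""Account active Yes
~~ Checking profile list ~~
S-1-5-21-1708537768-1580436667-854245398-1000
~~ Checking mbr ~~
malicious code @ sector 0x04A81442 !
PE file found in sector at 0x04A81458 !
~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
~~ EOF ~~"""
AFTER_LOG = r"""Account active No
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking mbr ~~
malicious code @ sector 0x04A81442 !
PE file found in sector at 0x04A81458 !
~~ Checking for termsrv32.dll ~~
termsrv32.dll was not found
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
~~ EOF ~~"""
```

Running compare(BEFORE_LOG, AFTER_LOG) on these samples shows the account, profile, termsrv32.dll and port entries cleared while the two MBR sector lines remain, which is exactly what the MBRCheck step is there to look into.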


#8 CWB212001KD7DB

CWB212001KD7DB
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:58 PM

Posted 12 August 2010 - 09:35 PM

Snemelk, as requested...

C:\Documents and Settings\C\Desktop\HelpAsst_mebroot_fix.exe
Thu 08/12/2010 at 14:56:59.42

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3695:TCP"=-
"5890:TCP"=-
"3389:TCP"=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1708537768-1580436667-854245398-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK





C:\Documents and Settings\C\Desktop\HAMeb_check.exe
Thu 08/12/2010 at 15:25:13.73

Account active No
Local Group Memberships *Administrators

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 9 !
copy of MBR has been found in sector 0x04A8143F
malicious code @ sector 0x04A81442 !
PE file found in sector at 0x04A81458 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~






MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7AAE000 \WINDOWS\system32\KDCOM.DLL
0xF79BE000 \WINDOWS\system32\BOOTVID.dll
0xF755F000 ACPI.sys
0xF7AB0000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF754E000 pci.sys
0xF75AE000 isapnp.sys
0xF79C2000 compbatt.sys
0xF79C6000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B76000 pciide.sys
0xF782E000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7AB2000 intelide.sys
0xF7530000 pcmcia.sys
0xF75BE000 MountMgr.sys
0xF7511000 ftdisk.sys
0xF79CA000 ACPIEC.sys
0xF7B77000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7836000 PartMgr.sys
0xF75CE000 VolSnap.sys
0xF74F9000 atapi.sys
0xF75DE000 disk.sys
0xF75EE000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74D9000 fltmgr.sys
0xF74C7000 sr.sys
0xF75FE000 Lbd.sys
0xF760E000 PxHelp20.sys
0xF74B0000 KSecDD.sys
0xF7423000 Ntfs.sys
0xF73F6000 NDIS.sys
0xF73DC000 Mup.sys
0xF779E000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7A5A000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF735B000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF7347000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF78A6000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7323000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78AE000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7312000 \SystemRoot\system32\DRIVERS\Rtlnic51.sys
0xF72BE000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF77AE000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF78B6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7291000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7ACA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF78BE000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF77BE000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF77CE000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF77DE000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF726E000 \SystemRoot\system32\DRIVERS\ks.sys
0xF722A000 \SystemRoot\system32\drivers\camchal.sys
0xF71E2000 \SystemRoot\system32\drivers\camcaud.sys
0xF71BE000 \SystemRoot\system32\drivers\portcls.sys
0xF77EE000 \SystemRoot\system32\drivers\drmk.sys
0xF718D000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xF708E000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF6FE7000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF78C6000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7A62000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7C2D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF77FE000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A66000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6FD0000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF780E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF781E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78CE000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6FBF000 \SystemRoot\system32\DRIVERS\psched.sys
0xF762E000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78D6000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78DE000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF763E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7ACE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6F2C000 \SystemRoot\system32\DRIVERS\update.sys
0xF7A76000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF764E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEEE6B000 \SystemRoot\system32\drivers\ialmkchw.sys
0xEEE4D000 \SystemRoot\system32\drivers\ialmsbw.sys
0xF766E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7AD2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C91000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AD4000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7906000 \SystemRoot\System32\drivers\vga.sys
0xF7AD6000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AD8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF790E000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7916000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A96000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEED7A000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEED21000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF767E000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xEECFB000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF769E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEECD3000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEECB1000 \SystemRoot\System32\drivers\afd.sys
0xF76AE000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEEC86000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEEBEE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76BE000 \SystemRoot\System32\Drivers\Fips.SYS
0xEEBC7000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF7936000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF76DE000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEEBAF000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AE0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6F28000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7946000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B93000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF073000 \SystemRoot\System32\ialmdd5.DLL
0xF7A52000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xEEA83000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEE8F0000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xEE5A3000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xEE58E000 \SystemRoot\system32\drivers\wdmaud.sys
0xEE9D7000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7AFA000 \SystemRoot\SYSTEM32\drivers\DS1410D.SYS
0xEE6AC000 \SystemRoot\System32\Drivers\CommSB96.SYS
0xF796E000 \SystemRoot\System32\Drivers\CommSBEP.SYS
0xEE68C000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEE359000 \SystemRoot\system32\DRIVERS\srv.sys
0xEE200000 \SystemRoot\System32\Drivers\HTTP.sys
0xF785E000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF7876000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xEE025000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xF7926000 \??\C:\DOCUME~1\C\LOCALS~1\Temp\mbr.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 24):
0 System Idle Process
4 System
336 C:\WINDOWS\system32\smss.exe
392 csrss.exe
416 C:\WINDOWS\system32\winlogon.exe
460 C:\WINDOWS\system32\services.exe
472 C:\WINDOWS\system32\lsass.exe
616 C:\WINDOWS\system32\svchost.exe
712 svchost.exe
752 C:\WINDOWS\system32\svchost.exe
864 svchost.exe
1076 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1260 C:\WINDOWS\explorer.exe
1380 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1388 C:\WINDOWS\system32\hkcmd.exe
1428 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
1768 C:\WINDOWS\system32\spoolsv.exe
1876 svchost.exe
304 C:\WINDOWS\system32\svchost.exe
1028 C:\WINDOWS\system32\wuauclt.exe
1212 svchost.exe
1532 alg.exe
2340 C:\WINDOWS\system32\wscntfy.exe
3736 C:\Documents and Settings\C\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HITACHI_DK23FA-40, Rev: 00M5A0A2

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


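The HelpAsst_mebroot_fix and HAMeb_check logs above boil down to a handful of host indicators: whether the HelpAssistant account is active, what the TermService ServiceDll points at, which entries sit in the firewall's GloballyOpenPorts\List, and whether a HelpAssistant profile is registered. The following is an added example (it is not the tool's code and is not from this thread) that runs those same checks over captured `reg query` and `net user HelpAssistant` output, so the result can be reviewed offline; the sample text is constructed from the values in the posted log, and the allowlist of firewall ports is an assumption for the example.

```python
"""Triage the HelpAssistant/Mebroot indicators over captured `reg query` and `net user` output."""
import re

# Entries XP's firewall creates for File and Printer Sharing. Anything else in
# GloballyOpenPorts\List is reported. ASSUMPTION for this example, not from the page.
EXPECTED_OPEN_PORTS = {"139:TCP", "445:TCP", "137:UDP", "138:UDP"}

OPEN_PORTS_KEY = re.compile(
    r"\\SharedAccess\\Parameters\\FirewallPolicy\\(\w+)\\GloballyOpenPorts\\List$", re.I)
TERMSERVICE_KEY = re.compile(r"\\Services\\TermService\\Parameters$", re.I)
PROFILELIST_KEY = re.compile(r"\\ProfileList\\(S-1-5-21-[\d-]+)$", re.I)


def parse_reg_query(text: str) -> dict:
    """Turn `reg query <key> /s` output into {key: {value_name: (type, data)}}.
    XP's reg.exe separates columns with tabs, later versions with four spaces; both are handled."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None and line[:1].isspace():
            parts = re.split(r"\t|\s{2,}", line.strip(), maxsplit=2)
            if len(parts) >= 2:
                keys[current][parts[0]] = (parts[1], parts[2] if len(parts) > 2 else "")
    return keys


def account_active(net_user_output: str) -> bool:
    """Read the 'Account active' row of `net user <name>` output."""
    m = re.search(r"^Account active\s+(\w+)", net_user_output, re.M)
    return m is not None and m.group(1).lower() == "yes"


def find_indicators(keys: dict, net_user_output: str) -> list:
    """Return one human-readable finding per indicator present."""
    findings = []
    if account_active(net_user_output):
        findings.append("HelpAssistant account is enabled")
    for key, values in keys.items():
        m = OPEN_PORTS_KEY.search(key)
        if m:
            for name in values:
                if name.upper() not in EXPECTED_OPEN_PORTS:
                    findings.append(f"{m.group(1)} profile: unexpected open port {name}")
        elif TERMSERVICE_KEY.search(key):
            dll = values.get("ServiceDll", ("", ""))[1]
            if not dll.lower().endswith("\\termsrv.dll"):   # stock value is %SystemRoot%\System32\termsrv.dll
                findings.append(f"TermService ServiceDll redirected to {dll}")
        else:
            m = PROFILELIST_KEY.search(key)
            if m:
                path = values.get("ProfileImagePath", ("", ""))[1]
                if path.lower().endswith("\\helpassistant"):
                    findings.append(f"HelpAssistant profile {m.group(1)} at {path}")
    return findings


# Constructed sample, modelled on the values the fix log removed (not real captured output).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
    139:TCP    REG_SZ    139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    65533:TCP    REG_SZ    65533:TCP:*:Enabled:
    52344:TCP    REG_SZ    52344:TCP:*:Enabled:
    3246:TCP    REG_SZ    3246:TCP:*:Enabled:
    2479:TCP    REG_SZ    2479:TCP:*:Enabled:
    3695:TCP    REG_SZ    3695:TCP:*:Enabled:
    5890:TCP    REG_SZ    5890:TCP:*:Enabled:
    3389:TCP    REG_SZ    3389:TCP:*:Enabled:@xpsp2res.dll,-22009

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\termsrv32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1708537768-1580436667-854245398-1000
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\HelpAssistant
"""

SAMPLE_NET_USER = """User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
Account active               Yes
Local Group Memberships      *Administrators
"""

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_query(SAMPLE_REG_QUERY), SAMPLE_NET_USER):
        print("[!]", finding)
```

On a live XP box the inputs come from `reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" /s`, `reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters"`, `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s` and `net user HelpAssistant`; 3389:TCP is worth a second look on XP Home in particular, since that edition has no Remote Desktop host to need it.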

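MBRCheck (post #7) reports the MBR code family and an SHA1, and the Gmer detector output in the HAMeb_check log reports the partition offset, stray copies of the MBR in other sectors and a PE header in unallocated space. As an added example that is neither tool's code and is not from this thread, here is the same analysis done offline in Python over a raw disk image: parse the 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hash the boot code, and scan the sectors before the first partition for copies of the MBR and for PE images. The sample image is constructed; hashing only the 446 boot-code bytes (rather than the whole sector) is this example's choice, since the page does not say what MBRCheck hashes.

```python
"""Parse an MBR and hunt for MBR copies and PE headers in the sectors before the first partition."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_mbr(sector0: bytes) -> dict:
    """Return the boot-code SHA1 and the non-empty partition entries of one MBR sector."""
    if len(sector0) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector0[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, size = struct.unpack_from("<B3xB3xII", sector0, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                               # unused slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                           # 0x07 = NTFS
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR,       # what MBRCheck prints as "at offset"
            "sectors": size,
        })
    return {"boot_code_sha1": hashlib.sha1(sector0[:BOOT_CODE_LEN]).hexdigest().upper(),
            "partitions": partitions}


def find_mbr_copies(image: bytes) -> list:
    """Sector numbers other than 0 whose boot code and signature match sector 0's."""
    reference = image[:BOOT_CODE_LEN]
    hits = []
    for lba in range(1, len(image) // SECTOR):
        start = lba * SECTOR
        if image[start:start + BOOT_CODE_LEN] == reference and image[start + 510:start + 512] == BOOT_SIGNATURE:
            hits.append(lba)
    return hits


def find_pe_sectors(image: bytes, first_partition_lba: int) -> list:
    """Sectors before the first partition that begin a PE image (MZ header whose e_lfanew points at PE\\0\\0)."""
    hits = []
    for lba in range(1, min(first_partition_lba, len(image) // SECTOR)):
        start = lba * SECTOR
        if image[start:start + 2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", image, start + 0x3C)[0]
        if image[start + e_lfanew:start + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(lba)
    return hits


def triage(image: bytes) -> dict:
    """Run all three checks on a raw image and return the results in one dict."""
    mbr = parse_mbr(image[:SECTOR])
    first_lba = min((p["lba_start"] for p in mbr["partitions"]), default=len(image) // SECTOR)
    return {"mbr": mbr, "mbr_copies": find_mbr_copies(image), "pe_sectors": find_pe_sectors(image, first_lba)}


def build_sample_image(total_sectors: int = 64) -> bytes:
    """CONSTRUCTED image: stand-in MBR in sector 0, a stray copy in sector 9, a PE stub in sector 20."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_LEN, b"\x90")  # stand-in, not a real loader
    # One bootable NTFS partition at LBA 63 (byte offset 0x7E00), sized roughly like the 37 GB disk above.
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 78140097)
    mbr = boot_code + entry0 + bytes(16 * 3) + BOOT_SIGNATURE
    sectors = [bytearray(SECTOR) for _ in range(total_sectors)]
    sectors[0][:] = mbr
    sectors[9][:] = mbr                  # the kind of leftover Gmer reports as "copy of MBR ... in sector 9"
    pe = bytearray(SECTOR)               # minimal MZ/PE header pair, no real code
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = struct.pack("<I", 0x40)
    pe[0x40:0x44] = b"PE\x00\x00"
    sectors[20][:] = pe
    return b"".join(sectors)


if __name__ == "__main__":
    result = triage(build_sample_image())
    print("boot code SHA1:", result["mbr"]["boot_code_sha1"])
    for p in result["mbr"]["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} at offset 0x{p['byte_offset']:X}")
    print("copies of the MBR in sectors:", result["mbr_copies"])
    print("PE headers before the first partition in sectors:", result["pe_sectors"])
```

To run it against a real disk, replace `build_sample_image()` with the bytes of a raw image (for example one taken with dd from a write-blocked drive); the gap between sector 1 and the first partition (sectors 1 to 62 on a disk laid out like the one above) is exactly where bootkits of this era stashed their loader and the original MBR, which is why that region is the one worth scanning first.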

#9 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 13 August 2010 - 10:11 AM

Hi again CWB212001KD7DB!

Leftovers removed, all looks good!

Firstly,
Please do the following:
Go to Start --> Run, type
helpasst -cleanup
and press Enter...

Secondly,
We need to update outdated programs (with security vulnerabilities) on your machine:

- Adobe Acrobat Reader:

You're using an old version of Adobe Acrobat Reader, which can leave your PC open to vulnerabilities. You can update it here (uninstall version 8.1.5 first):
http://www.adobe.com/products/acrobat/readstep2.html

- Adobe Flash Player:

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

- Mozilla Firefox --> Help --> Check for updates - let it update to the newest version - 3.6.8


Then, if no problem remains:

Delete the tools: HelpAsst_mebroot_fix.exe, HAMeb_check.exe, MBRCheck.exe, DDS...

Then: The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Please check my site - snemelk.hekko.pl.
Also, I recommend you to read Grinler's excellent article: How did I get infected?, With steps so it does not happen again!


#10 CWB212001KD7DB

CWB212001KD7DB
  • Topic Starter

  • Members
  • 6 posts

Posted 13 August 2010 - 10:13 PM

Snemelk, I've gone through and done everything you suggested. Well, except change my passwords. I have quite a few sites to do and I will get to them tomorrow (I'm on vacation and need to spend time with the fam). I just want to say thank you once again for all of your help and it's awesome knowing that there is a resource of volunteers such as this willing to give their time and expertise to help others out. I've learned a lot and will be doing things differently from now on. Take care, Chris

#11 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 16 August 2010 - 01:42 PM

Hi again CWB212001KD7DB!

Sorry for a very late reply...

QUOTE(CWB212001KD7DB @ Aug 14 2010, 05:13 AM)
Well, except change my passwords. I have quite a few sites to do and I will get to them tomorrow (I'm on vacation and need to spend time with the fam).

No problem, but I highly recommend you do it as soon as possible - MBR rootkits have been known for "harvesting the passwords"...

QUOTE
I just want to say thank you once again for all of your help and it's awesome knowing that there is a resource of volunteers such as this willing to give their time and expertise to help others out. I've learned alot and will be doing things differently from now on.

Thank you for these kind words!!

Glad we could help.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.




