Hi help me with log file for combofix


  • This topic is locked
2 replies to this topic

#1 sree135

sree135

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:15 PM

Posted 08 August 2010 - 12:38 AM

Hi friends, I am new to this kind of malware removal. I have been using computers for many years and I don't install anything, so I was not infected by threatening spyware or malware programs that would do major corruption, though I would have had some spyware and adware. Recently I let my friend use my computer and he downloaded Bandoo while he was chatting; I found out from the history and from the programs list. What this one did is that it changed all my home pages to searchqu. So I first disabled System Restore and removed it and the other things installed with it from Add/Remove, along with some other toolbars it came with, reset all the IE, Mozilla and Chrome settings and was able to change my homepage. I don't install anything like this (advertisement) on my computer as I know it will corrupt system files. I am going to check whether that guy has the tool installed on his computer, or else I will install this Bandoo on his system, as he too knows that and I am very sure he will not install it on his computer, but I don't know why he did it to me. If I find he has done it on purpose, I am sure I am going to install it on his computer too and let him then remove it, wasting some time like I did. Still, I think it has corrupted my registry files, so when I searched for this I found that I need to run ComboFix and send the log to this site or some other geek site. I chose this one and I am going to run this tool to see what has happened, and will post the log info once I have completed it.

ComboFix 10-08-07.01 - sree 08/08/2010 11:18:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1325 [GMT 5.5:30]
Running from: d:\documents and settings\sree\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
d:\windows\SNMPAPI.DLL
d:\windows\system32\Cache
d:\windows\system32\d3d10core.dll
d:\windows\system32\dxgi.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2010-08-07 19:53 . 2010-08-07 19:53 -------- d-----w- d:\windows\IIS Temporary Compressed Files
2010-08-01 18:30 . 2010-08-01 18:53 9216 ----a-w- d:\documents and settings\sree\fbchathistory.dat
2010-08-01 18:30 . 2010-06-18 16:12 17276 ----a-w- d:\documents and settings\sree\Application Data\Mozilla\Firefox\Profiles\p5474ohd.default\extensions\fbchathistory@firechm.com\content\common.js.com
2010-08-01 18:30 . 2010-06-18 16:12 13869 ----a-w- d:\documents and settings\sree\Application Data\Mozilla\Firefox\Profiles\p5474ohd.default\extensions\fbchathistory@firechm.com\content\fbchathistory.js.com
2010-08-01 18:30 . 2010-06-18 16:12 12538 ----a-w- d:\documents and settings\sree\Application Data\Mozilla\Firefox\Profiles\p5474ohd.default\extensions\fbchathistory@firechm.com\content\history.js.com
2010-07-31 17:24 . 2010-07-31 17:24 -------- d-----w- d:\documents and settings\sree\Local Settings\Application Data\Broad Intelligence
2010-07-31 17:24 . 2010-07-31 17:24 -------- d-----w- d:\documents and settings\sree\Application Data\Broad Intelligence
2010-07-31 17:22 . 2010-07-31 17:24 -------- d-----w- d:\program files\XULPlayer
2010-07-24 01:16 . 2010-07-24 01:16 -------- d-----w- d:\program files\MountFocus
2010-07-17 20:06 . 2010-07-17 20:06 -------- d-----w- d:\documents and settings\sree\Local Settings\Application Data\ATI
2010-07-17 20:06 . 2010-07-17 20:06 -------- d-----w- d:\documents and settings\sree\Application Data\ATI
2010-07-17 20:06 . 2010-07-17 20:06 -------- d-----w- d:\documents and settings\All Users\Application Data\ATI
2010-07-17 20:06 . 2010-07-17 20:06 0 ----a-w- d:\windows\ativpsrm.bin
2010-07-17 19:53 . 2010-07-17 19:53 9158 ----a-r- d:\documents and settings\sree\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2010-07-17 19:53 . 2010-07-17 19:53 -------- d-----w- d:\program files\Common Files\ATI Technologies
2010-07-17 19:53 . 2008-12-01 09:05 593920 ------w- d:\windows\system32\ati2sgag.exe
2010-07-17 19:53 . 2010-07-17 19:55 -------- d-----w- d:\program files\ATI Technologies
2010-07-17 18:41 . 2008-04-13 16:35 20992 -c--a-w- d:\windows\system32\dllcache\rtl8139.sys
2010-07-17 18:41 . 2008-04-13 16:35 20992 ----a-w- d:\windows\system32\drivers\RTL8139.sys
2010-07-16 05:52 . 2010-05-12 11:17 1440768 ----a-w- d:\documents and settings\sree\Application Data\Mozilla\Firefox\Profiles\p5474ohd.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
2010-07-15 21:16 . 2010-07-15 21:16 -------- d-----w- d:\documents and settings\sree\Application Data\BitComet
2010-07-15 19:50 . 2010-07-15 19:50 -------- d-----w- d:\program files\CrystalDiskMark

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-08 05:42 . 2010-01-22 21:59 -------- d-----w- d:\program files\BitComet
2010-08-07 18:26 . 2010-05-21 05:58 -------- d-----w- d:\documents and settings\All Users\Application Data\VMware
2010-08-07 18:26 . 2010-05-21 05:59 -------- d-----w- d:\documents and settings\LocalService\Application Data\VMware
2010-08-07 18:25 . 2010-05-21 06:00 -------- d-----w- d:\documents and settings\sree\Application Data\VMware
2010-08-07 18:14 . 2009-11-26 14:43 -------- d-----w- d:\documents and settings\All Users\Application Data\Avocent AdminWorks
2010-08-07 18:04 . 2009-11-24 13:54 45912 ----a-w- d:\documents and settings\sree\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-07 18:00 . 2009-11-26 14:13 -------- d--h--w- d:\program files\InstallShield Installation Information
2010-08-07 18:00 . 2009-11-26 14:15 -------- d-----w- d:\program files\Intel
2010-08-07 18:00 . 2009-11-26 14:18 6784 ----a-w- d:\windows\system32\drivers\osaio.sys
2010-08-02 02:44 . 2010-08-02 02:25 192 ----a-w- d:\documents and settings\sree\Local Settings\Application Data\GLF140.tmp
2010-07-25 12:50 . 2009-11-24 13:55 -------- d-----w- d:\program files\SpeedFan
2010-07-24 00:40 . 2009-11-26 18:28 22328 ----a-w- d:\windows\system32\drivers\PnkBstrK.sys
2010-07-24 00:40 . 2009-11-26 18:28 103736 ----a-w- d:\windows\system32\PnkBstrB.exe
2010-07-09 13:56 . 2010-07-08 00:46 -------- d-----w- d:\documents and settings\sree\Application Data\SecondLife
2010-07-08 00:46 . 2010-07-08 00:45 -------- d-----w- d:\program files\SecondLifeViewer2
2010-07-06 23:43 . 2010-07-06 23:01 -------- d-----w- d:\documents and settings\All Users\Application Data\DivX
2010-07-06 23:43 . 2010-07-06 23:43 57344 ----a-w- d:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-06 23:06 . 2010-07-06 23:06 56997 ----a-w- d:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-07-06 23:06 . 2010-07-06 23:06 56765 ----a-w- d:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-06 23:06 . 2010-07-06 23:06 53600 ----a-w- d:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-07-06 23:06 . 2010-07-06 23:06 57715 ----a-w- d:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-07-06 23:06 . 2010-07-06 23:06 84062 ----a-w- d:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-07-06 23:06 . 2010-07-06 23:06 57054 ----a-w- d:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-07-06 23:06 . 2010-07-06 23:06 54166 ----a-w- d:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-07-06 23:06 . 2010-07-06 23:06 57532 ----a-w- d:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-07-06 00:32 . 2010-03-25 00:22 -------- d-----w- d:\documents and settings\All Users\Application Data\NOS
2010-06-26 18:22 . 2010-06-26 18:22 -------- d-----w- d:\program files\SystemRequirementsLab
2010-06-26 18:22 . 2010-06-26 18:22 84480 ----a-w- d:\documents and settings\sree\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-06-26 18:22 . 2010-06-26 18:22 -------- d-----w- d:\documents and settings\sree\Application Data\SystemRequirementsLab
2010-06-26 17:54 . 2010-06-26 17:54 -------- d-----w- d:\program files\CPUID
2010-06-26 15:06 . 2010-06-26 15:06 -------- d-----w- d:\documents and settings\sree\Application Data\Nokia Multimedia Player
2010-06-22 02:56 . 2010-06-22 02:53 -------- d-----w- d:\program files\AutoGK
2010-06-22 02:56 . 2010-06-22 02:56 -------- d-----w- d:\program files\XviD
2010-06-22 02:56 . 2010-06-22 02:55 -------- d-----w- d:\program files\AviSynth 2.5
2010-06-22 02:53 . 2010-06-22 02:53 -------- d-----w- d:\program files\Gabest
2010-06-14 08:24 . 2009-11-28 12:33 -------- d-----w- d:\program files\Common Files\Nokia
2010-06-14 08:24 . 2010-06-14 08:24 -------- d-----w- d:\program files\Common Files\PCSuite
2010-06-14 08:24 . 2009-11-28 12:31 -------- d-----w- d:\program files\Nokia
2010-06-14 08:23 . 2010-06-14 08:23 733783 ----a-w- d:\documents and settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Packages\Nokia_PC_Suite\CustomActions\NSU_Inst_fix.exe
2010-06-14 08:23 . 2009-11-28 12:30 8192 ----a-w- d:\documents and settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Installer\CommonCustomActions\UninstCCD.exe
2010-06-14 08:23 . 2009-11-28 12:30 61440 ----a-w- d:\documents and settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-06-14 08:23 . 2009-11-28 12:30 10240 ----a-w- d:\documents and settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Installer\CommonCustomActions\UninstPCS.exe
2010-06-13 11:01 . 2010-01-17 21:24 -------- d-----w- d:\program files\NSS
2010-06-11 11:21 . 2010-06-11 11:21 3055600 ----a-w- d:\documents and settings\sree\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 11:06 . 2010-06-11 11:06 275952 ----a-w- d:\documents and settings\sree\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- d:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\57\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- d:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\57\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- d:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\57\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- d:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\57\AcrobatUpdater.exe
2010-06-08 21:11 . 2010-06-08 21:09 1956656 ----a-w- d:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-06-01 17:37 . 2009-11-30 06:13 221568 ------w- d:\windows\system32\MpSigStub.exe
2010-05-11 06:30 . 2010-06-26 17:54 20072 ----a-w- d:\windows\system32\drivers\cpuz133_x32.sys
2009-11-23 21:20 . 2009-11-23 21:20 3000 ----a-w- d:\program files\Common Files\unins000.dat
2009-11-23 21:20 . 2009-11-23 21:20 728858 ----a-w- d:\program files\Common Files\unins000.exe
2010-04-11 15:35 . 2010-04-11 15:36 251392 ----a-w- d:\program files\opera\program\plugins\dapop.dll
.

------- Sigcheck -------

[-] 2008-11-21 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . d:\windows\system32\drivers\tcpip.sys


[-] 2008-11-21 . 0C36665395F29A38407752DF7975DC48 . 1614848 . . [5.1.2600.5512] . . d:\windows\system32\sfcfiles.dll

d:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitComet"="d:\program files\BitComet\BitComet.exe" [2010-06-30 3205424]
"Switch Off"="d:\program files\Switch Off\swoff.exe" [2010-01-23 19456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"IAAnotif"="d:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"IntelAudioStudio"="d:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2008-03-27 9142272]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2008-12-18 150040]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2008-12-18 178712]
"Persistence"="d:\windows\system32\igfxpers.exe" [2008-12-18 150040]
"ipTray.exe"="d:\program files\Intel\IDU\iptray.exe" [2006-12-28 2242328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
"Nokia.PCSync"="d:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2008-08-26 124928]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Beyond TV.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Beyond TV.lnk
backup=d:\windows\pss\Beyond TV.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=d:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^sree^Start Menu^Programs^Startup^taskmgr.lnk]
path=d:\documents and settings\sree\Start Menu\Programs\Startup\taskmgr.lnk
backup=d:\windows\pss\taskmgr.lnkStartup

[HKLM\~\startupfolder\D:^Documents and Settings^sree^Start Menu^Programs^Startup^ZooskMessenger.lnk]
path=d:\documents and settings\sree\Start Menu\Programs\Startup\ZooskMessenger.lnk
backup=d:\windows\pss\ZooskMessenger.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
d:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 20:27 35760 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 10:05 202024 ----a-w- d:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-27 04:58 136176 ----atw- d:\documents and settings\sree\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2009-09-13 13:22 1048392 ----a-w- d:\program files\Microsoft Security Essentials\msseces.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2007-12-10 04:42 695808 ----a-w- d:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCLoader]
2007-07-26 06:58 105544 ----a-w- d:\program files\Pinnacle\TVCenter Pro\PMCLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
2007-07-04 08:22 253000 ------w- d:\program files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-01-31 17:43 385024 ----a-w- d:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2004-01-28 18:12 565248 ----a-w- d:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-08-29 11:41 61440 ----a-w- d:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2007-10-08 03:56 55856 ----a-w- d:\program files\VMware\VMware Workstation\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
2007-10-08 03:57 72240 ----a-w- d:\program files\VMware\VMware Workstation\vmware-tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 09:08 158448 ----a-w- d:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ToolTipFixer"=2 (0x2)
"ose"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"MsMpSvc"=2 (0x2)
"McComponentHostService"=3 (0x3)
"idsvc"=3 (0x3)
"AWService"=2 (0x2)
"VideoAcceleratorService"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"d:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=
"d:\\Documents and Settings\\sree\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"d:\\Documents and Settings\\sree\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe"=
"d:\\Program Files\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe"=
"d:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe"=
"d:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe"=
"d:\\Program Files\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe"=
"d:\\Program Files\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe"=
"d:\\Program Files\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe"=
"d:\\Program Files\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe"=
"d:\\Program Files\\SnapStream Media\\Beyond TV\\SetupWizard.exe"=
"d:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Program Files\\SecondLifeViewer2\\SLVoice.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19579:TCP"= 19579:TCP:BitComet 19579 TCP
"19579:UDP"= 19579:UDP:BitComet 19579 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 iastor78;iastor78;d:\windows\system32\drivers\iastor78.sys [22/11/2008 00:33 308248]
R0 mv61xx;mv61xx;d:\windows\system32\drivers\mv61xx.sys [22/11/2008 00:34 143360]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [24/11/2009 17:41 108289]
R2 cpuz133;cpuz133;d:\windows\system32\drivers\cpuz133_x32.sys [26/06/2010 23:24 20072]
R2 Iprip;RIP Listener;d:\windows\System32\svchost.exe -k netsvcs [14/04/2008 07:12 14336]
R2 Switch Off;Switch Off;d:\program files\Switch Off\swoff.exe -service --> d:\program files\Switch Off\swoff.exe -service [?]
R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;d:\windows\system32\drivers\3xHybrid.sys [26/11/2009 20:08 1121536]
R3 BTCAMDRV;Mobiola Web Camera driver;d:\windows\system32\drivers\BTCamDrv.sys [11/04/2010 14:17 219264]
S3 ALSysIO;ALSysIO;\??\d:\docume~1\sree\LOCALS~1\Temp\ALSysIO.sys --> d:\docume~1\sree\LOCALS~1\Temp\ALSysIO.sys [?]
S3 cpudrv;cpudrv;d:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;d:\windows\system32\drivers\ewusbmdm.sys [20/05/2010 22:34 65152]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;d:\windows\system32\drivers\ewusbser.sys [20/05/2010 22:34 65152]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;d:\windows\system32\drivers\nmwcdnsu.sys [25/02/2010 10:45 136704]
S3 PciCon;PciCon;\??\g:\pcicon.sys --> g:\PciCon.sys [?]
S3 PctvVirtualNdis;Pinnacle Virtual Miniport;d:\windows\system32\drivers\PctvVirtualNdis.sys [27/03/2010 23:02 13696]
S3 PRODIGY;PRODIGY;d:\windows\system32\drivers\prodigy.sys [18/01/2010 02:54 32377]
S4 sptd;sptd;d:\windows\system32\drivers\sptd.sys [26/11/2009 20:16 611064]
S4 ToolTipFixer;ToolTipFixer;d:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [14/10/2008 23:03 61952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-152049171-1801674531-1003Core.job
- d:\documents and settings\sree\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-27 04:58]

2010-08-08 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-152049171-1801674531-1003UA.job
- d:\documents and settings\sree\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-27 04:58]

2010-08-07 d:\windows\Tasks\MP Scheduled Scan.job
- d:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 12:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &D&ownload &with BitComet - d:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\program files\BitComet\BitComet.exe/AddAllLink.htm
TCP: {0ABD9EC1-3C8E-429D-9205-D2612A1C8E8B} = 218.248.255.146,218.248.255.46
TCP: {734F0961-61BB-4DB5-9447-3EA29A884FB4} = 192.168.0.1
TCP: {86826903-EA01-40A3-A36A-42321CF37E15} = 218.248.255.146 218.248.255.147
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
FF - ProfilePath - d:\documents and settings\sree\Application Data\Mozilla\Firefox\Profiles\p5474ohd.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&q=
FF - plugin: d:\documents and settings\sree\Application Data\Mozilla\plugins\np-mswmp.dll
FF - plugin: d:\documents and settings\sree\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: d:\documents and settings\sree\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: d:\documents and settings\sree\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-DivXUpdate - d:\program files\DivX\DivX Update\DivXUpdate.exe
MSConfigStartUp-msnmsgr - d:\program files\Windows Live\Messenger\msnmsgr.exe
AddRemove-{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA} - d:\program files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exeUNINSTALL



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3FF11DB6-8C5C-B26E-5AF7-BF75BBDB3855}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iakbdfdikgecakhemn"=hex:6a,61,6c,6f,64,6a,6c,61,70,67,61,6f,68,62,6b,6e,66,64,
6a,67,00,00
"haibbicenenbabdo"=hex:6a,61,6c,6f,6e,6a,66,70,63,6a,6c,6f,6b,65,6e,6f,63,6d,
6b,6e,00,00

[HKEY_USERS\S-1-5-21-73586283-152049171-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6F16F0D3-537A-C8F4-1F71-C4DD7F838768}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iancjklpfojnackabo"=hex:6a,61,61,65,6f,6c,65,6c,70,70,6a,64,6e,6d,6b,70,6a,67,
6c,6e,00,f0
"haddpndhgpjebjgd"=hex:6a,61,61,65,6f,6c,65,6c,70,70,6a,64,6e,6d,6b,70,6a,67,
6c,6e,00,f0

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3FF11DB6-8C5C-B26E-5AF7-BF75BBDB3855}\InProcServer32*]
"fambfacgadeg"=hex:70,61,6e,6f,6a,69,66,6f,65,6c,6c,64,6d,62,61,6a,61,6d,6c,66,
6b,64,64,63,6c,6e,61,65,68,64,65,67,00,00
"nambhaajjdhgoknmjjgjddmocmbl"=hex:64,62,67,6f,65,62,68,68,61,69,61,6b,67,65,
69,64,61,70,6b,62,6b,6e,67,70,61,65,63,67,62,6a,6f,6f,6c,70,6d,68,67,66,6e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
d:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-08 11:22:08
ComboFix-quarantined-files.txt 2010-08-08 05:52

Pre-Run: 3,691,393,024 bytes free
Post-Run: 3,995,832,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

- - End Of File - - 6EABF0C9E3A19C0B78C9686D30971EA7

I don't find anything regarding search, searchqu or Bandoo.

Merged 3 posts. ~ OB

Edited by Orange Blossom, 08 August 2010 - 03:10 AM.
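The log above does carry the searchqu residue the poster says he could not find: the `FF - prefs.js: keyword.URL` line points at searchqu.com, which is where Firefox sends address-bar keyword searches. As an added example (not part of the original post and not ComboFix's own code), this Python script parses the browser-settings lines of a ComboFix Supplementary Scan section and flags any start page, search or keyword URL whose host is a listed hijacker domain. The sample input is constructed from this thread's log; the `HIJACK_DOMAINS` list, the function names and the line patterns are this example's own assumptions.

```python
import re

# Constructed sample modelled on the 'Supplementary Scan' lines of the ComboFix log
# in this thread (hxxp is ComboFix's defanged spelling of http).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
FF - ProfilePath - d:\documents and settings\sree\Application Data\Mozilla\Firefox\Profiles\p5474ohd.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&q=
"""

# Domains treated as search-hijack indicators. searchqu.com is the one named in this
# thread; anything else an analyst adds here is their own assumption.
HIJACK_DOMAINS = frozenset({"searchqu.com"})

# Line shapes ComboFix uses for browser settings (assumed from the log in this thread):
#   "uStart Page = <url>"              IE value from the user hive (m = machine hive)
#   "FF - prefs.js: <pref> - <value>"  Firefox preference from prefs.js
LINE_PATTERNS = (
    re.compile(r"^(?P<setting>[um](?:Start|Search|Default)[\w ]*?)\s*=\s*(?P<value>\S.*)$"),
    re.compile(r"^FF - prefs\.js: (?P<setting>[\w.]+) - (?P<value>.*)$"),
)


def refang(value):
    """Turn ComboFix's defanged 'hxxp' scheme back into 'http' so the URL can be parsed."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.IGNORECASE)


def host_of(value):
    """Return the lower-cased host of a URL-valued setting, or None for non-URL values."""
    m = re.match(r"https?://([^/\s:?#]+)", refang(value))
    return m.group(1).lower() if m else None


def parse_browser_settings(log_text):
    """Extract (setting, value) pairs from the IE and Firefox lines of a ComboFix log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for pattern in LINE_PATTERNS:
            m = pattern.match(line)
            if m:
                entries.append((m.group("setting"), m.group("value")))
                break
    return entries


def find_hijacks(log_text, bad_domains=HIJACK_DOMAINS):
    """Return (setting, host) for every browser setting whose host is a listed
    hijacker domain or a subdomain of one; non-URL values are skipped."""
    hits = []
    for setting, value in parse_browser_settings(log_text):
        host = host_of(value)
        if host is None:
            continue
        if any(host == d or host.endswith("." + d) for d in bad_domains):
            hits.append((setting, host))
    return hits


if __name__ == "__main__":
    # prints: keyword.URL -> www.searchqu.com
    for setting, host in find_hijacks(SAMPLE_LOG):
        print(f"{setting} -> {host}")
```

Run it against the full Supplementary Scan block of a real ComboFix log to list every browser setting that still points at the hijacker after a manual cleanup.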



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:45 AM

Posted 15 August 2010 - 08:11 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:45 AM

Posted 21 August 2010 - 06:08 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
