
New variant of Security Tool? Blocked all web pages.


2 replies to this topic

#1 dark fader


Posted 10 August 2010 - 05:08 AM

I found myself infected with a program called 'Security Tool'. You know the deal, it pretends to find spyware then tries to charge you for removing it.

It also did a few other annoying things:

- It renamed regedit.exe to regedit.com
- It disabled Mbam and Spybot, popping up a fake alert saying that they were infected.
- It killed Mbam's ability to update.
- It redirected all port 80 requests to localhost. (In the interests of helping people search for this, I'll rephrase it in a few ways: I couldn't connect to the internet. All HTTP connections failed. HTTPS connections were unaffected. I couldn't get to a web page using any browser. It diverted all web requests to 127.0.0.1. I was connected to the net but I couldn't reach any server. All web pages were blocked.)
- It caused regedit and task manager to close straight after opening, also alerting that they were infected.

Its behaviour is slightly different to that I have seen described on a number of forums while trying to work out how to clear it. The randomly numbered files in the Application Data folder weren't there, for example. The major difference is the localhost divert on port 80, which is particularly nasty. I eventually found a solution, but I had to go through a lot to get it so I thought I'd share.



I have fixed some of the issues, but after you see a description of my actions so far I would be most grateful if someone could help me find out if I've killed it for good.

So far I:

1: Booted into Safe Mode with networking.
2: This is the bit that took the research. Standard solutions to the problem appear to be:

- Reset the HOSTS file.
- Unset the proxy settings in IE tools menu.
- Change the registry settings for the loading commands of all web browsers from the start menu and remove the malware interceptor.

These didn't work.

Eventually I opened up a command window (click Start, then Run, then type cmd and tap Enter) and typed:

netsh winsock reset C:\resetlog_ws.txt
netsh int ip reset C:\resetlog_ip.txt

Then I rebooted back into safe mode with networking. This brought port 80 back.

3: I then re-installed Mbam, updated it and ran it.

A reboot into non-safe mode showed the malware to still be there, so I rebooted into safe mode again. Port 80 was still active. The malware was still interfering with program execution however.

4: I ran both Spybot and Mbam (in that order), after updating them of course.

A reboot into non-safe mode still showed the malware to be present, so in desperation I downloaded combofix. 'Security Tool' was still blocking anti-spyware tools, so I renamed it to iexplore.exe and ran it.

So far it's made short work of the 'security tool' task itself, renamed itself back to combofix, noticed that regedit.exe was missing (I renamed it back from regedit.com and re-ran), downloaded a Microsoft tool it needed, then finally alerted me to a root-kit and asked for a reset. I've done this, but I had to get in to work so I turned it off at this point.

So:

- Obviously I wanted to share the differences between the problem I experienced and the solutions I've seen so far, and the progress I'd made with it.
- In my haste to fix the problem I didn't see the warnings about using combofix. Now I'm not a noob, but I'm no expert in malware, registry settings, rootkits or the like. I don't really want to interrupt it now though. What are the implications of allowing it to run its course?
- Finally, how do I make sure the malware is completely cleaned from my machine?

Thanks!

#2 dark fader


Posted 10 August 2010 - 05:11 AM

Oops!

I'm running Windows XP.

#3 dark fader


Posted 10 August 2010 - 02:54 PM

The ComboFix log, in case anyone can give me an idea if my machine is still infected:

ComboFix 10-08-09.03 - ben 10/08/2010 19:58:10.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.3582.3133 [GMT 1:00]
Running from: c:\documents and settings\ben\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ben\Application Data\Desktopicon
c:\documents and settings\ben\Application Data\Desktopicon\eBay.ico
c:\documents and settings\ben\Application Data\Desktopicon\uninst.exe
c:\documents and settings\ben\Local Settings\Application Data\0682856.exe
c:\documents and settings\ben\Local Settings\Application Data\761205.exe
c:\documents and settings\ben\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\msconfig.exe
c:\windows\system32\msippsth.dll
c:\windows\system32\msnpwbcf.dll
c:\windows\system32\warning.html.vir

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack :thumbsup:
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TCPIP_PASS-THROUGH_FILTER
-------\Service_TCPIP Pass-through Filter


((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-08-10 19:08 . 2010-08-10 19:08 -------- d-----w- c:\windows\system32\wbem\snmp
2010-08-10 19:08 . 2010-08-10 19:08 -------- d-----w- c:\windows\system32\xircom
2010-08-10 19:08 . 2010-08-10 19:08 -------- d-----w- c:\windows\srchasst
2010-08-10 19:08 . 2010-08-10 19:08 -------- d-----w- c:\program files\microsoft frontpage
2010-08-09 21:57 . 2010-08-09 21:57 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Apple Computer
2010-08-09 21:57 . 2010-08-09 21:57 -------- d-----w- c:\documents and settings\Admin\Application Data\Apple Computer
2010-08-09 21:18 . 2010-08-09 21:18 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\AskToolbar
2010-08-09 20:45 . 2010-08-09 20:47 -------- d-----w- c:\documents and settings\Admin\Application Data\Notepad++
2010-08-09 20:44 . 2010-08-09 20:44 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Mozilla
2010-08-09 20:31 . 2010-08-09 20:57 -------- d-----w- c:\documents and settings\ben\Local Settings\Application Data\gfbqwskmm
2010-08-09 20:31 . 2010-08-10 19:09 782848 ----a-w- c:\windows\system32\drivers\spyha.sys
2010-08-09 20:31 . 2010-08-09 20:31 8192 ----a-w- c:\windows\system32\empaujr.dll
2010-07-31 00:09 . 2010-08-02 10:25 -------- d-----w- c:\documents and settings\ben\Application Data\FileZilla
2010-07-31 00:09 . 2010-07-31 00:09 -------- d-----w- c:\program files\FileZilla FTP Client
2010-07-12 23:19 . 2010-07-12 23:19 -------- d-----w- c:\program files\Cakewalk
2010-07-12 23:19 . 2010-07-12 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Cakewalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 19:11 . 2009-05-31 13:03 -------- d-----w- c:\documents and settings\ben\Application Data\Dropbox
2010-08-10 02:24 . 2010-02-12 00:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-10 01:17 . 2010-02-11 23:07 -------- d-----w- c:\program files\uTorrent
2010-08-10 01:17 . 2010-02-11 23:06 -------- d-----w- c:\documents and settings\ben\Application Data\uTorrent
2010-08-04 22:01 . 2008-11-23 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-31 12:50 . 2010-04-29 19:47 -------- d-----w- c:\documents and settings\ben\Application Data\SQLyog
2010-07-28 01:34 . 2010-03-01 20:59 -------- d-----w- c:\documents and settings\ben\Application Data\vlc
2010-07-10 16:19 . 2007-12-23 10:58 -------- d-----w- c:\documents and settings\ben\Application Data\Ableton
2010-07-10 16:12 . 2007-12-23 10:52 -------- d-----w- c:\program files\Ableton
2010-07-06 22:10 . 2009-05-14 00:24 -------- d-----w- c:\program files\Mixed In Key 4
2010-07-05 20:42 . 2010-07-05 20:42 -------- d-----w- c:\documents and settings\ben\Application Data\PACE Anti-Piracy
2010-07-05 20:42 . 2010-07-05 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2010-07-05 20:42 . 2010-07-05 20:42 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2010-07-05 20:39 . 2010-03-16 21:14 -------- d-----w- c:\documents and settings\ben\Application Data\Cycling '74
2010-07-05 20:35 . 2010-07-05 20:35 -------- d-----w- c:\program files\u-he
2010-07-05 20:12 . 2010-03-16 21:13 -------- d-----w- c:\program files\Cycling '74
2010-06-23 20:32 . 2010-06-23 20:31 -------- d-----w- c:\documents and settings\ben\Application Data\REAPER
2010-06-23 20:28 . 2010-06-23 20:28 -------- d-----w- c:\program files\REAPER
2010-06-22 00:22 . 2010-06-22 00:22 -------- d-----w- c:\program files\Sugar Bytes
2010-06-21 13:20 . 2007-12-22 18:52 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2010-06-18 00:29 . 2010-06-18 00:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{C2686527-0D57-4F0B-ADAB-EE203CA30FC6}
2010-06-18 00:28 . 2010-01-24 16:14 -------- d-----w- c:\program files\Common Files\Native Instruments
2010-06-18 00:27 . 2010-06-18 00:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A397AF63-B3A1-40DF-AA85-5C5368304B60}
2010-06-18 00:27 . 2007-12-23 23:24 -------- d-----w- c:\program files\Native Instruments
2010-06-18 00:06 . 2010-06-18 00:06 -------- d-----w- c:\documents and settings\ben\Application Data\Flux
2010-06-17 20:54 . 2010-06-17 20:54 -------- d-----w- c:\program files\Common Files\Intel
2010-06-17 20:53 . 2010-06-17 20:53 -------- d-----w- c:\program files\Flux
2010-06-16 21:27 . 2010-06-16 21:27 -------- d-----w- c:\program files\D16 Group
.

------- Sigcheck -------


[-] 2007-09-28 . A11391BE25035570AE4B8970920F2C74 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys



c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 16:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 08:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlay]
@="{B44A5D93-1351-41A1-BD91-5E92435D8ECD}"
[HKEY_CLASSES_ROOT\CLSID\{B44A5D93-1351-41A1-BD91-5E92435D8ECD}]
2010-04-22 09:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\ben\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\ben\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\ben\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveDownloadOverlay]
@="{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}"
[HKEY_CLASSES_ROOT\CLSID\{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}]
2010-04-22 09:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveSharedOverlay]
@="{84CEF1E4-1356-4063-845F-05047F4DD52C}"
[HKEY_CLASSES_ROOT\CLSID\{84CEF1E4-1356-4063-845F-05047F4DD52C}]
2010-04-22 09:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveUploadOverlay]
@="{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}"
[HKEY_CLASSES_ROOT\CLSID\{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}]
2010-04-22 09:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Livedrive"="c:\program files\Livedrive\Livedrive.exe" [2010-04-22 1348608]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]
"Vs20 Panel"="Vs20Pan.Exe" [2002-11-21 520192]

c:\documents and settings\ben\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\ben\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OpenOffice.org 3.1.lnk.disabled [2009-6-4 872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2009-6-2 286720]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" /background
"Google Update"="c:\documents and settings\ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"SetDefaultMIDI"=MIDIDef.exe
"uTorrent"="c:\program files\uTorrent\uTorrent.exe"
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"
"AcronisTimounterMonitor"=c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"ASUSGamerOSD"=c:\program files\ASUS\GamerOSD\GamerOSD.exe
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"CTHelper"=CTHELPER.EXE
"EPSON Stylus Photo R300 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"36X Raid Configurer"=c:\windows\system32\xRaidSetup.exe boot
"JMB36X IDE Setup"=c:\windows\RaidTool\xInsIDE.exe
"TrueImageMonitor.exe"=c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
"WinampAgent"="c:\program files\Winamp\winampa.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\eclipse\\eclipse.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\ben\\Desktop\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/02/2010 12:18 AM 162512]
R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [13/02/2010 6:30 PM 146904]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/12/2008 12:10 AM 24636]
R2 Dokan;Dokan;c:\windows\system32\drivers\dokan.sys [31/12/2008 12:34 PM 60928]
R2 DokanMounter;DokanMounter;c:\program files\Dokan\DokanLibrary\mounter.exe [31/12/2008 12:34 PM 20992]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [23/12/2007 9:31 AM 1373480]
R3 Vs20_01;Service for VSL2020-1;c:\windows\system32\drivers\Vs20wdm.sys [24/06/2010 12:16 AM 25184]
R3 Vs20_AA;Service for VSL2020 Audio Driver;c:\windows\system32\drivers\Vs20.sys [24/06/2010 12:16 AM 28960]
R4 atidgllk;atidgllk;c:\windows\atidgllk.sys [22/12/2007 7:52 PM 5376]
S0 ekqrr;ekqrr; [x]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
S2 gupdate1c9215f78021282;Google Update Service (gupdate1c9215f78021282);c:\program files\Google\Update\GoogleUpdate.exe [28/09/2008 12:43 PM 133104]
S3 automap;Automap MIDI Driver Service;c:\windows\system32\drivers\automap.sys [15/03/2010 2:10 PM 7168]
S3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\drivers\nvnusbaudio.sys [15/03/2010 12:41 PM 31232]
S3 RDID1046;EDIROL UA-25;c:\windows\system32\drivers\Rdwm1046.sys [09/11/2009 8:55 PM 173889]

--- Other Services/Drivers In Memory ---

*Deregistered* - spyha

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN
TCPIP Pass-through Filter

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2010-08-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-23 20:31]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-28 19:05]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-28 19:05]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1409082233-839522115-1001Core.job
- c:\documents and settings\ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 19:05]

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1409082233-839522115-1001UA.job
- c:\documents and settings\ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 19:05]

2010-08-10 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\ben\Application Data\Mozilla\Firefox\Profiles\bwstm2g5.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\ben\Application Data\Mozilla\Firefox\Profiles\bwstm2g5.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\documents and settings\ben\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lkfnnc - c:\windows\system32\msnpwbcf.dll
AddRemove-eBay Icon - c:\documents and settings\ben\Application Data\Desktopicon\uninst.exe
AddRemove-Live 8.0.10 - c:\progra~1\Ableton\LIVE80~1.10\Install\UNWISE.EXE
AddRemove-Live 8.0.6 - c:\progra~1\Ableton\LIVE80~1.6\Install\UNWISE.EXE
AddRemove-Live 8.1.1 - c:\progra~1\Ableton\LIVE81~1.1\Install\UNWISE.EXE
AddRemove-Native Instruments Massive v1.0.1.008 VSTi DXi RTAS - c:\progra~1\NATIVE~1\Massive\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-10 20:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\spyha]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(948)
c:\program files\Unlocker\UnlockerHook.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\Livedrive\LivedriveExtensions.dll
c:\documents and settings\ben\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\xampp\mysql\bin\mysqld.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\Vs20Pan.Exe
.
**************************************************************************
.
Completion time: 2010-08-10 20:18:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-10 19:18

Pre-Run: 2,253,598,720 bytes free
Post-Run: 2,176,389,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D2A83927FB9FC8F0EC18AB0DF3F89C1E
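An added triage script, not the poster's or ComboFix's own code, that reads a ComboFix log like the one above and pulls out the lines a responder would check before calling the machine clean: the disinfected afd.sys, the TCPIP Pass-through Filter service entries that were removed, system files Sigcheck could not find, the firewall policy, the driver ComboFix deregistered, and any Services key that survived it. The rule names and severities are my own labels, and the embedded sample is an excerpt of the log above rather than a full log file.

```python
import re
from collections import Counter

# Constructed excerpt of the ComboFix log posted above, trimmed to the lines
# the triage rules look at; it stands in for a full log file on disk.
SAMPLE_LOG = r"""
ComboFix 10-08-09.03 - ben 10/08/2010 19:58:10.1.4 - x86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\msippsth.dll
c:\windows\system32\msnpwbcf.dll
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_TCPIP_PASS-THROUGH_FILTER
-------\Service_TCPIP Pass-through Filter
------- Sigcheck -------
c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/02/2010 12:18 AM 162512]
S0 ekqrr;ekqrr; [x]
--- Other Services/Drivers In Memory ---
*Deregistered* - spyha
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\spyha]
"""

# Section banners as ComboFix prints them: "(((( Title ))))" or "------- Title -------".
BANNER = re.compile(r"^(?:\(+|-{3,})\s*(.+?)\s*(?:\)+|-{3,})\s*$")

# Rules applied to every line. Severity is how much manual follow-up the line
# calls for (my labels), not a verdict that the machine is still infected.
LINE_RULES = [
    ("disinfected_system_file", "high",    # a patched kernel driver, like afd.sys above
     re.compile(r"^Infected copy of (?P<item>.+?) was found and disinfected")),
    ("missing_system_file", "medium",      # Sigcheck expected an OS file and did not find it
     re.compile(r"^(?P<item>.+?) \.\.\. is missing !!")),
    ("service_without_image", "high",      # service still registered but its file is gone
     re.compile(r"^[RS]\d\s+(?P<item>[^;]+);[^;]*;\s*\[x\]\s*$")),
    ("deregistered_driver", "high",        # driver ComboFix unloaded from memory
     re.compile(r"^\*Deregistered\* - (?P<item>\S+)")),
    ("leftover_service_key", "high",       # bare Services key printed after the rootkit scan
     re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<item>[^\]]+)\]$", re.I)),
    ("firewall_disabled", "medium",        # standard-profile firewall policy switched off
     re.compile(r'^"EnableFirewall"=\s*0\b')),
]

# Rules that only make sense inside one section of the log.
SECTION_RULES = {
    "Other Deletions": ("deleted_file", "info", re.compile(r"^(?P<item>[a-z]:\\.+)$", re.I)),
    "Drivers/Services": ("removed_service", "info", re.compile(r"^-{3,}\\(?P<item>.+)$")),
}


def parse_sections(text):
    """Split a ComboFix log on its banner lines into {title: [lines]}."""
    sections, current = {"Header": []}, "Header"
    for line in text.splitlines():
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return every rule hit, per-severity counts, and the drivers that were
    unloaded from memory yet still have a Services key (spyha in the log above)."""
    findings = []
    for section, lines in parse_sections(text).items():
        rules = LINE_RULES + ([SECTION_RULES[section]] if section in SECTION_RULES else [])
        for line in lines:
            for kind, severity, rx in rules:
                m = rx.match(line)
                if m:
                    item = m.groupdict().get("item") or line.strip()
                    findings.append({"kind": kind, "severity": severity,
                                     "item": item, "section": section})
    deregistered = {f["item"].lower() for f in findings if f["kind"] == "deregistered_driver"}
    leftover = {f["item"].lower() for f in findings if f["kind"] == "leftover_service_key"}
    return {
        "findings": findings,
        "counts": dict(Counter(f["severity"] for f in findings)),
        "drivers_needing_followup": sorted(deregistered & leftover),
        "needs_followup": any(f["severity"] == "high" for f in findings),
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print(f"[{f['severity']:<6}] {f['kind']:<24} {f['item']}")
```

Run it against the full log (read the file into `triage`) and the spyha driver shows up twice, once as deregistered and once as a surviving service key, which is the kind of leftover worth asking the helpers about before declaring the machine clean.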



